Managing security for any size business is a difficult job. The biggest corporations have large teams of IT executives, engineers and expert security advisers to help them out, and sometimes they still don’t get it right.
The task of managing security for a small business can be even more challenging because you don’t have those layers of input to rely on. Instead, the small firm’s ability to protect itself, its customers and its partners is dependent on a very small team of probably overworked individuals, or maybe just one overworked individual — you.
Small business operators might think they’re too small to be in harm’s way of security threats, and as a result many lack formal security strategies. However, the reality is security attacks targeting small businesses are on the rise. About 43 percent of attacks last year alone targeted small businesses, a steep increase from just 18 percent back in 2011, according to security software firm Symantec.
Also, a Verizon Data Breach Investigations Report suggested that 71 percent of attacks target companies with 100 or fewer employees.
Far from being out of harm’s way, it appears that small businesses are sitting ducks — if they don’t take action.
If you want to do a better job managing security, it helps to know what you’re up against. The biggest threats are often gaps in your own awareness and understanding of your options. With that in mind, here are 10 security threats many small businesses face, along with starting point measures to better protect your business:
What to do about it: Giving everyone access to everything is a good way to open the floodgates to practically anyone to access to sensitive data. Start by cultivating a document and data classification strategy granting access to sensitive details, such as intellectual property, financial data or employees’ personal data, to only a select, trusted few. Make everyone in the organization sign agreements to adhere to this policy.
What to do about it: Bring Your Own Device policies are perfectly acceptable and financially prudent, but mobile malware and other threats are growing fast. Require staff to use a VPN for remote access and only those secure apps that you have already approved. Short of that, make sure employees can lock their phones and have access to a data wiping capability in the event a phone is stolen or lost.
What to do about it: A bit of bad code is going to do its best to mind its own business while stealing from your business, and could go on for months, compromising passwords, copying documents and even stealing identities. You need software that frequently searches your systems for attack vectors, updates protections, and administers patches where needed. Also, consider subscribing to a managed IT security service from a trusted partner.
What to do about it: It’s hard to keep up, but getting employees to follow really basic precautions — like not opening mysterious e-mail attachments and not clicking on questionable or obviously NSFW links — can do wonders protecting you from whatever is circulating. Also, most security software updates take care of threat definitions as new attack trends emerge, and again, an outside partner can help — it’s that firm’s business to be aware of the latest threats to your business.
What to do about it: Security partners can help with this, too, but just as an exercise you should think defensively. Identify in your own mind rivals or other parties that might have reason to go after your intellectual property, access copies of internal communications, or just generally mess things up for you and cost you money. Some hackers may just see a defenseless small business they can destroy, but other times, the threat is personal and known — if you heighten your awareness to it.
What to do about it: Every business makes a decision about what kind of cloud to use — public, private or hybrid — but assuming many small businesses use public clouds, your cloud service provider should have security policies and mechanisms in place. If you’re especially concerned, you might want to encrypt your data transactions with the cloud.
What to do about it: Make sure your payment systems and providers comply with the Payment Card Industry Data Security Standard, and that they encrypt transactions between you and your customers. An additional option is to enable tokenization, replacing payment card numbers with secure tokens. Using security software or a service provider to frequently monitor potential vulnerabilities is also important.
What to do about it: Studies suggest a single security attack can cost a business an average of almost $200,000, much more than the price tag for security software or a monthly managed service fee. Find the money somewhere to properly protect your business.
What to do about it: This needs to be taken very seriously as a threat to cyber security, as well as personal and physical security. But, on the cyber front, make sure all credentials for this employee have been revoked — ideally before they leave the building. Ensure the disgruntled person doesn’t have access to anyone else’s credentials, and that there are no other paths open for outside access to sensitive data and systems.
What to do about it: You need to make employees understand their employment is conditional upon their ability to follow policies and procedures. If they don’t get it, one sure-fire way to protect your business is to make them former employees.
No business is too small to fall prey to security threats. Assess the risks and take action to protect your data and software from future attacks.