Cyber crime is big business. Computer security software company McAfee estimates that cyber criminals cost the global economy $375 billion – $575 billion in losses each year, which is more than the national income of most countries.
It’s not only big corporations in cyber criminals’ cross hairs, however. Nearly one-half of U.S. small businesses report falling victim to attacks. The resulting fallout, which can reverberate beyond financial losses to include brand damage and customer churn, is often catastrophic: The National Cyber Security Alliance estimates that 60% of small businesses that suffer a cyber attack shut down within six months of the crime.
But forewarned is forearmed. Businesses that understand the scale and scope of the digital threats facing them can then take the measures necessary to secure their IT systems against calamity.
Assessing the Dangers
American companies suffered an average of 160 successful cyber attacks per week in 2015, more than three times the 2010 average of 50 per week, according to the Ponemon Institute’s 2015 Cost of Cyber Crime Study. 97% of businesses surveyed were the victims of an attack involving malware (software specifically engineered to access or damage an IT system without the owner’s knowledge), while 76% were victims of web-based tactics like phishing.
Not all threats are external, either. 43% of companies reported cyber attacks by malicious insiders and 36% suffered attacks resulting from a lost or stolen device, Ponemon found.
Cyber threats are growing increasingly sophisticated as technology becomes further entrenched in all phases of our professional and personal lives. Smartphones are particularly attractive targets for cyber criminals: By the end of 2015, close to 200 million Americans owned smartphones, many of them white-collar professionals, presenting myriad opportunities and vectors of attack, from malicious apps to web browsing. The rapid growth of cloud computing and the advent of the Internet of Things (IoT), which adds a multitude of new connected devices to office and home environments, also present new opportunities for hackers to exploit.
Small businesses should additionally brace themselves for emerging trends including:
- Cyber espionage: Intellectual property, production processes, blueprints, and other proprietary assets stored on business networks are catnip to hackers.
- Extortion attacks: The 2015 breach of Ashley Madison didn’t just do damage to the dating website’s brand; it also jeopardized the privacy and safety of users, some of whom received blackmail threats. Small businesses with data and assets they wish to keep confidential present an irresistible opportunity for extortion-minded hackers.
- Stolen data aggregation: Data hijacked from smaller organizations may have relatively little value on its own terms. But combined with information and intellectual property from other businesses, the collective value can skyrocket. While electronic health records (EHRs) have been in the news when they are stolen by the millions from large data repositories, they are also swiped from doctors’ offices and urgent care facilities. Because the information they contain is permanent, their black market value far exceeds that of credit card numbers, and the opportunities for fraud are increased.
Five Steps to Comprehensive Cyber Security
Cyber criminals frequently target small businesses (especially those with fewer than 250 workers) because they view these companies as soft, easy marks. Here are five steps your business can take to prove them wrong.
- Train employees on security protocols
Small businesses wouldn’t dream of failing to train staffers on the core processes related to their day-to-day duties, but cyber security often gets ignored.
Securing organizations against cyber attacks begins with educating employees on the dangers lurking around every digital corner. Decision makers should establish basic security practices and policies for all staff members, requiring strong, unique passwords that are changed every three months. Employers should also implement online activity guidelines and rules of behavior for handling and safeguarding client information and other critical data. These guidelines should incorporate appropriate penalties for any cyber security violations that put the company and its customers at risk.
- Fully secure all information, hardware, and networks
Make certain that your company’s IT systems are as impenetrable as possible. Equip all computers with antivirus software and anti-spyware tools, purchased only from reputable, established software firms, and update them regularly. All credible software vendors regularly issue patches and product updates to bolster security and functionality; instruct IT managers to configure all software to install these updates automatically.
Secure your web connection behind a firewall. Make sure Wi-Fi networks are secured via password protection and hidden so the wireless access point or router does not broadcast the network name.
- Control access to computers and other devices, onsite and off
Prevent unauthorized individuals from accessing business computers and restrict administrative privileges to trusted IT staff and other key personnel. Create separate user accounts for each employee.
Laptops and other connected devices are commonly stolen or lost, so urge staffers to exhibit caution and common sense when working outside of the office environment.
Require users to password protect all devices, encrypt their data, and download security applications to prevent criminals from stealing information when connected to public networks. IT managers should also create clear reporting procedures for lost or stolen equipment and ensure that all staff members are well-versed in them.
- Regularly back up all critical business data
Make backup copies of all vital data stored on the company’s computers, whether it’s documents, databases, spreadsheets, financial files, human resources information, or accounts receivable/payable records. Automate weekly backups if possible, and store all copies either in a secure offsite facility or in a secure cloud environment.
- Purchase cyber insurance
Cyber insurance packages safeguard companies from data breaches, network attacks, and other common perils of doing business in the digital age, such as denial of service attacks, malicious code, spoofing attacks, and social engineering (i.e., manipulating individuals into performing criminal actions or divulging confidential information).
Cyber insurance premiums typically include loss prevention or avoidance, protection against catastrophes, and resolution coverage to assist businesses when a cyber attack occurs. Policies and prices vary depending on numerous factors, including the size of the business, the industry vertical it serves, and the scope and volume of data on its IT network.
Small business cyber coverage is an increasingly lucrative segment of the insurance industry, and for good reason: Savvy companies know that surviving and thriving in the digital age means being safe, not sorry.