Small businesses are easy target for hackers wanting to steal customer data. Source: Shutterstock

Why small businesses should take cybersecurity more seriously

It is a common assumption that small businesses do not need comprehensive cybersecurity protection — owners usually argue that there’s not much to steal.

It is almost as if criminals will overlook these businesses and focus their efforts on breaking into the systems of billion-dollar enterprises.

But the truth is that small and medium-sized businesses (SMBs) account for more than 90 percent of all enterprises in the Asia-Pacific region and are very much in the crosshairs of unscrupulous hackers.

In fact, the generally relaxed attitude of SMBs that are just getting on board the digital transformation bandwagon makes them an extremely easy target.

According to one data compilation, nearly half of cyberattacks are directed at small businesses. What is even more alarming is that the total economic damage inflicted by cyberattacks in the region alone amounted to a whopping US$17.5 trillion.

And one figure suggests that about 60 percent of small enterprises go out of business within six months of a cyberattack incident.

What makes them an easy target?

The majority of cyberattacks carried out have just one purpose: to steal customer data.

Big companies may have a bigger pool of data, but small businesses usually have less secure networks that make them easier to breach.

Big companies are typically equipped with comprehensive security measures as well as threat anticipation protocols, making them less attractive to cyber-criminals.

And as these criminals are already looking to prey on businesses that are lower in the food chain, small businesses’ general lack of preparedness for an attack makes them an especially easy target.

Some of the other vulnerabilities of small businesses are:

  • General lack of resources – This includes the time, budget, and expertise to implement and maintain adequate security measures.
  • Shortage of talent – Small businesses typically do not have a designated IT security specialist on their payroll.
  • Lack of training and awareness among staff – Most staff members at small organizations are neither aware of the risks nor trained to be vigilant against malicious threats.
  • Unqualified third-party IT services and security – Small businesses that outsource their IT maintenance are effectively placing the trust of their customers in a third-party vendor who may or may not have the right skills for the job.
  • Outdated security systems – Without anyone in charge of overseeing system updates, the existing system may be too old to protect against newer, more sophisticated threats.

Rapid digital transformation increases risks

As organizations become more digitized and adopt more complex networks – which could be on-premises, cloud or hybrid – as well as other technologies such as IoT, the business environment itself becomes more complicated.

Not only does this connected ecosystem exponentially increase the value of data, but a small business that is a vendor to a bigger company could be targeted in order to breach the larger entity.

This was exactly what transpired a couple of years ago when hackers broke into US-based retail giant Target’s network using login credentials stolen from its refrigeration and HVAC vendor.

The hack led to the theft of credit card information of over 41 million customers and resulted in Target suffering millions in damages.

Understanding the risk

Different companies face different types of risks, and organizations should first understand the nature of the threats they are susceptible to, before choosing the protective measures they need.

The most common type of attack that takes place in the small business setting is the phishing attack, which starts with communications – via e-mail or text message pretending to be from a credible source, such as a financial institution – and directs unsuspecting users to a website that mimics a legitimate webpage, set up to obtain the users’ credentials.

Another type of attack that continues to keep business leaders awake at night is ransomware. It is a form of malicious software (malware) that takes control of a computer and denies access to critical data until a ransom is paid.

The most common method of delivering malware, again, is via e-mail, the number one mode of communication in modern offices.

Damages resulting from these attacks can range from economic losses in the millions to a decline in consumer trust or brand reputation.

What small businesses should do

So, what can companies do to secure their network, and by extension, everyone else within their ecosystem in the process?

Small businesses need to go back to the basics.

Organizations, first and foremost, have to establish a work culture that values (data) security.

Companies need to establish standard practices such as a password policy for devices that connect to the company network and proper internet usage guidelines for workstation use, among other things.

It is also imperative that enterprises update their antivirus software and maintain properly serviced devices, as these are proven methods to keep a network safe from viruses, malware, and ransomware.

Further, organizations should also deploy firewall security that restricts outsiders or third-party entities from accessing the company network.

Firewalls often serve as the first line of defense against cyber threats, and in addition to the standard external firewall, companies should also install internal firewalls, as well as secure the organization’s WiFi networks.

Beyond that, employee access to data has to be restricted to relevant groups only.

Employee laptops, mobile phones, and other devices are all potential weak links that could be used to gain access to and compromise the company network, and thus credentials must only be issued to trusted personnel.

Moreover, remote access and other employee access to the network should require multi-factor authentication, beyond passwords alone.

And finally, companies should always back up important data, at the very least, on a weekly basis.

These files may include Word documents, spreadsheets, human resource records, and other important files — stored on-premises and in the cloud.

Backed-up files should also be checked regularly to make sure that they are intact and can actually be restored.
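As an added example (not code from the original article), a small Python checker for the two backup controls just described: it records a manifest of file hashes when a backup is taken, and later reports whether any file has gone missing or been altered and whether the backup is older than the weekly cadence. The directory layout and the one-week threshold are assumptions.

```python
"""Added example: check that a backup set is fresh (taken within the weekly
cadence the article recommends) and intact (every file still matches the
SHA-256 recorded when the backup was taken). Paths and cadence are assumptions."""
import hashlib
import json
import time
from pathlib import Path

WEEK_SECONDS = 7 * 24 * 3600  # article's minimum cadence: at least weekly


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record when the backup was taken and the hash of every file in it.
    Run this right after each backup and keep the manifest with the backup."""
    manifest = {
        "taken_at": time.time(),
        "files": {
            p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()
        },
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path, now=None) -> dict:
    """Report missing or altered files and whether the backup is over a week old.
    A backup that fails any of these checks cannot be relied on for a restore."""
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    missing, altered = [], []
    for rel, expected in manifest["files"].items():
        path = backup_dir / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != expected:  # bit rot, tampering or encryption
            altered.append(rel)
    stale = now - manifest["taken_at"] > WEEK_SECONDS
    return {"ok": not (missing or altered or stale),
            "missing": missing, "altered": altered, "stale": stale}
```

Run `write_manifest` as the last step of each backup job and schedule `verify_backup` separately, so a backup that silently stopped running shows up as stale rather than going unnoticed.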

And as an added safeguard, companies could also purchase a cyber insurance policy to protect themselves in the event of economic loss from a data breach.

Only 20 percent of Asian companies are currently insured against cyber threats, and analysts expect increased take-up of stand-alone cyber insurance, which might bring down premium prices.

Paradigm shift needed

In the end, all the steps prescribed might not be able to provide iron-clad protection against the increasingly sophisticated cyber threats, but the fundamental change in the mentality – that hackers are only focused on the Fortune 500 companies – has to happen.

It might seem like a small step, in the grand scheme of things, but any step towards making businesses less attractive to cybercriminals is a step in the right direction.