Cybersecurity for Small- to Medium-Sized Businesses

Today’s small- to medium-sized businesses face unique cybersecurity challenges. To protect against malicious attacks, business owners and managers must understand the risks, assess where their company is vulnerable, and put the appropriate protections in place. 

Lack of Oversight 

In a small- to medium-sized business setting, each employee has to take responsibility for helping to protect the company’s valuable data and computer systems. However, employees are spread thin, wrapped up in meeting deadlines, and anxious to provide timely and quality customer service. In the rush to deliver exemplary service (to external clients AND internal partners), employees may not realize they could be exposing the company to risk. They may cut corners and release secure data in order to meet a deliverable. They may make a judgement call that meeting the deadline is more important than following cybersecurity protocols. Managers must require that employees ONLY share the minimum information necessary to perform the task at hand, even with internal partners. 

Additionally, small- to mid-sized businesses rarely have an in-house IT department or enough managers and key employees who understand cybersecurity. How can they adequately monitor their systems and cybersecurity programs if no one fully understands how they work? It is the managers’/owners’ job not only to define cybersecurity protocols for their business, but also to make sure employees are trained on AND follow them. Managers/owners must reinforce that, while timeliness is important, QUALITY AND SECURITY matter more, both to your clients and to the business! 

Likelihood of Personal Device Usage 

Small- to medium-sized businesses tend to have more flexible scheduling; employees may work from home or take their company-owned laptops out of the office. This generally less regimented approach results in more employees using personal devices while working. There is often a lack of policies surrounding personal device usage. 

Any laptops, computers/tablets, or mobile phones, business AND personal, that access the company network (including wi-fi) must be protected like all other in-office equipment. For example, failing to install an adequate firewall on a single employee’s laptop opens the company up to a myriad of possible attacks. 

Lack of Time 

Again, small- to medium-sized businesses generally have limited time and resources. They might be forced to skimp on employee training, or simply assume everyone has common sense and will “know” what to do. This may seem to have little to do with cybersecurity, but employees play a large role in your company’s safety and security. Many cybersecurity attacks, especially those related to email, can be prevented by employee diligence. 

Typically, if a business needs a new security-related service, they use Google to find an option that fits their price range. Then they install it and forget about it, assuming the program will manage itself and protect the business from all cybersecurity-related threats. However, this is not enough: programs need to be tailored to each individual business’s needs AND maintained. The “set it and forget it” mentality creates dangerous vulnerabilities. Not to mention, having the correct software is only one piece of the puzzle. 

Common Attacks on Small- to Medium-Sized Businesses 

Social Engineering Attacks 

Social engineering attacks rely on human interaction to extract information that should not be released. This type of attack can wreak havoc on small- to medium-sized businesses. Phishing and spoofing are the two most common social engineering attacks. Both cause many compliance issues and incidents of theft each year. 

Phishing 

Phishing is a type of scam in which hackers contact a target, usually by email, posing as a reputable website or trusted entity. 90% of phishing attacks come through email. By assuming a false identity, hackers lure individuals into revealing sensitive information, like login credentials or banking and credit card details. For example, a phishing email may appear to come from a user’s employer; it could even carry the company logo or other elements that, at a glance, appear credible. It asks for the employee’s username and password to the company website. The user provides the information and grants the hacker access. 

Spoofing 

Hackers also use a method called spoofing. In this case, the attacker sends an official-looking message, usually an email, to a target that contains a link. Clicking on this link installs malware on the recipient’s device. 

Though these attacks pose a serious threat to businesses, they can be prevented with adequate training. It is vitally important to teach employees how to recognize these malicious emails, and to reinforce this training annually. 

Malware Attacks 

Hackers install malware on devices remotely, often through email. There are always new innovations in harmful software, like drive-by malware. This is a type of attack that installs malware onto a user’s device without them having to click on a malicious link. Again, employee training and a secure email service that can filter out, or at least highlight, these dangerous messages are what businesses need. 

Hidden Cost of Cyber Attacks 

Cyber-attacks send shockwaves through small- to medium-sized businesses. There are numerous hidden costs, especially if your company handles Protected Health Information (PHI) and a cyber-attack causes a breach. 

First, an organization must clean up the mess, or rather, patch the leak. The problem must be solved as quickly as possible. Therefore, a business will likely have to hire a compliance or cybersecurity expert to help with the cleanup. They will likely pay premium prices and rush fees because this must be done immediately. Not to mention, all other business matters must be put on hold until the mess is cleaned up. 

The business may incur LEGAL FEES or FINES. The bad publicity from the incident may lead to a LOSS OF BUSINESS OR TRUST from clients, employees, and business associates. 

Covered Entities (organizations required to comply with HIPAA) must notify individuals whose information was exposed in a breach. If the breach impacts more than 500 individuals, the Covered Entity must notify Health and Human Services (HHS), and potentially their State Attorney General’s office, immediately. Breaches affecting fewer than 500 people should be reported to HHS within 60 days of the end of the calendar year in which they occurred. After a breach, cyber insurance costs will skyrocket, if the company is able to get insurance at all. 

In 2017, the average cost of a breach for a medium-sized business was $2 million, and it has only gone up since. If companies spent just 10% of that cost on proper cybersecurity measures, it is likely that breaches could be prevented altogether, or at least seriously mitigated. 

The adage “an ounce of prevention is worth a pound of cure” perfectly describes a business’s relationship with cybersecurity. 

What Can Small- to Medium-Sized Businesses Do to Stay Safe? 

Rely on Experts. 

The best thing businesses can do to stay safe is to work with an expert. Outsource the complex, difficult-to-understand tasks to a cybersecurity expert. A comprehensive approach to cybersecurity involves working through every little detail; if you do not feel equipped to do this, Armoureye is here to help. 

Many small and medium-sized business owners complain about the cost of taking proper cybersecurity measures. Think about it like paying for parking; putting $2 in the meter is worth protecting yourself from a $50 ticket, or worse – getting your car towed! The upfront cost of cybersecurity may seem steep, but small and medium-sized businesses simply cannot afford the risk of doing nothing or doing cybersecurity poorly. 

Complete a Risk Assessment 

Companies should perform a thorough Risk Assessment. HIPAA requires Covered Entities to perform a Risk Assessment, but any company benefits from this exercise. A Risk Assessment evaluates all possible vulnerabilities and establishes a blueprint for the creation of Privacy and Security Policies and Procedures. 

Risk Assessments also help companies understand which actions they can reasonably address on their own and which they should outsource to experts. We recommend you review your Risk Assessment annually and perform one from scratch every 2-3 years, or whenever you’ve had any major changes in your systems. Getting new servers, upgrading to new operating systems, and using new software for collecting or storing PHI all warrant a new Risk Assessment. 

Backup Data 

Backup and archive everything. We recommend following the 3-2-1 rule: keep three copies of your data on two different storage platforms, one of which is offsite. Hackers coerce business owners into paying large sums of money to release their data and/or end a ransomware attack. We always ask our clients: how long can you live without your data? Many businesses would be devastated to lose even a week of material. Additionally, Covered Entities must retain PHI for a minimum of six years (if not longer, depending on state requirements), so secure storage is a must.  

Secure Email 

Using a free version of an email service may be tempting, but doing so puts your company at risk. Paid email services offer cybersecurity features, like filtering and warning labels, that protect users from spam, malware, and phishing threats. This removes a great deal of risk. Even though employees should be trained to recognize and report these malicious email attacks, preventing them from interacting with these types of messages altogether is ideal. Additionally, if you send or receive any PHI via email, you must use email encryption. This is one of the many services Armoureye offers. 

Conclusion 

Cybersecurity for small- to medium-sized businesses is not as daunting as it seems if you ask for help. Why not hand things over to the experts, for the sake of your business? 

You can find a full list of Armoureye’s offerings at https://armoureye.com. Call us to schedule a FREE consultation. 

Go from vulnerable to secured today. 
