Big cyber-breaches are generally associated with big businesses – Target, Home Depot, and Sony Pictures – to cite just a few headline-grabbers of late. The reality, however, is that small businesses are the most vulnerable to cyberattacks. In fact, consider these disturbing facts:
- In a recent study of cyberattacks, 70 percent of the breached businesses had fewer than 100 employees.
- Cybercriminals steal upwards of $1 billion annually from small-and-medium-sized businesses in the United States and Europe alone.
- Fully 60 percent of small businesses that are victims of a cyber-breach close their doors within six months.
Hackers see small businesses as low-hanging, breachable fruit because they have more digital assets than an individual consumer, but far less security than a large company. Also, the partnerships that small businesses often have with larger businesses provide back-channel access to what hackers truly treasure – credit-card data, intellectual property, and information paving the way for identity theft.
Given the uniqueness of every small business, there isn’t an impenetrable, cookie-cutter approach to cyber-security. With that caveat in mind, see how your small business stacks up against this cyber-security checklist:
- PCI compliance – If your business processes, stores, or transmits credit-card information, make sure those operations comply with PCI DSS (the Payment Card Industry Data Security Standard). If you're not compliant and a breach occurs, the fallout can include stiff fines and penalties on top of the breach costs themselves.
- DLP software – Data loss prevention (DLP) software inspects outgoing email (and, depending on the product, web uploads and file transfers) for sensitive data such as card numbers and blocks or encrypts it before it leaves your network. Sensitive information should only be sent if it is encrypted or otherwise protected by such controls.
- Cyber insurance – Some small-business owners are under the impression that their general liability insurance policy will help them recoup losses or professional fees resulting from a data breach. This is generally not the case, so a separate policy that covers these types of cyber-breach damages is recommended.
- Software updates – Hackers are perpetually on the prowl for unpatched vulnerabilities in operating systems, browsers, office applications, and security software itself. So, when the manufacturer or your security application informs you that an update or patch is available, install it promptly, and turn on automatic updates wherever the software offers them.
- Education – Teach employees what forms a cyber-attack can take, phishing email in particular, so that – ideally – they can prevent a breach from occurring, or at least limit the damage and report it quickly if one does take place. There also should be written rules regarding how employees are to handle customer information and other crucial data.
- Firewall – In the world of computers, a firewall is hardware or software that filters network traffic, blocking connections from outside your network unless they have been explicitly allowed. Not only does your small business need a firewall at its network edge, but if any employees telecommute, their home systems must also be protected by a firewall (at minimum, the host firewall built into modern operating systems, switched on).
- Data backup and access – All of your business's important data should be backed up regularly, preferably through an automated process, and restores should be tested so you know the backups actually work. Backed-up copies should be stored offsite or in the cloud, and at least one copy should not be writable from the systems being backed up, so that ransomware or a compromised account cannot destroy the backups along with the originals. Additionally, employees should not have unfettered access to all of your data systems. Instead, they should only be given access to the systems and data their specific duties require, and they should not be able to install software without permission.
- Physical access – Computers that are used by your employees should not be easily accessible by unauthorized individuals. Laptops are especially vulnerable to theft, so they should be locked up when unattended and their disks encrypted, so that a stolen machine does not become a data breach. The administrative credentials and configuration details for your business's network also should be closely guarded.
- Wi-Fi network – If your business has a Wi-Fi network, make sure it is encrypted with WPA2 or WPA3 and protected by a long passphrase, and change the router's default administrator password. Hiding the network by not broadcasting its name is often suggested, but it adds little real protection: the name is still visible to anyone with a Wi-Fi scanner, so treat it as a minor extra rather than a security control. If you offer Wi-Fi to visitors, put them on a separate guest network.
- Passwords and authentication – The importance of long, unique passwords, ideally generated and stored by a password manager, cannot be overstated. The traditional advice to change every password every three months is no longer recommended by current security guidance, because forced rotation pushes people toward weak, predictable variants; instead, change a password immediately whenever there is any sign it may have been exposed. Security experts further recommend multi-factor authentication, which requires something beyond the password – such as a one-time code from an authenticator app or a hardware security key – to gain entry. Also make sure that any vendors that handle sensitive data on your behalf, particularly financial data, offer multi-factor authentication for your account, and turn it on.
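As an added example (not from the original article, and not any particular product's code), the following Python shows the core of what the DLP item above describes, and why it matters for the PCI item: an outgoing message is scanned for payment-card numbers, each candidate is confirmed with the Luhn check digit so that order numbers and phone numbers are not flagged, and confirmed numbers are masked before the message is allowed out. The sample email is constructed for the example; the card numbers in it are the standard test numbers, not real accounts.

```python
"""Minimal DLP check for outgoing email: find payment-card numbers (PANs),
confirm them with the Luhn mod-10 check, and mask them before release.
Added example, not from the original article; the sample message below is
constructed for the example."""
import re

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by every major
    card brand: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """All Luhn-valid card numbers in the text, as written in the text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            hits.append(match.group())
    return hits


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with asterisks, keeping the last four."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()          # fails Luhn: not a card, leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


def check_outgoing(text: str) -> dict:
    """Policy decision for one outgoing message: block it if it carries any
    card numbers, and return a redacted copy that is safe to log or forward."""
    pans = find_pans(text)
    return {"allowed": not pans, "pans": pans, "redacted": mask_pans(text)}


# Constructed sample: one well-known test card number, one that merely looks
# like a card number, and a 16-digit order reference that fails Luhn.
SAMPLE_EMAIL = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234567890123456; "
    "the other card 4111-1111-1111-1112 was declined."
)

if __name__ == "__main__":
    result = check_outgoing(SAMPLE_EMAIL)
    print("allowed:", result["allowed"])
    print("found:", result["pans"])
    print("redacted:", result["redacted"])
```

Real DLP products add many more patterns (bank account numbers, national ID formats, keywords near the number) and inspect attachments, but the Luhn step is what keeps a card-number rule from drowning staff in false positives.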