Most cybersecurity breaches of major companies, from Equifax to Yahoo, have made headline news. While smaller companies tend to fly under the radar of news sources, they are not immune from the relentless efforts of hackers. In fact, the risk is even greater, since many owners may not have a cybersecurity protocol or plan in place.
Since smaller businesses tend to have less cash flow and savings, having business interrupted from even a minor hack can be financially catastrophic. The Ponemon Institute, an independent company which conducts research on privacy, data protection, and information security policy, said the global average cost of a data breach is now $3.62 million, while the average cost for each lost or stolen record consisting of sensitive and confidential information is $141.
“In today’s interconnected world, no organization is safe from the threat of cyberattacks, data breaches, proprietary information loss, or even just basic Denial of Service (DoS) attacks,” says Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company. “Regardless of size, every business must have access to cybersecurity expertise in order to identify ways to mitigate that risk by protecting critical assets, and help to implement those strategies in as efficient and effective of a means possible.”
The likelihood that hackers can shut down a business, temporarily or even permanently, is higher than many business owners believe. If hackers are able to obtain sensitive data, they are likely to threaten businesses with costly ransomware.
“A major breach can certainly put a company out of business. However, the extent of damage and the business’s ability to recover is precipitated by several factors,” says Serge Borso, adjunct instructor at SecureSet, a Denver-based immersive and accelerated cybersecurity academy. “In cases involving ransomware, a critical component to limiting the negative impact is implementing a proper segmentation and making regular backups of critical systems and data.”
Companies that rely on mobile payments can mitigate risks by using a dedicated device instead of a personal or multi-purpose device, together with a virtual private network (VPN). The objective is to reduce the threat to the systems and networks that process payments.
“Point-of-sale terminals should be monitored physically by employees or managers to ensure they have not been tampered with, as well as virtually, to validate they are working as designed, such as with end-to-end encryption,” he advises.
Securing a company’s assets from theft, a major fire, or an earthquake is a top priority for business owners, but the same scrutiny must be applied to preventing fraud by cyber criminals.
“This is less about criminal activities and more about an organization’s readiness for any incident,” explains Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions. “The same logic is applied if a company is in the middle of a flood.”
Not being able to access records or payment systems for a prolonged period of time could be detrimental to the bottom line. “Most companies would be out of business if they can’t process payments or send invoices for a short period of time,” he says.
Small businesses are increasingly becoming targets of the black-hat hacking community, which is made up of hackers who break into a computer system or network with malicious intent, says Mary Ann Miller, a senior director and fraud executive advisor at NICE Actimize, a Hoboken, N.J.-based financial crimes software solutions provider. The fraudsters are hacking log-in credentials or buying breached data from small business and consumer email accounts on the dark web.
The most popular technique is socially engineering the small business and then spoofing the email address to commit the fraud. Spoofing can be accomplished easily, with a single character change: if a company name is “Hello.com,” the fraudster changes it to “Hel!o.com,” she says.
“The slight change is very hard to catch at a glance,” Miller said. “The fraudster then begins to communicate with the small business and social engineers the business to pay an invoice or bill that is due, but directs the funds to the fraudster-controlled bank account.”
The fraudsters can easily understand the relationship and communications between the small business and its suppliers or customers, since they have been reading and spying on the business’s inbox.
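The one-character domain swap Miller describes (“Hello.com” versus “Hel!o.com”) is something a mail filter can flag before an invoice reaches an employee. The following added example, not code from the article or from any vendor it mentions, folds common look-alike characters back to their originals and measures edit distance against a constructed list of trusted vendor domains; the domains, headers and confusable table are all assumptions made up for the illustration.

```python
"""Flag invoice senders whose domain merely looks like a trusted vendor's."""
import re

# Substitutions fraudsters use to imitate a domain; constructed, not exhaustive.
# The "!" -> "l" entry covers the article's "Hel!o.com" example.
CONFUSABLES = {"!": "l", "1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case and fold confusable characters so 'Hel!o.com' -> 'hello.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps, drops and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Billing <ap@acme.com>'."""
    match = re.search(r"@([^\s>]+)", from_header)
    return match.group(1).lower() if match else ""


def classify(from_header: str, trusted, max_dist: int = 1) -> str:
    """Return 'trusted' (exact match), 'lookalike' (near miss) or 'unknown'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for vendor in trusted:
        if normalize(domain) == vendor or levenshtein(domain, vendor) <= max_dist:
            return "lookalike"
    return "unknown"


TRUSTED_VENDORS = ["hello.com", "acme-supply.com"]  # constructed allow-list

# Constructed sample From: headers, not real mail.
SAMPLE_HEADERS = [
    "Billing <invoices@hello.com>",
    "Billing <invoices@Hel!o.com>",
    "AP <ap@acme-supp1y.com>",
    "News <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify(header, TRUSTED_VENDORS):9} {header}")
```

A “lookalike” verdict is a reason to hold the message and confirm the payment instructions with the vendor by phone, as the article recommends; it is not proof of fraud on its own.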
Smaller companies who cannot afford a full-time employee to prevent fraud should seek a contractor who can come in for a few hours or one day a week, recommends Roberts.
“There’s too much to do to be able to remember everything yourself,” he says. “It’s as simple as that. You don’t do your own taxes as a small company. You employ an accountant, and you have building maintenance look after the place. We are no different. Get someone who knows what they are doing.”
While hackers are relentless in their pursuits, even burgeoning businesses can protect themselves and lower this risk by setting up a small business account with their bank, says Miller.
“Your bank will ensure you have protections and will educate you on a regular basis on the latest fraud attacks against small businesses and on steps you should take to protect your business,” she says.
Small business owners cannot rely on a single system or service to effectively mitigate transactional and online fraud risks, East West Bank recommends. Instead, they should adopt several risk mitigation practices, such as multiple layers of security, refinement of operational procedures and system controls, and installation of IBM® Security Trusteer Rapport® and other security software to obtain higher levels of protection.
One common tactic fraudsters use is to send a fraudulent email seeking payment for services or a product. Business owners should verify the payment information with the vendor when they receive such an email, placing a call to confirm that the payment instructions are accurate. Fraudsters often attempt to trick owners by altering the original email instructions so that the money is rerouted to them instead of to the legitimate vendor. Putting two-factor controls in place for logging into business email is also beneficial, Miller says.
Owners and employees alike tend to be apathetic about changing their passwords frequently, which can be the downfall of many companies, says Roberts.
“Start to pay attention to those passwords that you don’t like to change or you use the same one for work as you do for Yahoo or Facebook,” he advises. “Change them, separate them, and basically start to do password hygiene.”
As more data is stored in the cloud, companies need to ensure they limit the information they share with suppliers and vendors, and that safeguards are in place, says Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management.
“Organizations of all sizes need a full understanding of the extent to which they rely on cloud storage and computing,” he said. “They may have data in the cloud they don’t even know about.”
Relying only on reactive security solutions, which are typically implemented after a data breach, is not an effective method, says Wenzler.
Proactive security solutions, such as patching systems or running anti-virus software on endpoints, can fix vulnerable code or “act as a wall to stop viruses and malware before they are installed, long before these systems can be exploited,” he says.
Most companies address the issue of hacking by using a combination of proactive and reactive solutions, Wenzler adds.
“Rarely does only one or the other work to fully protect an organization’s critical data and assets. It does require reasonable amounts of analysis by trained security and risk professionals to understand the specific needs of an individual organization and to determine which layers of defense are best suited,” he explains.