Too Small to Hack? Think Again!

We’ve all seen the headlines about hackers targeting large companies including Target, Sony, and Anthem. What many don’t realize is that smaller businesses have become even bigger targets, because cyber criminals know that smaller businesses have fewer defensive resources than large enterprises. What this means is that small business owners need to be cautious about protecting their customer data, cognizant of how they collect that data, and increasingly focused on ensuring that their employees understand the risks associated with managing that data.
The unfortunate reality is that no business is too small to be hacked. National Cyber Security Alliance research shows that two thirds (66%) of small businesses are dependent on the Internet for their day-to-day operations; 38% characterize themselves as very dependent, and 67% say they have become increasingly dependent on the Internet in the past 12 months. If you have a website, send email to your clients, or store customer information online (and you’re lax in your security practices), you could be exposing your customers to threats.
If you are like most businesses, you have vital information to protect, including customer data, financial records and reports, and intellectual property; the reality is that cyber criminals are actively looking to access any or all of that information. Despite this reality, most small businesses have not addressed the tremendous risk presented.  For example:

  • 77% do not have a formal written Internet security policy for employees.
  • 63% do not have policies regarding how their employees use social media.
  • 60% say they have a privacy policy in place that their employees must comply with when they handle customer information and half (52%) have a plan or strategic approach in place for keeping their business cyber secure.
  • More small business owners (45%) say they do not provide Internet safety training to their employees than those that do.
  • Two thirds (67%) allow the use of USB devices in the workplace.
  • Six in ten (59%) say they do not require any multi-factor authentication for access to any of their networks, and only half (50%) say that all of their machines are completely wiped of data before disposal.

What to do?

As silly as it might sound, one of the first lines of defense is to put a privacy policy in place, so customers know what information you collect and how you use it. The second step is to follow the policy. If something were to go wrong and your business systems were unlawfully accessed and/or information breached, the first thing you will need to be able to produce is a privacy policy, and you will need to be able to show what steps were taken to act in accordance with it. By maintaining awareness of the information your business has about its customers and by routinely deleting the information you don’t need, your business will mitigate its risk.

Finally, follow these best practices, from StaySafeOnline.org:

  • Fully protect your own computer systems and keep software, browsers and operating systems current.
  • Scan everything you attach to the network.
  • Keep hackers out with a good firewall.
  • Filter for spam.
  • Train employees to be vigilant.

SMART TIP:  Invest in developing appropriately stated and structured policies and practice strong security measures now, so you don’t have to do it after a breach.