I was going to begin this blog by posing a question to chief executives about how high cyber security is on their list of priorities.
But on reflection, that’s probably a moot point.
Cyber security has made its case with most board members and C-levels, backed by a litany of data breaches across the world that have resulted in gargantuan amounts of data and profit loss — to the point where some companies have had to shut down.
So you already know that implementing a good cyber security strategy is key for your business to keep running smoothly.
But do you know exactly how important it is?
Here’s a sobering fact to remind you of how vulnerable businesses are to cyber attacks. According to a 2019 report, there was a 424% increase in new breaches of small businesses in 2018 compared to 2017.
What’s more, in a survey of 1,000 small- and medium-sized businesses, 78% of respondents indicated they had been the target of cyber attacks in the past 12 months.
So here’s a wake-up call for those small business owners who think they can get away with lax cyber security policies. Cyber criminals are increasingly targeting small companies, and today, it is imperative your business — no matter how small or big — is equipped to handle cyber attacks of any scale.
Why are more cyber criminals targeting small businesses?
Less data, less money, less cyber risk, right?
In fact, smaller businesses are popular targets for cyber attacks because cyber criminals (sometimes correctly) assume your defences aren’t as strong as bigger companies.
Some hackers may prefer to focus on bigger companies because of the ratio of effort and risk to their ultimate reward, but others are increasingly targeting smaller companies.
Firstly, smaller businesses are often the gateways to bigger rewards. As part of a supply chain, many small businesses have professional relationships with larger organisations, or simply by the nature of the organisation, they may be the conduit to a network of sensitive data, such as for contracting services firms, accounting practices, legal firms, conveyancers, and others. These organisations are custodians of sensitive data, ranging from customer information through to confidential passwords, systems access, and valuable financial information — exactly what cyber criminals take advantage of.
They often attempt to hack into smaller organisations’ systems to gain access to bigger, higher revenue-generating companies too. Home Depot’s 2014 data breach is a famous example of this — cyber criminals stole the retailer’s network credentials via a third-party vendor and used them to seize the credit and debit card information of 56 million Home Depot customers.
Secondly, with enterprises, even though there are more entryways, more money to steal, and perhaps even better data to ransack, there will also be stronger cyber security keeping their systems tight. Enterprises generally have the resources to invest in cyber security, including the right tools, people and processes, and the capacity to train frontline staff effectively.
Comparatively, smaller businesses and startups tend to focus proportionately more time and effort on getting a business up and running, generating wealth and ideas, and getting a brand out there. You may not have much experience with business cyber security, other than virus protection — and you probably don’t have a great deal of funds to dedicate to the cause. We all know small business owners and startup founders need to wear many hats, and being a cyber security chief probably isn’t one of them.
But that doesn’t mean that you should ignore the threat — especially because the stakes of doing so are way too high.
The cost of cyber attacks to small businesses
I’ve witnessed first-hand the devastation that cyber attacks can cause small businesses. This ranges from monetary fraud, through to IP corruption, and even the ability to cripple a business. That’s mainly because of lost revenue due to downtime, and the cash spent attempting to remediate the breach, plus the often overlooked reputational damage. They can all really add up.
In fact, according to Ponemon Institute, cyber attacks cost SMEs an average of $2.2 million. Clean-up costs are responsible for about half, with the other half due to business disruption.
Besides these costs, you can get into trouble with governmental agencies too. Both the GDPR and the Notifiable Data Breaches scheme require strict reporting should customer data become compromised — with the potential for stiff penalties and fines for non-compliance, up to $2.1 million for the NDB, and up to €20 million ($32 million) or 4% of the company’s global annual turnover for GDPR.
Damage to trust and reputation
When you’re just starting out, making a name for yourself, the trust in your brand and reputation is something that you are actively building. You don’t have the goodwill and reputation that large companies have accumulated. Your good name and trust in what you do are critical. Just as positive word-of-mouth can help you grow, bad sentiment and negativity can quickly cripple your business. Brand trust and customer satisfaction levels both typically plummet after a cyber attack.
So how are small businesses being compromised?
There are many avenues of attack, but several studies have cited phishing emails as the top threat vector for businesses today. For example, the 2018 Ponemon and Keeper report found phishing/social engineering attacks continue to be the number one attack SMBs experienced. This was followed by web-based attacks, general malware and also stolen/compromised devices.
The figures aren’t ground-breaking. Email is a surprisingly easy road into your systems, and unlike phone calls that purport to be from Microsoft with a distinctly strange accent and line of questioning, emails can more easily seem legitimate. Every day, my team at MailGuard intercepts a host of legitimate-looking phishing and brandjacking attempts that are destined to land in business inboxes and fool staff.
How to fortify your systems
In an ideal scenario, companies would have a dedicated cyber security consultant or an in-house team of security experts who can conceptualise and execute a robust cyber security strategy. However, that just isn’t a possibility for most.
Nevertheless, it’s key for companies to recognise that they are appealing and vulnerable targets for hackers and cyber criminals, more so than they have ever been in the past.
Here are some pointers to get you started.
1. Be a pro-security CEO
As a chief executive or business owner, it’s up to you to set the agenda for cyber security in your organisation and actively take charge of boosting cyber resilience within your company.
You may not be an expert yourself, but you need to know what policies to put in place to instigate security improvements, and what the risks are to your business.
Collaborate with your teams and ask them to suggest ways your company can strengthen its security stance. You should call on all corners of your business, from sales through to operations, marketing, finance and IT.
They are well-versed in the different IT processes that their teams handle every day, and may give you useful insights on which aspects of those processes could be made more secure.
2. Cyber security education
Ensure everyone in the company knows they have a part to play in creating a cyber-savvy culture. Think about it: if everyone in your organisation practices good cyber habits, the need for you to allocate a substantial amount of resources for cyber security would be drastically reduced.
Being cyber-savvy is a process that begins with awareness. If you want your team to participate in making the business safer from hacking and cyber crime, you have to give them the knowledge to make good security choices. It doesn’t just happen. It’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defence.
The goal of cyber security education in a business setting is to give team members a functional understanding of how to avoid potential threats. By educating teams about how cyber security works, a company significantly improves frontline resilience.
Not every person in a company has to be an IT expert, but everyone should have a basic understanding of the cyber threats, such as malicious email, that they are likely to encounter on a daily basis.
There are several inexpensive means of providing this information to them, such as finding free guidebooks online and/or workshops on how to be cyber secure.
3. Good password hygiene
Did you know 81% of data breaches are caused by weak and/or stolen passwords? Ensuring employees practice good password hygiene is a great way to boost cyber resilience in your company. Encourage them not to use generic passwords or repeat old ones. You can enforce password rules that disallow password reuse or even similar password reuse (this can be trickier to set up).
Where it is available for key business-critical systems, encouraging employees to use multi-factor authentication makes it harder for phishing scammers to break into your company. It provides an extra layer of protection for extremely confidential information, especially for your cloud-based accounts: when a user wants to log in, they have to pass a second stage of authentication, which commonly involves an SMS message sent to their phone, alerting the genuine account holder to any fraudulent sign-in attempts. Other options include USB keys, codes generated by an app, or a verification email as complements to the standard password.
You can also take advantage of reputable services such as HaveIBeenPwned to see if confidential data has been exposed in any known data breaches. Data found to have been leaked can include usernames, passwords and addresses. Investing in a good password manager such as LastPass might also prove useful in the long run.
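The password-history rule described above, including the "similar password" variant the text calls trickier, can be implemented without storing anything in plaintext: keep a salted hash of each old password and a second salted hash of its normalised stem (lowercased, trailing digits and symbols stripped, common letter-for-symbol substitutions undone). This is an added illustration, not code from MailGuard or the original article; the normalisation rules, iteration count and history depth are assumptions you would tune for your own systems.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters: 100k PBKDF2-SHA256 iterations and a five-entry history.
ITERATIONS = 100_000
HISTORY_DEPTH = 5
# Undo the substitutions users typically make when "changing" a password.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalise(password: str) -> str:
    """Reduce a password to the stem that 'Summer2019!' and 'Summer2020!' share."""
    stem = password.lower()
    stem = re.sub(r"[\W\d_]+$", "", stem)      # strip the trailing year/symbol suffix
    stem = stem.translate(SUBSTITUTIONS)       # p@ssw0rd -> password
    return stem or password.lower()            # all-digit passwords keep themselves


def hash_value(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user history holding only salted hashes of old passwords and their stems."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes, bytes]] = []  # (salt, exact, stem)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_value(password, salt),
                             hash_value(normalise(password), salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]

    def check(self, candidate: str) -> str:
        """Return 'reused', 'too_similar' or 'ok' for a proposed new password."""
        stem = normalise(candidate)
        for salt, exact_hash, stem_hash in self.entries:
            if hmac.compare_digest(hash_value(candidate, salt), exact_hash):
                return "reused"
            if hmac.compare_digest(hash_value(stem, salt), stem_hash):
                return "too_similar"
        return "ok"
```

Note that the stem hash protects a lower-entropy value than the password itself, which is why a slow, salted hash and a short history are used rather than a plain digest.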
Get the facts
Companies are spending more on cyber security now than ever before, but those funds aren’t always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many chief executives about the sources of cyber threat.
Studies consistently show that more than 90% of cyber attacks are perpetrated via email, yet email security is rarely the biggest item in cyber security budgets. If we’re going to win the battle against cyber crime we have to get real about the nature of the threat.
This article was first published on the MailGuard website, and was republished with permission.