If you’ve been online in the last few weeks, you’ve probably heard about the DDoS attacks that took down websites across the internet. What you may not realize, however, is that the attacks didn’t just hit big companies—small businesses were affected, too.
These kinds of attacks have grown more frequent over the last few years, especially against small businesses. And, with the holiday season rapidly approaching—bringing both increased business and increased risk—there’s never been a better time to revisit your cybersecurity defenses. By learning what makes businesses vulnerable to attack, you can bolster your current security practices and set up a plan to minimize damages in the event of a breach.
Why Small Businesses Are Vulnerable to Cyber Attacks
InfoSec journalist Taylor Armerding offers two reasons for the uptick in small-business cyber attacks: lax security practices and smarter hacking technology. Many small-business owners don’t adequately prioritize security efforts, assuming that cybercriminals won’t bother with smaller organizations. Hackers, however, armed with ever-evolving digital tools, are more than willing to take advantage of those weaknesses.
Once an attacker is inside, limited staff and budget can make it hard for a small business to contain the damage. The attacker might hold company data for ransom, sell customer information, use stolen payment card data for fraud, or use the compromised system as a stepping stone into a larger partner or supplier. In extreme cases, there may even be political implications tied up in the breach.
Small Business Data Breaches Carry Hefty Consequences
Data breaches affect small businesses both quantitatively and qualitatively, and the ultimate impact is often severe: roughly 60% of small businesses close within six months of experiencing a data breach.
The monetary element of a breach is usually the first and most obvious cost. Quantifiable costs of a breach typically include forensic investigation, regulatory fines, lawsuits, infrastructure and POS-system upgrades, and credit monitoring for affected customers.
Nonmonetary effects can be extreme, too—reputation damage and bad publicity aren’t easily erased. Other indirect costs include the potential loss of payment card privileges, as well as time spent responding to and recovering from a hack.
Setting Up Defenses Against Cyber Attacks
No defense is impenetrable, so the realistic goal is to make a breach less likely and to limit the damage when one does happen. These nine steps can help you reinforce your current security infrastructure.
- Perform a security audit of your business. Examine and catalog every part of your existing security setup. Don't forget to really scour endpoints like employee devices, POS systems, integrations with business partners, and third-party services. The Federal Communications Commission has a great interactive cybersecurity template to give you an idea of what to cover.
- Look at infrastructure and POS system needs. According to a 2015 study by the Ponemon Institute, 32% of data breaches arise from system malfunctions. Avoid those issues by assessing your system’s current capacity, as well as its ability to scale safely with increased holiday traffic.
- Check for updates and patches regularly. Attackers look for the smallest unpatched flaw in software or hardware and turn it into a full compromise, so apply security updates and patches promptly, starting with anything exposed to the internet.
- Invest in multiple external servers or cloud backup services. Good security includes backing up data regularly to a secure location and keeping more than one copy. If your data is stored with two separate services, you are still covered if one goes down. Keep at least one copy offline or otherwise unreachable from your day-to-day network, since ransomware that reaches your live systems will also try to reach your backups, and periodically test restoring from a backup, because a backup that has never been restored is unproven.
- Limit access to information. Transparency is good, but don't overshare security details, and give each employee and system only the access its job actually requires. By limiting access, you decrease the number of entry points into your business's systems and data.
- Prepare and share a written security policy across your organization. Training, education, and documentation can help employees minimize risky online behaviors and keep customer information secure.
- Monitor your business. Your business's security is only as good as its oversight. You, or someone in IT, should enforce strong, unique passwords (with multi-factor authentication where it is available), review who has network access, and control which applications employees install.
- Draft a response and recovery plan. The plan won’t prevent a cyber attack, but it will help you be prepared if you ever encounter one.
- Stay informed. Stay up to date with concerns, trends, and best practices by following security-related blogs and websites.
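The backup advice above is only as good as your ability to prove a copy is intact. The following is an added example, not code from the original article: a small Python 3.9+ script that copies a directory to two independent destinations, records a SHA-256 manifest of every file, and later checks each copy against that manifest. The file names, directory layout and the "silently corrupted second copy" scenario are constructed inside a temporary directory so the script runs offline; the manifest is kept separately from the copies, because a backup that stores its own checksums can be altered together with them.

```python
"""Back up a directory to two destinations and verify each copy against a
SHA-256 manifest held separately from the copies.

Added example for this article, not the author's code. All paths and sample
files are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def back_up(source: Path, destinations: list[Path]) -> dict[str, str]:
    """Copy source into every destination and return the manifest.

    The caller keeps the returned manifest somewhere the backup media cannot
    reach, so a tampered copy cannot vouch for itself.
    """
    manifest = build_manifest(source)
    for dest in destinations:
        shutil.copytree(source, dest / "data", dirs_exist_ok=True)
    return manifest


def verify_backup(dest: Path, expected: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the copy matches."""
    actual = build_manifest(dest / "data")
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"corrupted: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: two copies are made, then the second is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "orders.csv").write_text("id,total\n1,19.99\n")
        (source / "config.ini").write_text("[pos]\nterminal=3\n")

        copies = [base / "copy_a", base / "copy_b"]
        manifest = back_up(source, copies)

        # Simulate bit-rot or tampering on the second copy only.
        (copies[1] / "data" / "customers" / "orders.csv").write_text(
            "id,total\n1,0.00\n"
        )

        return verify_backup(copies[0], manifest), verify_backup(copies[1], manifest)


if __name__ == "__main__":
    first, second = demo()
    print("copy_a:", first or "OK")
    print("copy_b:", second or "OK")
```

Run it as-is and the first copy verifies clean while the second reports the altered file. In practice the manifest would be written to a location the backup job cannot modify, and the same `verify_backup` check would be run as part of a scheduled restore test rather than only at backup time.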
Navigating the Aftermath of a Security Breach
If your defenses have been breached, stay calm. This is the time to put your recovery plan into action. Take these nine steps as soon as possible.
- Hire a forensic investigator. To effectively manage a breach, you need to know the extent of it, so seek out the aid of a skilled data breach analyst.
- Limit the damage where possible. Isolate any servers or devices you believe to be compromised by disconnecting them from the network, but don't wipe, rebuild, or power them off before the investigator has examined them: powering off discards what is in memory, and rebuilding destroys the evidence needed to work out how the attacker got in.
- Enact reporting protocols. Most US states require businesses to report data breaches, and the deadlines vary, so find out which rules and regulations apply to you and set up a process for following them.
- Notify affected parties. Besides contacting the authorities, alert your customers and other involved parties, including business partners. Notifying consumers and communicating with them regularly is good business practice and can lessen damage to your reputation.
- Explore legal options. If you have legal counsel or have purchased cybersecurity insurance, you should contact your lawyer and insurance agent, too.
- Prepare communication responses. You should formulate statements that can be released to the media and social networks. Prepared statements prevent floundering when a hack occurs and can decrease the chances of a social firestorm.
- Plan for delays and restitution. You could experience delays in resolving a data breach, so set some capital aside to cover slow months and secondary breach costs, such as credit monitoring for customers.
- Test the security repairs. Once the necessary repairs are made, hire someone to try to bypass them. This kind of penetration testing confirms that the known vulnerabilities have actually been fixed and can surface related weaknesses before an attacker finds them.
- Learn from the breach. No one wants to deal with a cyber attack, but the experience can help you shore up your prevention and recovery strategies.
Data breaches are serious business, but by understanding what could make your company vulnerable, you can develop an overarching cybersecurity plan that addresses prevention, response, and recovery. With proper foresight, your business can absorb an attack, recover quickly, and return to providing services and making profits.