For the malicious actors who perpetuate cybercrimes, it’s generally a “numbers game.” If they try widespread, indiscriminate attacks on all types of businesses, at least one will surely succeed. Unfortunately, this means there’s no such thing as a business being small enough to escape targeting. In fact, it’s stated in the Verizon 2022 Data Breach Investigations Report that small businesses are often targeted at high rates because of their size. The logic follows that they have fewer resources for cybersecurity and training and are therefore easier to breach. An oft-repeated mantra in cybersecurity is that it’s a matter of when a business will be attacked, not if. So, how can small businesses protect themselves? Today, we’re breaking down the current state of small business cybersecurity and some of the best tips to implement for your venture.
The Importance of Cybersecurity for Small Businesses
Larger companies generally have more robust implementations and trained workforces that disincentivize cybercriminals’ attempts. The difficulty of breaching their defenses has turned more attention to smaller businesses in recent years.But preparedness can similarly help protect small and medium-sized businesses. Cybersecurity ROI can be difficult to define, but, per IBM’s 2022 Cost of a Data Breach Report, a successful cyberattack leads to losses averaging $4.24 million. Adopting a proactive stance with implemented solutions, employee training, and documented response programs substantially mitigates the likelihood and damage of a successful attack. These efforts not only prevent headaches and lost resources but could also be the difference in whether a business survives a data breach’s aftermath.
How Often are Small Businesses Targeted?
The frequency of small business attacks has been documented in Verizon’s Data Breach Investigations Reports, which combine forensic data from 83 partner organizations. In 2020, small businesses—defined by the report as under 1,000 employees—were targeted by nearly 56% of known incidents and fell victim to 46% of known successful breaches. In 2021, these percentages jumped to 76% of known incidents and roughly 74% of known successful breaches.
The State of Small Business Cybersecurity Preparedness
Despite the risks, most small businesses are ill-prepared to fend off cyberattackers:
Yet, when asked about their concern over being targeted, 80% of small businesses stated they were “not concerned about being the victim of a hack in the next 12 months” or were “not concerned at all.” There’s a clear disconnect cybercriminals are exploiting.
Common Small Business Cybersecurity Threats
Many of the most common cybersecurity threats that small businesses face depend on social engineering and the ability to trick users into believing a malicious actor’s legitimacy. This is why employee training that helps users recognize these attacks is so crucial.
These attacks are often preventable with awareness and simple steps like making a follow-up call to the sender to confirm a message’s validity. Some of today’s most dangerous cyberthreats that small businesses face include:
- Phishing – Involves a malicious individual pretending to be or represent a legitimate person or entity and often leveraging social engineering to convince a user to click on links or download attachments containing malware.
- Business Email Compromise (BEC) – A specific subset of phishing that attempts to convince employees to complete wire transfers, with malicious actors as the recipients.
- Ransomware – A specific type of malware (i.e., “malicious software”) that encrypts systems and data, locking out businesses until a ransom is paid. However, decryption often doesn’t occur following payment.
- Tech support scams – Cybercriminals will sometimes pose as legitimate tech support personnel to gain user credentials and other sensitive information.
- Unsecured remote access – The rise of work-from-home during the pandemic has increased remote access security challenges and the need for strict authentication protocols and “zero trust” models.
- Third-party security – Cloud platforms and services have significantly increased the number of network connections that businesses must protect. If a vendor is compromised, malicious actors can leverage their access to breach client businesses.
- Distributed denial of service (DDoS) – DDoS attacks overload websites and other IT resources by sending endless requests that tie up servers, preventing legitimate user access.
Of these attacks, phishing claimed the highest number of victims in 2021—323,972 per the FBI’s Internet Crime Complaint Center (IC3). However, BEC attacks, which exclusively target businesses, led to the heaviest losses at nearly $2.4 billion.
11 Tips for Small Business Cybersecurity
Although the cyberthreats facing small businesses can be daunting, proper training, awareness, and solutions will help bolster defenses. To that end, New Horizons has compiled 11 tips to help businesses defend against ever-evolving cybercrime techniques.
1. Implement a Cybersecurity Training and Awareness Program for All Employees
Particularly for social engineering attacks, a business' personnel comprise the most critical line of cybersecurity defense. Unfortunately, this is because if a user willfully shares credentials, sensitive information, or transfers money to a person or entity they believe is legitimate, there are little to no cybersecurity implementations that can help.
Crucially, cybercriminals continually adapt their techniques, so cybersecurity training is never a “one-and-done” effort. Training must recur periodically and following critical events or newly identified threats.
2. Adopt Industry-Applicable Cybersecurity Frameworks
Depending on the industry, there may be a dedicated cybersecurity compliance framework your business must implement (e.g., HIPAA for healthcare, PCI DSS for credit card activity). These frameworks provide thorough guidance for cybersecurity programs, specifying the controls and their restrictiveness.
However, not every industry must adhere to one of these frameworks. For businesses that don’t have a mandatory compliance obligation, they can always turn to “Special Publications” published by the National Institute of Standards and Technology (NIST), like SP 800-53.
3. Configure Strict Authentication Protocols
On top of strict password policies, businesses should configure multifactor authentication (MFA). MFA requires users to enter a second set of credentials (commonly a PIN code or “one-time password” on a timer) at login. This helps ensure that even if a password is compromised, intruders won’t be able to log in.
4. Provide IT Employees with a Path to CompTIA Security+ Certification
CompTIA Security+ is a globally recognized cybersecurity certification. Earning certification attests to the individual having the baseline knowledge that core information security roles require. The expertise gained meets US Department of Defense and ISO 17024 standards, so rest assured that certified individuals will meet the demands of their role.
5. Enforce Strict Password Policies
Without enforcing strict password policies, login credentials can be one of the weakest cybersecurity links in any organization. Per the latest guidance released by NIST in SP 800-63B, modern password policies should:
- Emphasize length over complexity – Encourage users to come up with sufficiently long “passphrases” that are easier to remember than alphanumeric strings.
- Not enforce regular resets – Users often reset their passwords with similar or weaker versions of their existing credentials.
- Screen against commonly used passwords – Although complexity is now less emphasized, known weak passwords and formats should be automatically denied.
- Limit failed login attempts – Particularly successful in defending against brute-force intrusion attempts, limiting the number of login attempts automatically locks an account when a suspicious number of authentication failures occur.
- Adopting these user password guidelines will help secure critical entry points to your network and systems. For implemented systems, the most important step is always changing the vendor-supplied default passwords.
6. Complete Microsoft’s AZ-500T00 Course (or Equivalent)
Microsoft’s AZ-500T00 certification is similar to CompTIA Security+ in that it ensures Azure Security Engineers have the baseline knowledge their role requires. Particularly if an organization relies on Microsoft Azure for cloud infrastructure, having available cybersecurity professionals with this certification is a necessity.
7. Implement Automated Security Solutions
Small businesses need to maximize their cybersecurity return on investment. Automated solutions—like threat monitoring and vulnerability scanning—will enable cybersecurity professionals to gather the insight and assessment information they need without expending additional bandwidth.
8. Implement Robust Email Security
Security solutions like anti-malware scanners and integrated cloud email security (ICES) will help substantially reduce the threats of phishing, ransomware, and other email-delivered cyberattacks. These platforms will scan incoming and outgoing email traffic for known threat signatures and quarantine any identified positively. Sophisticated solutions will also utilize artificial intelligence and machine learning to expand identification capabilities beyond recognizable signatures, helping to perceive and prevent unknown threats.
9. Enforce “Zero Trust” and the “Principle of Least Privilege”
“Zero Trust” is a cybersecurity model that emphasizes no implicit trust of users and devices whatsoever, even if they had previously accessed a given network. Every connection must first be verified and continually reverified throughout the connection’s duration. Similarly, all user accounts should be provisioned access permissions according to the “Principle of Least Privilege.” This asserts that employees should only be granted the level of access strictly required for their role’s responsibilities—no more, no less.
10. Leverage Encryption
Encrypting hardware and data provides an extra line of defense should a breach occur. Without the cryptographic key necessary for decrypting information, it remains unreadable. Encryption can even be used for HIPAA-subjected entities to demonstrate that a data breach did not occur because the cybercriminal could not actually read the information they’ve obtained.
11. Conduct Penetration Testing with Ethical Hackers
Once the implementation of your security program is underway, the best thing to do is conduct penetration testing to assess its strength and determine any vulnerabilities. Penetration testing is a form of ethical hacking where an individual attempts to breach a company’s security. They then compile advisory reports based on their findings that help inform your organization’s security program. Before hiring or partnering with an ethical hacker, small businesses should first verify whether they'd earned the EC-Council (EC) Certified Ethical Hacker (CEH). This certification indicates whether the individual has acquired ethical hacking knowledge and is continually updated to provide training on the latest cybercriminal attack methods.
Steadfast Cybersecurity for Your Small Business with New Horizons
The cybersecurity threats that small businesses must contend with are very real and very dangerous for ongoing operations. However, ensuring personnel have the proper training and certifications to build and enforce a strict security program will substantially mitigate the threats. Robust cybersecurity is easily achieved through certifications like CompTIA Security+, Microsoft’s AZ-500T00, and CEH. New Horizons provides comprehensive training courses that help employees achieve these certifications. As the largest Cisco-authorized training partner and deliverer of 40% of all authorized Microsoft training, New Horizons is the most reliable way to earn cybersecurity certifications that substantially help cybersecurity for small businesses.
Contact us today to learn more about New Horizons’ certification training programs.
CNBC. Main Street overconfidence: America’s small businesses aren’t worried about hacking. https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-about-hacking.html
Corvus Insurance. Survey Findings: SMB Cyber Readiness. https://insights.corvusinsurance.com/cyber-risk-insight-index-q1-2022/survey-findings-smb-cyber-readiness
IBM. 2022 Cost of a Data Breach Report. https://www.ibm.com/security/data-breach
IC3. 2021 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
NetSec.news. Summary of the NIST Password Recommendations for 2021. https://www.netsec.news/summary-of-the-nist-password-recommendations-for-2021/
NIST. Computer Science Resource Center. https://csrc.nist.gov/publications/sp
NIST. SP 800-53 Rev. 5. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST. SP 800-63B. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
Verizon. 2021 Data Breach Investigations Report. https://www.researchgate.net/publication/351637233_2021_Verizon_Data_Breach_Investigations_Report
Verizon. 2022 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf
Wall Street Journal. Small Businesses Struggle With an Increase in Cyberattacks. https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786