Think your business is too small to be of interest to a cyber criminal? Think again. While big companies make the headlines for their data breaches, small companies are also a favourite target of hackers. "Small businesses can be a really sweet spot for cybercriminals. They have more money to steal than a consumer and less security in place than a large business," said Kevin Haley, director of security response at Symantec. Hackers know that smaller businesses have fewer resources for protection, but still have equally valuable information, making them a prime target.
According to a survey conducted by Nationwide, 58% of small businesses reported some sort of cyber attack. The most common forms of attack, based on the survey, were computer viruses, cited by 36 percent of respondents. Next came phishing attacks, cited by 29 percent, and then trojan horses, cited by 13 percent.
A significant problem for the companies surveyed was being unprepared for an attack. About 57 percent of the firms did not have dedicated employee or vendor monitoring for cyber attacks in place. This means that almost 3 out of every 5 organizations do not use log management to monitor employee or vendor activities, which is problematic because there is no way to identify unusual activity or to determine which user an attack likely stems from. Even worse was the lack of planning for what to do in case of an attack: about 76 percent did not have a plan in place. In addition, 57 percent did not have a plan for protecting employee data, and 54 percent didn’t have a plan for protecting customer data.
The study by Nationwide illustrates that small businesses need to protect themselves, as well as have plans and procedures in place in case a breach does occur. The survey also found that recovery from an attack was slow and expensive. “About 20 percent of cyberattack victims spent US$50,000 and took more than six months to recover, while 7 percent spent more than $100,000 and took more than a year to recover.” In addition to the actual dollars spent, trying to recover a company’s reputation post-breach can take well over a year.
So, what’s a small company with limited resources to do? Two of the larger problems highlighted by this survey are uncertainty over what a cyber breach looks like, and a lack of planning and preparedness for when a breach occurs. Small business owners need to educate themselves and their staff as to what an attack could look like. They need to learn about different types of cyber fraud schemes and common threats, such as phishing and spoofing scams, social engineering, malware and systems hacking. In addition, having security protocols and procedures in place will help staff recognize when someone is trying to breach the system, and know what to do about it. Building on the security policy, businesses can then prepare an incident response plan. As with a fire drill, employees are trained in what to do in the event of a breach by simulating one and gauging the response.
In addition, organizations will find that proper vulnerability management helps protect systems from hackers exploiting flaws in software code. Whether it takes the form of patch management or upgrading software versions, ongoing management will help. Additionally, incident management software will send alerts to users when a system fails and will be able to pinpoint which system was exploited. While it’s nearly impossible to monitor and manage both vulnerabilities and incidents on your own, specific software is designed to monitor your network and highlight these problem areas. For more information on this software, check out our Core Services page.