In 2016 Cyber Streetwise and KPMG surveyed 1,000 small businesses and 1,000 consumers across the UK. Fewer than a quarter of small business owners (23%) named cybersecurity as their top concern. That is a shockingly low number, given that 60% had experienced a cyber breach and 89% of those said it hurt their reputation, damaged their brand and cost them clients.
Another factor worth mentioning: a large enterprise usually has the resources to absorb a cyber attack and its aftermath, but for a small business the same incident can be critical and may even lead to bankruptcy.
Cybersecurity can be a daunting challenge for small business owners. So what goes wrong, and why?
Employee negligence is the number one concern when it comes to cybersecurity risk. Yes, humans are the weakest link. It may be the accidental loss of a device or an important document, or access that is never revoked when a contract with an external vendor ends.
As it turns out, a recent survey of small business owners by Shred-it revealed that hackers are no match for employee negligence. Almost half of business leaders said human error had caused a data breach at their organization. Many of those mistakes come down to poor basic habits: employees do not lock their computers and leave important papers on the desk for everyone to see. On top of that, employees often do not know the software they use well enough to use it safely.
Even if business owners make sure the internal infrastructure is protected, an employee can walk into a coffee shop, connect to the public WiFi and check work email while a snooper on the same network intercepts any traffic that is not encrypted.
A malicious insider (for instance, someone hired by a competitor to get at a trade secret) is an entirely different kind of human risk. There are many ways for a worker to abuse sensitive information if he or she wishes to, or was placed there to do so.
Everybody carries a phone, and it is hard to monitor because its contents can be encrypted. A 'spy' can photograph the documents they need and send them to your competitors without you ever finding out.
Inexperienced staff completing important tasks. If you have a student or an intern working for you and let them build your websites and intranets without supervision, you are practically leaving openings for intruders to get in.
Even the most experienced specialist cannot write error-free software; imagine how much damage a lack of experience can do.
Businesses do not pay enough attention to backups. A backup means copying your files to a secondary location for safekeeping. If a device fails, a tested backup ensures you do not lose your data. It is one of the essential tasks in tightening cybersecurity.
If ransomware infects a device, it encrypts the stored data and the attacker demands a ransom for the key that unlocks it.
Regular backups help avoid significant losses: if access to your files is compromised, a backup is the most reliable way to recover your data. The backup must be kept where the same malware cannot reach it (offline, or on storage the infected machine cannot write to), or it will be encrypted along with everything else.
Unfortunately, malware is not the only threat. There are many cases that follow a typical scenario: company X has no automatic backups for its financial data. Its accountant notices this and starts laundering money, carefully manipulating timestamps to cover the trail. Only when the company finally runs its annual backup does it notice that the records' dates are off by a year, say 2017 instead of 2016. It costs a lot of money and effort to establish that the accountant was responsible. The situation shows how exposed a system is when it is not protected well enough, and that a regular backup is also an independent record against which later tampering can be detected.
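The anecdote above turns on timestamps being forged. The following Python script is an added example (not from the article) of a backup that records a manifest of content hashes, and a verification step that compares file contents rather than modification times, so resetting a file's timestamps after editing it does not hide the change. The folder names, file names, manifest name and the tampering scenario are all constructed for illustration.

```python
"""Backup with a content-hash manifest, and tamper detection that ignores timestamps.

Added example (not from the article). Paths, file names and the tampering
scenario are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical manifest file name


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and write a manifest of content hashes.

    copy2 preserves mtime, but the manifest records digests of the bytes, which is
    what later verification trusts; timestamps are treated as untrusted metadata.
    """
    manifest = hash_tree(src)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with a manifest.

    Returns lists of paths whose content changed, that disappeared, or that were
    added. Only content hashes are compared, so resetting a file's mtime after
    editing it (as in the accountant anecdote) does not hide the change.
    """
    current = hash_tree(root)
    return {
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "missing": sorted(set(manifest) - set(current)),
        "new": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up a small finance folder, then tamper with the
    ledger while restoring its original timestamps, and see what each check says."""
    work = Path(tempfile.mkdtemp())
    try:
        live = work / "finance"
        live.mkdir()
        ledger = live / "ledger-2016.csv"
        ledger.write_text("date,account,amount\n2016-03-01,1001,1200.00\n")
        (live / "notes.txt").write_text("quarterly close\n")

        backup_dir = work / "backup-2016-03"
        manifest = make_backup(live, backup_dir)
        # The backup copy itself should match the manifest exactly.
        backup_report = verify_against_manifest(backup_dir, manifest)

        # Tamper: change an amount, then put the original atime/mtime back.
        before = ledger.stat()
        ledger.write_text("date,account,amount\n2016-03-01,1001,120.00\n")
        os.utime(ledger, ns=(before.st_atime_ns, before.st_mtime_ns))

        return {
            "backup_copy_clean": backup_report == {"modified": [], "missing": [], "new": []},
            "mtime_changed": ledger.stat().st_mtime_ns != before.st_mtime_ns,
            "live_vs_manifest": verify_against_manifest(live, manifest),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A timestamp-based comparison reports nothing (mtime_changed is False), while the hash comparison flags ledger-2016.csv as modified. In practice the manifest belongs with the backup, on media the production machine cannot overwrite; a manifest stored next to the live data can be edited by the same insider.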
Lack of software updates. Even if you have installed security or anonymization software, it is of little use if it is not updated regularly. Updates often contain security fixes and new features, improve stability and retire outdated components. Failing to apply them leaves attackers free to exploit vulnerabilities that are already public and already fixed upstream.
Unpatched software is a common entry point for malware (ransomware, cryptominers and the like) that can severely damage the data a company handles as well as the devices it uses.
Shared WordPress hosting. Shared hosting puts your site on the same server as many others, so a compromise of a neighbouring site, or of the host itself, can expose yours. Poorly maintained WordPress plugins are another weak point: compromised plugins have been used to plant scripts that mine cryptocurrency at your visitors' and your own expense.
No audits, which are essential to keep the company's security up to date. A security audit is a systematic, measurable assessment of how secure a company's computer systems actually are. Essentially, it reveals whether there are exploitable gaps.
An audit includes evaluating the physical configuration, the software, the handling of related processes, interviewing staff, and so on. Such reviews also determine whether a company complies with new legal regulations, for instance the General Data Protection Regulation (GDPR) in Europe.
Audits are necessary but costly, running up to tens of thousands of dollars. Small businesses tend not to set aside part of their annual budget for them. It is understandable, yet dangerous.
Poor password hygiene. Inadequate password management is still a top digital security threat. Even though people know the best practices, a recent study shows that 59% of users reuse the same password across different platforms, 61% never change their passwords, and 47% do not use different passwords for work and personal accounts. A password manager removes most of the excuse for reuse, and multi-factor authentication limits the damage when a password does leak.
Employers are often unaware of these habits and so do not encourage their employees to practise proper password hygiene. Companies that take the matter seriously have a clear password policy, run mandatory workshops, and may even include a password-management section in the employment contract.
Companies don't hire specialists responsible for their online security. Despite holding sensitive information, they say they cannot afford an expert.
That is hard to justify when, for example, security experts in the USA earn up to $60 an hour. One dedicated security professional can oversee all of the company's systems, keep them up to date, and make the other employees aware of and educated in the best security practices.
Set against the potential costs of a breach, such an investment does not look expensive, unless the specialist becomes the leak.