John Griffin Jr. is CEO & Founder of AGB Investigative Services, which provides physical security and cybersecurity services in 12 cities.
A small law firm, a manufacturer with 35 employees and a nonprofit with two people can all be technology-driven companies. Their basic operations rely on operating systems, software applications and networks as much as any brand-name financial institution or multinational retailer.
But unlike those big companies, which typically survive a headline-grabbing cybercrime, these incidents can be devastating for small- and medium-sized enterprises (SMEs). As the founder of a cybersecurity and physical security company, I’ve seen that SMEs face the heavy price of business interruption, remediation and data recovery, sometimes working only from paper records, and they may lack the capabilities and personnel to protect their critical IT infrastructure from cybercrime.
Small Business, Big Ransoms
In the past five years, ransomware has accounted for 40% of total incident costs related to cyber claims, according to the Cyber Claims Study 2021 Report by NetDiligence. In 2020, the average ransom demand was $247,000. The cost to recover from an SME cybersecurity incident was around $352,000. These costs don’t reflect the customer trust stolen with sensitive data.
Well aware that small businesses have incomplete or nonexistent cybersecurity systems, criminals target them in bulk, sending out endless phishing attacks with the hopes of catching just a few victims in their automated nets. As of October 2021, Google sent out 50,000 phishing or malware attack warnings, a 33% increase from the same period in 2020.
Work-from-home and work-from-anywhere technologies, common since the Covid-19 pandemic, further expose employees and small business systems to cyberattack. According to one study, during the Covid-19 pandemic, nearly 70% of full-time employees in the United States began working from home.
Unfortunately, I’ve seen that small companies rarely take steps to protect their remote workers by setting up two-factor authentication (an extra login step) or encryption to protect computer drives. Also, millions of employees left their jobs during the pandemic. Have all their email accounts and logins been disabled? Likely not.
SME Vulnerabilities And Cybersecurity
Why are small businesses so vulnerable? They may lack the operational know-how and personnel to properly protect their IT systems and networks. Here are some of the situations I’ve observed that often make small businesses more vulnerable:
• IT infrastructures tend to be out of date, not updated regularly or configured incorrectly.
• The individual responsible for IT (the chief financial officer, the CEO or some random staffer) is rarely up to speed on the latest security threats and solutions. Hiring a chief information security officer is often untenable, given that the average salary is around $165,000.
• A mishmash of local hardware, networks, devices and applications can make cyber defense nearly impossible.
• Cyber awareness training for employees is ineffective or nonexistent.
• Backups may be unreliable or untested.
• Disaster recovery and business continuity planning haven’t been prioritized. Company leaders may assume, incorrectly and to their peril, that they’re too small to be a target of cybercrime.
Getting Ahead Of A Sticky Situation
To get started improving your company’s cybersecurity profile, you don’t need a new piece of hardware or antivirus software. Begin with a thorough inventory of your physical and cyber assets and an assessment of known vulnerabilities. It is important to establish a “data governance” document setting benchmarks for how to manage data. This playbook is especially useful in small organizations, where passwords may be tracked on Post-it Notes on computer monitors or affixed to the bottom of mousepads.
Employee cybersecurity awareness training is also essential. A top threat vector in the ransomware epidemic is phishing and other forms of social engineering, that is, tricking people in order to get into sensitive networks. IBM’s 2021 X-Force Threat Intelligence Index found phishing led to one-third of cyberattacks. Make sure your employees know what to look for in these situations.
Another way to get ahead is with penetration testing. “Pen testing” verifies that your security approaches work as expected. In my experience, few small businesses have the expertise to conduct penetration testing, so you may want to consider working with an expert. (Disclosure: My company provides these services.)
Finally, I suggest every business implement real-time monitoring of its networks and servers. While strong passwords, two-factor authentication, encrypted data and network firewalls are important and will slow down attackers, 100% prevention isn’t affordable or feasible.
For small businesses, taking steps to block the potentially catastrophic impact of a cyberattack can be well worth the investment.