Small businesses are the most likely to be hacked — Here is what they need to know
When Ukraine’s capital, Kiev, suffered a power outage in 2016, it looked like a repeat of an incident from a year earlier. But when two major cybersecurity companies, ESET and Dragos Inc., took a close look, they uncovered something more threatening: the blackout was linked to a malware framework, called CRASHOVERRIDE by Dragos and INDUSTROYER by ESET, built to attack the grid’s electrical infrastructure through its industrial control systems (ICS).
If such a magnitude of attack can happen to a nation’s grid, then what is left for small businesses to do?
Our growing reliance on technology exposes us to more cybersecurity risks and vulnerabilities. Data breaches and cyber threats are rampant today, with their estimated cost projected to reach an average of 6 trillion dollars by 2021. That is an overwhelming figure, especially for small business owners to handle.
I spoke to several leaders in the IT community to get their feedback on the key questions shaping the cybersecurity landscape: what are the most significant threats a small business needs to consider? What does cyber insurance cover, and what is excluded from cyber insurance policies? What is the difference between data breaches and cybercrime? And what expert tips should businesses consider when trying to protect themselves against cybercrime?
What are the biggest threats a small business needs to consider?
Without a doubt, data breaches and cyber attacks are the biggest threats facing small businesses. Data breaches have grown wild recently: a report from Gemalto suggests that breaches compromised nearly 4.5 billion records during the first half of 2018. The latest of them all was the Marriott data breach, in which hackers made off with almost 500 million customer records, including names, addresses, phone numbers, credit card details and passport information. Five hundred million is no small figure, and the stolen data can be used to cause havoc and fuel criminal activity.
“That’s why small business owners need to step up their game by first avoiding the ignorance mentality and lack of awareness or “It can’t happen to me” attitude,” said Anthony Buonaspina, CEO and founder of LI Tech Advisors. He added that small businesses need to be proactive and build defenses against ransomware, phishing, weak passwords and DDoS attacks, just for a start. It is also essential to train your employees on responsible use of the internet and to periodically send them fake phishing attempts that test their responsiveness, with training for those who fail.
Charles Lobert, Vice President of Sales and Marketing at Vision Computer Solutions, offered another view: “the biggest threat that a small business needs to consider, is an uneducated employee. By that, I don’t mean a malicious employee, but an unaware employee that doesn’t know what to be suspicious of, or how to react if they receive an email that they are wary of, or end up stumbling on a webpage that doesn’t look quite right.”
What does cyber insurance cover and what is excluded in cyber insurance policies?
Social media, the internet of things and online transactions have changed how businesses function and reach potential customers. With these advances comes a greater likelihood of attack, so cyber insurance has become part of a coordinated risk management plan for small and large companies alike.
Typically, cyber insurance covers legal fees and expenses arising from lawsuits brought after a data breach, restoring the personal identities of affected customers, recovering compromised data, and repairing damaged computer systems. A good cyber insurance policy is a prudent step to help protect the operation and continuity of your business.
Another IT community leader, Laith Pahlawan of Orange Crew, put it plainly: “Cyber Insurance can help protect your data and identity with an early warning system to protect the user’s identity. Cyber insurance is not a prevention program and cannot protect against hardware theft and data corruption.”
Anthony added a caution that applies to any insurance policy: “be careful about the type of coverage you purchase; you need to make sure you read the fine print as to what the exclusions are. Sometimes a cyber policy may exclude coverage if you do not have adequate security measures in place and deny a claim.” Duleep Pillai of Veltec Networks added: “Companies have different policies/plans, which include Security & Privacy, Privacy breach response, Regulatory Defense & Penalties, Website media content liability, PCI fines, expenses and cost, Cyber extortion, First party data protection, First party network business income. Check with a business insurance agent.”
All of the feedback points the same way: every one of them advises businesses to get cyber insurance. According to PwC, total premiums from cyber insurance are projected to reach $7.5 billion by 2020. The figures suggest that companies are waking up to the need for cyber insurance, which can extend to cover investigations, business losses, privacy and notification costs, as well as lawsuits and extortion.
What’s the difference between data breach and cybercrimes?
These terms might sound different, but in most cases they are used with almost the same meaning. Laith explained the difference: “Data breaches are caused by a weakness in a program which intentionally or unintentionally exposes a method of stealing private data; a good example of that is the LinkedIn hack that exposed millions of passwords. A similar thing happened in the Marriott data breach mentioned earlier, while cybercrime is a direct attack on a data source to extract specific information, like transaction fraud, piracy and advance fee fraud.”
What expert tips should businesses consider when trying to protect themselves against cybercrimes?
Virtually all the IT leaders suggested the same day-to-day approach and tactics for avoiding being hacked. I have compiled them below:
Encrypt and Backup data
The first thing a small business needs to do is put the appropriate protection in place to protect its network and its data: an active firewall, a good, up-to-date anti-virus solution, and so on. However, it is also imperative to educate your employees about the wide range of security threats out there.
If your users know how to spot a phishing email, or how to recognize a site that may not be secure and legitimate, that training will go a long way towards ensuring that an uneducated employee doesn’t give an attacker an open door through all the security you just put in place. You also need to prevent physical access to sensitive data and render it useless if it falls into the wrong hands. Data encryption is the best “quick fix” for data breaches: if a breach occurs, the encrypted data remains unreadable to the attacker.
Secure your hardware
Make sure the latest security patches are applied and complex passwords are enforced. Use two-factor authentication wherever possible. Also make sure you can remotely wipe any mobile device that is lost or stolen, to protect the data it has access to.
Train your employees
One of the weakest security points is your employees. Ongoing training is very important to maintain a heightened level of awareness of cyber threats. Purchase a cybersecurity training service that automatically sends out fake phishing attempts to test your employees and trains them if they fail. One employee falling victim to a phishing attack and unknowingly giving their password to the wrong person could be devastating for a small business. A cybersecurity breach can cause loss of clients and loss of revenue, and can even force the company to cease operations.
Invest in cyber insurance
Think of it as business continuity insurance for the case where the security measures you have taken fail.
The bottom line
I will conclude with the words of Laith: “We get thousands of tricks a day to get us to fork out our money; we are very likely to fall for one of these scams, in fact it is inevitable. The only way we can protect ourselves is to reduce exposure to the number of attempts, so how do we do that? We use spam filters, antivirus, learn about spoofing, learn about social engineering, monitor our cyber identities, increase the complexity of our passwords, use two-factor authentication, firewalls, security patches, internal company processes, etc. In the end, instead of a thousand attacks a day, now we are only exposed to 10, and that you can handle, problem solved, right? Even with that, if you are a company of 20 people, you have to deal with 200 attacks a day. So do not be surprised if every once in a while you still get someone that is having a bad day, or too much on their plate, click OK on something that they didn’t have the time to absorb completely, and before you know it, your money is somewhere in China.”
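Both the training tip above (teaching users to spot a phishing email) and Laith’s list (spam filters, learning about spoofing) come down to recognising a few tell-tale signs in a message. As an added illustration, not from the article or any of the people quoted, the following Python script checks an email’s headers for the signs a filter or a trained employee looks for: a display name that shows one address while the real sender is another, a Reply-To that diverts replies elsewhere, a sender domain that imitates a trusted one (digit-for-letter swaps or a trusted name pasted in front of a stranger’s domain), and pressure language in the subject. The trusted domains, the urgency phrases and the three sample messages are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Domains this (hypothetical) business owns or routinely pays invoices to; an assumption for the example.
TRUSTED_DOMAINS = {"ourcompany.example", "example-bank.com"}
# Pressure phrases that social-engineering mail leans on (a constructed, non-exhaustive list).
URGENCY_PHRASES = ("urgent", "immediately", "verify your account", "suspended")


def _domain(address: str) -> str:
    """Everything after the last '@', lower-cased; '' when there is no address."""
    return address.rpartition("@")[2].strip().lower()


def skeleton(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e-bank.com' maps onto 'example-bank.com'."""
    plain = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        plain = plain.replace(fake, real)
    return plain


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton (examp1e-bank.com) or a trusted name pasted in front of a stranger's
        # domain (example-bank.com.evil.example) both count as imitation.
        if skeleton(domain) == skeleton(trusted) or domain.startswith(trusted + "."):
            return trusted
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return the list of spoofing/phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []

    display_name, from_address = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_address)

    # The display name shows an address at one domain while the real sender is at another.
    if "@" in display_name and _domain(display_name) != from_domain:
        found.append("display-name-address-mismatch")

    # Replies would silently go somewhere other than the apparent sender.
    _, reply_address = parseaddr(msg.get("Reply-To", ""))
    if reply_address and _domain(reply_address) != from_domain:
        found.append("reply-to-mismatch")

    imitated = lookalike_of(from_domain)
    if imitated:
        found.append("lookalike-domain:" + imitated)

    subject = (msg.get("Subject") or "").lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        found.append("urgent-subject")
    return found


# Constructed sample messages (not real mail): a display-name trick, a look-alike domain, and a clean one.
CEO_FRAUD = "\n".join([
    'From: "ceo@ourcompany.example" <mailbox77@free-mail.example>',
    "To: accounts@ourcompany.example",
    "Subject: URGENT wire transfer needed today",
    "",
    "Please send the payment before noon, I am in a meeting and cannot talk.",
])
FAKE_INVOICE = "\n".join([
    "From: Billing <billing@examp1e-bank.com>",
    "Reply-To: billing@free-mail.example",
    "To: accounts@ourcompany.example",
    "Subject: Your invoice is ready",
    "",
    "Open the attached invoice to view the new bank details.",
])
LEGITIMATE = "\n".join([
    "From: Billing <billing@example-bank.com>",
    "To: accounts@ourcompany.example",
    "Subject: Your invoice is ready",
    "",
    "Your monthly statement is available in the online portal.",
])

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("fake invoice", FAKE_INVOICE), ("legitimate", LEGITIMATE)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

A commercial spam filter does far more than this (sender reputation, SPF/DKIM/DMARC results, link and attachment analysis), but these four header checks are exactly what awareness training asks an employee to notice before clicking, and they are cheap enough to run as an extra rule on a small mail server.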