While much attention is paid to large cyber-attacks against corporations – think Wonga, Talk Talk and Tesco – small businesses are equally susceptible to cybercrime. According to a study by the UK government, almost half (48%) of small businesses reported having been impacted by a cyber breach or attack in the last twelve months. At the same time, research from the Federation of Small Businesses (FSB) reveals that 65% of SMEs are unprepared for such attacks.
What makes small businesses vulnerable is their lack of infrastructure and resources, especially compared to those that large companies can devote to IT security. With that said, there are some simple but impactful steps small businesses can take in order to protect themselves in the face of an ever-expanding attack surface. But first, a quick look at the challenges that small businesses are confronting.
The unique threat facing small businesses
As mentioned above, small businesses are especially vulnerable to cybercrime because of IT security spending constraints and staffing limitations. This common-sense takeaway is borne out by the data. According to a recent report by US IT security firm Barracuda Networks, the average employee of a small business with fewer than 100 employees receives 350% more social engineering attacks than the average employee of a large enterprise. Criminals who rely on social engineering to trick people into divulging data they can monetise (credit card details, banking information, passport numbers) likely know that the hardware and software protecting enterprises isn’t always financially accessible to small businesses. Case in point: although cybercrime is up, Hiscox UK’s 2022 Cyber Readiness Report found that overall small business IT spending is down, perhaps a casualty of pandemic-induced financial pressures, including global market fluctuations and supply chain woes.
Strategies for minimising data security risks
In the same Hiscox report, one in five respondents said they ‘risked insolvency because of a cyber incident’. While it’s easy to feel disheartened by this statistic – and the growing financial and security-related pressures small businesses must contend with – there are some simple and straightforward security best practices small businesses can immediately implement in order to minimise risk to their bottom lines.
The nuts and bolts: 2FA and strong passwords
To start, small businesses can protect their devices by keeping operating systems, browsers and applications updated to their latest versions (turning on automatic updates where available) and installing reputable anti-virus (AV) software. They can further shore up account security with two-factor authentication (2FA), which requires users to prove their identity in two separate ways before gaining access to an account. A useful definition of 2FA is that logging in to a service involves something that you know, such as a password, and something that you have, such as a phone running an authenticator app or a hardware security key, which in turn produces or holds the second proof (a one-time code or a cryptographic signature). According to a survey by the Cyber Readiness Institute, 54% of small businesses haven’t set up multi-factor authentication (MFA, the general term for requiring two or more factors; 2FA is its most common form). This is a fairly dismal showing when considering that MFA is one of the most effective controls against the risks of compromised passwords: a stolen password alone no longer grants access. Not all second factors are equal, though. Codes sent by SMS can be intercepted or phished, so app-generated codes or hardware security keys are preferable where the service supports them. While we’re on the topic of passwords, creating strong and unique passwords is non-negotiable. Passwords are the first line of defence for data. They should not be easy to guess and should not be reused across sites. While reusing passwords is tempting, since most people rely on memory to ‘manage’ their passwords, it leaves data even more vulnerable: one breached site exposes every other account that shares the same password.
The best, and most straightforward, strategy for managing passwords is to use a password manager. Password managers allow users to generate new, unique passwords that are then stored in an encrypted vault protected by a single master password (which should itself be strong and, wherever possible, protected by 2FA). When a user visits a site or opens an app that is linked to the password manager, the password manager automatically fills in the user’s login name and password.
Most password managers are intuitive and engineered to be integrated into existing workflows with little disruption. They also require very little training. In short, they offer a lot of bang for their buck, especially when considering there are a number of good, affordable business password managers available on the market. Ultimately, password managers save organisations time and money, and buy them peace of mind in the long run.
Knowing when to take a second look
Being aware of how to deflect phishing threats is also very useful. Phishing is the use of deceptive messages to manipulate people into clicking on malicious links, opening malicious attachments or divulging sensitive information. It can arrive by email, phone call (vishing) or text message (smishing), and falls under the ‘social engineering’ umbrella mentioned earlier.
There are a few simple steps for staying safe from phishing attacks. To start, small business employees should check that emails they receive look legitimate and come from the institution they claim to. They should hover over links (or long-press them on a phone) to reveal the real destination and confirm that its domain is the one they expect, reading the domain from right to left: a link to bank.example.attacker.net belongs to attacker.net, not to the bank. Links they’re unsure about should be left alone, at least until confirmed by further research. Better still, they can ignore the link altogether, reach the service by typing its address or using a saved bookmark, and check the account there. They should also avoid opening attachments from people they don’t know, or unexpected attachments from people they do know, without checking first. Password managers themselves also help mitigate phishing attacks: because they autofill credentials only on the domain the login was saved for, a login form on a look-alike domain stays conspicuously empty.
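The two checks above, reading a link’s real destination and matching it against the expected domain, come down to the same logic, which is also what a password manager does before autofilling. The following Python script is an added example written for this page, not code from the article or from any password manager product; the domain names and sample links in it are constructed for illustration, and the expected domain is passed in explicitly (a real password manager matches against a public-suffix list rather than a single configured domain).

```python
# Added example (not from the article): the domain check a reader performs when
# hovering over a link, and that a password manager performs before autofilling.
# All URLs and domain names below are constructed for illustration.
from typing import List, Optional
from urllib.parse import urlsplit


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname an http(s) URL really points at, or None.

    urlsplit().hostname discards any userinfo before '@' and any port, so the
    classic 'https://www.bank.example@evil.example/' trick resolves to evil.example.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def host_matches(host: str, expected: str) -> bool:
    """True if host equals expected or is a subdomain of it on a dot boundary.

    'login.bank.example' matches 'bank.example'; 'notbank.example' and
    'bank.example.attacker.example' do not (domains are read right to left).
    """
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)


def check_link(display_text: str, href: str, expected_domain: str) -> List[str]:
    """Return the reasons a link deserves a second look; an empty list means it matches.

    display_text is what the email shows, href is the real target revealed on hover,
    expected_domain is the domain the reader believes they are dealing with.
    """
    warnings: List[str] = []
    host = link_host(href)
    if host is None:
        return [f"link target is not a plain http(s) URL: {href!r}"]
    if not host_matches(host, expected_domain):
        warnings.append(f"link goes to {host}, not {expected_domain}")
    # Internationalised hostnames (raw non-ASCII or punycode 'xn--' labels) are a
    # common way to build look-alike domains, so flag them for a closer look.
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"internationalised hostname {host!r} may be a look-alike")
    # If the visible text is itself a URL, it must point where the real link goes.
    shown = link_host(display_text)
    if shown is not None and not host_matches(host, shown):
        warnings.append(f"text shows {shown} but the link goes to {host}")
    return warnings


# Constructed sample links of the kind found in phishing emails: (visible text, real href).
SAMPLE_LINKS = [
    ("https://www.bank.example/login", "https://www.bank.example/login"),
    ("Review your invoice", "https://bank.example.secure-login.example/inv"),
    ("https://www.bank.example", "https://www.bank.example@evil.example/"),
    ("Sign in", "https://xn--bnk-sna.example/"),
    ("Sign in", "mailto:helpdesk@evil.example"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        reasons = check_link(text, href, "bank.example")
        print(f"{href:50} {'OK' if not reasons else '; '.join(reasons)}")
```

Only the first sample passes cleanly; the others are caught by the host mismatch, the userinfo trick, the punycode label or the non-http scheme. The same right-to-left domain comparison is why a password manager declines to fill a login form on bank.example.secure-login.example even though the page looks identical to the real one.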
None of these recommendations involve purchasing technologies that break the bank or setting aside a large budget for cyber insurance. They don’t necessitate AI, machine learning, threat teams, or the hiring of a Chief Security Officer. Just a little bit of upfront effort (taking the time for system updates, implementing 2FA/MFA and a business-wide password manager, and an awareness of the risks) will pay off.