2020 broke all records for business interruption and data lost in cyber breaches along with the number of cyberattacks on companies, government, and individuals. This upwards trend is continuing in 2021.
If you are part of a small or medium-sized business, the word “cyberattack” may not mean much to you. You might be thinking, “Oh, my business is too small, hackers would never target me, what would they gain?” However, this sort of belief can lead your business into a world of pain down the track. In fact, nearly half of all Australian cyber-crimes target small businesses (ASBFEO Guide), which is why bolstering your cybersecurity is no longer a choice, but a necessity.
Why are small and medium size businesses being targeted?
In one word, opportunism. Cyber criminals, like common thieves, will go for the unlocked window. In addition, it is a numbers game – you might not be specifically targeted but simply caught up in the hacker’s mass attack.
Many businesses often fail to take proactive measures against potential cyber breaches, with 87% of small businesses (ASBFEO Guide) leaving the burden of protection solely on antivirus software. However, looking at the fact that in the last year, 62% of small businesses experienced a cybersecurity incident (ACSC Small Business Survey), it becomes clear that antivirus software by itself is not enough. As the reliance on the internet for business processes increases, so too does the risk of falling victim to fraudulent activities carried out by malicious actors. As such, it is extremely important that employees within your business are aware of the importance of cybersecurity to prevent the loss of sensitive company data or your systems being frozen by a ransomware attack where you’ll be asked to pay a ransom to unlock them.
However, according to the Australian Cyber Security Centre, owners of small businesses generally had an “average” or “below average” understanding of cybersecurity (ACSC Small Business Survey), suggesting that a key reason behind the lack of precautionary measures may be a lack of appropriate policies for the business on how technology is used and cyber safety awareness and training within the workplace.
Smaller businesses that deal with larger companies are also being targeted as a way to hack the larger company. For this reason, many large companies are requiring the smaller companies in their supply chain to have cyber compliance in place, including policies and training.
So, what can be done? How can your business protect itself?
There are a few things you and your business can do in order to strengthen your knowledge and skills in the cybersecurity realm. Here are some of the simplest and most effective ways of doing so:
Learn about the Common Types of Cyberattacks
Knowing what you are at risk from helps you to shine a light in the dark. By understanding some of the common attacks, your business is better prepared to recognise and potentially avoid cyberattacks. Here are the cyberattacks that most commonly affect businesses:
Phishing
Phishing occurs when an attacker sends a fraudulent message (for example, in the form of an email or text) to try to trick your business into providing sensitive personal or financial information to them. Be wary of emails that ask you to send personal information or ask you to click on a link, especially if the sender makes it sound urgent.
Malware
Short for malicious software, malware is any software that is designed to intentionally cause harm to a computer network or device. Your devices can become infected with malware in various ways, including downloading infected programs, clicking on links sent through phishing emails, and visiting infected websites. Types of malware include spyware, ransomware and viruses.
Denial of Service Attacks
These occur when an attacker uses a network of computers to send data to your system, which overloads it and makes it unavailable.
Watering Hole Attacks
This is when an attacker sets up a fake version of a website you are known to use, or infects the real one, and then uses it to infect visitors of that site.
Understand that Prevention is Better than a Cure: Protect your Cyber Assets
Recovering from a cyberattack can be a lengthy, costly and difficult process, which in the end, still often results in the loss of critical information. Having your business in a position to prevent cyberattacks can help you to avoid the difficulties associated with salvaging your stolen data. The following are some steps you can utilise to protect your assets:
Use Complex Passwords
A good way to create a strong password is to first think of a phrase you will easily remember, such as “to be or not to be, that is the question”. Take the first letter from each word of that phrase, and then add your current age to the end of it. Next, capitalise every second letter and insert some punctuation. In our case, then, our password could be something like “tB!oNtB,tItQ!38”. You should also change your passwords periodically and, better still, use password protection software, which is available at a relatively low cost.
Keep your Software Up-to-Date
The manufacturer of your device will often release updates periodically to not only ensure that the software runs properly, but also that its security features are up to date. Cyber criminals are constantly finding new ways to hack into devices, so having your devices up to date is a good way of reducing your risk.
Use Two-Factor Authentication
Most cloud services you use will have two-factor authentication (2FA) and you should enable it. 2FA provides an extra layer of security to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information, such as an SMS code sent to them or a code from an “authenticator”. Many of the big names, such as Microsoft and Google, have authenticators you can download for use on your smartphone.
Do Regular Data Back-Ups
Your business should have a plan regarding how often your data is backed up. Back-ups can take various forms, including cloud backups, which store your data on offsite secure servers. With cloud backups, you can then access your data through the internet. Another method is physical backups, where you save your data onto a physical drive. This ensures that should a cyberattack occur, you have a ‘restoration point’ for your data, protecting you from severe losses of data.
Have Business-Wide Cyber Security Training Programs and Cyber Policies
Your business’ cyber security is only as strong as its weakest link. You should have a cyber policy that sets out what you expect of staff and contractors so everyone in your business understands and deals with the main risks related to their use of the internet and your systems. Furthermore, all members of a business should receive training to help them to identify and mitigate the risks that they will inevitably face online. Utilising an online cyber security and awareness training platform may be a worthwhile investment for your business as it will be the most cost effective and efficient way for small and medium size businesses to cover cyber risk. Some important things to look out for in determining whether a platform is effective are:
- Is it intuitive and easy to understand? This will ensure that members of your business are not discouraged from using it.
- Does the platform keep up to date with cyber security news and relevant alerts?
- What types of training does it use and what testing? For example, a platform that uses simulated phishing attacks may help your business to effectively prepare for the real thing and provide better compliance.
- Does it include cyber policies and other features that may benefit your business? Cyber policies will assist you in setting out standard processes that protect information and technology in your business.
Flawlessly protecting your business online is next to impossible. However, there are steps you can take to ensure that you mitigate the risks your business will encounter.
As more and more small and medium sized businesses move online, opportunistic cyberattacks will inevitably become more prevalent, making having a cyber policy together with cybersecurity education, training and testing an essential part of your business. In the end, although antivirus software is a useful tool to have, it is ultimately the people within your business who play the largest part in keeping your business and its data safe.