What small business owners can learn from recent government and corporate security breaches so they can prevent them.
Almost everyone is aware of recent Russian cyberattacks that impacted government agencies, oil pipelines, and large companies across the United States. These major ongoing cybercrimes are reported in the news almost every day.
The total damage done by these virtual assaults is still unclear. It could cost billions of dollars to clean up after them, including the cash paid to get oil flowing to the southeastern United States (some of which has been recovered) and to resolve other ransomware attacks.
What we do know for certain is that hackers have been able to gain access to the emails and internal files of the U.S. Treasury and Commerce departments, prevent fuel from flowing through major pipelines, jeopardize the reputations of many companies and steal the personal and financial information of private citizens.
The organizations involved were forced to scramble to plug the leaks revealed by the breaches and recover from them.
This has left many small and mid-sized businesses (SMBs) worried about the cybersecurity threats they face. After all, if government agencies and major companies can be hacked, how can anyone feel confident that they won’t be, as well?
The good news — if there is any in all this — is that SMBs know that they have to take steps to prevent the hacks and other cybersecurity breaches they’re facing and prepare to recover from them should they happen. Here are some lessons learned from recent breaches and what organizations can do to guard against being hacked.
It’s better to play offense than defense.
Cyberattacks do a lot of damage that requires significant clean-up. Personal and business information is often compromised. It can be very expensive for a small business to recover from a hack. In many cases, businesses are forced to close their doors because their reputations are harmed in ways that can never be repaired.
This is why it’s always better to be proactive rather than reactive when it comes to guarding your small business systems and data against cyber threats. Take steps as soon as possible to protect your operation against being attacked. Don’t gamble by waiting. It could leave you the victim of a costly or fatal hack. Have an expert scan your systems and software to find out whether your business may have vulnerabilities that could leave it exposed to cyber crooks.
It isn’t just a Russian government problem.
Many SMBs may be lulled into complacency thinking that all attacks are a Russian-government-against-the-world issue. They believe their relatively small operations will never be found by the cyber criminals working out of Moscow, St. Petersburg, or other Russian cyber hot spots.
That could be a big mistake.
While some of the largest and most reported-on attacks are Russians hitting nations and their best-known businesses, the vast majority of attacks come from smaller hackers focused on less prominent targets, such as small businesses, their clients, and individual people.
Large-scale cyberattacks regularly top the news because they impact massive numbers of people and cost millions or billions of dollars. Hacks on smaller businesses don’t get the same coverage because they affect a smaller number of people, cost less and may be limited to a single region. Still, real businesses and people are significantly harmed by them.
Don’t treat the lack of coverage of small business hacks as a reason to not focus on cybersecurity protection. Use the coverage of big attacks as a reminder to regularly have professionals check the cybersecurity of your operation. You could be next.
Don’t just guard against the last attack. Plan for what’s next.
Most organizations find out about a cyber hack and protect their systems against the issues that caused it. Of course, it’s necessary to make sure organizations don’t leave themselves vulnerable to known threats. However, it’s unlikely that hackers will go back to their old tactics. They are too smart. They’re already planning their next schemes.
That’s why it’s critical for small business owners to stay current on trending hacking tactics — or to work with a cybersecurity expert who follows these things. Pick the brains of your cybersecurity firm and the people on your team to come up with all the ways your organization could be vulnerable and take steps to guard against them.
Schedule time to learn about emerging cyberattack methods and how your small business can take steps to avoid becoming a victim of them. Many cybersecurity specialists write about these topics and offer seminars and webinars about them. The United States Small Business Administration (SBA) offers training on the topic. You can also turn to the National Cybersecurity Alliance and the U.S. Department of Homeland Security when large-scale issues come up. Many of the service providers you already use, including Microsoft, Verizon, your cyber insurance agency, and others, also regularly share good information about cybersecurity for small businesses.
If you don’t have the staff needed to come up with security solutions to guard your business, you owe it to the security — and success — of your operation to get professional guidance and support.
Don’t think it’s just a Russian issue.
Russians aren’t the only people conducting attacks. It’s also the Chinese, other nations across the world, cyber thieves in the U.S., and more.
Don’t think your business is safe because Russians would never care about an organization of your size. They actually do. So do criminals around the world. As do people within your organization, along with business partners and suppliers. They want access to your business secrets, financial information, and client data. Don’t forget, disgruntled employees or vendors with a grudge might have something against your business and try to bring you down as payback.
Small mistakes have been known to bring down institutions. The same could be true for YOUR operation.
That massive Russian breach that brought U.S. government agencies to their knees in early 2021 was the result of Russian hackers who were able to figure out a password used by a software company. The firm used a simple and easy-to-figure-out password and the Russians were able to exploit it. This gave them control over software used by all the agencies and businesses that were hacked, allowing them to break through their firewalls. This provides a valuable lesson on why it’s important for everyone associated with your business to follow sound cybersecurity practices every minute of every day with absolutely no exceptions. A single small human error is all it takes for hackers to break into systems and wreak havoc.
Build a cybersecurity plan before it’s too late.
Most government agencies and businesses that have experienced cyber breaches shared one thing in common: They either didn’t have a cybersecurity plan or the one they had wasn’t adequate.
Do you need to build a new cybersecurity protection plan from the ground up?
Perhaps it’s time to strengthen your current one so it’s bulletproof.
Protecting the cybersecurity of your small business doesn’t have to be difficult or time-consuming. But it does have to involve more than just installing and updating security software or antivirus software. Here are the six steps you need to take to ensure your organization isn’t compromised.
Regularly inventory your small business data.
Work with all your employees to identify the data you store online. Put an extra focus on sensitive material that could do significant harm to the reputation of your business if it’s ever lost or stolen by cyber thieves. Don’t try going it alone. No one person knows everything stored by a business, even a small one. Mom often hides things from pop at the smallest mom-and-pop operation. Inventory all types of data, including:
- Payment and credit card information from customers
- Private health records
- Personal financial information
- Sales records
- Employee and customer contact information
- Legal documents and records
- Bank statements
- Research and development documentation
- Human resource records
- Payroll information
- Marketing and sales strategies
- Intellectual property
Create a master list of every piece of information your business stores, processes, transmits, and communicates. This could turn into a very BIG list, even for relatively small businesses. Don’t leave anything out. You never know what hackers could be interested in stealing or the cyber assets that could be damaged or lost in an attack. This list is everything you need to protect and what you have to check, replace and report if a hack happens.
Remember: Inventorying business data isn’t once and done. It should be revisited whenever new processes, procedures, software, or systems are implemented. Also, it’s important to do a data backup regularly and store it someplace safe so you can replace lost data if you’re ever the victim of an attack. Your inventory can be used to develop a sound data backup plan.
Keep a record of where business information is used and stored.
Once you identify all the data your business maintains, make a record of where it is stored, used, and transmitted. There are obvious places such as servers and databases. Don’t forget other places like spreadsheets, text documents, contact lists, mobile devices, or the cloud. Check with all your employees. You never know where people could be storing information including private devices like tablets and smartphones.
You can’t protect your business data if you don’t know where all of it is located at any given time. You have to ask around to ensure you are aware of everything. This is a critical step toward developing processes and procedures related to handling sensitive information.
Maintain an inventory of all your business hardware, software, and cloud storage services.
Once you know what data you have and where it’s stored and used, create and maintain an inventory of all of it. Be aware that it will probably need to be updated regularly. This list will keep you up-to-date on all the tech-related assets you have to protect. If you’re ever hacked, you must have an accurate and complete picture of what records you have and where they can be found. It’s the only way to quickly figure out what harm may have been done to your business and your clients’ private information. Having a timely inventory makes it possible for you and the people on your team to act quickly to make updates, back up systems that have been harmed, take protective measures, complete a data breach investigations report, and inform customers of a hack as quickly as possible.
Tip: It’s a good idea for you and the people you work with to come up with a response plan before you need one. A hack can be stressful and it’s almost impossible to come up with an adequate response plan on the fly.
Educate all the users of your systems on how to handle data properly.
Many businesses think about cybersecurity as an IT issue. It’s not.
It’s an issue that everyone working for — and associated with — a small business must be involved in. In the end, protecting sensitive data is the ultimate responsibility of the people who handle, transmit and look after it every single day. If the people you work with don’t understand cybersecurity is part of their jobs, how can you expect them to take responsibility for it?
Develop cybersecurity policies that include proven cybersecurity measures and practices. Train employees on everything they need to know to recognize and report security threats like phishing attacks, malicious software (malware), baiting, and other scams; use passwords correctly; always use a safe internet connection and Wi-Fi network; and properly look after your systems and data.
Did you know? Phishing emails are one of the biggest threats to small business security. They are often disguised as coming from reputable organizations, which makes people trust them. Once opened, they can release malware or ransomware that can harm operating systems, software, and more, which could shut down your operation.
Implement multi-factor authentication.
Cyber crooks are constantly looking for new ways to break into businesses and other organizations, which means even the best cybersecurity plan could be vulnerable. That’s why it’s important for organizations to implement multi-factor authentication as an enhanced level of protection. At most small businesses, access to sensitive systems and data is protected only by a login name and password. Technology has made it easier for cyber crooks to figure them out, providing a direct way to break into business data systems.
Strong passwords are harder for hackers to figure out, but they can still leave organizations vulnerable. Many people can’t remember them or dislike using them, even if they have a password manager available to them.
Multi-factor authentication makes users verify that they are attempting to access software, a system, or other tech assets through a text message, email, or app. It’s an added check to prove they are who they claim to be and that they’re authorized to access the asset. It’s virtually impossible for cybercriminals to break into anything that’s protected by multi-factor authentication.
Get expert help against cyberattacks.
Cybersecurity isn’t easy. And basic security isn’t enough. That’s why so many small businesses fail at protecting their operations. Most don’t have adequate knowledge or staffing to handle all aspects of it. That’s why they outsource to professionals. They can work with you to do a risk assessment to identify issues with what you’re currently doing to protect the security of your small business. They’ll also share expert advice on how to tighten your cybersecurity plan and implement security measures so it’s less likely that hackers will be able to break into your business.
It’s not worth it to take chances with the future of the business you’ve worked so hard to build. A single data breach could destroy its reputation, losing the trust of your customers and those considering doing business with you. Get started today building a solid data security plan for your business and getting the support you need to effectively execute it.