The assumption is that they have a lot of data and other valuable information. Further to that, these are the companies that are most often in the news as victims of cyber criminals.
This is a misconception that Dominic Vogel — cyber security expert and founder and chief strategist officer for Cyber SC — sees all too often. In fact, he said that more than 80 percent of cyberattacks are focused on small organizations.
“The bad guys see small organizations as low-hanging fruit,” said Vogel. “They have very few — if any — security precautions in place. They lack any in-house staff, or any serious technology to be able to deal with that threat, compared to the larger companies.”
But that doesn’t mean the threat is any less serious. In fact, the opposite is true.
“In this hyper-connected global economy, the reason the bad guys are going after the small organizations is because they’re a stepping stone to access the larger corporate networks,” explained Vogel. “As a small business, if you end up being hacked, and that ends up affecting a large company . . . you cease to exist as a business.”
Vogel pointed to an example several years ago of a small HVAC vendor that hackers used to launch an attack on their client, the retail giant Target. “That HVAC company ceased to exist as an organization. Paradoxically, the organizations that have the most to lose are the small companies.”
Although big organizations can suffer immensely from these kinds of attacks, for the most part, they survive. They have a big enough war chest to weather the incident, whereas a smaller company without those kinds of resources will go under.
Yet as the number of cyberattacks continues to spike, along with the cost to address them, the proportion achieving top scores for their cyber security readiness is marginally down year-on-year, according to one report.
To protect against these kinds of disruptive and possibly lethal incidents, Vogel has three basic rules for small businesses to follow that act as a bare minimum for cyber risk mitigation.
1. Securely back up your files
This is especially pertinent to small businesses: back up all critical files and data. “One of the most prevalent threats that we see right now, especially with small businesses, is ransomware,” said Vogel. If the business’s data only exists locally on one or two computers, they have no choice but to pay the criminals to release their data back to them.
Of course, the data could be lost for any number of reasons besides a ransom attack. A useful exercise that Vogel goes through is asking a company: if you were to lose access to your data for an hour, does that affect your company? What about six hours? Twelve? “Some small businesses say they could exist for a day or two, but if we hit the third day, that’s when things start to get messy,” said Vogel. “There’s only so long you can function as a company without accessing your critical data.”
The lesson: Make sure you’re regularly backing up data to a secure source.
2. Update your equipment
This goes for everything: laptops, desktops, tablets, smartphones, and whatever else you use for your business. Make sure everything is set up to automatically update the operating system as well as any applications you use, like Adobe Reader and Google Chrome.
“Most modern applications now allow you to just check a box and they will update it automatically, you don’t even have to spend time doing it,” said Vogel. “But make sure they’re all set to automatically update, that’s a huge, easy thing to do and it lowers the risk surface.”
3. Practice proper password management
For Vogel, there are two pieces to this. The first is using a proper password manager, like LastPass. That way you and your staff don’t have to remember 10 different passwords — you only have to remember one master password, and the manager handles the logins for multiple applications.
“Password managers, especially for small businesses, it’s a super simple, super easy thing to do,” said Vogel. “Great risk reduction, in my opinion.”
The second part is that wherever possible, Vogel advises companies to leverage multifactor identification (more commonly called multi-factor authentication). “Depending on what web services or web applications you’re using, if there’s the opportunity to use multifactor identification, do so,” he said.
Of course, these aren’t the only three things that companies should do, but they are the ones he described as “low hanging fruit” for cyber protection: steps that make it more difficult for a cyber criminal to get through. “If you just make it a little bit harder, a little bit more expensive for the bad guys to do their thing, they’ll go elsewhere,” he said.
The other advantage to practicing these is that they’re very inexpensive to do. “They can be done quickly and cheaply, especially with a 10- or 15-person company, that stuff could be done within a few days,” said Vogel. “And boom — you’ve got your instant risk reduction, without having to spend weeks or months and tens of thousands of dollars to get that up and running.”