The holiday shopping season is just around the corner, which means more small businesses will be targeted by hackers and should start taking steps now to beef up their security. But the holidays aren't the only time SMBs will be targeted by sophisticated cyber-criminals: according to the Verizon 2014 Data Breach Investigations Report, 10% of all hacks affect smaller organizations and, even worse, SMBs are almost twice as likely as bigger companies to lose valuable data when they are attacked (18% versus 10.5%, respectively).
While cyber attacks on major U.S. corporations like Target and Home Depot garner most of the media coverage on hacking, the reality is, smaller businesses also face significant risks. Increasingly, hackers view small businesses as low-hanging fruit that requires less time and money to compromise -- which makes them a prime target for financial fraud attacks, cyber extortion and network breaches with the goal of using the SMB to backdoor a larger company (a good example is Target's HVAC vendor, which allowed hackers to infect the retail giant's point-of-sale devices with malware).
Many small business owners mistakenly believe they're not at risk because their company is "too small" to be a worthwhile target for a hacker. This "defense in obscurity" argument has been around for many years, but it's no longer valid, particularly due to the rise of black market crimeware kits, which have made it substantially easier and less expensive for even unskilled hackers (known as "script kiddies") to target a wide swath of businesses. If your SMB is in any of the following industries, consider yourself warned, because you're a prime target for cyber-criminals: retail, restaurant, financial services, healthcare, or any business that serves Fortune 1000s.
Here is a hacking checklist with five things every SMB should ask itself:
- Is Customer Data Vulnerable? - Do you store credit card numbers, passwords, contact information or any other sensitive information about your customers on your website or anywhere else on your network? Since it's harder for SMBs to protect themselves against sophisticated attacks, you need to ask yourself, do you really want to be responsible for securing all of this information? What To Do: At a minimum, don't store card numbers or passwords on your website. Have customers login using a trusted identity provider like Facebook Connect or OpenID Require instead, and re-enter their card information each time they make a transaction. Also, make sure your site provides end-to-end encryption the entire time a person is on the site.
- Do You Handle In-Store Transactions? - Chances are, your business conducts at least some credit/debit card transactions in the store or office. This makes you a target for point-of-sale (POS) tampering, POS malware, WiFi eavesdropping and network breaches, and you should assume that at least one of these will eventually happen. Unfortunately, simply meeting the Payment Card Industry (PCI) security standards isn't enough to prevent these attacks. What To Do: Make sure you're running updated operating systems and firmware on your POS devices; run any patches as soon as they come out; keep the POS equipment locked up when not in use (if possible); and physically inspect equipment for signs of tampering. Make sure the in-store WiFi does not connect to the register machines. Lastly, take out a cybersecurity insurance policy to cover the costs of a breach.
- Would a DDoS Attack Ruin Your Business? - Is your business dependent on website activity? If the answer is 'yes,' you need to have a plan in place for dealing with a serious outage. Cyber criminals are now frequently using distributed denial-of-service (DDoS) attacks as a way of extorting business owners for tens of thousands of dollars. What To Do First, consider signing up for a DDoS service, which immediately detects these attacks and then mitigates them by blocking malicious IPs. Have multiple "mirror" websites on separate hosting services that can be launched immediately if your main site is attacked. Consider taking out cybersecurity insurance to cover the costs of a DDoS event. Finally, make sure you have an emergency contact sheet (DDoS mitigation team, web host providers, insurance contact, etc.) so that you can get in touch with the right people as soon as an incident happens.
- Are You Protecting Critical Files? - Another popular extortion scheme uses a virus or trojan known as "ransomware" to lock your files behind an unbreakable wall of encryption, making it nearly impossible to get them back unless you pay a ransom. What To Do: The only way to combat ransomware is by backing up all of your important data on external hard drives. However, hard drives can be infected too, so keep these offline until you're doing your daily or weekly backups, and rotate between more than one external hard drive (ex: hard drive A on weeks 1, 3, 5, hard drive B on weeks 2, 4, 6, etc.).
- Do You Have Network Access to Larger Companies? - If your business provides services to a Fortune 1000, hackers could target you as a way of backdooring the larger company. What To Do: As an SMB, you can't prevent high-level attacks, all you can do is try to 'silo the damage.' How do you do this? Have a dedicated computer(s) that you use for nothing else than to access the Fortune 1000 network -- that will reduce your chances of picking up malware. Segment these computers from the main network (don't share servers, don't use WiFi), so that if your business is infected, it will be less likely to spread to these computers. Limit as much as possible how many people have access to the Fortune 1000 network. Use password managers so that you can write highly complex passwords (10+ characters long, upper/lower case letters, numbers and special characters) and change them every week.
While SMBs have limited resources to invest in cybersecurity, that doesn't mean they have to go unprotected. By taking the simple, strategic steps outlined above, every business can improve its security against hackers without having to break its bottom line.