While perhaps not good news for small business owners, employee interaction with email attachments activates most computer viruses. Although some worms can spread from one computer to another without a person enabling them, employee curiosity about an HTML link or responding to a seemingly legitimate email produces most cyberattacks. At LOVE LAW FIRM, we offer strategies to address risk management and your cyber risk exposure.
Consider the Alternative
Aside from the need to protect sensitive data of customers and employees from cyberattacks, the owner’s potential personal legal and financial exposure for failure to mitigate this risk should elevate it as a serious concern. Small businesses rarely have a team of experts devoted to cyber issues. Regrettably, most seem more likely than large corporations to face severe consequences from letting cyber threats go unnoticed and unanswered. It is estimated that 60% of small businesses go under after suffering a data breach. This is due to the high costs of remediation, as well as the reputational and marketplace damage associated with the breach. Company employees, the defense chain’s weakest link, often do not know how to protect sensitive data.
Six defense strategies that can reduce the occurrence of threats and lessen their impact are:
1. Train Your People
Everyone in the enterprise needs to understand the consequences of opening unknown HTML links and visiting unsafe websites, which can allow malicious intrusion to occur. Employees need to know how to look for signs of phishing scams, unusual URLs in emails, odd requests for account verification and the like. They need to be reminded regularly of their absolute need to protect the data integrity and systems of the company.
In addition, business owners often neglect to update systems with security patches. Those reminders that pop up telling a business owner to upgrade software, install a patch, or take some other action are often ignored because those installations can take time, require work and interrupt workflow. This, unfortunately, exacerbates the potential for cyberattacks.
Finally, downloads of malicious files provide an invitation to hackers to control company systems. Employees download these files while surfing the internet at work, looking at entertainment sites, or otherwise visiting sites that are unapproved.
While statistics show that most attacks exploit employee behavior, business owners may seem reluctant to acknowledge and address the issue. Training provides a viable alternative to an expensive investment in cybersecurity defenses. Regular classes on best practices in risk management can inform employees and alert them to the scams that are presented on a near-daily basis. Additionally, tests that monitor user response to potential risk can reveal the effectiveness of training.
2. Require Strong Passwords
As a protection against unauthorized access to company accounts, databases or proprietary data, passwords fail when employees use the same one for multiple accounts. The practice of reusing a password for a personal account on a company’s business system provides a widely exploited weakness. All too often, employees leave passwords at default settings (e.g., Password123) or use other easily guessed, common passwords.
Longer and more complex passwords provide more protection than short and simple ones, no matter how frequently changed. Some experts recommend using a short sentence that hackers find challenging to break. Remembering a list of passwords often proves difficult for employees, but a password management tool will help. Of course, make sure it’s properly password protected.
One of my personal favorite descriptions of the problems with passwords is by the British comedian Michael McIntyre. If you need a break from the seriousness of cybersecurity issues, watch this brief clip.
3. Use Software with Encryption
Simply put, encryption helps protect data. You should invest in software programs, systems and data storage that provide encryption as part of the offering. Look for software services offered by reputable and large companies that are applicable to your industry and needs. Purchase subscriptions to those, after doing your due diligence, to protect your data. I know that the makers of my client management system have decidedly more resources than I do to focus on protecting the security of the software. By using their program, I am benefiting from their dedicated cybersecurity experts and expenditure.
4. Evaluate Your Points of Entry
Vulnerabilities exist everywhere that smartphones, tablets, laptops and desktops connect to the internet. The opportunity for hackers to install malware on small business computer systems increases with each electronic device and the applications that run on it, especially when employees are allowed to use personal devices while performing work. Small businesses may have thousands of entry points for hackers to exploit.
As an inexpensive but effective defense, a policy that enforces best security practices may help secure company data. You may also consider whether you want to permit employees to use personal devices for work, or whether you want to require them to use company-provided resources (e.g., computers and phones). In addition, requiring regular updates and patches to software and operating systems can prevent vulnerabilities at entry points, as discussed above.
5. Update Your Anti-virus Protection
Software that can detect unusual activity can establish a defensive line that alerts small business owners to an impending attack and subsequent damage. Small business owners have traditionally relied on anti-virus software that recognizes malicious code. This software examines a portion of code or signature to find a match with attributes of known malware. However, this signature-based system of identification can no longer defend against increasingly sophisticated cyberattacks. As a result, companies may need to invest in security systems that recognize employee user patterns and distinguish them from malicious input. If a business owner is relying on anti-virus software that is more than a couple of years old, it needs to be updated immediately.
6. Keep a Backup Copy Handy
A lack of understanding, budgetary restrictions, or both may cause companies to fail to protect sensitive data. Fortunately, a hacker’s demand for ransom to return computer access to owners becomes far less powerful with regular system backups. As companies grow and compile more proprietary data and customer databases, they become more attractive to hackers. However, backed-up data can prevent the need to succumb to ransomware demands. A safe backup system that can scale to company demand provides a copy of sensitive data that allows work to continue.
As you review your company’s strategies for defense against cyberattacks, let these six techniques help you reduce risk. Don’t let your business be part of the majority that fail after a cyberattack.
Francine E. Love is the Founder & Managing Attorney at LOVE LAW FIRM, PLLC, which dedicates its practice to serving entrepreneurs, startups and small businesses. The opinions expressed are those of the author. This article is for general information purposes and is not intended to be and should not be taken as legal advice.