Protect your small business from cyberattacks now.
By Alexandra Walsh
News outlets began reporting in early March that cyberattacks on businesses and government agencies increased following the Russian invasion of Ukraine, with the risk of spillover cyberattacks against non-primary targets becoming much more widespread.
Scope of the Threat
The conflict amplifies the broader trend of increased volume, size, and sophistication of cyberattacks and the corresponding significant financial, reputational, and legal risks to those potentially impacted.
Government agencies globally have highlighted increased cyber risk amid the deepening crisis.
Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency issued a joint advisory, warning critical infrastructure entities of increased risk of Russian state-sponsored attacks. The U.S. Department of Homeland Security warned in a January memorandum as well that operators of public infrastructure could be targeted because of the geopolitical tensions.
Cyberattacks and Small Businesses
Even before the Russian invasion of Ukraine, cyberattacks were a growing threat for small businesses and the U.S. economy. According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2020 alone.
Business IT teams handled 623 million ransomware attacks in 2021, up 105% over the previous year, according to security vendor SonicWall. The firm reported a 1885% increase in attacks on government targets as well as huge increases in healthcare (755%), education (152%), and retail (21%) establishments.
Small businesses are attractive targets because they have information that cybercriminals want, and typically lack the security infrastructure of larger businesses.
According to a recent Small Business Administration survey, 88% of small business owners felt their business was vulnerable to a cyberattack. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or they don’t know where to begin.
Common Cyber Threats
Small businesses operators can start by learning about common cyber threats, understanding where their business is vulnerable, and then taking important steps to improve their cybersecurity.
Cyberattacks are constantly evolving, but small business owners should at least be aware of the most common types.
Malware (malicious software) is an umbrella term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network. Malware can include viruses and ransomware.
Viruses are harmful programs intended to spread from computer to computer (and other connected devices). Viruses are intended to give cybercriminals access to your system.
Ransomware is a specific type of malware that infects and restricts access to a computer until a ransom is paid. Ransomware is usually delivered through phishing emails and exploits unpatched vulnerabilities in software.
Phishing is a type of cyberattack that uses email or a malicious website to infect a machine with malware or collect our sensitive information. Phishing emails appear as though they’ve been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, a computer may become infected with malware.
Assess Your Business Risk
The first step in improving your company’s cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.
A cybersecurity risk assessment can identify where your business is vulnerable, and help you create a plan of action—which should include user training, guidance on securing email platforms, and advice on protecting the business’ information assets.
There’s no substitute for dedicated IT support—whether an employee or external consultant—but businesses of more limited means can still take measures to improve their cybersecurity.
The Federal Communications Commission offers a cybersecurity planning tool to help you build a strategy based on your unique business needs.
The Department of Homeland Security administers the Cyber Resilience Review, a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either do the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
DHS also offers free cyber hygiene vulnerability scanning for small businesses. This service can help secure your internet-facing systems from weak configuration and known vulnerabilities. You will receive a weekly report for your action.
Use the Supply Chain Risk Management Toolkit to help shield your business information and communications technology from sophisticated supply chain attacks. Developed by the DHS Cybersecurity and Infrastructure Agency, this toolkit will help you raise awareness and reduce the impacts of supply chain risks.
Cybersecurity Best Practices
Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyberattacks. The “Stop. Think. Connect” campaign from DHS offers training and other materials.
Training topics to cover include:
- Spotting a phishing email
- Using good browsing practices
- Avoiding suspicious downloads
- Creating strong passwords
- Protecting sensitive customer and vendor information
- Maintaining good cyber hygiene.
Use updated antivirus software
Make sure each of your business’ computers is equipped with antivirus software and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
Secure your networks
Safeguard your internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
Use strong passwords
Choosing strong passwords is an easy way to improve your cybersecurity. Be sure to use different passwords for your different accounts. A strong password includes:
- At least 10 characters or more
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character.
Use multifactor authentication
Multifactor authentication requires additional information (e.g., a security code sent to your phone) to log in. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
Protect sensitive data and back up the rest
Regularly back up the data on all computers. Critical data include word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Secure payment processing
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the internet.
Control physical access
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
A final note: the National Cybersecurity Alliance, a public-private partnership, provides help to small business owners to stay secure. Visit https://staysafeonline.org/events/.
The Small Business Administration and its resource partners host cybersecurity in-person and virtual events. Visit www.sba.gov/events/find?dateRange=all&distance=200&q=cybersecurity&pageNumber=1.