We talk to a lot of businesses. Not surprisingly, one of the topics that most often comes up is security. Many understand, and to some level accept, that their data is at risk and will likely be compromised in some manner at some point. They may try to minimize these risks by taking precautionary measures, but they understand there is always a risk. However, data breaches are so prevalent today that we run the risk of becoming complacent, feeling that they are somewhat inescapable. This often leads to security risks going unaddressed.
Another reason these vulnerabilities persist is that some small and midsized businesses truly believe they are immune or completely protected from cyberattacks. A significant data breach seems so unlikely in the moment, and it’s easier and more cost-effective to focus on core business initiatives.
In discussing security concerns with area businesses, we’ve found some common reasons businesses cite for not addressing security concerns.
- My business is too small to be targeted.
A false sense of security has been the downfall of many organizations when it comes to cybersecurity for small businesses. Believing their more modest resources provide anonymity, these business owners feel they are not even on hackers’ radar. They say the size of their business makes them trivial or insignificant to cybercriminals.
However, studies show that exactly the opposite is true – small businesses are a primary target for cyberattacks. According to Symantec’s 2016 Internet Security Threat Report, 43% of phishing cyberattacks target small businesses! The reason is simple: you’re the low-hanging fruit. Small and midsized businesses have a lot of data, but often not a lot of protection. These businesses lack the security resources of larger enterprises and are easier to penetrate.
So, although you may not be Equifax, Yahoo, the Department of Justice, or Target, you are a much more attractive target in terms of making a quick and easy pay-out.
- I don’t have any valuable information.
Many small businesses we talk to believe they don’t store any data that would be valuable to cybercriminals. To them, their business is too lean to amass any information that is attractive to hackers.
However, small businesses collect and store much of the same data larger companies do, albeit in smaller quantities. If you have any employees, their personnel records will contain information hackers target. If you store any client information, such as billing addresses, payment information, or e-mail addresses, you’re collecting valuable data. In addition, your relationships with larger vendors or partners may make you an attractive target to get to an even bigger fish.
Here’s the bottom line: for any modern business operating today, the belief that they don’t collect data attractive to hackers is just false.
- I can just use the basic, free services.
We get it. There are a lot of really good, free tools out there. However, you must be smart about it – there’s a time and place for everything, and when it comes to your security software, freeware is neither the time nor the place.
First, there is almost always a trade-off with free services. Certain baseline features are included for free, but don’t offer the protection you thought you were getting. To unlock that, you must upgrade to a paid premium site. And freeware may also grant the software provider access to your data, thus creating a direct security hole.
Secondly, it’s important to recognize that freeware is not managed. It’s only as good as when it was created or last updated. And a free service contains no incentive to perform regular updates. Security is not set-it-and-forget-it. Cyberattacks are changing all the time and getting increasingly sophisticated. An unmanaged, outdated free service will not be effective in protecting your data.
- I have antivirus. I’m protected.
Some small businesses think if they just load a good antivirus application, they are good to go. However, this is certainly not enough. Antivirus or antimalware software only provides protection from some types of cyberattacks. More sophisticated attacks use social engineering to trick unsuspecting employees into opening the door past any antimalware controls. These corrupt phishing emails often impersonate a trusted colleague, vendor, or institution like a bank to fool the recipient into providing valuable information or access to data.
And there are even more risks to your data, including hardware or software malfunctions, user error, or internal sabotage.
Small businesses should employ a layered approach to security, similar to larger businesses but on a smaller scale. It’s important to address the three main variables that put your data at risk: technical, business, and human.
- Arguably the easiest to address are the technical variables with tools like antivirus software, firewalls, and a good data backup and retention solution.
- Be sure to plan for the business variables, with processes for data access and controls and procedures for data destruction, user policies, and documentation.
- And don’t leave out one of the most important variables that add risk to your security: the human variable. Increase security awareness among your employees, provide consistent training, and enforce your policies. Make data vigilance a part of your business culture – your team should learn how to question and verify any questionable inquiries or requests.
- Cybersecurity is an IT problem.
Whenever a technology problem arises, there is a tendency to just throw it to the “IT people”. Whether it’s the technical jargon or the screens of what looks like mumbo-jumbo, on the surface, it seems best to just let IT take care of it.
But your business’ data security is not a technical problem; it’s a business problem. Data, and the integrity of it, affects your whole business. Your IT team needs to understand how you access and use data and how it flows in and out of your business in order to protect it properly. And you need an understanding of how it’s secured and how it will be restored in the event of a problem.
Data security is a strategic endeavor that requires participation from multiple departments – ownership, finance, operations, human resources, and IT.
- Protecting my business is good enough.
You don’t work in a silo – you work with partners, suppliers, vendors, or subcontractors. Oftentimes, small businesses overlook vetting the security practices of the third-party organizations they employ.
But guess what? Their level of data security affects you. Some of the biggest attacks involve infiltration of a third party that subsequently compromises another business. You may take all the right steps to increase your company’s data security only to leave yourself open to risk via a business partner. Be sure to ask your local providers (e.g., your accountant, lawyer, and suppliers) what they do to secure data.
- It’s inevitable – there’s no way to stop a cyberattack, so why try so hard?
It is quite true that security incidents are somewhat inevitable – they are going to happen. And they are going to happen to your business. Probably not on the scale of Equifax or Target, but they will happen.
This is a very defeatist approach, and not one that jibes with successful small business owners. Now, although it’s true that you can’t stop every single attack, you most certainly can stop most, and that’s a big part of the battle. You can also take proactive measures to minimize any damage, making any future attack more of a nuisance than a major event. The bottom line is that, regardless of the pervasiveness of cyberattacks, it is your responsibility to protect your customers, employees, and business by taking data security seriously.
- If it happens, we’ll recover.
Again, due to their size, many smaller businesses don’t believe a data breach would have that significant an effect on their business.
So I ask, how big of an impact would a sudden loss of $256,000 make on your business? Could you easily recover from that? Because that’s the amount a single cyber breach could cost you in terms of related costs like downtime, according to analysis by TechRepublic of a study conducted by industry research firm IDC. Hopefully, you would recover, but it could result in some serious adverse changes to your operations. And the majority are not that lucky. According to the National Cyber Security Alliance, 60% of small companies are unable to sustain their businesses over six months after a cyberattack.
Don’t let your business fall victim to a false sense of security or, even worse, ambivalence. It’s important to be informed when it comes to your business’ data security and take the appropriate steps to mitigate risk.