Cyber-attacks are a growing and significant concern for small and medium-sized businesses (SMBs). Despite the common misconception that hackers only target behemoths, SMBs make increasingly attractive prey. In fact, certain types of attacks, like phishing, are much more commonly aimed at SMBs. It is critical to both (1) institute best practices to minimize the chance of experiencing a cyber-incident, and (2) take measures now to minimize the potential damage in the event a cyber-incident does occur.
“Fifty percent of SMBs have been the victims of a cyber-attack and over 60% of those attacked go out of business.”
Dr. Jane LeClair
Chief Operating OfficerNational Cybersecuity Institute
Avoiding a Cyber-Attack
Cyber-attacks are a permanent and persistent threat to your organization, and there is no way to entirely remove that risk. However, by implementing cybersecurity controls, you can minimize the probability of a successful cyber-attack.
- Keep your software, applications, web browsers, and operating systems up-to-date. Set updates to occur automatically. Do not use software that is no longer supported by the vendor.
- Know where your important data is located. Secure your physical and electronic files. Ensure important files and systems are encrypted and regularly backed up. Perform periodic back up data recovery tests.
- Require strong passwords, or passphrases which are longer and more complex than passwords, on all your applications and devices. Use a password manager to securely store all passwords.
- Have formal policies and procedures for safeguarding data and systems.
- Use Multi-Factor Authentication (MFA) wherever possible. MFA reduces risks associated with compromised passwords.
- Enforce strong security standards before employees or vendors connect to your network.
- Create a culture of security. Conduct employee information security awareness training consistently. Training should include common attacks and tactics used by cyber-criminals (such as social engineering, phishing, etc.). Refer to the FTC factsheets on Phishing, Ransomware, Business Email Imposters, and Tech Support Scams for additional information on training topics.
- Know your vendors. Your vendors are ultimately your responsibility, and software supply chain risk is often an overlooked area of cyber risk. Review your software vendor contracts to understand what the vendor will be responsible for in the event that your business is affected by a cyber- incident, such as a supply chain attack. This also includes confirming your vendor’s own processes for overseeing subcontractors and managing risks. In addition, periodically conduct risk assessments for third-party relationships.
37% of companies hit by ransomware had fewer than 100 employees.
Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.
80% of all hacking incidents involve compromised credentials or passwords.
95% of cybersecurity incidents at SMBs cost between $826 and $653,587.
Limit the Damage of a Cyber-Attack
It is not a matter of if you will experience a cyber-incident, but when. Even with best practices to minimize the probability of a cyber-incident occurring, the risks are increasing and are difficult to avoid. It is important to take steps now to prepare and minimize the potential impact of a cyber-incident.
- Defensible Space. Implement layered defenses to increase prevention, detection, and response capabilities. Consider building a “Zero Trust” security framework that requires all users to be authenticated and authorized before access to any applications/data is granted.
- Cyber Insurance. Cyber insurance is one option that can minimize incurred costs in the event of a cyber incident. Review your cyber insurance to understand the policy coverage. Refer to the FTC Cyber Insurance factsheet for additional information cyber insurance.
- Business Continuity Plan/Disaster Recovery (BCP/DR). Have a plan, and test it. Having a BCP/DR process in place prior to a cyber incident is crucial for a successful and expeditious recovery. Consider having incident response services (e.g. law firm, forensic specialist, ransomware negotiator, etc.) on retainer in the event of a cyber incident. Refer to the FCC Cybersecurity Planner and FTC Data breach Response Documents for additional information on BCP/DR preparation.
The FTC offers factsheets which provide additional information on the topics reviewed.
- FTC Vendor Security factsheet has additional information on vendor security.
- FTC Cybersecurity Basics factsheet and the FCC Cybersecurity Planner offers additional information on cybersecurity controls.
- FCC Cybersecurity Planner and FTC Data Breach Response documents provide information for Business Continuity and Disaster Recovery preparation.
- FTC Cyber Insurance factsheet has more details on cyber insurance.
Links to these factsheets can be found below:
FTC Cybersecurity Factsheets:
https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
FCC Cybersecurity Planner:
https://www.fcc.gov/cyberplanner
CISA Cyber Resilience Review:
https://www.cisa.gov/uscert/resources/assessments
DHS Vulnerability Scans:
https://www.cisa.gov/cyber-hygiene-services
Free Cybersecurity Services and Tools:
https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools
FTC Data Breach Response:
https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business-042519-508.pdf
