The myths around cybercrime are common: “Hackers don’t bother with small businesses.” “A virus is a nuisance but we can take that risk.” “We’d cope with a data breach so it’s not worth putting precious resources into preventing it.”
Those myths are wrong. And those myths are dangerous.
Take ransomware: it’s often only the big companies that make the news, but small businesses are still vulnerable. A 2017 survey by Intermedia found that 40 percent of businesses hit by ransomware had fewer than 100 employees.
Meanwhile Symantec notes scammers aren’t just after data or cash. It reported an 8,500 percent increase from 2016 to 2017 in attacks designed to hijack the victims’ computer systems to ‘mine’ for cryptocurrencies. That brings physical problems such as systems being slowed down or even overheated, as well as financial problems if the scammers start using a business’s cloud-based storage and processing, racking up its bills.
It’s also increasingly clear that malware scammers are platform-agnostic. Sophos notes a triple threat across platforms, with attackers:
- Continuing to exploit major Windows bugs, with two specific vulnerabilities in Office responsible for half of attacks;
- Challenging the theory that Macs either don’t get viruses or don’t interest cybercriminals; and
- Getting 32 malware-ridden apps through the Google Play Store’s vetting process in eight months, something that’s particularly worrying for small businesses that let staff use Android devices to work on the move.
The Harsh Reality of Cyber Threats
One of the reasons many small businesses underestimate the costs of data breaches and loss is that the pain comes in many forms:
- Staff downtime: with computer systems out of action, staff may be simply unable to work, wasting time and money. That could mean missed deadlines, contract breaches, and even overtime payments as the business struggles to make up the delays when it’s back online.
- Reputational loss: if customers, suppliers or partners take a breach as a sign they can’t trust a business with their information, they could jump ship.
- Financial penalties: as we detail below, numerous regulatory requirements on data handling mean a business can be fined for a breach. Just as importantly, clients such as government agencies may be unwilling or even unable to deal with a business that hasn’t followed the rules.
- The ultimate loss: while statistics vary dramatically, it’s clear that bankruptcy or liquidation is a genuine risk for businesses hit hard by malware, data breaches and other severe data-related disruption.
Remember also that cybercriminals aren’t the only cause of data loss and breaches. Businesses must factor in data loss caused by disgruntled insiders, the threat of corporate espionage through spyware, and even losses from accidents, whether technical or physical.
Cyber Security is Now the Law
Even without factoring in a business’s own risks, properly addressing data security may be a legal necessity. Here are just four of the most important sets of regulations.
Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS is a requirement for any Department of Defense contractors handling controlled information. It’s a wide-ranging set of security measures covering both on-site and cloud-based data storage. As well as complying with the rules themselves, contractors are responsible for checking that their subcontractors are also compliant, and for reporting breaches within 72 hours.
Federal Information Security Management Act (FISMA)
FISMA requirements affect any business contracting for the federal government. The comprehensive requirements aren’t limited to security controls but also include risk assessments, security reviews and certification, and even a complete inventory of all information systems an organization uses, categorized by risk level.
Health Insurance Portability and Accountability Act (HIPAA)
Simply put, HIPAA covers any organization with access to patient information; this includes healthcare providers and administrators and their subcontractors and business associates. The requirements for data handling are very detailed and specific, with key points including both physical and technical safeguards covering access, storage and transfer of data, along with audit reports and measures to confirm data has not been destroyed or altered.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS affects any organization that accepts, stores or transmits cardholder data, whether in person, over the phone, or online. Even taking a single payment in a year means the business must follow the rules, though the requirements are more detailed if it processes large numbers of payments. Breaching the rules could not only mean financial penalties, but losing the ability to take card payments at all.
Work with a Cyber Security Expert
To deal with the threats, a business must address two issues: what to do and how to do it.
The real key to the former is understanding that data protection is as much about procedures and planning as it is about the specific steps the business takes. The old line about prevention being better than cure certainly applies to cybersecurity. Establishing good data practice and procedures among staff is less about making sure they know how to do it right and more about making sure it’s impossible for them to do it wrong.
It’s all about making sure systems and networks are set up in the right way and the business plans for every risk scenario. It’s vital to thoroughly and repeatedly test your systems to at best spot threats early enough to mitigate them and at worst spot breaches early enough to limit the damage.
As for how to do it, getting professional help is the way to go for most small businesses. It’s not just that cybersecurity specialists have the technical know-how and tools to protect and maintain your systems. They also have the outside perspective and experience to identify the threats and risks that a business’s own staff might never think about because they are so familiar and comfortable with their existing set-up.