Only 8% of businesses with fewer than 50 employees have a dedicated budget for cybersecurity, says a recently released report from Corvus Insurance. Their survey found many of those small businesses lump cybersecurity into IT or another department’s budget, and 47% have no cybersecurity budget at all. The numbers don’t get much better when you look at slightly larger small companies, either, with only 14% of companies with 50-249 employees claiming a dedicated cybersecurity budget.
It can be easy for smaller companies to fall into the trap of pushing cybersecurity to the side. Most breaches that receive wide media attention are those that happen to gargantuan corporations, but there are plenty of bad actors out there targeting small and medium businesses (SMB), as well.
According to the Verizon 2021 Data Breach Investigations Report, in companies with fewer than 1,000 employees they saw 1,037 cyber incidents in 2021; 263 with confirmed data disclosure. The report mentions that in 2020, small organizations experienced less than half of breaches of large organizations (1,000+ employees), but the difference in the 2021 the numbers shrunk dramatically — with large companies reporting 307 breaches with data disclosure, compared to 263 in small organizations.
Verizon found that system intrusion, miscellaneous errors and basic web application attacks were the most common, accounting for 80% of breaches in SMBs. When it comes to compromised data, they reported 44% of attacks compromised credentials, 39% targeted personal information and 17% of breaches compromised medical information.
To really drive the point home, it’s important to note a 2021 IBM study found that 60% of businesses with fewer than 500 employees go out of business within six months of a cyberattack. So, these aren’t small threats; they can greatly affect the livelihood of SMB owners and employees.
With these numbers, it’s clear SMBs are quickly becoming hot targets for would-be hackers. Corvus suggests these smaller organizations implement a dedicated cybersecurity budget. Just the existence of this budget, even if it’s modest, can help force conversations about cybersecurity investments and allow the company to make more informed decisions about cyber security.
So, what steps should SMBs take to properly protect themselves against cyberthreats? The U.S. Small Business Administration (SBA) suggests the following:
Many data breaches happen when an employee accidentally falls for a phishing email or a shady download prompt. To prevent this, companies should implement training on how to spot a phishing email, using good browsing practices, avoiding suspicious downloads, protecting sensitive customer and vendor information and what it means to practice good cyber hygiene.
Not only should you use antivirus software and antispyware, but you must keep it updated. These programs regularly release patches for their products to improve functionality and correct any security problems that emerge, so the best thing to do is configure your protective software to automatically install updates.
Firewalls and encryption are great ways to keep your internet connection secure. You should also make sure any Wi-Fi networks your organization has are password protected and hidden, so no unauthorized individuals can gain access.
It’s a good idea to choose a different password for each account you possess, and each of these passwords should meet the following criteria in order to make them harder to decipher: 10 characters or more, at least one uppercase letter, at least one lowercase letter, at least one number and at least one special character.
Even the strongest passwords aren’t fool-proof, so many organizations are opting to implement multifactor authentication, which requires extra information in order to log in. This usually involves sending a code via an app, email, text or phone call to double-check that the person accessing the account is who they say they are.
Back up data on all computers regularly, including word processing documents, electronic spreadsheets, databases, financial files, human resources information and accounts receivable/payable files. The easiest way to stay current on this is to have your data automatically back up at regular intervals (weekly, at the least). The backed up data should be stored offsite or in the cloud.
It’s good practice to conduct payment processing on a separate computer than you or your employees use for general internet purposes. It’s also a good idea to speak with your card processor to ensure anti-fraud services are being used, along with other trusted and validated security tools.
Laptops are great in the era of hybrid work, but their portability makes them especially vulnerable. You should only allow access to business computers for authorized individuals, and any laptops should be locked up when unattended to prevent theft or loss. All authorized users should have a separate user account (with a strong password) to log on to company devices. Administrative privileges should be conservatively distributed.
