While many small business owners take measures to keep their physical office secure, unprotected company data stored on a computer poses a grave threat - and that data is getting more and more difficult to shield.
Cybercriminals are increasingly targeting American small businesses. According to Symantec.com's 2013 Internet Security Threat Report, companies with one to 250 employees were the victims of more than 30 percent of all cyberattacks last year, up from about 18 percent in 2011. And while 77 percent of small business owners surveyed by Symantec said they think their company is protected against cybercriminals, 83 percent of respondents lacked any official security plan.
Chris Collins, R-N.Y., chairman of the U.S. House's Subcommittee on Health and Technology, says many small business owners aren't adequately prepared for an online attack because they assume cybercriminals only target large corporations. "I think, by and large, most small business owners go to work every day worrying about paying their bills, where their next order is coming from or how they're going to grow their business, where cybersecurity is so far down on the list it often gets overlooked," says Collins, who led a subcommittee hearing in March on how small businesses can mount defenses against complex cyberattacks.
The ramifications of a successful cyberstrike can be crippling, as roughly 60 percent of small businesses close within six months of a cyberattack, according to Symantec. Once the data is infiltrated, a perpetrator may be able to steal money and intellectual property, view contact information for the company's customer base and plant viruses. One of the most egregious types of assault is a "watering hole" attack, in which the criminal installs a virus so when people visit the company's website, the virus spreads to their computers, too.
To protect your small business, employees and customers from cybercriminals, experts suggest taking these measures:
Install anti-virus software. Anti-virus software can detect a large number of perpetrators, whereupon the system typically notifies the owner of the breach and takes steps to eradicate the issue. But, like a flu shot, there's no guarantee anti-virus software can keep a machine clean, as some viruses are well-disguised and difficult to pinpoint, says Michael Hicks, director of the University of Maryland--College Park's Cybersecurity Center. Therefore, he says a small business owner should use anti-virus software as one component among many to protect the company.
According to security experts, Macs are generally well-protected from viruses, but anti-virus software products are available for those users.
Keep computers up to date. Making sure your operating system, Web browser, anti-virus software, programs and plug-ins (e.g., Adobe Reader or Java) are updated is crucial, says Michael Kaiser, executive director of the National Cyber Security Alliance. Users of most big-brand security software like McAfee products can enable an automatic update feature.
Andy Steingruebl, who oversees customer security at PayPal.com, says the major Web browsers - namely Safari, Firefox, Internet Explorer and Google Chrome - are relatively safe if kept up to date.
Train employees. According to cyber analytics firm CyberFactors.com, in-house employees are responsible for 40 percent of small business breaches. Some are targeted attacks by disgruntled workers, while others are due to employees engaging in behaviors they don't realize put the company at risk of a cyberattack.
That means it's critical to educate employees about how to create strong passwords for both work-related and personal accounts. Cybercriminals who hack an employee's personal account can find their way into the company's database. "Just one bad password used by an employee can lead to a breach that affects the entire company," Kaiser says.
Many security experts recommend using passwords of eight or more characters that include letters, numbers, punctuation and special characters like a dollar sign. It's also prudent to create different passwords for every account. Kaiser says people who reuse the same one are at a greater risk because if one password is stolen, a cybercriminal can use it to access the person's other accounts. For added protection, consider implementing a system requiring employees to change their work password on a regular basis (e.g., every 60 days). You can test the strength of a password using Microsoft.com's password checker.
Some programs offer two-step authentication. Gmail.com users, for example, can select this extra layer of security, which means when signing into Google, they must enter their username and password and then provide a code that was sent to their phone via text message.
Secure the office Wi-Fi network. Changing the password to the office's wireless network periodically can help protect against cybercriminals, Kaiser says. A number of companies also periodically rename the network for security purposes. (A rule of thumb: Don't call it the company name.)
Hicks advises small businesses to use Wi-Fi with Wireless Protected Access 2 technology for up-to-date encryption. With older technology like Wired Equivalent Privacy, he says "almost anyone can go online and find software that will automatically break into [the network]."
Don't fall prey to phishing email. Threatening emails sometimes slip through spam blockers. Some of these messages look identical or close to a company's real email format. "You have to assume the adversary knows something about you," Hicks says.
Small business owners can adjust their behaviors to account for this threat using simple verification. When you receive an invoice from a vendor, consider calling the supplier directly to confirm the email is legitimate. It's an extra step, but it could prevent your system from being hacked.
Purge sensitive data periodically. Steingruebl says small businesses shouldn't continue storing sensitive information they no longer need. For example, an employer may have pulled a worker's credit report when he or she applied for the job, but Steingruebl says most companies have no further use for such information. However, that information can fall into the hands of cybercrooks if not properly disposed of.
Keep a watchful eye. Implementing these practices across company machines and devices, including desktop computers, laptops, cell phones and tablets, and frequent monitoring for suspicious activity is vital to protecting your small businesses from cybercriminals.