Almost weekly you see an announcement about yet another major corporation that has experienced a data breach. Do you find it scary? It seems so to businesses and their customers alike. And it gives people pause about doing business with the impacted company in particular. But it also makes them reluctant to work with other businesses affected by cybercrime attacks. Small businesses become particularly vulnerable. They lack the technology infrastructure of larger enterprises. So, what should small businesses do to protect themselves and their customers?
How to Handle Cybersecurity
I recently talked with Chris Wayne. Wayne serves as Chief Technology Officer at Yahoo Small Business. He shared essential advice for small businesses in managing cybersecurity.
Rieva Lesonsky: What are the biggest cybersecurity threats small businesses typically face?
Chris Wayne: Ransomware and phishing attacks are certainly two of the most dire threats facing small businesses every day. A staggering 71% of ransomware attacks targeted small businesses last year. With an average cost of $200,000, many small businesses simply don’t have the resources to withstand a cybersecurity attack once it’s already happened.
Lesonsky: Are certain businesses/industries more vulnerable than others?
Chris Wayne: I believe every business needs to keep cybersecurity top-of-mind in order to prevent an attack. That said, there are certain industries that are targeted more than others. Healthcare is appealing to cybercriminals due to the highly sensitive information some seek out. Another industry is hospitality/hotels. The sheer number of people in their databases presents an attractive target for cybercrime. And, unfortunately, many breaches aren’t discovered until after the fact—96% of all accommodation breaches aren’t discovered for several months, according to a 2018 Verizon Data Breach Investigations report.
Sometimes Employees are the Real Problem
Lesonsky: Employees often are the culprits, correct? Unwittingly, they make businesses more vulnerable. How can business owners better educate their staffs?
Chris Wayne: It’s an unfortunate reality, but yes, employees often play a role in a cyber breach or attack. Many times it is unwittingly, and these mistakes can be mitigated through proactive efforts like mandatory cybersecurity training with regularity. The landscape changes so quickly that it’s important to have semi-regular training sessions—quarterly ideally—to bring the team up-to-speed on the latest risks.
Lesonsky: Given that small businesses lack the staff and the budget bigger businesses have, how can they protect their companies? Are there technologies that are particularly useful?
Chris Wayne: As the saying goes, the best defense is a good offense. Prevention is key. Taking measures such as auditing software, implementing staff-wide security trainings, and having a clearly defined crisis plan are critical to prevent an attack or mitigate the fallout once it happens.
Lesonsky: Do you recommend small businesses outsource their cyber protection? If so, what should you look for in a vendor—how do you best vet them?
Chris Wayne: I believe a healthy balance of outsourced protection coupled with in-house knowledge and best practices is a winning combination. Nobody knows your business better than you do and implementing some of these best practices can go a long way toward helping to stop an attack before it happens.
When looking at an outside vendor, I believe it’s always important to ask about their audit and compliance processes. Map out a plan and work together to identify both the strong points and weak spots of your organization’s security system. Constant communication and moving in lockstep with each other will prove to be invaluable, especially when an attack does occur.
What Are the First Steps to Address a Breach
Lesonsky: What are the first actions a small business owner should take if they are breached?
Chris Wayne: Immediate actions following a breach are by far the most crucial—as they can mitigate, or worsen, the effects. Some of the most important steps a small business owner can take are:
- Contact law enforcement agencies and disclose the breach.
- Contact your IT department or cyber protection provider to begin first steps on your breach response.
- Run a full investigation of the breach to determine possible origins, causes, weak spots and more. This step should be in full collaboration with your IT department or cyber protection provider.
- Once the scope of the breach is determined and the attack is controlled, notify customers about the data breach.
Lesonsky: Is there anything important I didn’t ask you?
Chris Wayne: I think we just about covered it all! I can boil everything down into this—protecting your small business is no easy task, but preventative measures can go a long way toward safeguarding for the future.
Cybersecurity breaches loom as a constant threat to businesses. And this applies not only to big businesses. Small businesses face significant risks too. Protect your small business with some of the tips above.