Does My Small Business Need Cybersecurity?

Small businesses are the targets of cyberattacks and data breaches more often than you might think. But by adopting a few small business cybersecurity measures, you can protect your business’s data, assets, and reputation.

By , Journalist

As a small business owner, you might think you're too small to matter to cybercriminals. The facts say otherwise. A small business cybersecurity plan should be an essential element of your operations.

What Is Cybersecurity?

If you owned a brick-and-mortar store, you'd probably use security measures like keeping your most valuable merchandise under lock and key and stashing your day's receipts in a locked safe. You might even keep a guard at your entryway to make sure no one walks out with your goods.

Cybersecurity for small businesses isn't much different. It aims to protect your computing devices, systems, data, and digital financial assets from unauthorized access and criminal use.

The cybersecurity industry generally distinguishes two kinds of events, and the rest of this article treats them separately:

  • cyberattacks, one common kind of "security incident," and
  • data breaches.

A "cyberattack" is a deliberate attempt to compromise servers, computers, or mobile devices. The result can be (and often is) data theft for financial gain. But some cyberattacks are committed for the purpose of damaging or disrupting a system, rather than stealing data.

A "data breach" occurs when sensitive or valuable data is exposed to unauthorized individuals or groups. A breach can be the outcome of a cyberattack, but it can also result from technical weaknesses in computer systems or networks, from insecure practices such as emailing customers' credit card numbers without encryption, or from employees who are careless or don't understand the importance of protecting digital data.

Here's an example of how a data breach can result from human error: Suppose an employee takes a company laptop home and leaves it in the car. A thief breaks into the car overnight and steals the laptop. The laptop contains valuable customer data that's now exposed to outsiders and can potentially be distributed and sold to bad actors. Had the laptop's disk been encrypted and protected by a strong login, the thief would have a laptop but not the data; many breach notification laws treat encrypted data that was lost without its key as not exposed, which is one reason full-disk encryption on portable devices matters.

As you'll see discussed later, it's important to understand the ways data breaches can occur to plan a cybersecurity strategy and insure your business against liability from cybersecurity incidents.

Why Do Cybercriminals Target Small Businesses?

According to a survey by the Identity Theft Resource Center (ITRC), 73% of small business owners reported that their business had been the target of a cyberattack or data breach in the past year, and that share has been growing annually. Small businesses are even more vulnerable to some types of cybercrime than large enterprises.

Despite their size, small businesses pose greater opportunities for cybercriminals than their larger counterparts. Small businesses typically have fewer security measures in place than large enterprises, and rarely anyone whose job is security, so they're easier to break into. Yet they still store valuable customer data like credit card numbers and Social Security numbers that cybercriminals can sell for profit.

Small businesses can also serve as a gateway to the bigger fish that cybercriminals can't normally reach directly. Because large corporations do business with smaller businesses, their computer networks are often connected, or the smaller business holds credentials, invoices, or software that the larger one trusts. By compromising a small business, cybercriminals can use those trusted connections to bypass the larger company's own defenses. This is known as a supply-chain attack.

What Kinds of Cyber Threats Do Small Businesses Face?

Small businesses are subject to the same cyber threats that larger businesses face. Small businesses are even more likely than larger businesses to be the targets of certain cybercrimes, like phishing.

Some of the cybersecurity threats to small businesses include:

Malware: "Malware" (malicious software) is the umbrella term for viruses, worms, ransomware, spyware, and similar programs. Malware typically gets onto a computer when a user downloads a file, clicks on an ad that looks legitimate, or opens an attachment that carries the malicious code. It can also install itself without any user action by exploiting software that hasn't been updated.

Phishing: Phishing is a social-engineering attack. The user receives an email (or a text message or phone call) that appears to come from a legitimate source but is fake. The message persuades the user to open an attachment, click a link to a look-alike login page, or hand over credentials or payment details. Opening the attachment or link can install malware on the company's systems; typing a password into the fake page gives the attacker a working login. Many phishing emails carry no malware at all, because the password itself is the prize.

Ransomware: In a ransomware attack, an individual, group, or even a nation-state gains access to a computer system and encrypts its data so that legitimate users are locked out. Increasingly, the attackers also copy the data first and threaten to publish it (so-called double extortion). They then demand payment in exchange for the decryption key and a promise not to leak. Paying doesn't guarantee either outcome, which is why tested backups (discussed below) are the real defense.

DDoS: "DDoS" is an acronym for "distributed denial of service." The attackers flood a website, email server, or other service with so many requests, usually sent from a large number of hijacked devices, that it can no longer respond to legitimate users.

Inside attack: An insider attack is committed by someone who already has legitimate access, such as a current employee, a contractor, or a former employee whose accounts were never disabled. Rather than breaking in, the insider uses the access or administrative privileges they already hold to copy, alter, or destroy confidential information. Disgruntled former employees whose logins still work are a common example.

Password attack: Just like they sound, password attacks are used to enter computer systems by obtaining valid passwords. Bad actors guess passwords by trial and error or with tools that try thousands of candidates per second (brute force), reuse passwords leaked from other websites' breaches in the hope the user reused them (credential stuffing), or plant keylogging malware that records what a user types. Short, common, or reused passwords are what make these attacks succeed.

Man in the middle (MITM) attack: This tactic involves a third party who intercepts a digital exchange between two legitimate parties and can read or alter it. It most often occurs on an unsecured or attacker-controlled public Wi-Fi network. Sticking to websites that use HTTPS, and using a VPN on public networks, sharply limits what such an attacker can see.

Scareware attack: In a scareware attack, a pop-up appears on the computer warning the user that the system is infected with a virus. In reality, no infection exists. The user is then directed to a link, a website, or a phone number to "fix" the problem, and the phony fix is what actually installs malware or extracts a payment for a worthless product.

The above are just some of the ways bad actors steal information, and it's safe to say that new methods are discovered regularly.
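Two of the phishing tells described above can be checked mechanically: a sender display name that borrows a brand whose domain the real address doesn't match, and link text that shows the reader one address while the href points somewhere else. The script below is an added example and not part of the original article; it runs the checks over two constructed sample emails. It assumes example.com is the business's own domain; the other addresses and domains are made up for the demo.

```python
"""Flag two common phishing tells in constructed sample emails (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the domains your business really uses

# Constructed phishing message: display name says "Example Bank" but the address
# does not, and the first link shows one URL while going to a bare IP address.
PHISHING_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-login.net>
To: owner@smallbiz.test
Subject: Unusual sign-in detected
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a new sign-in. Please verify your account within 24 hours.</p>
<p><a href="http://203.0.113.7/verify">https://www.example.com/login</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">our help center</a>.</p>
</body></html>
"""

# Constructed legitimate message for contrast: sender and links all agree.
LEGITIMATE_EMAIL = """\
From: "Example Bank Support" <alerts@example.com>
To: owner@smallbiz.test
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="https://www.example.com/login">https://www.example.com/login</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def analyze(raw_message):
    """Return a list of findings for one email; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: brand name in the display name, but the address belongs to another domain.
    sender = msg["From"].addresses[0]
    display = sender.display_name.lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display and registered_domain(sender.domain) != trusted:
            findings.append(f"display name mentions '{brand}' but address is @{sender.domain}")

    # Check 2: what the link shows versus where it actually goes.
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target_host = urlparse(href).hostname or ""
        if target_host.replace(".", "").isdigit():
            findings.append(f"link goes to a bare IP address: {href}")
        if text.startswith(("http://", "https://", "www.")):
            shown_host = urlparse(text if "://" in text else "https://" + text).hostname or ""
            if registered_domain(shown_host) != registered_domain(target_host):
                findings.append(f"link text shows {shown_host} but goes to {target_host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, analyze(sample) or ["nothing flagged"])
```

These are heuristics, not proof: a message with no findings can still be phishing (attackers often register a plausible domain and keep text and href consistent), so the checks belong alongside user training rather than in place of it.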

Impacts of Cybercrimes on Small Businesses

Cybercrimes can have serious financial fallout. They can also hurt your business's reputation and expose your business to regulatory penalties and legal action.

Financial consequences. Cybercrimes can cost a business anywhere from a few hundred dollars to millions of dollars. Depending on the type of attack, a business might incur costs to make repairs to its IT systems, restore critical data and software, compensate customers for their losses, and pay regulatory fines. An attack also often leaves your business's computer systems inoperable for a period of time, so you can't process any sales and you lose business.

Damage to your business's reputation. Cyberattacks and breaches often make headlines. News of a cyber incident can spread quickly to your customers, eroding their trust and affecting their willingness to do business with you.

Legal repercussions. Your business can be hit with civil lawsuits following a data breach. Depending on the scope of the problem, you can also face class action lawsuits that can result in multi-million-dollar settlements. Regulators such as the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) can also impose sizable fines on businesses that fail to notify customers of data breaches.

Tips and Tools for Protecting Your Digital Data

There's no shortage of technology available to protect your small business from cybercrimes. But technology alone won't offer all the protection you'll need. Some preventive measures simply involve instituting good practices and procedures, and others involve just plain common sense.

Here are some cybersecurity strategies to consider:

Use a firewall and anti-malware software. A firewall, whether built into your router or running on each computer, blocks connections that nobody inside your business asked for, which keeps unauthorized users from reaching your systems directly. Anti-malware (endpoint protection) software scans files and watches for suspicious behavior on each device, blocks known malicious programs, and alerts you when something gets through. Keep both, and the rest of your software, updated automatically, since most malware exploits flaws that a patch already fixes.

Use encryption. Encryption scrambles data you store ("at rest") or transmit ("in transit") so that it's unreadable to anyone without the key. Full-disk encryption (built into Windows as BitLocker and into macOS as FileVault) protects the data on a lost or stolen laptop, and HTTPS/TLS protects data your website and email send over the internet. Encryption is especially important for businesses that handle sensitive data (like financial or medical information).

Back up your data. Keep copies of your important data in a reputable cloud-based storage service or on an external drive so you can recover if your systems are compromised. Because ransomware deliberately encrypts or deletes any backup it can reach from the infected network, keep at least one copy offline or in storage that can't be altered from your network, and test restoring from it periodically; a backup you've never restored is only a hope.

Employ strong password requirements and multi-factor authentication. Passwords are the keys to the information stored on your computers. Boosting your password security will help ensure that those keys don't fall into the wrong hands. Require passwords of at least 12 characters, block passwords that appear in lists of commonly used or previously breached passwords, and don't let employees reuse a password across systems; a password manager makes long, unique passwords practical. Current guidance (NIST SP 800-63B) favors length and uniqueness over mandatory mixes of upper-case, numbers, and symbols, which mostly produce predictable patterns. Add a second authentication factor for every account that matters, and for anything reachable from the internet: an authenticator app or a hardware security key is stronger than a code sent by text message or email, though any second factor is far better than none.
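The policy described above, and the way an authenticator-app code is actually checked, in working code. This is an added example, not from the article: the password check enforces length, a breached-password list, and a username rule rather than character-class mixes, and the TOTP routine implements RFC 6238 with the standard library, the same algorithm authenticator apps use. The common-password list is a constructed stand-in (real deployments check against the Have I Been Pwned list), and the demo secret is the published RFC 6238 test-vector secret, not a real one.

```python
"""Password policy check and authenticator-app (TOTP) verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password123!", "welcome2024", "qwertyuiop12", "letmein12345"}

# RFC 6238 test-vector secret: the ASCII string "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def check_password(password, username):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached/common password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too repetitive")
    return problems


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1, the authenticator-app default)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(for_time) // step                       # 30-second time step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32, submitted, now=None, window=1):
    """Accept the code for the current step or one step either side, to allow clock drift.
    Uses a constant-time comparison so response timing does not leak which digits matched."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(secret_b32, now + delta * 30), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(check_password("Password123!", "alice"))        # flagged: common password
    print(check_password("correct-horse-battery-staple", "alice"))  # acceptable
    print("current code for the demo secret:", totp(DEMO_SECRET, time.time()))
```

The server never stores or sends the code itself; both sides derive it from the shared secret and the clock, which is why a TOTP code is not exposed to the SMS interception that weakens text-message codes. A stolen TOTP secret, on the other hand, is as good as the password, so the secret must be stored as carefully as the password hash.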

Secure your Wi-Fi network. Turn on WPA2 or WPA3 encryption with a strong passphrase, change the router's default administrator password, and keep the router's firmware updated. Put customers and personal devices on a separate guest network so they can't reach your business systems. Hiding the network name (SSID) adds little real protection and isn't a substitute for any of the above.

Don't forget remote workers. If your employees work remotely, make sure the networks and devices they use are secure as well. A virtual private network (VPN) encrypts the connection between an employee's device and your business systems so it can be used safely over home or public Wi-Fi. Protect the VPN login itself with multi-factor authentication, and keep remote devices patched and encrypted just like the ones in the office.

Provide cybersecurity training for employees. Training is essential to help both reduce the human error that can cause breaches and reinforce the cybersecurity systems you put in place. Focus on instruction related to handling sensitive data, spotting malicious emails, avoiding suspicious websites, and exercising caution when browsing the internet. Some businesses choose to block access to non-work-related websites altogether.

Keep mobile devices under lock and key. Securely store laptops, company phones, and other mobile devices when not in use.

Consider dedicated computers for payment processing. If your business regularly takes payments online, consider using dedicated computers for processing payments. Implementing this measure prevents these single-purpose computers from being compromised by other activities such as browsing the internet.

Conduct regular access audits. Periodically review who has an account on each system and what each account can do. Promptly disable former employees' accounts (and change any shared passwords they knew), retrieve all company-issued electronic devices, remove privileges employees no longer need for their current role, and look for accounts nobody has used in months, which are a sign that someone left or changed jobs without anyone telling IT.
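An access audit of the kind described above is mostly cross-referencing two lists, which is easy to automate. The script below is an added example and not part of the article: it compares a constructed export of user accounts against a constructed HR roster and flags the things the audit is meant to catch (enabled accounts for people no longer employed, accounts dormant for more than 90 days, administrators without MFA, and privileged service accounts that need an owner). All names, dates and records are made up.

```python
"""Access audit over constructed account and HR data (added example)."""
from datetime import date

# Constructed export from the identity system (what a CSV dump of users might contain).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "mfa": True, "last_login": date(2024, 5, 30)},
    {"user": "bob", "enabled": True, "admin": False, "mfa": False, "last_login": date(2024, 1, 12)},
    {"user": "carol", "enabled": True, "admin": True, "mfa": False, "last_login": date(2024, 5, 29)},
    {"user": "dave", "enabled": False, "admin": False, "mfa": False, "last_login": date(2023, 11, 2)},
    {"user": "svc-backup", "enabled": True, "admin": True, "mfa": False, "last_login": date(2024, 5, 31)},
]

# Constructed HR roster (bob has left) and the list of service accounts IT knows about.
CURRENT_STAFF = {"alice", "carol"}
SANCTIONED_SERVICE_ACCOUNTS = {"svc-backup"}

DORMANT_AFTER_DAYS = 90
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" so the example is reproducible


def audit_access(accounts, current_staff, service_accounts, today):
    """Return findings as sorted (username, issue) pairs."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already disabled: nothing to revoke
        if (today - acct["last_login"]).days > DORMANT_AFTER_DAYS:
            findings.append((user, f"no login in over {DORMANT_AFTER_DAYS} days"))
        if user in service_accounts:
            # Service accounts usually cannot do MFA, so the question is ownership and rotation.
            if acct["admin"]:
                findings.append((user, "privileged service account: confirm owner, rotate credential"))
            continue
        if user not in current_staff:
            findings.append((user, "enabled account for someone no longer on the HR roster"))
        if acct["admin"] and not acct["mfa"]:
            findings.append((user, "administrative account without MFA"))
    return sorted(findings)


def run_audit():
    """Run the audit over the constructed data above."""
    return audit_access(ACCOUNTS, CURRENT_STAFF, SANCTIONED_SERVICE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, issue in run_audit():
        print(f"{user:12} {issue}")
```

Run monthly against a fresh export and a fresh roster, the output becomes the checklist for the audit; an account that is not on the roster and that HR cannot explain is exactly the "disgruntled former employee still has a login" scenario described earlier.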

Many of the tools listed above come with a cost, usually a monthly subscription charge. But the cost of a breach, in repairs, lost business, and legal settlements, can far outweigh the expense of putting the tools in place.

Consider Buying Cyber Insurance

Cyber insurance policies help pay for financial losses from cyberattacks and data breaches.

Cyber insurance policies vary, and most companies build a policy based on their particular risks. It's a good idea to conduct a risk assessment to understand the coverage your business needs before shopping for a cyber insurance policy.

Consider the types of data you store and your business's vulnerabilities. Insurers offer first-party coverage that covers losses to your own business and data, and third-party coverage to protect your business from losses that involve customers, vendors, and others.

Like other insurance policies, cyber insurance policies have limits. Consider your business revenue to assess the potential financial impact of a cyberattack or data breach to determine the coverage limits you'll need.

Cyber insurance policies can include coverage for:

  • loss of income due to cyberattacks and data breaches
  • costs to recover or replace data
  • costs to investigate the cause of a cyberattack
  • payments of ransom or other extortion payments
  • costs to notify customers of an attack or data breach
  • costs to repair damaged software or systems, and
  • crisis management expenses such as hiring a public relations professional.

Check your business policy to determine whether it offers any cyber coverage. Business policies typically offer only minimal protections for cyber incidents. But your business policy coverage will help you determine the supplemental coverage you'll need.

Know Your Privacy Obligations

International, federal, and state laws regulate what personal information your business can collect, how you can use that information, and your obligations to report data breaches.

Laws in the U.S. are a patchwork of regulations, so it's important to familiarize yourself with the laws that apply specifically to your business. Check your state's regulations as well as federal legislation and industry-specific rules and standards. (If your business collects personal information with the help of AI, you should also be aware of the evolving data privacy laws around AI.)

All 50 states have laws that require businesses to notify affected individuals of security breaches and that impose penalties for failing to do so. A number of states also have their own consumer privacy laws, and you can expect more states to follow.

Keep in mind that online privacy has become a hot-button issue among consumers. Consider creating a privacy policy for your company and posting it on your website and in other digital communications.

Existing privacy laws can offer some guidance for conducting business online and crafting a privacy policy:

  • The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act, requires covered businesses to tell consumers what personal information they collect and to let them opt out of the sale or sharing of that information.
  • The Children's Online Privacy Protection Act (COPPA) and the FTC rule that implements it require websites and online services directed at children under 13 to disclose what information they collect from children and to obtain verifiable parental consent before collecting it.
  • The General Data Protection Regulation (GDPR) imposes sweeping privacy obligations on businesses established in the European Union (E.U.) and on businesses elsewhere that offer goods or services to, or monitor the behavior of, people in the E.U.

If you're not sure where to start, you can always consult a local business attorney about the steps your business should be taking to protect itself and its customers. A lawyer can identify the privacy laws relevant to your business. They can also review your company's privacy policy and help you come up with best practices for your small business.
