By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Small businesses are often thought to be a forgotten entity when it comes to cybercrime. On the surface, it seems like a fair assumption that hackers wouldn’t target small businesses when there are large enterprises with much greater assets. Unfortunately, many small business leaders fall for this “I’m not a target” mentality, when in fact they are just as attractive a target as large corporations.
Hackers don’t care about how big or small a business is. They care about financial gain, which is easier to obtain from a small business with weak security practices than a large corporation with a dedicated IT team and robust security measures.
Despite security experts preaching this theory that hackers target businesses of all sizes, small and midsize businesses (SMBs) continue to carry on as if they’re immune from falling victim to a cyberattack.
A recent report from Switchfast Technologies found that 51% of SMB leaders are convinced their business is not a target for cybercriminals, while 35% of employees shared the same view.
How can we expect SMBs to improve their cyber hygiene when we can’t convince them that they’re a target to begin with?
Perhaps it is a lack of resources keeping SMBs from really acknowledging the need to improve their security measures, but internal disagreement regarding the severity of cyberattacks is another top reason for a lax security approach.
With over half of surveyed SMB leaders not seeing their business as a target for cybercriminals, the question becomes, what security measures are in place for those businesses?
Many small businesses believe that, following the initial setup of their network, their security is guaranteed, requiring no further follow-up. This is a tragic mistake that has become all too common and relies heavily on employees to make the right decisions, often without appropriate security awareness training.
As a result, employees often make decisions they feel are harmless, such as connecting to their company’s server over public Wi-Fi or opening a malicious email attachment they thought was from a legitimate source.
Small businesses that rely solely on their employees to protect their assets by not falling victim to cybercrime are taking a huge risk.
Here are a few ways SMBs can improve their security practices:
Security Awareness Training: In their report, Switchfast found that 21% of organizations provide their employees with no security training. Employees cannot adequately defend their organizations without the knowledge of how to do so. Staff should understand basic security measures, be kept up-to-date on current threats, and know how to respond in a breach or suspected breach situation.
In addition, employees should understand the dangers associated with poor cyber hygiene. Switchfast revealed that 22% of SMB leaders and 19% of employees share their passwords with their co-workers or assistants. Password sharing, password reuse, and weak passwords can lead to detrimental consequences for individuals as well as businesses. Employees should be aware of how compromised passwords can be bought and sold on the dark web.
Phishing Tests: Switchfast reported that ninety-one percent of cyberattacks originate with a phishing email. With an alarming statistic such as this, companies must train their employees on how to spot a phishing attempt before they fall for one. Phishing tests contain links to track which employees fell for the scam, allowing management to see who needs additional training.
Prepare for an Attack: It is often said that cyberattacks are a matter of “when” and not “if.” SMBs must be prepared and ready to handle an attack in the event one does occur. Having a robust cybersecurity plan in place is crucial to ensuring an organization can stay afloat after an attack occurs. An appropriate backup procedure should also be in place to guarantee data is recoverable if the network is compromised.
SMB leaders must learn to acknowledge that their organization is, in fact, at risk of a cyberattack. Understanding the dangers organizations face by not putting security as a top concern will help them see that there is value in protecting themselves before it’s too late.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.