Perhaps the most important single thing that small businesses need to know about cyber threats right now is that cybercriminals are actively targeting smaller firms. This can be hard to imagine or accept. After all, the security breaches we hear about on the news involve big brand names, like Target, Home Depot, Sony Pictures, and Anthem.
The fact is, many breaches of smaller firms simply go unreported. There are many business owners who are still wondering what on earth cybercriminals could want with their company's computer systems and the data they handle. There are several answers to this.
The "small business cybercrime sweet spot"
For a start, many small businesses have personal information about customers and employees that data thieves can sell on the black market. And although your small business might not have huge bankable profits at the end of the year, depending on your line of work you may handle a lot of money (for example, deposits and payments from customers that are not immediately spent on raw materials). But perhaps the easiest way to picture the current reality is something called the "small business cybercrime sweet spot".
Small businesses generally have more assets worth looting than consumers (whether it is bank funds, personal identity data, or intellectual property in digital format). Furthermore, small businesses generally have less maturity than large enterprises when it comes to cybersecurity. Simply put, small businesses often have a lot to lose, but a lot less protection in place than larger firms. Naturally, that combination is very appealing to some sectors of the cybercrime industry.
While cybersecurity can be intimidating, a methodical approach to addressing cybersecurity can be very effective in reducing your risk profile.
ESET security experts offer advice on what precautions small businesses should be taking to protect themselves and keep vital data from falling into the wrong hands.The small business cybersecurity survival guide
lays out an "ABC" approach that goes like this:
· Assess your assets, risks, resources - know what you need to protect, understand the threats, and identify resources.
· Build your policy - spell out your organisation's approach to security as policy and ensure leadership prioritises security.
· Choose your controls - decide what controls and tools are most appropriate to enforce your security policies.
· Deploy controls - put controls in place.
· Educate employees, execs, vendors - gain security buy-in from the full team and let folks know: cybersecurity is everybody's responsibility.
· Further assess, audit, test - stay on top of security trends, conduct tests of your security, and make sure new projects are included in policy.
As you can see, getting a handle on cybersecurity is a multi-stage process, and this process is ongoing: at stage F you go back to A. This is the only way to keep up with emerging threats and the many ways in which your growth as a small company changes your exposure to cyber risks. For example, cybersecurity risk changes as you go from running the company as a one-person operation, to maybe a few trusted co-founders, to an employer of people you never met before they applied for a job with you (and when you reach the point where an employee leaves your organisation, the right security policies become especially important).