A few months ago, Rokenbok Education, a Solana Beach, Calif., maker of educational toys, was facing perhaps the quintessential nightmare of the 21st century. Cyber criminals had encrypted the company’s computer files, rendering them useless.
The hackers were deploying ransomware. If Rokenbok wanted the data unlocked, it would have to pay a ransom. As the New York Times reported, the company ultimately managed to find a creative way out, sidestepping the ransom by laboriously reconstructing its key systems.
This was, in fact, the company’s second cybersecurity battle, and it underscores a fact that doesn’t get much attention: Small and mid-sized businesses are being breached more than big businesses, notwithstanding the apparent lack of motive and certainly a lack of widespread attention.
Studies and surveys show that 60 percent of cyber attacks on business target small and medium-sized businesses. About 40 percent of small businesses have been victims, at a cost averaging $9,000 to $36,000, depending on which survey you believe. These estimates don’t include reputation damage.
Many small businesses believe that cyber criminals are interested only in data from big companies, which obviously isn’t true. What they don’t take into account is that they hold more digital assets than individuals (who are also commonly attacked) and sometimes have weaker protection than larger companies.
All too often, small businesses don’t update antivirus software, update firewalls or strengthen passwords. They could also put data in the cloud, rather than on company servers, but they usually don’t bother.
Cyber theft typically involves employee and customer data, bank account information, and access to the business’s finances. Small businesses also often provide access to supply chain networks.
Small and medium-sized businesses are most typically breached through malicious software delivered via email. People click on links in malicious emails all the time. Chief financial officers and accounts payable employees are often sent well-worded emails forged to look as though they were sent by the company’s owner, ostensibly approving wire payments to fraudulent bank accounts.
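The forged "owner approves a wire" email described above can be caught by a few header checks before it reaches accounts payable. The following Python is an added illustration, not code from the article or from any company it mentions: the company domain (example-toys.com), the executive directory, the lookalike domain and both sample messages are constructed, and the finding labels are hypothetical. It flags a message when the display name belongs to a known executive but the address does not, when Reply-To points somewhere other than the apparent sender, when a sender or reply-to domain is a near-miss of the company's own domain, and only then escalates on payment wording.

```python
"""Flag inbound mail that impersonates an executive to request a payment.

Added illustration (not from the article). The company domain, the
executive directory and both messages below are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the business's own domain and the people attackers impersonate
# (normalised display name -> the executive's real mailbox).
COMPANY_DOMAIN = "example-toys.com"
EXECUTIVES = {"pat owner": "pat@example-toys.com"}

# Words that typically appear in a fraudulent payment request.
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank account", "invoice")


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Pat  Owner' matches 'pat owner'."""
    return " ".join(name.lower().split())


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased ('' if none)."""
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is within two edits of ours."""
    return bool(domain) and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2


def assess(raw_message: str) -> list:
    """Return the findings for one RFC 822 message (an empty list means nothing suspicious)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. Display name of a known executive, but not that executive's real mailbox.
    expected = EXECUTIVES.get(normalise(from_name))
    if expected and from_addr.lower() != expected:
        findings.append("display name impersonates executive")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 3. Sender or reply-to domain is a near-miss of the company's own domain.
    for d in (from_domain, reply_domain):
        if is_lookalike(d):
            findings.append(f"lookalike domain: {d}")

    # 4. Escalate payment wording only when the sender already looks wrong,
    #    so routine internal payment mail is not flagged.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if findings and any(w in body.lower() for w in PAYMENT_WORDS):
        findings.append("payment request from flagged sender")
    return findings


# Constructed sample messages: one forged request, one genuine one.
SUSPICIOUS_MESSAGE = "\n".join([
    "From: Pat Owner <pat.owner@freemail-example.test>",
    "Reply-To: Pat Owner <pat@examp1e-toys.com>",
    "To: cfo@example-toys.com",
    "Subject: Urgent - supplier payment",
    "",
    "Please wire $18,500 to the new supplier account today. I am in meetings.",
])

LEGITIMATE_MESSAGE = "\n".join([
    "From: Pat Owner <pat@example-toys.com>",
    "To: cfo@example-toys.com",
    "Subject: Supplier payment",
    "",
    "Please process the wire for the approved invoice when you get a chance.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, assess(raw) or "no findings")
```

Run as a script it prints four findings for the forged message and none for the genuine one. The point of step 4 is that payment words alone are a poor signal in an accounts payable mailbox; they become useful only once the sender identity checks have already failed, which is why the example gates on earlier findings rather than on keywords first.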
Among those increasingly concerned about the trend is the U.S. Small Business Administration, which says America’s 28 million small businesses create about two out of every three new jobs in the U.S. each year. Like all businesses, the SBA says, small businesses are increasingly reliant on information technology to store, process and communicate information. Protecting this information better is critical, the SBA says.
What should small businesses do? For starters, they should seriously consider hiring a cybersecurity specialist. A specialist can recommend applications for encryption, scanning, malware protection and safe browsing. They can also show a small business which digital information systems require enhanced protection, create and manage backup databases, and block the installation of external applications that make a small business vulnerable.
With or without a cybersecurity consultant, all small and mid-sized businesses must proactively adopt measures to mitigate cybersecurity threats. Here are eight tips from the Small Business Administration about what to do:
- Protect against viruses, spyware, and other malicious code: Make sure each of your business’s computers is equipped with antivirus software and antispyware, and that both are updated regularly. All software vendors automatically provide patches and updates to correct security problems and improve functionality.
- Secure your networks: Safeguard your internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
- Establish security practices and policies to protect sensitive information: Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies.
- Educate employees about cyber threats and hold them accountable: Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Employees should be educated about how to post online in a way that does not reveal any trade secrets. Hold employees accountable.
- Require employees to use strong passwords and to change them often: Consider implementing multifactor authentication, which requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
- Make backup copies of important business data and information: Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
- Control physical access to computers and network components: Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
- Create a mobile device action plan: Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Set reporting procedures for lost or stolen equipment.
Small businesses should act today—not tomorrow—to improve their cybersecurity. A security breach can expose a small business to great legal liability. And a single attack, such as one that compromises a customer’s financial information, can freeze operations or even put an organization out of business. It makes no sense for any business to take such avoidable risks.
Robert Ackerman Jr. is founder and managing director of Allegis Capital, a Palo Alto, CA-based early stage venture capital firm specializing in cybersecurity.