Protecting Your Small Business from Hackers

How to protect your small business from hackers

There have been numerous reports of rising threats to small businesses at the hands of cybercriminals. It’s a growing problem as small businesses struggle to protect themselves, mitigate breaches and, in some cases, remain functional.

What the statistics show

A recent survey found that only 9 percent of business owners admit their business was a cyberattack victim, but when given a list, 50 percent say their business has experienced at least one type of harmful cyber activity. Also troubling is that 64 percent do not have a dedicated employee or vendor in charge of detecting and combating cyberattacks. Clearly, this needs to change.

A report by FireEye and Marsh & McLennan Companies found that, on average, businesses take 146 days to detect a cyberattack. Think of the damage that can be done in that time.

Why small businesses are uniquely vulnerable

Small businesses are vulnerable because they simply don’t have the resources that large corporations do. The big companies can afford the best protections and dedicated staff to ensure that systems and data are safe, but this can prove to be much more challenging for a small business — especially one struggling to keep the doors open.

Cybercriminals understand this and target small businesses as a result. It’s often much easier for them to penetrate a small business’s security or move on and find the next one with its guard down. As security solutions provider TrendMicro notes, “For many SMBs, watching the budget is necessary to keeping the lights on and ensuring the business lives to operate another day. This leaves very little room for other initiatives or unexpected costs. Unfortunately, this lack of funds shows often in the security solutions that SMBs implement. Some organizations have the basics while others don’t have anything at all, relying on their size to avoid the attention of cybercriminals.”

Scot Ganow, co-chairman of the Privacy and Data Security practice group at Taft Stettinius & Hollister LLP, thinks companies simply don’t understand why cybercriminals target small businesses. “They mistakenly think they do not have the data the bad guys would want, are not big enough, or are not located in a big city where such hacks occur,” he says. “A company’s size and location are often irrelevant to why an attack is launched.”

What cybercriminals target within small businesses

A recent survey found that half (50 percent) say their business has experienced at least one type of harmful cyber activity: computer virus (27 percent); phishing (25 percent); Trojan horse (9 percent); ransomware (7 percent); hacking (6 percent); unauthorized access to customer information (6 percent); unauthorized access to business information (6 percent); issues due to unpatched software (6 percent); and data breach (6 percent).

A CloudNexus report indicates that the data at most risk within small businesses include: authentication data, personal health information, credit card information, proprietary data, social security numbers and financial transactions.

How to protect your small business from hackers

Regardless of how insignificant you think your company is to a criminal’s plans, you never know what kind of data they may be seeking from you or what they plan to do with it. But there are steps you can take to prepare against hackers, including:

  • Educating employees on the proper protocol when opening attachments or sending sensitive information
  • Performing background checks on employees to ensure that they do not have a cybercriminal history
  • Backing up data so that any lost information can be recovered
  • Ensuring your computers, servers, and other electronics are secure with the right firewalls and virus protection programs
  • Protecting your business with security solutions and cyber liability insurance

Toronto Wealth management

Cybersecurity tips for business

What is a cybersecurity breach?

It’s an unexpected, unintended, and/or unauthorized interference with an organization’s technology systems or the data the organization maintains. Put more simply:

It’s a risk every business is exposed to by its very existence.

Costly? Yes. And, not surprisingly, many companies know they should prepare but have not:

  • 76% of business owners report that they believe it’s important to establish security practices and policies
  • But only 47% say they have established security practices and policies

Who causes a breach?

When we think of cyber attacks, we usually think of a hacker inserting a virus or malicious code into a computer system or network. But data breaches can be caused both intentionally and unintentionally by various types of users:

  • 52% of all data breaches (for small, medium, and large companies) are due to malicious or criminal attacks
  • 48% of all data breaches are due to system glitches (non-employee errors) and employee errors

What could a breach cost you?

  • It’s possible that a data breach could cost your business as much as $225 for each lost or stolen confidential record
  • Small- and medium-sized businesses ended up spending over $1 million on average in 2017 on damage or theft of IT assets or infrastructure
  • They also spent an additional $1.2 million due to disruption in business operations

That totals over $2 million on a single incident.

Could it happen to you?

Small businesses can be a target for hackers because they tend to be more vulnerable:

  • 61% of small- and medium-sized businesses reported experiencing a cyber attack in the past 12 months, up from 55% in 2016
  • Only 21% of small- and medium-sized businesses rated themselves a 7 or above on a 10-point scale when it came to their IT security effectiveness

What can I do to help protect my company against cyber attacks?

Here are some best practices:

Security and defense systems

Put multiple, overlapping security and defense systems in place (defense in depth), so that no single failure exposes your data. These include firewalls, data encryption and antivirus security software.

Alerts

Subscribe to security advisories for the software, cloud services and platforms you use, so that you hear about new vulnerabilities promptly, and apply the patches; turn on automatic updates wherever the vendor offers them.

Password security

Implement a password policy that requires long, unique passwords for every account, and pair it with multi-factor authentication on email, banking and remote-access logins, since a password on its own is a single point of failure.

Employee education

Educate employees on good security practices, and teach them how to spot phishing emails.

Disaster recovery plan

Develop a formal, well-tested disaster recovery plan. Update it regularly and make sure everyone involved in the plan understands his or her specific responsibilities.

Formal data retention, archive and destruction plan

Implement a formal data retention, archive and destruction plan and be sure to monitor it closely to ensure that it is followed.

Potential benefits of having cyber liability insurance:

  • Cover legal fees and expenses associated with a data breach
  • Pay for a professional information technology review to determine the extent of the personal data compromise
  • Notify customers about the breach
  • Restore control over customers’ personal identity, within the constraints of what is possible and reasonable
  • Pay an outside firm to research, re-create and replace data lost or corrupted

Learn more about how cyber liability insurance can help your business recover from attacks and data breaches.

Will we be more susceptible in the future?

Cyber threats continue to grow as the Internet of Things (IoT) and the number of devices used by businesses continue to increase. Automated equipment, machinery, components, appliances, sensors, control panels and mobile devices increase the vulnerability of a computer system or network in several ways:

  • They often utilize unsecured or poorly secured wireless or cellular networks to transmit data
  • Mobile devices such as a land surveyor’s GPS equipment or an EMT’s mobile monitor are more susceptible to theft, allowing thieves direct, physical access to a network
  • Connected equipment and devices can be hijacked and used to launch distributed denial of service (DDoS) attacks, allowing the attacker to hide behind someone else’s IP address and computer
  • Connected equipment and devices that are widely manufactured and distributed, such as baby monitors, alarm systems and streaming devices, often ship with the same default credentials and settings on every unit, so a weakness found in one applies to all of them


5 Business Fraud Prevention Tips

Every business is susceptible to fraud. That’s largely because there are so many different kinds of fraud.

Cybercriminals adapt their methods almost as quickly as cyber-security firms create new products and services. It’s nearly impossible to protect against every type of attack.

However, there are some measures to take to help safeguard your business against hackers, cybercriminals and identity thieves. Here are five techniques you can incorporate into your business practices.

1. Protect your bank accounts

If you haven’t created separate bank and credit card accounts for your personal life and business, do so now. If hackers get their hands on one account, they won’t have access to the other, and vice versa. Look into the security features your bank offers for online banking to be sure things like automatic logout, multi-factor login and transaction alerts are available.

Create a well-monitored reimbursement policy for employee expenses and stick to it. If you’re going to give credit cards to employees, ensure that the card provider has suitable fraud protections in place, such as automatic alerts if an employee spends over a certain amount.

Handle bills online so there are as few paper bills lying around an office as possible. The more paperwork there is, the more likely that a bill with banking information could fall into the wrong hands.

2. Safeguard your computer systems

Hackers are experts at cracking computer systems. A properly configured firewall can help protect your company data, while antivirus software can help detect an intrusion early on. There are several well-regarded cyber-security vendors. Find the product that best addresses your needs.

Set up strict protocols that require employees to create passwords that are difficult to guess: long, unique to each account and never reused from personal accounts. Many policies still have employees change their passwords every 60–90 days; be aware that current NIST guidance (SP 800-63B) instead recommends requiring a change when compromise is suspected, screening new passwords against lists of known-breached passwords, and enabling multi-factor authentication wherever it is offered. Configure password requirements in your systems so that the policy is enforced rather than merely written down.

Consider backing up your files on a daily or weekly basis, and store the copies offsite. Keep at least one copy offline or otherwise not writable from your network, so that ransomware that reaches the file server cannot also encrypt the backup, and test a restore periodically. If something happens to your system, you’ll be able to restore the files you need without much downtime.

3. Do employee background checks

When expanding your workforce, it’s crucial to find people who are not only qualified but who are also trustworthy. Don’t rely entirely on references and work history. Conduct a thorough background check.

There are companies that can provide this service for you. Most charge between $30–$50 per report. When you narrow down a list of potential hires to one or two people, you can run a check on the finalists before making your final decision. Make sure you obtain proper permission to run the check.

4. Create a secure entry

A secure entry system can keep out unwanted visitors. Some key-card systems provide time-stamped records of an employee’s entries and exits from your offices.

In addition, management can limit access to specific areas to certain people. For instance, you can use a key card system to only let the IT managers inside the server room. Limiting access to sensitive areas keeps you and your business safer.

5. Purchase insurance

While there are many precautions you can take, no measure is foolproof. If a fraudulent attack occurs, having insurance is crucial.

Consider Identity Theft Insurance to mitigate loss should an attack occur. Although it can’t prevent the attack from happening, ID Theft Insurance makes it easier to return to day-to-day life in the event of an attack. Depending on the provisions of your policy, it may report the problem to creditors and reimburse you for the money taken.


Cybersecurity training best practices for employees

A recent online survey of 1,000 business owners with between 1 and 499 employees found that while as many as 76 percent of business owners believe it’s important to establish security practices and policies to protect sensitive information, just 47 percent have actually established them.

Having best practices and policies in place, properly training employees, and holding them accountable can be the difference between running a successful business and courting disaster in the digital age. These ten tips can help keep your business safe.

1. Make following protocol a priority

The number one priority when it comes to employee training should be making sure they understand that they are a part of what keeps business data secure. If they don’t follow protocol and ensure that the devices they use are protected, they could be the weak link in an otherwise secure network, giving viruses or other malicious code a backdoor into the system. Make sure they have the proper security software and tools on their machines and that they understand how it works and any efforts required of them.

Ideally, any software in use will receive automatic updates, but employees should be able to spot if there are any issues and know who to talk to (such as someone in the IT department) in the event that something goes wrong.

2. Have policies in place that keep sensitive data safe

You need to have formal policies written out, and you need to share these documents with all employees. But it’s not enough just to share the documents and expect employees to read them in their entirety and absorb all of their contents. It’s a good idea to have discussions about all aspects during the training process. It may even benefit you to give trainees tests about the content to ensure they really are absorbing it.

3. Teach employees about cyber threats and accountability

Employees must understand the serious nature of cyber threats and proceed accordingly. Make sure they understand how cyberattacks can damage businesses and that they know that if they violate protection policies, they will be held accountable for doing so.

4. Create strong passwords and change them regularly

Everybody knows that strong passwords help to keep accounts safe, but how many people really adhere to this common advice? Go out of your way to ensure trainees know that they must use a strong, unique password for every account and never reuse a work password elsewhere. Some organizations require regular changes or assign passwords centrally; be aware that current NIST guidance (SP 800-63B) instead recommends changing a password when compromise is suspected, screening new passwords against lists of known-breached passwords, and giving employees a password manager so that unique passwords are practical. Whatever the policy, instruct them to keep passwords out of shared documents, sticky notes and chat messages, both online and off, and to turn on multi-factor authentication wherever it is available.
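As an added example (not code from the original page), the following Python shows what a password policy of this kind looks like when it is enforced in software rather than on paper: it screens a candidate password the way the NIST guidance above describes (length, a breached-password list, no username inside it, no forced composition rules) and stores it as a salted scrypt hash with a constant-time check. The 12-character minimum, the tiny breached list and the scrypt parameters are assumptions made here, not values from the page. The same check serves the "Password security" practice and the password protocol in the fraud-prevention tips earlier on this page.

```python
"""Password policy check and hashed storage.

Added example, not code from the original page. Assumptions not in the
original: a 12-character minimum, a small constructed list standing in for a
breached-password corpus, rejection of passwords containing the username, and
salted scrypt hashing for storage.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12

# Constructed sample; a real deployment checks against a large breach corpus
# (for example a Have I Been Pwned export) rather than a handful of entries.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def check_policy(password: str, username: str = "") -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted).

    Follows the NIST SP 800-63B approach: check length and breach lists,
    no forced composition rules and no scheduled rotation.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def _scrypt(password: str, salt: bytes) -> bytes:
    # n=2**14, r=8 costs about 16 MiB of memory per hash: deliberately slow
    # for an attacker who steals the password database.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Store as 'salt$digest' (hex) with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return salt.hex() + "$" + _scrypt(password, salt).hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple"):
        print(repr(pw), check_policy(pw, "alice") or "accepted")
```

Note that the check never asks for an uppercase letter, a digit or a symbol; length and absence from breach lists do far more against guessing than composition rules, and the hash is what protects the stored password if the database leaks.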

5. Enforce policies around payment cards

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

These are good tips to keep in mind, especially when training employees. Once again, be sure they understand that they are accountable if they use company cards and/or devices on which cards are used.

6. Require backup of all important data

Trainees need to understand that the data they create and/or deal with belongs to your company, and that this data needs to be kept safe. That doesn’t only mean that it needs to be protected from attacks, but it needs to be backed up in case of any type of disaster, including something as simple as hardware failure. Make sure they know how to back up data using methods described in your policies.
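Backups are only useful if they restore. As an added example, not code from the original page or from any vendor's product, this Python script archives a folder, writes a SHA-256 manifest beside it, and then proves the archive restores cleanly by extracting it into a scratch directory and comparing every file with the manifest. The tar+gzip format, the manifest layout and the sample files in demo() are assumptions made here. It serves both this tip and the offsite-backup advice in the fraud-prevention tips earlier on this page.

```python
"""Backup with an integrity manifest and a verified test restore.

Added example, not code from the original page. Assumptions not in the
original: files are archived with tar+gzip, a SHA-256 manifest is written
beside the archive, and the archive is restored into a scratch directory and
compared with the manifest before the backup is trusted. demo() builds its
sample files in a temporary directory so everything runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Write dest_dir/backup.tar.gz plus dest_dir/backup.manifest.json."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest.write_text(json.dumps(build_manifest(source), indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list[str]:
    """Restore into a scratch directory; return the files whose digest is
    missing or differs from the manifest (empty list = restores cleanly)."""
    expected = json.loads(manifest.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12, backported to 3.8.17+) refuses
            # path-traversal members; older interpreters extract without it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        actual = build_manifest(Path(scratch))
    return sorted(name for name, digest in expected.items() if actual.get(name) != digest)


def demo() -> tuple[list[str], list[str]]:
    """Constructed run: back up two files and verify, then alter one manifest
    digest to simulate a backup whose contents no longer match the record."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("invoice 1001: 250.00\n")
        (src / "customers.csv").write_text("name,email\nA. Example,a@example.com\n")
        archive, manifest = backup(src, Path(tmp) / "offsite")
        clean = verify_restore(archive, manifest)
        record = json.loads(manifest.read_text())
        record["customers.csv"] = "0" * 64
        manifest.write_text(json.dumps(record))
        return clean, verify_restore(archive, manifest)


if __name__ == "__main__":
    print(demo())
```

To use it on a real share, call backup() with the folder to protect and the destination (for example, backup(Path("/srv/shared"), Path("/mnt/offsite")), example paths only), then verify_restore() on the two paths it returns; a non-empty list means the backup should not be trusted. Keep the manifest with the offsite copy, and keep at least one copy where a machine on the office network cannot overwrite it.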

7. Only allow devices to be used by authorized individuals

Any computers, tablets, mobile phones or other electronic devices should only be used by employees who are authorized to use those specific devices. During the training process, stress the importance of obtaining authorization to use any device. Make sure trainees know that they should not use any device without authorization and that they should not let anyone else use their devices without authorization.

8. Create web content securely

Attackers routinely probe websites for exploitable flaws, such as visitor input that reaches a database query or a page without validation or escaping, so anyone who creates or updates web pages should know how to do so securely and how to avoid leaving cybercriminals a way in. Of course, only those authorized to do so should be updating company websites. This is even more important on any pages that connect to sensitive information.
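To make "creating web content securely" concrete, here is an added example (not code from the page or from any product it mentions) of the two flaws attackers most often find in hand-written web code, each shown beside its fix: a database lookup that splices the visitor's input into the SQL text, and a page that writes visitor-supplied text straight into HTML. The SQLite table, the handler names and the attacker inputs are all constructed here.

```python
"""Two common web flaws side by side: string-built SQL and unescaped HTML.

Added example, not code from the original page. Assumptions not in the
original: a SQLite customer table created in memory, a hypothetical
lookup-by-email handler and a greeting page, with attacker input constructed
here to show the effect of each flaw and of its fix.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table of three customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("ann@example.com", "1234"), ("bob@example.com", "5678"), ("cy@example.com", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # VULNERABLE: the request parameter becomes part of the SQL text, so a
    # quote in the input changes the query's logic.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # HARDENED: the value is bound as a parameter; the driver never treats it
    # as SQL, so the same input simply matches no row.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def greeting_vulnerable(name: str) -> str:
    # VULNERABLE: user-controlled text is written into the page as markup.
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    # HARDENED: escape on output so the browser shows the text, not a script.
    return f"<p>Hello {html.escape(name)}</p>"


# Constructed attacker inputs.
SQLI_INPUT = "' OR '1'='1"
XSS_INPUT = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows:", len(lookup_vulnerable(db, SQLI_INPUT)))  # every customer
    print("safe rows:", len(lookup_safe(db, SQLI_INPUT)))              # none
    print(greeting_vulnerable(XSS_INPUT))
    print(greeting_safe(XSS_INPUT))
```

The vulnerable lookup returns every customer's card digits for the input `' OR '1'='1`, because the closing quote ends the intended comparison and the rest becomes live SQL; the parameterized version returns nothing for the same input. The same principle applies to HTML: data is escaped at the point where it is written into the page, not trusted because it "came from a form".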

9. Prohibit unauthorized software

It should go without saying that unauthorized software should not be allowed on corporate devices, but you may need to make a point to discuss this during the training process, because even if there is no ill intent, employees may not think twice about adding software to their machine. They must be made aware that this is unacceptable.

10. Train on proper email use

Last, but far from least, you should discuss email use. As you know, email is a common avenue for criminals to take. Educate trainees on spam and phishing, and help them understand how to identify illegitimate emails: a sender or reply-to address that does not match the name shown, links whose visible text differs from where they actually point, unexpected attachments, and urgent demands to act or pay. Any unexpected request to move money or change bank details should be confirmed by phone using a number already on file, never one supplied in the message.
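As an added example (not code from the original page), the Python below checks a raw email for the signs employees are taught to look for, both in this tip and under "Employee education" in the cybersecurity tips earlier on this page: a Reply-To address on a different domain than the From address, an attachment with an executable extension, a link whose visible text names one domain while its href points to another, and urgency wording. The indicator list, the domain heuristic and the two sample messages (with invented .example domains) are assumptions made for the example; a mail gateway would use far richer rules, but the logic is the same one a trained reader applies by eye.

```python
"""Phishing indicator check over a raw email message. Added example; the
indicator list, the domain heuristic and the sample messages are assumptions
made here, not content from the original page."""
import os
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DANGEROUS_EXT = {".exe", ".js", ".scr", ".vbs", ".bat", ".hta", ".lnk"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def address_domain(header: str) -> str:
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()

def registered_domain(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])  # crude: last two labels

def host_in_text(text: str) -> str:
    """Hostname if the visible link text itself looks like a URL or a domain."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def phishing_indicators(raw: str) -> list[str]:
    """Return 'code:detail' strings, in a fixed order, for each indicator found."""
    msg = message_from_string(raw)
    findings = []
    from_domain = address_domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != from_domain:
        findings.append(f"reply-to-mismatch:{address_domain(reply_to)}")
    html_body = ""
    for part in msg.walk():  # the root message plus every MIME part
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in DANGEROUS_EXT:
                findings.append(f"executable-attachment:{filename}")
            continue
        if part.get_content_type() == "text/html":
            html_body += (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, visible in collector.links:
        shown, actual = host_in_text(visible), urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(actual):
            findings.append(f"link-mismatch:{shown}->{actual}")
    if URGENCY.search(msg.get("Subject", "") + "\n" + html_body):
        findings.append("urgency-language")
    return findings

# Constructed messages with invented .example domains; not real mail.
PHISHING_EMAIL = """\
From: "Acme Bank Support" <support@acme-bank.example>
Reply-To: billing@acme-bank-secure-login.example
Subject: Urgent: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Please visit <a href="http://acme-bank.example.attacker.example/login">https://acme-bank.example/login</a> now.</p>
--B1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

not-a-real-executable
--B1--
"""

BENIGN_EMAIL = """\
From: "Ann Example" <ann@acme-bank.example>
Subject: Your May statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is at <a href="https://acme-bank.example/statements">https://acme-bank.example/statements</a>.</p>
"""
```

Running phishing_indicators(PHISHING_EMAIL) reports all four indicators; the benign statement notice reports none. The link check is the one most worth showing employees: the visible text is a perfectly good bank URL, and only the real destination, which a mail client reveals on hover, gives the message away.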