Cybersecurity should be top of mind for small businesses. One well-engineered attack can ruin an entire small business, lock owners out of their income stream, and cause them to be fined by the FTC
A cyberattack comes with physical losses, fiscal losses, and the loss of customer and employee trust. With such high risks to their livelihoods, small business owners must take cybersecurity seriously, whether their company is a start-up or further along its growth journey.
Did you know that your small business could be fined for a cybersecurity violation? Did you know that you must have a reasonable cybersecurity posture and policies? Did you know that you must protect not only your customers but also your employees? Many small business owners do not.
“I have a lot of friends that have small businesses. None of them were concerned about cybersecurity, and none knew what to do about cybersecurity,” explains Rustin Scott, Director of Information Security and DevOps, Markaaz. “If you do not have proper cybersecurity protections for your business, employees, and customers, you could face a hefty bill if a cybersecurity breach happens. The FTC has full regulatory oversight permissions to fine any business that does not have adequate cybersecurity protections.”
What is a social engineering attack?
Social engineering attacks are some of the most expensive and damaging problems, even in small businesses. A social engineering attack is a cyberattack by someone from the outside or even within the organization with malicious intent to steal data or money from you. The attack can happen through phishing emails, text messages, and even phone calls.
“They’ll have an excellent story, or they’ll call you. Or they’ll be impersonating your organization’s IT-managed support services and say, ‘Give me your password or login here to this site,’ Or, ‘I’m going to send you a link to our secure platform, and you’ll need to go ahead and reset your password from there’,” explains Scott.
They will send a link or get private information directly from your employee, leaving your business exposed and in danger.
These types of cyberattacks are the most successful and the most damaging of any hack. The days of your company getting breached from the outside are getting less and less because it’s easier to make the social engineering attacks work.
However, it is easy to protect your small business from some of these cybersecurity attacks. There is a lot that a small business can do to boost its cybersecurity that doesn’t necessarily involve malware detection or ransomware.
How can a small business start its security journey cost-efficient but effective manner?
A small business’s insurance is a driver of how you approach cybersecurity for your business. So the first thing a small business owner should do is look into the cybersecurity requirements for their insurance policies.
Once you are clear on the insurance requirements, you should start looking for free online tools to help a company assess the types of tools they might need to implement.
“There’s a lot of free tools available. For example, at Markaaz, we partner with security organizations that can produce an inexpensive and comprehensive analysis for your security posture based on a brief questionnaire, and that’s a great place to start,” notes Scott. “It’s where even the larger organizations and corporations with hundreds of employees start. They get a comprehensive high-level, top-down view of their security posture. From there, you can drill in and get a more specific view of an area that might draw attention.”
Once that is done, Scott recommends hiring a cybersecurity professional to analyze what your company needs to implement. These measures will often be based on your company’s IT requirements. Hiring outside IT help can maximize your company’s cybersecurity without massive spending.
“As a small business owner, you can’t just bury your head in the sand and keep your fingers crossed that you’re not going to have an issue with the availability, confidentiality, or integrity of your data. It is incumbent upon the business owner and the business to be able to provide that for the customers and their employees,” says Scott.
Get into the cloud
A simple way to ensure your company is protected is to get your applications and data into the cloud. Get your company off locally installed applications and use cloud applications instead. This way, they are far more secure, and if your data is hacked on an endpoint, your applications and data are still secured in the cloud.
“Put your business applications and information on a cloud solution where it’s written into the policies that the cloud company will take care of your backups and recovery. But don’t just assume that it’s going to be there for you, don’t make that mistake. You need to know whom you call if everything goes down, whom you contact, and what you do to make support cases. Don’t be afraid of it. Ask questions and jump in with both feet. So, if you need urgent assistance, there are no questions,” Scott states. “For example, AWS guarantees the security of the cloud, but we have to guarantee and secure our data in the cloud. There are some fine lines that you would probably want to reach out to either legal counsel or IT experts on some of this to get real customized solutions. However, for the most part, getting stuff off your local drives and local resources and onto comprehensive cloud technology is good. It’s cheap, and the security is built into it.”
With cloud applications, you can ensure the security of your data, your client’s data, and your backups at a far cheaper rate than storing it locally with hard copy backups.
Security training
One spoofed URL, bad email, or phone call from a bad actor pretending to be a company employee asking for a bank transfer could destroy your company. Billions of dollars are lost every year in these kinds of attacks. Cybersecurity training is a must-have for small businesses, and you must find a training solution that can train employees using simulated phishing attacks.
“The bad guys are out there, and they’re international, but you’d never know it because they’re spoofing their IP address for it to look like the United States, or they’ve got what looks like a legitimate .com. You can register for a .com address, and it looks almost exactly like, for example, your domain or maybe a service provider domain for just $10. Just a $10 investment for a hacker for a $40,000 payoff? That’s a pretty good, easy win for them,” explains Scott.
There are many ideal cybersecurity training platforms available.
Small business cybersecurity is not scary
Cybersecurity doesn’t have to be a scary thing. Measuring a security posture does not have to be a black box anymore.
“Much of your cybersecurity can be measured. If an organization is curious about it, it’s only time and effort to fully understand your security posture or get a security assessment that can be comprehensive. It can be an external and internal security audit, and they can test many different aspects of your organization,” explains Scott.
A lot of highly competent and potent information can be attained from a full security audit that it’s actionable. A company should also conduct vulnerability scans every quarter so that there’s factual information that the company can promptly address.
“I would encourage anyone, don’t be afraid. Jump in there. It does not have to cost an arm and a leg to get cyber secure. For example, with insurance and cloud services, it makes a lot of fiscal sense for small businesses, and I think people sleep better because of it – especially if you’re a small business,” explains Scott. “Don’t be scared of cybersecurity. It’s not the monster in the corner anymore.”
Join the Markaaz newsletter here and access the latest small business news, tips, and education to help you grow your business.
Rustin Scott
Director of Information Security and DevOps, Markaaz
Technology enthusiast with 20+ years’ experience in infrastructure architecture, Cloud, DevOps, and security. Results driven leadership and passion for people centered solutions are the primary focused initiatives for working towards a brighter future, together.
