The novel coronavirus has changed everything in 2020 and beyond for executives of small and medium-sized businesses. Previously unexpected challenges are coming into focus, and with these challenges comes another increasing concern for governments, municipalities and business at large: ransomware.
This past October, an SMB called the Heritage Company was hit by a ransomware attack. It was told to pay if it wanted to get its systems back online.
After weighing its options, the Arkansas-based telemarketing firm paid the ransom. But that wasn’t the end of its nightmare. Its system had been trashed, and two months later it still hadn’t succeeded in its data recovery efforts.
The Heritage Company restructured to staunch the bleeding while struggling to repair the damage, but it had to shut its doors. The company had suffered a particularly damaging form of cybercrime. Paying the ransom seemed like their best option. It just wasn’t good enough.
Other SMBs hit with cyberattacks have simply shut down. How often do attacks like this occur? How concerned should you be, given all the things to worry about, that your SMB’s defenses are inadequate and that this could happen to your company?
According to a recent study conducted by Zogby Analytics, 28% of SMBs surveyed experienced data breaches last year. Not just cyberattacks — those, unfortunately, are routine. These were successful attacks that broke through the companies’ defenses, and as a result, most of the companies were taken offline for a time. But more than one-third of them suffered financial losses from the attacks, and a significant percentage of them had to declare bankruptcy or close their doors permanently.
Cybercrime is having a serious impact on SMBs.
It’s not that SMBs are not taking steps to protect themselves. According to the Zogby Analytics study, 88% of small business decision-makers report that they consider themselves targets for cybercriminals. They are not unaware of the risks. And most SMBs today make cybersecurity a priority. That, in itself, is good news. Yet despite this vigilance, many SMBs are likely to experience serious data breaches this year.
How To Develop A Layered Approach
Your approach to cybersecurity should be layered. In my experience, here are the most important considerations for an SMB cybersecurity plan:
• You cannot assume you are immune.
You need to be prepared for different degrees of damage. You might experience a brief outage in service that you can manage quickly. You might suffer some real financial pain, but be able to deal with it. Or you might be threatened with going out of business. You need to be prepared for each level of impact and have a plan to minimize its effect on your business.
The size of your business and the degree to which you are exposed to risk will have a lot to do with the resources you can and need to bring to cybersecurity, of course.
You might have an in-house cybersecurity team, or you might outsource part of your cybersecurity. But hopefully you have a formal cybersecurity plan that you update regularly. There are publicly available frameworks to help you develop your cybersecurity plan, like the NIST Cybersecurity Framework, the Center for Internet Security (CIS) Controls, or the Payment Card Industry Data Security Standard (PCI DSS).
Your plan should cover tools and practices to minimize the risk of a data breach. Redundant security is part of that. A layered security defense will ensure that if one security measure is bypassed, another will at least slow the attack, buying time to counter it. It turns the intruder’s attempt at a smash-and-grab into a gauntlet to be run.
• Develop a security culture.
Your plan should also support a security culture. Having the best locks won’t help you if someone forgets to lock them. Unless you create and maintain a culture of security in your business, your employees are likely to be your weakest security link.
Some policies will help, such as requiring employees to use a password manager, lengthy and unique passwords for every account, or two-factor authentication, or requiring them to perform updates promptly or run antivirus software. But you also need your employees to be proactive, for example, in reporting suspicious emails. You need a security training program that goes beyond training new employees, but also keeps current employees up to date on threats and best practices.
Endpoint security is a particular concern. Every device that connects to your network — be it a laptop, phone, tablet, wearable or some device not yet invented — is an endpoint over which an attack can come. At the very least, an endpoint protection plan must include antivirus protection, investigation, and response to both traditional and modern threats.
• Plan the recovery.
Remember that despite your best efforts at prevention and at creating a culture of security, you may experience a data breach. Here is where you need recovery strategies.
Your cybersecurity program needs to include a post-breach response plan. At a minimum, this should include immediate actions and initiation of manual or backup procedures to continue operating your business. You'll also need a plan for limiting the impact.
Final Thoughts
The ideal is not to suffer a cyberattack at all. But by implementing a layered strategy that incorporates security training, prevention, detection and mitigation controls, SMBs might just avoid the personal and financial distress no one should suffer.
You aren't immune to data breaches, but you can be prepared for them when they happen.
