The most common mistake small businesses make when it comes to cyber security is believing they’re too small to be a target. In fact, cyber security experts say small businesses may be at greater risk than larger firms precisely because hackers count on them to have lax security.
Most digital criminals use a scattershot approach that exploits vulnerabilities anywhere they can be found. Malware is designed to operate in the background, stealing passwords and other data. Ransomware is even more aggressive: hackers cut off access to your own data and demand money to get it back.
So, how can you protect your company and your customers’ sensitive data? Here are the top five cyber security mistakes small businesses make and what the pros say you should correct now:
1. Not updating software
The first line of defense for any business network is a good firewall and current antivirus and anti-malware software, says Steve Weisman, an attorney who writes about cyber security for USA Today and on his own blog. But a surprising number of companies don’t update their security software or hardware, which exposes them to hackers. Weisman also recommends that sensitive records be kept on a computer that is not connected to the company network or Internet. “If somebody does fall prey to malware, then they’ve segregated what the hacker is going to get,” he says.
2. Not training your staff
Email is the Achilles’ heel of cyber security, according to small business security consultant Jim Stickley. “When you look at every major security breach in the last two years, almost every one of them started with email,” Stickley says. One service of his firm, Stickley on Security, is to educate a company’s employees on security practices. They learn how to inspect every email to ensure it’s really from a trusted sender and to detect phishing attacks. Phishing emails are designed to look like they’re from a trusted party, but they contain attachments or links designed to steal passwords or unleash malware. Stickley even writes his own malware at his clients’ request to test the security of their network—and their employees’ training.
A stolen laptop or smartphone can expose internal emails, account numbers, customer data and more. But many company devices aren’t even password-protected, says Frank Bradshaw, president and CEO of Ho’ike Technologies, which provides outsourced security services to small businesses. Bradshaw says every company should use mobile device management, which encrypts all data and can track a lost or stolen device. He also recommends that firms limit the kind of data employees can access remotely.
4. Overlooking internal threats
As soon as an employee leaves the firm, his or her email account and logins should be deleted, Bradshaw says. His firm uses a cloud-based program to instantly revoke access on all devices connected to that person. And while it’s difficult to imagine, current employees’ activity should also be monitored if there’s reason to believe that sensitive customer information or documents are being accessed without sufficient reason. At a law office where Ho’ike provides data loss and leakage prevention, Bradshaw says, their software detected that one attorney downloaded dozens of files in just two minutes. When confronted, he admitted he was leaving the firm and attempting to take client files.
5. DIY security
If your business can’t afford a dedicated IT person, consider outsourcing the work of setting up and monitoring your security infrastructure. Bradshaw says it’s an insurance policy you can’t live without. And Weisman says there are many affordable options today for small business owners. “It’s doable at a good price, particularly when compared to the price of failure,” he says.
Bank of America, N.A. engages with Touchpoint Media Inc. to provide informational materials for your discussion or review purposes only. Touchpoint Media Inc. is a registered trademark, used pursuant to license. The third parties within articles are used under license from Touchpoint Media Inc. Consult your financial, legal and accounting advisors, as neither Bank of America, its affiliates, nor their employees provide legal, accounting and tax advice.
©2015 Bank of America Corporation