5 SMALL BUSINESS CYBERSECURITY MYTHS: EVOLVE OR DIE
Written by Jacob Owens
Small businesses, including private organizations, are the backbone of most economies. According to data from the IDC analytics agency, there are estimated to be approximately 80 million companies with up to 10 employees and a couple more million with 10-20 employees worldwide.
In most cases, these companies are not too concerned about hiring information technology specialists for objective and subjective reasons. According to B2B International survey results, only 35% of small businesses have an IT specialist on their team, and 20% hire freelance system administrators. Other 20% rely on their personnel’s expertise, a risky approach.
Small businesses faced many challenges in 2020 and 2021: lockdown, financial losses, layoffs, mass teleworking, threats of recession, and a significant spike in cybercrime.
Cybercriminal hacking groups now have access to more sophisticated malware. Terabytes of data collected from open and private sources and social media allow hackers to identify users, their medical records, credit card numbers, and bank details. Large companies are not the only victims of data breaches, with over one-third of the attacks directed at small businesses. Ironically, many of these attacks could have been prevented.
Business automation with modern security tools and mechanisms such as cloud technology and DevSecOps practices allow small organizations to improve cybersecurity without breaking the bank. Specialist advisor and DevOps Kanstantsin Zalialetdzinau shared 5 myths about cybersecurity in small businesses based on his own works and scientific projects. Debunking these myths will help small business leaders improve their security planning.
Myth #1: Cybercriminals Only Target Large Businesses
There is a common misconception that small companies are not the desired target for cybercriminals. This could not be further from the truth since, nowadays, cyberattacks are mostly automated.
Network scanners and botnets used to identify all possible network vulnerabilities sweep up all unprotected businesses, regardless of their size. Any company can be targeted, regardless of size. In most cases, small enterprises are the easiest target since they don’t keep up with cybersecurity best practices and oftentimes don’t have qualified technicians maintaining security, which increases their probability of being attacked. Small and midsize businesses also fall victim to targeted attacks since cybercriminals are aware of their poor cyber protection.
Myth #2: Small And Large Businesses Face Different Threats
According to 2021 statistics, the most daunting threat for a business of any size is ransomware, which can compromise any company, no matter its size. In most cases, both large and small companies were completely paralyzed for up to several days after a ransomware attack.
However, there are certainly some differences. Large companies have better protection against phishing, which poses a real threat to small businesses. However, large companies are more heavily targeted by DDoS attacks, which, on the contrary, don’t affect small businesses as much. Leaks of confidential data and a standstill in operations almost inevitably lead to reputational damage.
Myth #3: It’s Enough To Protect Company Devices
The practice of employees using their own devices (smartphones, tablets, or laptops) in working environments might pose a threat to your company’s security. Moreover, statistics show that two out of three employees access company networks and applications through their personal devices, even if it goes against company regulations.
Employers have two options in this case: either take all preventative security measures or totally ban the BYOD (Bring Your Own Device) practice and ensure compliance with regulations. For most companies, it makes sense to adopt the BYOD practice and make use of its benefits while ensuring cybersecurity measures to mitigate the risks. Network security policy must cover all devices with Internet access.
Myth #4: Taking Cybersecurity Measures Is A One-Off Objective
Despite what some people think, cybersecurity can’t be achieved once and for all. It’s not a one-off objective and instead entails constant, holistic work beyond upgrading equipment or purchasing an advanced antivirus license. Cybercriminals use multiple methods and constantly evolve their techniques.
No single antivirus program can protect a business from all threats, and strong passwords might only be a small fraction of the overall security measures of a company. Businesses must correctly develop a cybersecurity system, with the first step being a security risk assessment. In addition, measures against cybercrime must include regular discussions with staff members or training meetings.
Myth #5: Cybersecurity Is Expensive
The misconception about the cost of cybersecurity tools and measures being too high is by far the most dangerous one. On average, ransomware attacks cost companies $210,000. Recovery of encrypted data has proven to rarely be successful. Even paying the ransom does not guarantee that the attacker will communicate the correct decryption key or not carry out another attack.
Despite forced standstills in operation, which paralyzed one-third of the attacked companies for up to eight hours or more last year, and the damage of compromising the data of clients and partners, some small business leaders still rely on luck, neglecting basic cybersecurity measures. Investing in company security is far less expensive than paying a ransom for stolen data or recovering information after a cyberattack. A well-organized cyberattack might have devastating consequences for small businesses.
Evolve or Die
When working with small businesses, Kanstantsin Zalialetdzinau, a renowned expert in business information security, suggests applying the following principles:
– Increase the basic security level of all devices. For example, use antivirus software and regularly update the systems of small companies.
– Enable multi-factor authentication for cloud services for all company employees.
– Organize regular staff training on basic security measures. Implemented and documented information access policy will additionally motivate employees.
– Establish a basic backup and recovery plan. Subsequently, this will allow you to choose an IT insurance contract with the best terms and keep monthly insurance costs down.
– Ensure backup of important business data. It is the most crucial component of any cyber attack recovery plan. Backups must be as frequent and automated as possible.
– Regularly perform IT audits according to an established schedule. This will allow you to identify issues in the early stages and make the right decisions.
By following these simple recommendations, small businesses can significantly increase their cybersecurity.