As a small business, you may be under the impression that you are at low risk for data breaches, cybersecurity incidents, and privacy complaints.
However, the truth is that small businesses often collect a fair amount of personal data such as names, emails, phone numbers, IP addresses, and even payment details from their customers.
You should know that 46% of all cyber breaches impact businesses with fewer than 1,000 employees and that employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
In addition, cybersecurity incidents can be costly: the reported cost of a single incident ranges from $826 to $653,587.
In this article, we will discuss the types of cybersecurity risks that small businesses face and will analyze the New York Attorney General's guidance for small businesses on how to protect their customers' personal information, so that you can implement low-cost cybersecurity measures to protect both you and your customers.
Types of Cybersecurity Risks
While many imagine cybersecurity risks as a lone hacker sitting in an airport yelling, “I’m in”, the truth is that there are many different types of cybersecurity risks that small businesses face:
- Malware: malicious software such as trojans, ransomware, worms, and spyware. It is commonly delivered by tricking a user into taking an action, such as clicking a link or opening an attachment. Once installed, it can monitor user activity, send data to the attacker, or spread to other systems on the network;
- Social engineering attacks: these attacks manipulate users into performing actions that benefit an attacker or into disclosing confidential information. Social engineering attacks include phishing, malvertising, vishing, whaling, and diversion theft;
- Software supply chain attacks: these attacks exploit a weak link in a trusted software supply or update chain. Examples include compromise of devices or accounts managed by third-party vendors, malicious code inserted into hardware or firmware, and malware pre-installed on devices such as cameras;
- Advanced persistent threats: an attacker gains unauthorized access to a network and maintains that access, undetected, for an extended period of time. Warning signs of an advanced persistent threat include unexpected new account creation, abnormal activity in legitimate user accounts, and unusual database activity;
- Distributed denial of service (DDoS): these attacks flood a system with traffic or requests until its resources are exhausted and it stops serving legitimate users. They are typically launched from botnets of compromised machines; amplification techniques such as smurf attacks are one example;
- Password attacks: an attacker obtains a password through social engineering, guessing (including automated brute-force attempts), or theft of your password database;
- Cyber threat actors: the people behind these attacks include state-sponsored groups, criminal hackers, hacktivists, and malicious insiders.
Finally, it is essential to note that even though most cybersecurity risks come from outside actors, insiders can also inadvertently cause a cyber incident, for example by accidentally sending a spreadsheet of client personal information to the wrong email address.
Small Business Cybersecurity Risks
As stated above, small businesses are not exempt from the risks above. In addition, not implementing basic cybersecurity measures can be costly.
The following is a list of low-cost cybersecurity measures that small businesses can quickly implement to reduce their risk:
- Use a secure method of authentication – set up multi-factor authentication on your accounts. Multi-factor authentication increases security because it requires two or more independent factors before a user can log in: something you know, such as a password, and something you have, such as your phone or a hardware security key. For example, with multi-factor authentication enabled, you would have to enter your password and then a one-time code from an authenticator app or a text message; a stolen password alone is no longer enough;
- Require lengthy and secure passwords – use passwords that are at least 12 characters long (longer passwords are much harder to crack), avoid common passwords (such as 12345 or Password1), and avoid context-specific passwords such as your name, your company name or your date of birth. Use a different password for every account, so that a password stolen from one service cannot be reused against another;
- Secure passwords against attack – do not store passwords in plain text documents or on notes at your desk. Instead, use a password manager such as LastPass, which keeps your passwords in an encrypted vault that is unlocked by a single strong master password. If customers log in to a service you run, never store their passwords in plain text either: store only a salted hash produced by a password-hashing function, so that a stolen database cannot simply be read back as passwords;
- Encrypt sensitive customer information – do not store sensitive customer information in plain text documents or spreadsheets. Instead, encrypt the data (for example, with full-disk encryption on laptops and encrypted storage for backups) so that it cannot be read by an attacker even if the files are stolen, and keep the encryption keys separate from the data they protect;
- Conduct vendor due diligence – if you use any third-party service for storing customer data (e.g. your WordPress website stores customer information, or the information is stored in an email service), conduct vendor due diligence to confirm that the vendor has reasonable security measures in place to protect that information, for example by asking for its security documentation or independent audit reports;
- Know where you keep consumer information – create an inventory that lists where you store customer information (e.g., in the cloud, in your emails, or in Excel spreadsheets). Knowing where you keep your data lets you apply appropriate protection to each location, so that no data is left unprotected;
- Guard against data leakage – if you collect credit card information, never display or print the full card number; show only the last four digits. Ensure that all information is transmitted only over encrypted connections (such as HTTPS), never over unencrypted networks;
- Protect customer accounts impacted in data security incidents – if an attacker has compromised a customer's account, take action to secure the account and protect the customer from further harm. This includes resetting the account password, ending any active sessions, and alerting the customer that the account is at risk;
- Delete or disable unnecessary accounts and data – the more data you keep, the greater your exposure to a cyber incident and the more costly an incident will be. If a customer is no longer using your services, delete their data and their account so that it cannot be compromised in the future;
- Guard against automated attacks – automated attacks, such as credential stuffing, involve repeated, scripted login attempts using username and password pairs stolen from other services, relying on customers who reuse passwords. You can limit these attacks by using bot detection such as reCAPTCHA, rate-limiting failed login attempts, offering multi-factor or passwordless authentication, and monitoring login activity for bursts of failures from a single source;
- Provide clear and accurate notice to consumers – if you suffer a cyber incident, promptly give affected customers clear and accurate notice, including what information was exposed and how they can protect themselves (for example, by changing passwords and watching for phishing). Many states, including New York, have breach notification laws that set requirements for when and how this notice must be given.
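The "Guard against automated attacks" item recommends monitoring login activity, and the "Protect customer accounts" item says compromised accounts should be reset. As an added example (written for this article, not code from the New York Attorney General's guidance), the script below runs a simple credential-stuffing check over a constructed login log: it flags a source IP that produces many failed logins against many different usernames within a short window, which is the signature of stolen username/password lists being replayed, and then lists the accounts that logged in successfully from that source so they can be reset first. The log format, the sample lines, and the thresholds are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from a real system). Assumed format:
# ISO timestamp, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave FAIL
2024-03-01T10:00:03 203.0.113.7 erin FAIL
2024-03-01T10:00:04 203.0.113.7 frank FAIL
2024-03-01T10:00:04 203.0.113.7 grace OK
2024-03-01T10:00:05 203.0.113.7 heidi FAIL
2024-03-01T10:01:10 198.51.100.4 alice FAIL
2024-03-01T10:01:25 198.51.100.4 alice FAIL
2024-03-01T10:01:40 198.51.100.4 alice OK
2024-03-01T10:02:00 192.0.2.9 bob OK
"""

# Thresholds are assumptions; tune them to your own normal traffic.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 5
MAX_USERS_PER_IP = 5


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_credential_stuffing(events, window=WINDOW,
                             max_fails=MAX_FAILS_PER_IP, max_users=MAX_USERS_PER_IP):
    """Return {ip: reason} for source IPs whose logins look like credential stuffing.

    For each IP we slide a window over its events and look for BOTH many
    failures AND many distinct usernames. One customer mistyping their own
    password trips neither condition, so it is not flagged."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, ip_events in by_ip.items():
        for i, (start, _, _, _) in enumerate(ip_events):
            in_window = [e for e in ip_events[i:] if e[0] - start <= window]
            fails = sum(1 for e in in_window if e[3] != "OK")
            users = {e[2] for e in in_window}
            if fails >= max_fails and len(users) >= max_users:
                flagged[ip] = "%d failures against %d accounts within %s" % (
                    fails, len(users), window)
                break
    return flagged


def successes_during_attack(events, flagged):
    """Accounts that logged in successfully from a flagged IP: the attacker
    likely holds valid credentials for these, so reset them first."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "OK"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_credential_stuffing(events)
    for ip, reason in flagged.items():
        print("suspicious source %s: %s" % (ip, reason))
    print("accounts to reset:", successes_during_attack(events, flagged))
```

In production the same logic belongs in the login handler or a scheduled job reading the web server's authentication log, with the flagged IPs fed to a rate limiter or CAPTCHA challenge and the affected customers notified as described above.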
If you do not currently have any of the above security measures in place, print this article and use it as a checklist to create a plan to implement reasonable security measures that will reduce your risk of falling victim to a cybersecurity incident.