Top Tips for Improving Your Cybersecurity Practices
May 24, 2022
We hear about the worst or most high-profile cyber attacks, but the reality is that attacks occur thousands of times a day. These cases don’t make the news partly because they are smaller in scale but mainly because it would take endless stories to cover all of these attacks. As a result, we often underestimate how serious the issue of cyber security has become.
We also fail to understand who the actual targets are. A 2016 study found that 50% of all small businesses had suffered a cyberattack. The following year, that figure rose to 62%. A 2018 report showed that more than half of all companies attacked by malware were small businesses. Such attacks rarely make the news, but they profoundly impact victims.
Tracking cyberattacks through small businesses
Hackers, like all criminals, look for the easiest and lowest-risk targets they can find, which often means small businesses. Companies with limited resources cannot afford to invest a lot of time, money, and energy into cyber security, so the cyber defenses of many small companies are pretty simple.
Sophisticated and motivated hackers have little difficulty circumventing these defenses, meaning that a hacker can attack small businesses almost at will or sweep them up in massive random attacks.
Minimizing damage is difficult without robust tools, and some small businesses may not even be aware of infections on their networks.
Scarce resources also make responding to an attack a challenge. Detecting and resolving an attack requires technical expertise that many small businesses lack. Customer service may not be possible, resulting in a long-term loss of revenue and reputation.
Cleaning up after an attack is no easier. Expensive information technology may be destroyed, confidential data may be lost, and large sums of money may disappear from accounts. Small businesses may face lawsuits, loss of customers, regulatory fines, and other costly sanctions.
When you add up all of these consequences, it’s clear why most small businesses close their doors after a cyberattack. Instead of treating cybersecurity as an isolated IT issue, it should be seen as an existential threat.
An additional risk for small technology companies
Limited cybersecurity is half the reason hackers attack small businesses; the other half is that these businesses are profitable targets despite their size.
Data is the most important asset for any company, even more important than a physical storefront or home office. Losing or destroying data can lead to disaster, and having it fall into the wrong hands can have even more severe consequences. Because data is so valuable to small businesses (and everyone else), it is also valuable to hackers.
Any company potentially can be exploited, but some targets are more valuable than others.
For example, small technology companies often collect and process enormous amounts of data. This data can include customer account information, proprietary algorithms, valuable intellectual property, or information about other companies, all of which has tremendous value, especially in the wrong hands.
Technology companies are somewhat aware of this risk. One study found that 58% of small business executives consider a cyberattack a severe security threat. Broken down by industry, 62% of technology CEOs rated this risk highly. That’s an improvement, but technology companies need to show a greater sense of urgency.
The problem is compounded by the fact that, paradoxically, smaller tech companies may have fewer cyber defenses than companies in other industries. Working quickly is common in the technology sector, with the focus only on maximizing progress towards the most immediate goals. In such an environment, it is easy to neglect cybersecurity. And when cybersecurity is in the spotlight, it’s often about protecting the technology product or customer data, not the company itself.
For all these reasons, technology companies are more likely to be attacked – and to suffer more damage. Going out of business is a real risk, but cyber attacks can create severe obstacles to growth even if the situation is not that dire.
The connection between trust, security, and growth
We must recognize that the frequency and severity of cyber attacks will only increase.
Companies of all stripes embrace digital initiatives as an essential part of their growth strategies. But the same technologies that allow companies to interact seamlessly with consumers – artificial intelligence, machine learning, big data – also present new targets for hackers and new tools to exploit. As the digital landscape evolves, the threat landscape inevitably grows as well.
This is alarming for all companies because consumers are tired of being victimized repeatedly. Most people have already had their data compromised, even if they were not directly affected. Disgruntled consumers are rightly tired of being put at risk by companies they patronize, so they will increasingly turn to companies they can trust to keep them safe.
Keeping data secure will be an advantage for those companies that do it well.
For those that don’t, any data breach will erode trust, alienating existing customers and scaring away potential new ones. Companies that don’t protect data may survive the immediate consequences, but they face an uphill battle to regain growth. Instead of a quick death, they face a slow slide towards insolvency. Neither of these options is desirable.
Enabling growth through cybersecurity
We have already established that small companies in technology and other industries have limited funds to invest in cybersecurity. This means that every investment needs to be impactful. Focus on these three pillars to effectively and inexpensively improve your cyber security:
Small businesses are often focused on maximizing value or increasing revenue. Since you already understand your company’s primary asset, take the time to plan security around it. Too often, small businesses try to address cybersecurity in the most general way without focusing on the assets and threats that matter most. Figure out what those assets are, and then focus your efforts on them.
Working in the cloud is the best option for small businesses as it provides a higher level of security at a lower cost. The cloud provider handles patches, updates, and maintenance, ensuring that security risks are dealt with immediately. The cloud is also flexible and scalable in nature, which helps businesses adapt to new threats or changing regulations. Implementing the same capabilities on-premises would be costly.
The only risk of the cloud arises when companies are locked into a single cloud ecosystem. The price structure may change, and the quality of service or security may decrease, but data cannot be moved elsewhere because of contractual agreements. When your business moves to the cloud, make sure your assets can be moved between clouds at any time.
Improving cyber security expertise
Cybersecurity is a confusing and complex topic that is constantly evolving. Companies can only keep themselves safe if they are constantly on guard, like animals in the wild. In reality, this means having a cybersecurity expert on your side who understands the threat landscape and existing defenses.
Ideally, such an expert should be on staff, but hiring an in-house cybersecurity expert isn’t easy or cheap. As an alternative, many companies turn to managed security service providers – third parties who manage cyber security for you. These companies can assess current security, make necessary improvements and maintain protection in the face of new and emerging threats. In the best cases, MSPs provide world-class cyber security at a fraction of the cost of new hires, making them the obvious choice for cautious small businesses.
Matching security budget to the level of threats
No company is looking to spend more on cyber security, but isn’t the investment worth it if it keeps the doors open? All companies need to periodically review the size of their security budget in the context of their current threat environment. Best practice recommends allocating at least a few hundred dollars a year per employee. This money goes towards things like email security, MSP services, and possibly remediation technology.
Small business decision-makers should open their wallets, but remember that increased investment does not automatically mean increased security.
As discussed earlier, the most critical and vulnerable assets require the most attention. If you choose to spend more, focus it on the front lines of defense.
One of the many misconceptions in cyber security is that attacks are an all-or-nothing proposition – you either survive, or you don’t. But surviving is not the same as getting back to full strength. And for a small business, especially a technology start-up with big ambitions, even a minor setback can have long-term consequences. Instead of planning for recovery, focus all your efforts on avoiding cyberattacks altogether.