Cybercrime: The Event That Could Shut Down Your Business in 6 Months

For small businesses focused on selling their products or services, maintaining cash flow, and making payroll, something as daunting as "cybersecurity" may get pushed to the bottom of the priority list. Business owners may feel they don't have the time or resources to invest in preparing for what seems a remote event. That is understandable logic, but potentially dangerous in practice. Increasingly, cyber-criminals are targeting small companies, and about 60% of small business victims of cyberattacks close within six months.

Small businesses need to take note and protect themselves and their customers. The threat is growing, these businesses are at increased risk, detection is too slow, and the cost is high. Consider these statistics:

  • Small companies, those with fewer than 100 employees, were the target of 71% of cyberattacks in 2011.
  • In 2012, the largest growth in targeted attacks involved small companies with fewer than 250 employees.
  • In 2013, 30% of targeted spear phishing attacks were aimed at small businesses with fewer than 250 employees. One in five small businesses received a spear phishing email in 2013, and the number of spear phishing campaigns rose by 91% that year.
  • 80% of organizations learn of a breach of their data through law enforcement or other third parties.
  • The median time from an intruder's initial compromise to detection by the victim is 205 days, or almost seven months.
  • In 2010, the average cost of a cyberattack to a small or medium-sized business was $188,242 per incident.
  • In 2013, the federal Internet Crime Complaint Center (IC3) received over 260,000 consumer complaints with an adjusted loss of almost $782 million, a 48.8% increase in reported losses over 2012.

Given these facts, where should a small business begin when tackling cybercrime?

Defend Against Non-technical Threats

Physically lock away your server and other network equipment so that nobody can get unauthorized hands-on access to it. Password-protect computers and other network equipment. Train your staff to recognize attempts to trick them into giving up information that could allow network access; this type of attack is called social engineering, which we will cover in another blog post. Ensure that you shred all sensitive documents that contain access information: many cybercriminals go "dumpster diving" for exactly this kind of discarded paperwork to enable their cybercrimes.

Defend Against Electronic Attacks

Use proper networking equipment, such as firewalls, to restrict access to your network. Delete all unused email accounts and other accounts when employees leave or services change. Enforce strict password guidelines and restrictions on personal devices (this is your BYOD policy). Also consider performing "penetration tests" on a regular basis, in which you or your advisor attempt to break into your network to test your defenses.
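One concrete way to act on the account-cleanup advice above, as an added example that is not part of the original post: a short Python check that reconciles an exported account list against the current staff roster and flags accounts that have no named owner, whose owner is no longer employed, or that have not logged in for 90 days. The CSV export, the roster names, the cut-off date and the 90-day threshold are all constructed here for illustration; adapt the column names to whatever your mail or directory system actually exports.

```python
import csv
import io
from datetime import date

# Constructed sample input (not from the original post): a CSV export of
# mailbox/login accounts as a small identity system might produce it, plus
# the names HR currently lists as employed.
ACCOUNT_EXPORT = """username,owner,last_login
jsmith,Jane Smith,2014-03-02
bjones,Bob Jones,2013-06-14
svc-backup,,2014-02-28
mlee,Mary Lee,2014-03-01
oldvendor,Acme Support,2012-11-30
"""
CURRENT_STAFF = {"Jane Smith", "Mary Lee"}


def parse_accounts(export_text):
    """Parse the CSV export into a list of (username, owner, last_login date)."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        rows.append((row["username"].strip(),
                     row["owner"].strip(),
                     date.fromisoformat(row["last_login"].strip())))
    return rows


def review_accounts(export_text, staff, today_iso, stale_days=90):
    """Return {username: [reasons]} for every account that should be disabled
    or explicitly re-justified by its owner.

    today_iso is the review date as an ISO string, e.g. "2014-03-15".
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for username, owner, last_login in parse_accounts(export_text):
        reasons = []
        if not owner:
            # Service/shared accounts with nobody accountable are a classic leftover.
            reasons.append("no named owner")
        elif owner not in staff:
            # Offboarding gap: the person left but the account did not.
            reasons.append("owner not on current staff roster")
        if (today - last_login).days > stale_days:
            reasons.append(f"no login in {stale_days} days")
        if reasons:
            findings[username] = reasons
    return findings


if __name__ == "__main__":
    for user, why in review_accounts(ACCOUNT_EXPORT, CURRENT_STAFF, "2014-03-15").items():
        print(f"{user}: {'; '.join(why)}")
```

Run against the constructed data with a review date of 2014-03-15, the check flags bjones (owner gone and idle), oldvendor (a vendor account nobody on staff owns, idle since 2012) and svc-backup (active, but with no named owner), and leaves the two current employees alone. Running something like this monthly, and on every departure, is what turns "delete unused accounts" from a policy statement into a habit.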

Defend Against Electronically Undirected Threats

Be sure to keep software up to date and run malware and spam filtering on all computers and servers. Also consider some type of external monitoring to identify potential network breaches. Lastly, plan for an independent security review at least once a year, depending on the size and scope of your technology.