Expert Insights from CMIT Solutions of Roanoke
Not Worried About Online Threats? It’s Time to Reconsider ⚠️
Many small to medium-sized business (SMB) owners assume that cyberattacks only happen to bigger companies. But many cybercriminals view SMBs as easy targets—and may try to test their scams on susceptible mom-and-pop shops before scaling them up to larger targets.
According to the 2022 Verizon Data Breach Investigations Report, small to medium-sized businesses accounted for nearly half of the 23,896 security incidents and 5,212 confirmed data breaches documented in the report. Nearly all of those breaches came via system intrusion (breaking into computers, laptops, or servers) or social engineering (tricking users into sharing credentials or critical financial information).
Ransomware was the main tactic used in 25% of those 2021 breaches, nearly doubling since 2020. Unsurprisingly, 100% of the motivation for such breaches was financial: hackers trying to strong-arm companies into paying a ransom for the return of their stolen data.
What Do These Numbers Mean?
Maybe you’re thinking, “It’ll never happen to me.” Maybe you’re running through scenarios for how you’ll respond. Those two camps are nearly evenly represented by the results of another report, the CNBC | Momentive Q3 Small Business Survey.
Conducted last year with nearly 2,000 SMB participants, the report revealed that 56% were not concerned about falling victim to a hack—while 42% said they were concerned. Shockingly, an equal portion of the survey sample, 42%, said they had no plan in place to respond to a cyberattack. Another 11% said they weren’t sure if a plan was in place, and just 28% said their business did have a plan in place.
Considering that cybercriminals are becoming increasingly sophisticated in their attacks, those contradictory numbers are scary. Today’s ransomware infections can worm their way into the farthest reaches of a company’s system in mere minutes, encrypting years of data with one illicit click and bringing day-to-day operations to an immediate halt.
It might sound scary to consider, but most cybersecurity experts assume a “not if but when” approach to system intrusions and online attacks. Gone are the days when you could ignore the threat of data breaches, password compromises, financial schemes, and email-based infections. Doing so today is tantamount to leaving your office without locking the front door—then leaving your house and car unlocked, too, so that thieves can have their way with all of your possessions.
You Can Protect Yourself
The 2022 Verizon Data Breach Investigations Report includes several straightforward strategies for SMBs to avoid becoming a target:
- Use two-factor (2FA) or multi-factor authentication (MFA)
- Do not reuse or share passwords
- Use a password keeper/generator app
- Change the default credentials of hardware/software
- Install software updates promptly so that vulnerabilities can be patched
- Ensure that built-in cybersecurity protections are turned on for user devices such as laptops and desktops
- Use antivirus software for all your devices
- Do not click on anything in an unsolicited email or text message
- Make sure the computer used for financial transactions is not used for other purposes such as social media or email
- Use email services that incorporate phishing defenses and use a web browser that warns you when a website may be spoofed
Beyond these tips, CMIT Solutions recommends the following four strategies to minimize the threat your business might face from phishing, ransomware infections, and other cyberattacks:
- Provide cybersecurity training that addresses specific threat vectors. Many of the most common cybersecurity problems occur due to human error: clicking on a malicious web link, accidentally opening an infected attachment, or providing confidential information to a hacker posing as a co-worker or executive. Targeted employee training that’s updated regularly to address evolving cyber tactics can keep your employees informed enough to serve as the first line of cybersecurity defense. That includes identifying phishing or social engineering attempts as soon as they arrive, flagging or reporting junk emails, and alerting IT staff to older computers or suspicious online activity.
- Implement reliable, remote, and redundant data backup. Without this key IT service in your toolbox, your business could be at significant risk. Many of the most egregious cyberattacks are successful simply because companies don’t have access to extra copies of relevant data and feel they must make a desperate payment of thousands of dollars of ransom to retrieve stolen or encrypted information. With reliable backups executed regularly and stored remotely, your company can survive anything: malicious attacks, hardware failure, and even natural disasters. The investment is worth it, too, as only one or two days of significant data downtime can negatively impact your company’s bottom line.
- Extend protection to all mobile devices used by employees. With remote work increasingly common and everything from laptops to tablets to smartphones to hard drives being used at home and on the road, more and more devices are at risk of cyberattack. Hackers will often target a company’s least-protected machine and try to attack that first, exploiting any vulnerability to gain a foothold in an overall IT system. As a business owner or manager, you’re responsible for extending extra layers of IT security to those devices, protecting company data no matter where it resides, and continually scanning for vulnerabilities that can occur with something as simple as a public Wi-Fi connection.
- Partner with IT support staff who understand your business. A part-time employee who handles computer issues in his or her free time probably won’t be able to stop a sophisticated ransomware attack. As threats evolve and online dangers increase, your business deserves dedicated IT support that addresses short-term cybersecurity needs while developing a long-term strategy for business success. All of the tips outlined above work best when integrated into an overall plan for comprehensive protection that’s managed and executed by a trusted IT provider.