Small-business owners are increasingly turning to digital tools to streamline their operations, but this trend comes with a growing risk of cyber attacks and security breaches. According to a 2023 report by Hiscox, exposure to cyber attacks is now the top concern for small-business owners, surpassing worries about economic issues like inflation. The impact of these breaches can extend beyond just financial losses, affecting a business’s brand and reputation, as well as its ability to attract new customers.
It’s crucial for businesses of all sizes to understand the evolving landscape of digital security. Even the smallest businesses are at risk, with cyber attacks on firms with fewer than 10 employees increasing by 13% since 2020. Hackers target businesses for their money and data, regardless of their size or industry.
Preventing a digital security breach is often easier than fixing one. Proactive measures, such as implementing internal policies for system maintenance and security, can help mitigate the risk of human error, which is a common cause of breaches. Businesses should also prioritize investing in proper digital security systems to avoid costly consequences.
Responding effectively to a cyber attack requires a well-thought-out plan. This plan should include steps such as contacting cyber security specialists or legal counsel, notifying insurance companies, and reaching out to clients and customers. Having a response plan in place can help businesses recover more quickly in the event of a breach.
Even the smallest businesses are at risk
While it may seem more lucrative for cyber criminals to go after big corporations and larger firms, the Hiscox report indicates that smaller businesses are increasingly under threat. Cyber attacks on firms with fewer than 10 employees have risen 13% since 2020.
“Hackers don’t care how small your business is or what you do,” Shawn Waldman, CEO and founder of Secure Cyber Defense, a cybersecurity consulting company, said in an email. “They want your money and your data. Often, they have no idea who you are in the first place.”
Although cyber attacks can happen to any business, certain industries may be more likely to be targeted — particularly those that access or store a lot of sensitive client or customer data or information. Shavon J. Smith, a Washington, D.C.-based business attorney and founder of SJS Law Firm, works with small management and IT consulting firms that contract with big businesses and are therefore given access to their information, but are viewed as less secure because of their size.
According to Smith, medical offices may also be a target due to their small staff sizes and access to a lot of personally identifiable client information.
It’s easier to prevent a digital security breach than fix one
Businesses should prioritize proactive measures they can take to prevent an event from happening in the first place. It’s uncommon to find your attacker or recover stolen money or data once it’s gone, according to Smith. Once a cyber attacker has what they want, they are “lost in the wind.”
Studies indicate, however, that 95% of breaches in digital security can be traced to human error, which means they are preventable through internal and employee policies. This starts with policies that promote ongoing system maintenance and security. Smith recommends an initial review to pinpoint your overall vulnerabilities.
“The first thing you want to do is just kind of assess, ‘Where are our open ports? Where are our opportunities for things to go wrong, for people to hack into our system, for employees to lose data?’” she says.
If your employees have company-issued devices, for example, then your employee policy should lay out parameters on how they are to handle those devices, Smith says. That might mean forbidding employees to vacation with their laptops or prohibiting them from taking their computers home entirely.
An employee policy should also dictate who has access to confidential company or client information, which Smith says can help to decrease the chances of a security breach.
Cheap solutions can cost you down the road
Building digital security into your business budget can be expensive, and there’s certainly no one-size-fits-all solution, but failing to invest in proper systems can also be costly. In 2023, the median cost of a cyber attack for businesses with 10 to 49 employees was $9,500, according to the Hiscox report.
A common mistake both Waldman and Smith see small businesses make is relying on free or disreputable antivirus software and failing to update that software regularly. On top of that, Waldman warns against transitioning to cloud email providers without enabling security controls or multi-factor authentication. Email was the single weakest point of entry for cyber attackers, ahead of cloud or corporate servers, according to the Hiscox report.
A response plan can determine how quickly you recover
Any actions you take in the event of an actual cyber attack or digital security breach are typically about trying to cover your losses. According to Smith, your business’s response plan should cover some key steps:
- Contact a cyber security specialist or legal counsel. Better yet, consult with specialists or lawyers when you first create your plan, so you already have a point of contact if an event occurs.
- Notify your insurance company of a possible claim. When you purchase cybersecurity insurance, it’s important for your broker to understand your business and what it does, according to Smith. That can help them understand the scope of a breach and what it means for your clients or customers.
- Contact law enforcement. Although it’s unlikely they’ll be able to do much right away, law enforcement may have investigations open, and any information about new attacks could be helpful to them.
- Reach out to clients. In many cases, you may be contractually obligated to notify the businesses your company works with of a data breach, Smith says.
- Alert your customer base. If you are a consumer-facing business, you should plan to alert your customers as soon as you have the full scope of the breach, and be prepared to offer compensation or free credit monitoring.