You’re probably not paying attention. Sure, as a responsible small business owner, you skim the Wall Street Journal and keep up with trade journals relevant to your industry. You’ve undoubtedly noticed that major corporations like Target, JP Morgan Chase, Wal-Mart, Home Depot, Neiman Marcus, and even Apple have been victimized by cyber-criminals in the past year.
But what does this have to do with you? These large companies are data-rich gold mines sparkling with terabytes of valuable customer information worth millions of dollars, right? What would a sophisticated hacker want with your small to mid-size company’s electronically stored data?
According to the security company Symantec, cyber-attacks on small to mid-size businesses have risen more than 300 percent in the past two years.
A recent study cited by the U.S. House of Representatives Small Business Subcommittee on Health and Technology, chaired by Buffalo Congressman Christopher Collins, reports that nearly 20 percent of all cyber-attacks strike businesses with 250 or fewer employees.
Alarmingly, this report indicates that roughly 60 percent of small businesses close within six months of a cyber-attack.
Why are cyber-criminals increasingly targeting small to mid-size businesses like yours? For one thing, your company may be viewed as an easy entry point to your larger customers’ sensitive data. As the Fortune 500 companies continue increasing their cyber-security budgets to keep hackers out, online criminals are turning to smaller companies like yours in greater numbers. And because you’re probably doing more business than ever online using cloud services without the strongest encryption technology, hackers may view your small business as the weak lock to a door leading to a wealth of your customers’ financial and other private data.
An even more common threat exists from your employees. Many small to mid-size businesses make their critical data available to management, employees, vendors, and clients on a multitude of platforms - including high-risk platforms such as mobile devices and the cloud - without implementing adequate safeguards against intentional or even negligent misuse of that data by their own people. One recent report cited by Forbes claims that in-house employees commit about 40 percent of all reported cyber-security breaches.
Some of these breaches are caused by disgruntled workers or former employees, but often these breaches are caused by good workers without proper training. In this regard the issue is more of a “people problem” than it is a “technology problem.”
So what, as a small or mid-size company owner, can you do to minimize your risk? Here are a few low-cost, easy-to-implement suggestions:
- Educate your people. Employees who understand the risk facing your company are much less likely to engage in risky behavior than those who do not. You do not have to provide advanced technology training to everyone – just teach them the basics. Remind them not to click on suspicious links within strange emails from unknown sources (“Click here to win some cash!”).
Explain how hackers constantly run scripts across the Internet to find unprotected computers and then use tool kits to launch attacks on those weaknesses. Teach them how to recognize scams and phishing schemes, emails, or phone calls from purportedly trustworthy groups that try to get access to your credit cards and financial accounts.
- Implement a written policy on the use of company hardware and technology. Your employees should be told how and when they are allowed to use your business’ devices and company networks. Track any changes to your company’s network and log them. If your business uses Wi-Fi, make sure your company’s firewall accounts for this use. If you allow your employees to use their own personal devices, make sure that those devices contain encryption technology sufficient to protect the data on your network. You should also consider implementing a “kill” feature on any device used in connection with your business. In the unfortunate event such a device is lost or stolen, you should be able to remotely wipe it clean.
- Follow through. Speak frequently with your team about current events and data breaches in the news. Routinely check to ensure that policies are being followed. Audit computers and network log-ins for suspicious activity. Remind people to routinely change their passwords. Tell them to stay away from suspicious email and websites.
The data shows that the question is not “Will your business become the target of a cyber-attack?” Rather, the question is, “When your business is attacked, will you be ready?”
Following these simple steps will go a long way toward preventing your small to mid-size business from being one of the 60 percent of businesses shuttered when that cyber-attack comes.
Attorney Kevin Burke is a partner in the Civil Litigation and Labor and Employment Practice Groups at Lippes Mathias Wexler Friedman LLP in Buffalo. He can be reached at firstname.lastname@example.org