“No business is ‘too small’ for a hacker,” said a representative of HSB, a specialty insurance company headquartered in Connecticut.
No kidding.
A study by HSB and Ponemon Institute showed that more than half of all small businesses have experienced a data breach.
According to Deluxe.com, National Cyber Security Alliance numbers showed that one in five small businesses experience a cyber attack every year, and 60% of those companies will close within six months as a result of the incident.
While there’s a lot of focus in the news on large data breaches, cyber criminals are increasingly targeting small businesses.
Symantec research shows that targeted attacks against small businesses almost doubled in 2013 – they were up 91% and lasted three times longer compared to 2012.
What is it about small businesses’ data security that draws cyber criminals?
- Easy targets. The level of unpreparedness in small businesses is an epidemic, according to New York-based security expert Vikas Bhatia, who was quoted in a Forbes blog. Furthermore, more than 40% of small businesses don’t have an adequate IT security budget, according to a 2013 Ponemon study.
- Great information. Personally identifiable information stored by small businesses ranges from customers’ credit card numbers to employees’ personal data. It’s important to identify all the confidential information in a company’s keeping – and protect it.
- Stepping stone. A small business data breach is often just the first step to larger targets in the company’s network.
- Lack of security policies. Symantec research last year showed that investment in IT infrastructure (11%) and improving online security (3%) are low on small business owners’ agendas. Also, 83% have no formal cyber security plan, according to the National Cyber Security Alliance.
- BYOD. Mobile devices are often misplaced or stolen. Train employees about the risks of BYOD (bring your own device) and implement encryption technologies.
- Social media. Sites such as Twitter and Facebook are great marketing tools for small businesses – but they provide opportunities for cyber criminals too. Create a written data security policy and continuously train staff. For example, use strong passwords and keep antivirus software up to date.
- Constant change. Small businesses must stay up to date on privacy laws and legislation as well as cyber attack trends. One way to do this is to partner with security-minded suppliers (for example, your document shredding company).
- Employee negligence. The 2012 Trend Micro-sponsored Ponemon Institute study identified negligence (small business employees’ tendency to open attachments or click links in spam, to leave their systems unattended, and to visit restricted sites) as the top reason for data loss. Employee education is key.
- Other opportunities. Many small businesses need to improve the physical protection of information. For example, Shred-it’s 4th Annual Security Tracker showed that almost half of small business owners don’t dispose of hardware containing confidential information. Hard drive destruction is the only way to guarantee information is destroyed.
Check out this digital security checklist for easy-to-implement – but commonly overlooked – information security practices for small businesses.