Thinking about potential cyberattacks when the workday schedule is already busy may not be at the forefront of small business owners’ minds. It should be.
Small businesses are a huge target for hackers and cybercriminals, since they have fewer tools and resources than large corporations. Cybercriminals want to steal their bank accounts, email addresses and other credentials and use that information to extort money, obtain unauthorized access to their customers’ information and commit a long list of other crimes.
October is Cybersecurity Awareness Month, and, unfortunately, cybercrime is only getting worse as technology advances and becomes more interconnected.
Since the COVID-19 pandemic began, more than 80% of global organizations saw an increase in cyber threats, according to McAfee Enterprise and FireEye’s latest report. The report found that daily cybercrime complaints increased from 300 to 400, and the severity and frequency of cybercrime is expected to increase from $3 trillion in 2015 to $10.5 trillion in 2025.
Another report from Positive Technologies found cybercriminals can penetrate 93% of company networks and take an average of two days to make the breach. According to Accenture’s research, companies experienced an average of 270 cyberattacks in 2021, 31% more than the year before. Of those attacks, 29, or less than 10%, were successful in gaining access to data, applications, services, networks and devices.
Given these statistics, small businesses should be aware of the cybercrimes in 2022 that target computer and network misconfigurations, poor maintenance, unknown company assets and human error.
The cybercrimes include increased attacks on work-from-home computers and networks and on a company’s supply chains, plus a long list of other crimes, such as:
Ransomware
Security holes in cloud-based systems, like email and online platforms
Advanced persistent threats (APT)
High-profile IoT (internet of things) hacks
Social-engineering scams
Small businesses can prevent these and other crimes by implementing a cybersecurity strategy, which is now a necessity. They don’t need a large security budget or a large investment of staff time to begin the implementation.
Cybersecurity training
After creating a strategy, train staff on basic security practices and policies for computer and network usage.
Training can focus on requiring strong passwords, tips for handling and protecting customer information, and awareness of how to avoid particular crimes, such as phishing scams. Phishing is a type of social-engineering attack used to steal login credentials, credit card numbers and other user data.
Training is best conducted when employees first start and as a refresher course at least twice a year. Outline the risks and the defenses employees can use, plus keep them up to date on the latest threats and solutions.
Also, assign roles to each employee through RBAC, or role-based access control, by giving specific permissions based on their roles within the company. This controls access to the systems and data they need to do their jobs and prevents them from accessing data they don’t need, reducing their risk of becoming a victim of data theft.
Protect information
Protect computers and networks by keeping machines clean – install the latest security software, web browsers and operating systems to defend against viruses, malware and other online threats.
Be sure antivirus software runs a scan after each update, and install firewall security for internet connections. A firewall is a set of programs that prevents outsiders from accessing data on the network, and it is especially important for home systems.
For mobile devices, require password protections, data encryption and security apps that prevent information leaks on public networks.
Make backup copies of important business and customer data and information. Regularly back up documents, spreadsheets, databases, financial and human resources files, and any accounts receivable/payable data. Store copies offsite or in the cloud, making sure backups and data recovery are automatic.
Multi-factor authentication
MFA adds another layer of security by requiring users to provide information beyond a user name and password to prove their identity when they access company data and systems.
This can be used for online accounts, applications, and VPNs, or virtual private networks, that serve as an alternative to internal networks at the site of the business.
To implement MFA, employ one-time passwords sent through a text or email, generated periodically or each time an authentication request is submitted. Or require personal data, such as answers to security questions; a biometric, like a fingerprint or voice recognition; or access badges, smart cards or fobs.
Secure Wi-Fi
Secure your Wi-Fi network by encrypting it and keeping it hidden, so that employees connect to a safe network when they access the internet, especially when they’re off-site.
Set up a wireless access point or router that prevents connection data from being broadcast to the public, and be sure to password-protect the access. Use a VPN to encrypt internet traffic passing through the access point, along with a firewall for additional protection and a host intrusion prevention system to detect and block any cyberattacks.
Encourage employees to avoid using public Wi-Fi, which is prone to hacking attacks even for highly protected devices, when they’re accessing anything on the work network or working with customer accounts.
Control physical access
Make sure only authorized employees use business computers, phones and tablets, and create a user account for each employee.
Laptops are easy targets for theft or can be lost, so require employees to lock them up when they are unattended. Limit administrative privileges to IT staff and key personnel.
For desktop computers, ask employees to lock the screen or shut down the system when not in use. Flash drives and external hard drives also should be locked and encrypted, and work computers should be kept separate from anything used at home.
With these steps, you can make cybersecurity a priority, with the BBB here to help. Making sure your business is safe from cyberattacks is worth the time and money, considering that the cost can be higher later on. It also builds trust with your customers, who will know that you’re watching out for them and your company to avoid cyber and other crimes.
Shelley Polansky is president/CEO of BBB Serving Northern Colorado and Wyoming.