Are you vulnerable to a hack? How to shore up your online business against cyber threats

Is your small business vulnerable to a cyberattack?

Well, not to be the bearer of bad news, but the answer is probably yes.

The reality is that all companies that have an online presence are susceptible to hacks, regardless of their size. Large corporations may be more tempting targets for hackers but they also have better cybersecurity infrastructure. With less resources at their disposal, small businesses are less likely to have dedicated cybersecurity budgets and adequate protection from cyberthreats. As a result, hackers often target small businesses and their relatively unprotected IT networks.

In fact, according to Verizon’s 2022 Data Breach Investigation Report, 43% of all cyberattacks target small businesses, and the consequences can be dire. In 2021, the National Cybersecurity Alliance reported that 60% of small businesses that are victims of a data breach close their doors within six months of the attack. Remote working has added to the challenge of securing networks, as employees use remote desktop protocols to access files from home.

Compounding the issue, many small businesses don’t believe that they might be victims of a cyberattack, reasoning that hackers may not have much to gain from a small company. But once hackers have infiltrated a small business’ network, they can easily manipulate emails, scam customers, make bank transfers, expose credit card details or hold client data hostage in a ransomware attack. Small businesses are also less likely to realize they’ve been hacked until significant damage has been done. Unfortunately, the bottom line is that no business is immune to cyber threats.

So that’s quite a bit of scary news. Luckily, there are some simple steps that small business owners can take to improve their chances of warding off hacking attempts. Let’s dive in.

1. Educate your team

   Good cybersecurity isn’t just about technology – it starts with your company’s culture.

   The vast majority of cyberattacks, and the easiest to perpetrate, start with what’s known as “phishing”. Phishing is an attack where a scammer tricks an employee, usually via email, text or social media, into clicking a malicious link and downloading malware or sharing sensitive information.

   To protect your organization from phishing attacks, implement these steps:

   • Train your employees on the risks of phishing attacks: employee cybersecurity training should be ongoing, and continuously updated to reflect new potential threats and security vulnerabilities. Employees should be trained to recognize, avoid and report scams, create strong passwords, and protect sensitive customer and company information.
   • Establish protocols and procedures: employees should have protocols they can follow to verify suspicious communications and report potential phishing attacks.

2. Use strong user authentication

   Two-factor or multi-factor authentication should be the default for all company accounts, especially for shared company media accounts.

   Many small businesses have embraced “bring-your-own-device” policies. Employees using their own devices for work should be trained on how to protect their device, how to safely use public Wi-Fi networks, and how to use virtual private networks (VPN) to protect both personal and company data.

3. Use (and update) cybersecurity software

   Companies should utilize firewalls, anti-virus software and anti-spyware programs to help protect sensitive information. The Government of Canada’s Canadian Centre for Cyber Security (CCCS) recommends using software that aligns with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy and keeps a list of reputable software providers

   Security programs should be updated regularly to keep them free from vulnerabilities, so be sure that all new security patches are installed.

4. Consider a security audit

   A cybersecurity audit or assessment involves a comprehensive analysis and review of the IT infrastructure of your business.

   Once you’ve taken the basic cybersecurity steps above, consider hiring a professional security audit team that can identify the gaps in your system and give you recommendations on how to address them.

5. Protect and backup your data

   Many data breaches are a result of human error, so staff should only have access to information that’s vital to their tasks. If your data is stored on-premise, ensure it’s backed up frequently, or even better, automatically.

   Ensure you have copies of critical information and applications in one or more secure locations, such as the cloud or an external hard drive.

   Record retention policies should require employees to regularly purge or archive critical information.

6. Develop an incident response plan and consider insurance

   An incident response plan will help you act quickly if you detect a breach in your network. Being hacked is bad, but nothing is worse than discovering you’ve been hacked and not knowing what to do next. Ensure you have a business continuity plan and update it regularly.

   Verizon’s Data Breach Incident Report found the majority of cyber attacks on small businesses cost over $500,000. Cyber insurance can protect small businesses from these extreme costs and lessen the impact of any liability arising from a cyberattack on your business.

7. Consult online resources

   The Canadian Centre for Cyber Security maintains a guidance document for small and medium-sized businesses that includes resources for:

   • Incident response plans
   • Security software
   • Secure device configuration
   • Strong user authentication
   • Employee training
   • Data backup and encryption