Cyberattacks and Your Small Business: A Primer for Cybersecurity

Why cyberhackers go after small businesses

According to Verizon‘s 2021 Data Breach Investigations Report, 46% of breaches impacted small and midsize businesses. Surprised? Don’t be. When it comes to starting a small business, new owners have many decisions to make and often leave cybersecurity measures by the wayside. Unless they focus on shoring up their defenses, they may inadvertently end up leaving points of entry wide open for hackers. That can be a major problem. 

A joint report by IBM and the Ponemon Institute found that the average cost of a data breach increased by 10% in 2021, and Verizon’s data indicates that the cost of 95% of incidents for SMBs fell between $826 and $653,587. What’s more, these businesses often lack the resources to defend themselves successfully from attacks.

Stephen Cobb, an independent researcher and consultant who studies technology and risk, said that small businesses fall into hackers’ cybersecurity sweet spot, since they “have more digital assets to target than an individual consumer has but less security than a larger enterprise.”

Couple that with the costs associated with implementing proper defenses, and you have a situation primed for intrusions. Since security breaches can be devastating to small businesses, owners are more likely to pay a ransom to get their data back. SMBs can also merely be a stepping stone for attackers to gain access to larger businesses.

Cyberattacks to look out for

Regardless of their target, hackers generally aim to gain access to a company’s sensitive data, such as consumers’ credit card information. With enough identifying information, attackers can then exploit an individual’s identity in any number of damaging ways.

One of the best ways to prepare for an attack is to understand the different methods hackers generally use to gain access to that information. While this is by no means an exhaustive list of potential threats, since cybercrime is a constantly evolving phenomenon, you should at least be aware of the following types of attacks.

• APT: An advanced persistent threat, or APT, is a long-term targeted attack in which a hacker breaks into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attacker may have already secured other routes into the system so they can continue to plunder data.
• DDoS: A distributed denial-of-service attack occurs when a server is intentionally overloaded with requests until it shuts down the target’s website or network system. 
• Inside attack: An inside attack occurs when someone with administrative privileges, usually from within the organization, purposely misuses their credentials to gain access to confidential company information. Former employees, in particular, present a threat, particularly if they left the company on bad terms. Your business should have a protocol in place to revoke all access to company data immediately when an employee is terminated.
• Malware: This umbrella term is short for “malicious software” and covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important because it helps you determine the type of cybersecurity software you need. [Related article: How to Tell if Your Computer Is Infected and How to Fix It]
• Man in the middle (MitM) attack: In any normal transaction, two parties exchange goods – or, in the case of e-commerce, digital information – with each other. Knowing this, a hacker who uses the MitM method of intrusion does so by installing malware that interrupts the flow of information to steal important data. This is generally done when one or more parties conduct the transaction through an unsecured public Wi-Fi network, where the hacker has installed malware that sifts through data.
• Password attack: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user’s keystrokes, including login IDs and passwords.
• Phishing: Perhaps the most commonly deployed form of cybertheft, phishing attacks involve collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website that’s often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
• Ransomware: A ransomware attack infects your machine with malware and, as the name suggests, demands a ransom. Typically, ransomware either locks you out of your computer and demands money in exchange for regaining access, or it threatens to publish private information if you don’t pay a specified amount. Ransomware is one of the fastest-growing types of security breaches. [Related article: Ransomware Attacks Are on the Rise – Is Your Business Protected?]
• SQL injection attack: For more than four decades, web developers have been using Structured Query Language (SQL) as one of the main coding languages on the internet. While a standardized language has greatly benefited the internet’s development, it can also be an easy way for malicious code to make its way onto your business’s website. Through a successful SQL injection attack on your servers, bad actors can access and modify important databases, download files and even manipulate devices on the network.
• Zero-day attack: Zero-day attacks can be a developer’s worst nightmare. They are unknown flaws and exploits in software and systems discovered by attackers before the developers and security staff become aware of any threats. These exploits can go undiscovered for months or even years until they’re discovered and repaired.

How to secure your networks

As more companies grow their businesses online, the need for robust cybersecurity measures grows in lockstep. According to Cybersecurity Ventures‘ 2022 Cybersecurity Almanac, worldwide spending on such products will increase to a cumulative $1.75 trillion for the period 2021 to 2025, up from $1 trillion cumulatively for 2017 to 2021.

Small businesses looking to ensure their networks have at least a fighting chance against many attacks should be open to installing basic security software.

Antivirus solutions are the most common and will defend against most types of malware. A hardware- or software-based firewall can provide an added layer of protection by preventing an unauthorized user from accessing a computer or network. Most modern operating systems, including Windows 10 and 11, come with a firewall program built in. [Consider these five free (and legal) antivirus solutions for small businesses.]

Cobb, the security consultant, suggests businesses invest in three additional security measures along with those more surface-level tools.

1. Data backup solution: This will ensure information compromised or lost during a breach can easily be recovered from an alternate location. [Learn how to back up your computer to the cloud.]
2. Encryption software: To protect sensitive data, such as employee records, client/customer information and financial statements, businesses should consider using encryption software. Learn more in our small business guide to computer encryption.
3. Two-step authentication or password-security software: Use these tools with internal programs to reduce the likelihood of password cracking. 

As you begin considering your options and the security measures you’d like to implement, it’s generally a good idea to run a risk assessment, either by yourself or with the help of an outside firm.

Cybersecurity best practices

In addition to implementing software-based solutions, small businesses should adopt certain technological best practices and policies to shore up security vulnerabilities. Your IT manager will play a significant role in all of these, so make sure this team member is up to the challenge.

1. Keep your software up to date. Hackers are constantly scanning for security vulnerabilities, Cobb said, and if you allow these weaknesses to linger for too long, you’re significantly increasing your chances of being targeted.
2. Educate your employees. Teach your employees about the different ways cybercriminals can infiltrate your systems. Advise them on recognizing signs of a data breach, and educate them on how to stay safe while using the company’s network. [Learn how to mitigate the damage of a data breach on your business.]
3. Implement formal security policies. Putting in place and enforcing security policies is essential to locking down your system. Protecting the network should be on everyone’s mind since everyone who uses it can be a potential endpoint for attackers. Regularly hold meetings and seminars on the best cybersecurity practices, such as creating strong passwords, identifying and reporting suspicious emails, activating two-factor authentication, and not clicking on links and downloading attachments in emails.
4. Practice your incident response plan. Despite your best efforts, there may come a time when your company falls prey to a cyberattack. If that day comes, it’s crucial your staff can handle the fallout. By drawing up a response plan, an attack can be quickly identified and quelled before doing too much damage.

The state of cybersecurity

Even though cybercrime is getting more sophisticated, so are the solutions. There are more than a dozen ways to secure your business’s devices and network and an increasing number of methods for secure file sharing. Even if you’re hacked, you can recover from a data breach. As threats continue to evolve, so will ways to combat them. By no means should you be complacent or take a lax approach to protecting your business, but as the word implies, cybersecurity is designed to keep your business digitally secure. So rest assured that if you follow the best practices, your company will likely be better off.

Jeremy Bender, Andreas Rivera, Sammi Caramela and Nicole Fallon contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.