(This column originally appeared in The Inquirer)
Almost three-quarters of small businesses in the United States reported a cyberattack in the past year, with the number of first-time attacks against small businesses jumping by 18% from 2022, according to a recent report from a nonprofit that provides advice and assistance to consumers and businesses affected by cybercrimes.
“Small and mid-sized leaders are more focused on data security and privacy protection than ever,” said Eva Velasquez, CEO of the Identity Theft Resource Center, who wrote the report. “That’s great news, but we still have a tremendous amount of work to do. We are going to set an all-time high for data breaches this year and more than likely will experience a tsunami of identity fraud in the months and years to follow.”
By now, you’ve heard of these threats. Ransomware attacks can encrypt or steal your data. Phishing e-mails and websites can entice unknowing employees to click on links or download documents that spread malware. Deepfake calls and e-mails from phony supervisors can fool unsuspecting users into revealing passwords, usernames, or other confidential information and even processing unapproved transactions. Personal information can be pieced together from various sources to create a synthetic identity that bad actors can use to infiltrate networks and steal data.
All of this adds up to big dollars. In 2023, the average cost of a data breach reached a record high of almost $4.5 million, according to a recent report by IBM. This cost takes into account business interruptions, lawsuits from irate customers, and the internal costs to restore systems to normal.
What should your business do to protect your data in 2024? Some strategies have remained constant, but new ones have emerged.
Zero trust
Brian Martz, who owns IT consulting firm TechGuides in Swarthmore, urges every client to have a “zero trust” policy, a growing strategy in the IT world that incorporates never trusting, always verifying, and minimizing the impact of a breach if it occurs as its core principles.
A strong zero trust policy — which requires ongoing oversight by your IT team — involves installing software, providing policies to secure a user’s identity through strong multi-factor authentication password controls, and keeping computers and devices updated with the latest security and operating system. Martz says that the policy involves configuring every application, router and device to their highest level of security, and implementing strict rules for remote workers.
“For example, you can’t let your kids or other family members use your work device while at home,” Martz said. “It’s got to be used solely as a work computer so that it’s secure.”
Framework
Jeffrey Lauria, a cybersecurity expert at iCorps Technologies, agrees with a zero trust approach and also recommends having cyber insurance. But he warns that insurance companies are looking more to their customer’s security and IT framework in case of a breach. A framework he recommends is the Critical Security Controls from the Center for Internet Security — a nonprofit organization that publishes best practices for securing IT systems and data.
“Cybersecurity insurance companies, along with some states are using this framework,” he said. “There are 18 things they call control points. And it gives a small business a security road map. If you can’t show your following best practices and you do have a cyber-event, your insurance company may not pay for it.”
Fire wall security
Your company’s fire wall — a security layer that inhibits malware from getting into your network — should be checked for data that is also leaving your network.
“By default, fire walls let everything out, but that’s no longer good because when a threat actor gets on the network, there’s nothing that restricts them from getting your data out of your company,” Lauria said. “Putting rules and securing ports on outgoing data will also mitigate your risk.”
Managed services providers
As security threats proliferate, it’s becoming increasingly difficult for many small businesses to protect their data affordably. Consider a managed services provider (MSP), which for a monthly fee will take responsibility for the security over all of your company’s data and applications.
Ryan Coleman, who owns Dayspring Technology Inc. in Hatboro, said a good MSP will do the core tasks like backing up data, implementing strong passwords and multifactor authentication, installing security software, and managing software updates and patches.
“People that get hacked because they’re using older systems without updates,” he said. “A good MSP will ensure that doesn’t happen.”
Training
All IT experts will tell you that ongoing training is key to a secure network. Why? As much as 88% of data breaches are caused by human error. Martz’s firm, for example, provides regular training to its clients so that employees are updated to the most recent threats and what’s changing and to increase overall awareness.
“Users are the first line of defense against any data breach,” he said. “We wouldn’t as much be worried about security if people never clicked on a bad link.”
Of course, implementing these strategies in 2024 will not eliminate your exposure to a data breach. But they will certainly help reduce the chances that it will happen. And that could save you a lot of money, time — and even your business.
