In the past few years, we have seen a tremendous increase in cyber-attacks on public and private organizations, resulting in severe financial, economic, and security-related consequences.
There were 900 cyber-attacks per organization in Q4 of 2021, making it the highest attack frequency ever recorded. Attacks targeted subjects using data breaches, ransomware, phishing, SQL injections, and more.
Ransomware attacks cost around $20 billion in damages in 2021.
In the wake of these increased cyber-attacks, governments and organizations are now taking extreme cyber-defense measures. Alone, Microsoft spends $1 billion on cloud security. In comparison, the US military spends about $3 billion on cyber-defenses. These investments are the necessary and bare minimum response to the growing threat. Experts predict that global spending on cyber-security will exceed $1.75 trillion by 2025.
Big businesses are taking the steps and making investments necessary to keep ahead of cyber-attacks.
Unfortunately, awareness is lacking massively for small business IT staff and managers. As a result, they often fall prey to cyber-attacks, losing valuable data and facing severe financial loss. 54% of businesses say that their IT teams are not qualified to handle advanced cyber-attacks.
Many small- and medium-sized businesses don’t pay adequate attention to cyber-security needs. They often only realize it when it’s too late.
This article will provide key cybersecurity insights small businesses should be paying attention to. We recently interviewed experts to share their knowledge and thoughts on how small businesses can improve their cybersecurity defenses and protect their business assets.
We asked the experts featured in this post the same question:
What is the biggest mistake you see small businesses making when it comes to cybersecurity?
Here’s how they answered.
1) Menny Barzilay | Partner & Co-Founder at Cytactic
There are many mistakes that small businesses make when it comes to cyber security, from not investing enough, to investing too much on the wrong things.
But if I had to choose the biggest mistake, I’d choose – holding a false belief that hackers will not invest time and resources in attacking them. Many small businesses’ owners think that their business is not interesting enough for hackers to notice, or that they don’t hold any valuable assets that hackers would like to compromise. Which is obviously wrong.
People should strive to be optimistic, but not in cybersecurity. In cybersecurity they should be realistic. And in real life, every computer, network, or business is an asset that hackers would be happy to compromise. Sometimes hackers take control over small businesses’ email accounts to conduct fraud attacks against the company or its customers and suppliers. Or maybe the hackers will threaten to leak the information from the email system and extort the company or its employees (no one wants their entire inbox to be leaked to the internet). Hackers might also steal and encrypt your files and destroy your backups. Or they could use your systems to gain access to your customer’s networks and then attack them (who do you think your customers blame first?). Sometimes competitors hack businesses for the sole reason to destroy their reputation and steal their customers.
Remember, small businesses are constantly being targeted and attacked. Many of them never completely recover from such attacks. Some go under and close shop. Because of the false belief that “everything will be ok”, organizations do not invest in cyber crisis readiness. They fail to devise a plan for the day that the cyber crisis will eventually happen. Yet, it is crucial to ask the hard questions now, before something bad happens. We should play the “what-if” game. And try to devise a response plan to various attack scenarios. This is not (just) an IT issue. It is first and foremost a business issue.
Small businesses owners should understand that a cyber crisis creates a myriad of issues outside the IT realm. An effective crisis management plan should address these various potential issues including business issues, legal issues, PR issues, Insurance issues, operations issues, and others.
So to summarize – Hackers constantly try to attack you. An incident will eventually happen and at an unexpected time. Have a response plan in place. It could save your business.
About Menny Barzilay
Menny Barzilay is an internationally known cyber security expert. He is a strategic advisor to leading enterprises around the world, as well as States and Governments. He sits on the advisory board of several startup companies. Menny is a partner and co-founder at Cytactic, a cyber crisis management & resilience services company, catering enterprises and governments globally. Additionally, he is the CTO of the Blavatnik Interdisciplinary Cyber Research Center at Tel-Aviv University. Menny also founded THINK:CYBER – a successful cyber security newsletter with subscribers from all around the world.
Menny is a former CISO in the intelligence services of the Israeli Defense Force (Capt. Res.) and held several tech-related managerial positions in the largest Israeli banking group.
2) Ann Marie Fred (@DukeAMO) | Software Engineer & Security Lead
One big mistake I see from small businesses is that they read the news about the fast-changing cybersecurity landscape, and they think that it’s impossible to win; that their best defense is hope. Yet, there are several simple, small changes that even small businesses and volunteer organizations can make in less than 1 week.
Here are a few that I mention to my friends and family, and even my teenagers:
- Use a password manager app to store your passwords. We’ve all heard that the best passwords are ones that are hard to guess, and that we should be using a different password for every website. But if you’re like most people, and you have accounts for dozens of different websites, making up a new password for every website and remembering so many is impossible… UNLESS you have a password manager! A password manager app will generate strong passwords and store them for you, so you can easily copy and paste them into login pages. I’ve used 1Password and Bitwarden myself, and both are good. These apps let you set up different password vaults for work, family, and private information.
- Now that you can easily use good, strong passwords, make sure that your router and WiFi network have good passwords too, and don’t share those with customers. If you want to offer free WiFi to your customers, set up a different guest network and password for them. Your Internet provider should be able to help with this.
- Make sure you’re keeping your software up to date with the latest security fixes. Most modern software (for example, your operating system) will have an option to automatically download and install updates. Turn that on! If your software is so old that it’s not a “supported version” any more, and you can’t upgrade it, it’s time to get new software. You might even move to a cloud-hosted solution where you don’t have to worry about the updates yourself.
- Speaking of new software, be careful what you install. Look for popular software with good ratings from a number of reputable sources. Uninstall software that you don’t need.
- Use antivirus and firewall software on all of your computers, even at home. For example, Windows comes with Windows Defender for free, so make sure it’s enabled. Be very suspicious if any website, software installer, or “support representative” tells you to disable those features.
- Learn about the most common cyberattacks and how you can stop them. In 15 minutes you can watch these videos about Phishing (7 minutes) and Cybersecurity (7 minutes).
- In the longer term, set aside some training time for yourself or some of your employees to learn more about Cybersecurity. For example, IBM offers a free six-hour Cybersecurity Fundamentals course.
About Ann Marie Fred
Ann Marie Fred has been a software engineer for more than 20 years, including 3 years as a manager and 4 years as a security lead. She’s worked in research, consulting, web portal development, IT systems management, cloud computing, hybrid cloud, deployment automation, web platform development and operations, and most recently, developer tools for Kubernetes and DevOps.
Her specialties are DevOps, cybersecurity, cloud computing, distributed systems, agile development, automation, and high availability / disaster recovery for IT services. She is an international conference speaker and has many publications, listed at: https://www.linkedin.com/in/amfred/
In her free time, she enjoys reading, scuba diving, travel, games, and having fun with her family.
All statements here are her own opinion and not an official statement of her employers.
3) Mike Kail (@mdkail) | CTO of PrimaryIO
The overarching mistake that small companies make with respect to Cybersecurity is not having a comprehensive strategy in place that is composed of tactical procedures such as software update maintenance, weak authentication methods and no formal business continuity/disaster recovery plan.
About Mike Kail
Mike is a seasoned C-Level Executive with 30 years of experience helping companies scale, undergo digital transformation, implement cybersecurity strategies and create high-performing, cohesive cultures. He has held CxO positions at Palo Alto Strategy Group, Everest.org, and Yahoo! He is currently CTO of PrimaryIO developing a DR as a Service platform. Mike has been widely recognized for his insightful industry commentary on social media and has been recognized by the Huffington Post as one of the “Top 100 Most Social CIOs on Twitter.” He holds a B.S. in Computer Science from Iowa State University and also serves on several Advisory Boards.
4) Christopher Foulon (@chris_foulon) | Senior Manager & Cybersecurity Consultant at F10 FinTech
One of the biggest mistakes that small businesses make is overestimating the security of the vendors which they use for services. When using software as a service, they might not read and understand the terms and conditions of those services. As a business owner, they would always be responsible for any data which they might be storing in the cloud.
About Christopher Foulon
Christophe Foulon, senior manager and cybersecurity consultant at F10 FinTech, brings over 15 years of experience as a CISO, vCISO, information security manager, adjunct professor, author, and cybersecurity strategist with a passion for customer service, process improvement, and information security. He also has spent more than 10 years leading, coaching, and mentoring people.
5) Scott Schober (@ScottBVS) | President & CEO of Berkeley Varitronics Systems
I am often hired to privately present to companies and discuss their cybersecurity posture so I receive the gamut of questions and reactions. It’s disconcerting to see that the majority of small business owners I speak with seemed overwhelmed by cybersecurity to the point of doing nothing. Perhaps the unique jargon of phishing, black hats and bitcoins intimidates them. I can somewhat relate to this when I visit my physician and they rattle off a list of antibiotics I never heard of for a possible prescription. I try to relate to my clients and small business owners by sharing practical tips that might take some time to implement but generally don’t cost anything. One of the biggest offenders in small business is that employers and employees do not create and manage passwords properly. They continue to use simple, short, guessable passwords. They further admit to reusing the same weak password across multiple logins which is also very common and dangerous for data integrity. I am all too familiar with common tropes such as ‘time is money’ so it pains me to see fellow business owners ignore simple security measures such as multi-factor/two-factor authentication simply for their own convenience.
I find that when I help business owners clearly identify their assets and what they are trying to protect, they are more attentive to the possibility of losing everything and then allow for some small security concessions into their daily work routine. After so many years of educating business owners, I decided to author a book that could be used as a tool to help the ones I will never have a chance to speak with directly. I wrote ‘Cybersecurity is Everybody’s Business’ with that simple premise in mind.
About Scott Schober
Scott Schober is the President and CEO of Berkeley Varitronics Systems, a 50-year-old, New Jersey-based provider of advanced, world-class wireless test and security solutions. He is the author of three best-selling security books: Hacked Again, Cybersecurity is Everybody’s Business, and Senior Cyber.
Scott is a highly sought-after author and expert for live security events, media appearances, and commentary on the topics of ransomware, wireless threats, drone surveillance and hacking, cybersecurity for consumers, and small business. He is often seen on ABC News, Bloomberg TV, Al Jazeera America, CBS This Morning News, CNN, Fox Business, and many more networks.
Scott also serves as the CSO and Chief Media Commentator for Cybersecurity Ventures and sits on several cyber advisory boards for various companies.
6) Sean Wright (@SeanWrightSec) | Experienced Application Security Engineer
A common mistake that I see many companies make, is not appropriately triaging and prioritizing issues. This affects smaller companies even more since they will have limited resources (both human as well as financial) when it comes to cybersecurity. So, ensuring that they focus on the areas that matter the most, is extremely important. I’ve seen some companies trying to resolve everything, while admiral is likely not going to succeed given the limited resources at their disposal (even larger organization with a much larger pool will likely not be able to accomplish this). On the other hand, I’ve seen organizations not pay any attention to security issues, often with the mindset of “we are too small, it’ll never happen to us”. By triaging and prioritizing issues, you ensure that you evaluate security vulnerabilities and flaws in context of your organization. This then helps you identify the items that carry the most risk to your organization, being able to focus on these items first. The good news about this, is that this is a relatively low effort and cost exercise to carry out.
About Sean Wright
Sean is an experienced application security engineer with an origin as a software developer. He is primarily focused on web-based application security with a special interest in TLS and supply chain related subjects. He is experienced in providing technical leadership in relation to application security, as well as engaging with teams to improve the security of systems and applications that they develop and maintain. Sean is passionate to be a part of the community and giving back to the community. Additionally, he enjoys spending personal time performing personal security-related research. Follow Sean’s blog here.
7) Marc-Roger Gagné MAPP (@OttLegalRebels) | Privacy Advocate, Cybersecurity, and Director at Interfima
As much as we love the powerful tech world, like all things, with pros come cons, and here, tech has its drawbacks. We often underestimate it as we believe that we created tech and the cyber world, so we have control over it, but we often tend to forget that there is always a bigger person in the picture (Hackers and tech experts here).
Most small businesses are amateurs when it comes to cyber security, although it is the one thing that should be taken much more seriously and worked on consciously. Hence in this world and time, we must acknowledge that we require much more information and techniques to take care of our business and keep it safe from cyber-attacks.
In a recent report by Forbes in March 2022, they also declared that small businesses are more likely to come under the influence and attack of cybercrime.
Small businesses are always looking for more ways to build themselves and go higher as they are smaller in size; they tend to concentrate just on constructing themselves at first, sometimes making them more vulnerable to cyber-attacks. A point of vulnerability is a weakness in your foundation, processes, programming, or networks. And that creates an opening through which a hacker can get close enough to your information and sensitive data.
Not to scare you, but to give you a heads up, according to a report, it is estimated that around 6% of businesses tend to shut down after six months of hackers breaching their data; hence it is a significant concern and reason why you should not take it lightly.
Cyber security is always at stake and can occur overnight, but it may take days, if not weeks or months, to catch the criminal and the crime. Hence, we should first know that we should never underestimate cyber-attacks power of cyber-attacks. Now with the tech world-leading, it is not even the point IF any business will face cybercrime; it is WHEN they will because at some point they will. However, precaution is better than cure.
Cybercrime is a threat to all kinds and sizes of businesses, but smaller firms are more likely to be affected because of some common mistakes they make. Here we have made a list of things you could miss out on regarding cyber security to protect your business. Working on them and making them your priority can help you build a more robust business foundation and help you keep your data and business safe.
First, the most basic rule is NOT to have an easy-to-guess password. It could be troublesome to remember complex passwords, which is why people tend to have passwords that are easier to remember. Still, by doing that, you’re just putting your data out to be hacked and giving easy access to the hacker’s personal information.
Also, it is tough to remember passwords of multiple places but do yourself and your business a favor, have a little tough-to-catch password and have different passwords for different places.
NOT Backing up your data
Most businesses often tend to rule out that cyber security is essential and that this should be one of the most important things on their mind. Hence they also tend to forget that they must back up their data in case anything goes downhill; they could clear out their software as soon as possible, clean it up and still have all the information saved.
And soon be back on track with all the essential information and data still close and saved up. Hence this way, it will take you less time to get your business back on track and less time and energy wasted on copying data if your software has been hacked. Or else remaking the files and bringing them back can be time-consuming.
Forgetting antivirus software
Martin Luther King, Jr. said, “Darkness cannot drive out darkness; only light can do that. Hate cannot drive out hate; only love can do that.”
Likewise, in this time and age when we depend on the tech world, we must also know how to protect ourselves from it by using tech itself.
When all our data is saved on this software, we must know how to watch over ourselves, our network, and our data. We must also use technology in our defense to protect our computers and data from cyber threats, including malware and ransomware. Hence we must use and download antivirus software too.
Ignoring multi-factor authenticity
We did say you should use a solid and difficult password, but that certainly does not guarantee that your data will be protected and that the ‘difficult, strong’ password won’t get into someone else’s hands.
Cybercriminals have their ways of getting into your data with their alluring tactics. Using Multi-factor authentication, also known as two-factor authentication, the user would be sent an alert after each login through their specific chosen ways to see if they are logging in and protect their account from intruders.
Not getting qualified experts
We know that understanding tech is not everyone’s cup of tea. This mistake is most commonly repeated, especially by small business owners; they don’t hire anyone regarding data protection or underqualified people in this area.
In any other aspect of business, the company makes sure to hire the best of the best in that department, but they tend to miss this department.
Not keeping your software updated
With our rush and busy lives, we want everything to happen as soon as possible. Therefore while we are working and if our computer or network shows a notification about a software update, we tend to quickly press the ‘not now’ or ‘later’ button on every software update. We forget how they might be helping us; these updates help your software create a block against intruders to its best capability.
The more you plan, the safer your business’ digital and online presence will be. Digital crimes and cyber attacks are an undeniable and sobering danger to private companies.
Fortunately, these crimes can end with instruction, planning, and the right devices. You live to execute one more day on the off chance that you follow the tips in this aide.
About Marc-Roger Gagné MAPP
Marc-Roger Gagné is a prolific Privacy and Data Governance Advocate who resides in Ottawa, Canada. Throughout the span of nearly two decades, Marc-Roger has been dedicated to providing top-notch policy advice for government and corporate clients alike. He is a member of the Board of Directors of the Privacy and Access Council of Canada since 2010 and a Member of the International Association of Privacy Professionals (817631). Additionally, he holds membership at the Compliance, Governance & Oversight Council, the Law Society of Upper Canada, and the Information Systems Audit and Control Association (ISACA), contributor Irish Tech News.
Marc-Roger’s accreditations are many. In 2011 he was recognized as a Master Access and Privacy Professional (MAPP), the highest designation in the Access to Information and Privacy community. He also holds accreditations as a CIPP, CIPP/G, CIPP/C,CCTA CCII,CTFI. His key competencies lie in Privacy, Cyber Security, Breach Management and associated Training Programs, Policy Development, Information Management, Informational Technology, Data Analytics and Litigation.
Combining his vast knowledge-base along with his integrity, Marc-Roger is a well-recognized and respected professional who has integrated numerous innovative strategies into everything that he does in the privacy, data protection, and information management fields.
8) BONUS: Mat Zoglio (@zoginc_IT) | Owner & CEO of Zog, Inc.
The issue is not so much a mistake, but a global small business issue. We are finding that many organizations are not creating plans or budgets for cybersecurity. As an IT provider of cybersecurity solutions and IT service solutions, our clients are struggling with having to create a budget where one never existed. In a very short period of time, the cybersecurity plan went from having a firewall, backup and antivirus to now having a complete set of cybersecurity tools, policies, procedures and training that the small business market was not prepared to financially absorb. The proactive clients are moving quickly to add in new budgets so they can build this cost into their go to market pricing for their products and services when possible. Some industries have prices that can’t be changed and are being forced into absorbing these new costs.
Industries, such as government, finance and medicine were the early adopters of cybersecurity through their respective compliance requirements. After a decade of watching ransomware events increase in frequency, insurance claim payouts for ransomware increase exponentially, the insurance companies finally reached a point where their policies are now requiring a more thorough cybersecurity underwriting process. They are sending complex questionnaires to their clients with new IT requirements. These requirements need to be met for the insurer to be willing to underwrite the cybersecurity policy.
While the industries requiring compliance all had a head start, many of the average small businesses have been left scrambling to understand how to plan and budget for cybersecurity. While I understand waiting to see how new things play out as far as what is needed for cybersecurity, failing to plan for an event at all is a big mistake. Without having a cybersecurity plan moving forward, a small business may soon find they are being excluded from competing for contracts that once were theirs to win.
About Mat Zoglio
Mat Zoglio is the CEO of Zog, Inc., and has spent the last 23+ years providing IT support to local businesses. Zog has been named a fastest growing company on the INC5000 and Philadelphia100.
Zog is a fully managed and co-managed IT services, support, and zero-trust cybersecurity solutions provider headquartered in Montgomeryville, PA with another office in the Orlando area.
Zog supports and helps protect growth-minded, small- to medium-sized businesses with or without internal IT staff. Zog provides custom and relationship-oriented support, helping simplify IT and maximize efficiency by taking time to understand your business. We’ll help you examine your current network infrastructure, its potential, and how to get there.
Learn more about Zog’s services and connect with Mat on LinkedIn.