Small Business Cybersecurity: How to Protect Yourself Against Hackers

By Dr. Jerry Craig | June 21, 2022
Jerry is Ntiva’s Sr. Director of Security and CISO, offering more than 20 years in the IT and cybersecurity industry. Certified CISO, CISSP and CCSP, Jerry also serves part-time as Adjunct Professor in the University of Maryland Global Campus.

By the time you get to the end of this sentence, a cybercriminal will have successfully attacked a business and infected it with ransomware. According to Cybercrime Magazine, ransomware attacks happen at a rate of one every 11 seconds.

If you operate a small business, the question you should be asking yourself isn’t, “Will we get hacked?” It’s, “When will we get hacked?”

The next question? “Are we prepared?”

You’re certain to get attacked sooner or later, by ransomware, a virus, malware, or a simple data breach, because hackers attack small businesses for only two reasons: their vertical and their vulnerability.

Certain types of businesses and industry verticals are more attractive targets to hackers. If you operate in the health care vertical, for example, or work with the Department of Defense, hackers will target you specifically.

If you operate in the public sector, whether on the left side or right side of the political spectrum, you also have a target on your back. If you’re a manufacturer, you have intellectual property that cybercriminals want to get their hands on.

Then there’s your level of vulnerability. First, they find you. Then, they decide if you’re worth attacking. Hackers go after exposed companies, exploiting businesses that have weak defenses.


How Are You Putting Your Small Business at Risk?

Hackers prefer to target companies that are in valuable verticals and that are vulnerable. After all, some organizations, such as the CIA, are valuable but next to impossible to hack. Other organizations, such as your local pizzeria, are vulnerable to attack but offer hackers little by way of value.

What criminals most desire is businesses that offer both value and vulnerability. If your small business offers both, you’ll want to pay attention to the next two sections.

Because you can’t do much about being a valuable target to hackers (short of getting out of the sector you’re in), you must focus your attention on reducing your risk with managed vulnerability testing services. Here are the four top ways that business owners put their companies at risk.

1. Inadequate training

Your top weakness as an employer is your people: A whopping 91% of cyberattacks begin with a spear-phishing email, according to Trend Micro.

Because your employees are your weakest link, employee training is where you must invest a large portion of your resources.

And this training can’t simply be a 30-minute security video that you require your staff to endure once each year. Cybersecurity training must be both comprehensive and continual.

You also must ensure that your training is always up-to-date. You can’t afford to regurgitate the same training modules repeatedly. Your enemy isn’t just hackers — it’s employee apathy.

2. Insufficient investment in security

If your small business is vulnerable to cyberattacks, one reason might be that you’re not spending enough money on security in general. Whether it's tools, services, people, or training, cybersecurity requires an adequate investment.

The trouble, of course, is that your IT budget faces constraints. The money you spend on security is also money that you could be investing in marketing, sales, IT, and a whole raft of other things. This makes outsourcing your security a viable option. But more on that in a minute.

3. Misunderstanding the impact of an attack

Roughly 6 in 10 small businesses close their doors within six months of a major cyberattack, according to the National Cyber Security Alliance. They go out of business because they cannot afford to pay the costs associated with ransomware attacks and data breaches. Successful cyberattacks impact just about every area of your business, from legal to financial, from customer satisfaction to brand reputation, from competitive position to regulatory sanctions.

One reason small businesses leave themselves vulnerable is that business leaders who aren't focused on security fail to understand the consequences of breaches in business terms. They see attacks primarily as technical events that target servers and applications, not as business events that harm a company’s bottom line.

4. Thinking cybersecurity is only about technology

Some small businesses think cybersecurity is all about firewalls, antivirus software, and robust passwords. They think their best defense against attack is found in a piece of hardware, software, or the latest app.

But the reality is that many of the most successful attacks on small businesses don’t even involve hacking. The criminal penetrates zero networks, compromises no servers, and hacks into zero databases.

Instead, the criminal simply sends an official-looking email that purports to come from a legitimate source (the recipient’s boss, for example). They request the victim do something they do every day, such as pay an invoice or transfer funds between two accounts. Businesses continue to get attacked because employees continue to fall for social engineering, phishing, and plain old-fashioned conman tricks.



How to Protect Your Small Business Against Ransomware Attacks

The greatest threat you face as a small business is ransomware, so here are some concrete steps you should take to ensure you’re as protected as possible.

1. Balance security and user experience

Which is more important: security or user experience? As customers demand an increasingly seamless user experience, any detectable security measures — no matter how necessary — can add friction and risk the relationship. On the other hand, always allowing UX to trump security means taking on a much higher level of risk … which could affect those very same customers. It’s important to find a viable balance and communicate to users that security measures are for their protection.

2. Reduce risk through investment

Invest more money in tools, people, and training. Make security a larger share of your budget. (We know having a small business often means never having the budget to do everything that’s necessary, but a successful cyber attack can erase everything you’ve worked for — in an instant.)

3. Test your backups

The key to recovering from a cyberattack isn’t having a backup — it’s having a good backup. That means having a backup that reliably works when you need it to (not all do). To ensure you have insurance against those “Noooooo!” moments, go to the trouble of testing your backups periodically to ensure they work as intended.
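
One way to run the periodic backup test described above, added here as an illustration and not a tool from the article or from Ntiva: record a SHA-256 manifest when the backup is taken, then read every file back out of the archive and compare. The function names, file names, and the gzip-compressed tar format are assumptions.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

def _sha256(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir):
    """Run at backup time: relative path -> SHA-256. Store it apart from the backup."""
    root, manifest = Path(source_dir), {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        with open(p, "rb") as f:
            manifest[p.relative_to(root).as_posix()] = _sha256(f)
    return manifest

def make_backup(source_dir, archive_path):
    """Stand-in for the real backup job (assumed here: a gzip-compressed tar)."""
    root = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(q for q in root.rglob("*") if q.is_file()):
            tar.add(p, arcname=p.relative_to(root).as_posix())

def restore_test(archive_path, manifest):
    """Read every file back out of the backup; return [(path, problem)], empty if clean."""
    restored = {}
    try:
        with tarfile.open(archive_path) as tar:
            for member in (m for m in tar if m.isfile()):
                with tar.extractfile(member) as f:
                    restored[member.name] = _sha256(f)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [("<archive>", f"unreadable: {exc}")]
    return sorted((p, "missing" if p not in restored else "content mismatch")
                  for p in manifest if restored.get(p) != manifest[p])

def demo():
    """Constructed sample data: a good backup, then a stale, incomplete one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = Path(tmp, "data"), Path(tmp, "good.tgz"), Path(tmp, "bad.tgz")
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "customers.db").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(src)
        make_backup(src, good)
        (src / "invoices.csv").write_text("id,amount\n")  # backup job saw a partial file
        (src / "customers.db").unlink()                   # backup job skipped this file
        make_backup(src, bad)
        return restore_test(good, manifest), restore_test(bad, manifest)
```

A backup that merely exists passes none of these checks on its own; scheduling `restore_test` and alerting on a non-empty result is what turns "we have backups" into "we have backups that restore."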

4. Segment your users and networks

Another effective line of defense against ransomware attacks is segmenting your users and networks. That way, when attackers penetrate one part of your organization, the attack is confined and contained to a single person, device, or network, instead of being free to run rampant throughout your entire organization.

5. Buy cyber insurance

Finally, protect your company with cyber insurance. If you get attacked and suffer losses, cyber insurance offsets your financial costs. Yes, you will take a hit on your reputation in the marketplace, and insurance won’t help you there, but insurance will prevent your business from going out of business. That’s a premium worth paying.


Why You Should Consider Outsourcing Cybersecurity

When it comes to protecting your business against cyberattacks, you have two options. There’s the do-it-yourself model, and there’s the done-for-you model. You can manage all your security yourself, in-house, using your own staff. Or you can outsource your security to a Managed Security Services Provider (MSSP) like Ntiva.

The primary benefits of outsourcing your security are on the technology and cost-savings side. MSSPs offer you economies of scale when it comes to technology, personnel, knowledge, experience, certifications, and licensing costs. You get volume discount licensing for things like endpoint detection and response, multifactor authentication, intrusion detection and response, and phishing prevention training.

Even if you can afford all the cybersecurity tools and technology you require, you likely cannot afford the people, resources, and training needed to implement those tools and technology. But with an MSSP, you can. This lets you focus on what you’re good at rather than worrying about security.

