On this episode of #TheMoneyFactor, CEO of Eagle Business Credit Ian Varley and CEO of ASC Group Alan Adcock discuss cyber security and top risks to small businesses. There are IT issues that can cost your business and cyber security risks that a small business owner needs to be aware of.
Will Anti-Virus Software Protect My Business?
Often, small business owners wonder, “I have antivirus software installed on my computer. Do I have any need to be concerned?” That’s a great question. Everybody pretty much gets antivirus software pre-installed nowadays on their laptops. But do they keep it up-to-date? Are they looking at what happens when it’s actually intercepting a virus? Personally I think there are a lot more risks out there these days. Not just from viruses that can hit your computers, but from malicious emails. We hear about ransomware, malware, all those sorts of things.
What should you be aware of even when you use antivirus software?
The antivirus is the traditional antivirus that’s out there. It’s mostly definitions based, which means that there is a file that’s created when a piece of malicious code is identified. There’s a definition that’s written for that, and it’s updated. The problem with this is there are so many threats today out there on the internet that those definition files can’t keep up anymore. So the traditional antivirus really doesn’t protect you from modern threats like ransomware. There is a completely different model in that anti-malware software space, which is all behavior based. The software watches behaviors on the machine rather than looking for specific code. It’s kind of a next generation of antivirus. And I recommend everybody take a look at that.
For monitoring that stuff, it used to be we’d rely on the end user to get a pop-up window on their machine. We don’t recommend that any more. People have got a lot of popups coming up, and you don’t really know what to do with them. So we recommend that those solutions be monitored 24/7 by a cyber security operation. It’s really scary. One of the things that concerns me almost every day is the types of emails that come in that look as though they’re from somebody you know, but really they’re not. And they have links in them that people might click on, or attachments. Sometimes people open them, and before you know it you’ve got something bad on your machine.
Will antivirus software stop malicious email attachments or links from affecting your business?
The problem is that AV software and a firewall’s rules and all that are designed to keep stuff that you didn’t ask for out of your network. If you go in and open those links and download those files through an email, you’re not actually asking permission, you’re actually giving permission for that code to run on your network. So at this point 74% or so of ransomware attacks come in via email. And it’s exactly as simple as the embedded links that aren’t correct and the files that are infected.
How can you protect your business from ransomware files in emails?
It’s more than antivirus software these days. There are a number of security protocols to take. The best advice is if it’s from an email that you’ve received and you’re not expecting it, it’s from someone you don’t know, or if it appears to be a little bit strange don’t open it. Don’t click on the link. It’s just common sense not to do that. Because believe it or not, these really can cost your business. Ransomware is scary. You hear of government agencies that have to pay millions of dollars to try and fix these things. And it can happen just to an average ordinary business.
If you’re not taking just some common-sense approaches to checking your emails. But it’s not a bad idea to keep an IT company on hand to help you with that. You can get out of date so quickly. You think you know what to do, but the cyber criminals out there are way more clever than average users of machines.
Top Tips to Create an IT Security Policy for Small Business
As a small business owner, it’s hard to invest an awful lot of money in this unless you have an expert on your side. You don’t know enough about IT and what to do. You have to rely on an expert. Because you know really you need these policies in place to be able to scale your business and keep it safe. Again, always looking to what’s the trade-off between how much to spend to prevent an issue and how much is it going to cost to fix an issue. You would much rather spend your dollars on prevention.
- Outsource IT roles and cyber security to a third party
- Even if you have an IT employee, expecting cyber security from them can leave vulnerabilities in your policy
- Spend on prevention efforts, not recovery efforts
The cyber security industry has changed a lot over the years. It used to be that IT for a small business consisted of calling a company to come in; they’d spend a couple of hours setting something up or fixing an issue for you, and then they were gone. And you would wait until you had another issue to call them again.
Today, really, it’s more of an outsourced IT department model, where most small businesses don’t have enough funds or it’s not that feasible to have an IT department on staff. And IT really has grown to the point now where a single IT person in a small business really can’t be an expert on everything. So outsourcing IT to a company can do a lot for small business owners. Somewhere around 50% of small businesses have no internal IT department at all. Partnering with a third party can create an IT department at lower cost for a small business.
I have an IT professional on staff. Do I still need to outsource cyber security to a third party?
Even if you have an IT employee on staff, a third party could augment what that person does with specialized skills, particularly around security. It’s very difficult for one person to keep up. So the third party company becomes the policy for a small business and basically helps them out no matter what comes up. An IT person can handle part of that regular maintenance that needs to happen. There are a lot of the desktop maintenance type of issues that that person can perform.
Typically, an outsourced IT service will handle all the server type issues, the firewall, and monitoring of antivirus solutions. If using an outside IT resource for your business that doesn’t have anybody inside, there are strict monthly and annual maintenance processes that our IT company does to make sure that everything stays up to date. The single machine that nobody’s looking at is the access point. So cyber security has to be right 100% of the time. The bad guys just have to be right once. It’s about the weakest link in your system, and that can be a user or an old PC that’s not being kept up-to-date.
All these things are very hard for business owners to do when their focus is growing their business. So using an expert lessens the burden and worries of a business owner. You are expected to be an expert in your field, not an expert in the field of cyber security. It’s a good idea to get hold of somebody that can come in and build those protocols for you and help establish some of those weak areas that you may not be thinking of or aware of. So again, spend the money, prevent the issue.
What Are the Main Areas I Need to Watch Out For?
The main areas in terms of IT risk really depend on your business and what you’re trying to do. So you know if you’ve got an environment that has servers or if you’ve just got remote workers. It can be so many different things. For me and Eagle Business Credit, one of the things we’re constantly worried about is the threats that come in via email. And having somebody accidentally click on a link or open an attachment, then before you know it now we’ve got something that’s sitting on a machine we don’t even know.
There are horror stories in terms of people that can download stuff and it tracks every key that you press. So if you’ve gone into your personal bank account, now all of a sudden they’ve got everything they need to open that. The key issues vary from industry to industry, but only an expert can help locate and protect against the areas of cyber crime that your industry is targeted by. That person can come in and help you find what those issues are.
Don’t let small business financing stand in the way of affording a cyber security team. It is better to pay for protection than it is to scramble to recover control over your business. Cyber crime can happen instantly and send you out of business. Finding business funding during or after bankruptcy can be a hassle. Improving your cash flow now to afford security policies is the best course of action.
What kind of threats are common for small business owners?
There are a lot of different threats in the IT environment today. The biggest threats recently are around wire fraud. Many people are being compromised via email, via malware that then sits quietly on a system and watches for an opportune time. There is a horror story about a closing attorney whose email had been compromised. The cyber criminals were watching those emails coming back and forth. Somebody sent wire transaction instructions via email. (You should never do that.) It was intercepted, and the criminals did a transfer out of that account prior to the real estate closing. It’s a really bad day when you’re trying to close a real estate transaction.
This is where those things really turn into a cost to your business now. It’s really hard to prevent, but you’ve got to have somebody on site that will make you focus on it. Don’t just focus on your business and hope and pray that everything is going to be okay. You have to have somebody really helping you drill into those kinds of issues.
Is your business in any cyber danger? Possibly.
We’ve had situations where emails come in that look as though they’re from me or from somebody else and they’re really not. Again, be aware of the kind of threats that are out there. Because someone somewhere is probably going to try and hit your company at some point. You might think you’re a small business and that you’re insulated from it. You’re not.
Every business that has an internet connection is continuously being probed by these actors on the Internet. So it’s not that you’re being specifically targeted in most cases as a small business. They’re looking for weaknesses just as a general course, and they’re going to look for that lowest-hanging fruit to try to come in and either use your company as a launch point for another attack or go directly for your company.
What can you do to protect your small business from ransomware?
The main thing now is ransomware. So the cyber criminals are just going to come in once they’ve got a foothold. They’re going to encrypt all of your machines and all of your data and force you to pay a ransom if you want that data back. The latest statistic is that about 50% of small businesses that get hit by ransomware are out of business in the next 12 months. It’s really serious. Particularly if it’s a company that you’re doing business with, you want them to be stable moving forward. So it’s a big risk for both you and the company that’s going to potentially get hit.
End-user training for those emails is huge. There’s more and more training content out there. Our cyber security company has training content that they deployed to our business. An IT company can actually test employees. Criminals can do what’s called a phishing attack where you’re trying to send an email that’s not legit. So your employees can go through the task, watch the videos, and take the test. Then your IT company can wait a little and then test in real life to see if your employees learned not to click on phishing attacks.
Small Business Cyber Security Methods
Business owners are continuously surprised to read the horror stories of cyber attacks. The reality is that cyber crime is harder and harder to prevent, but an expert security team on your side can significantly reduce the risk to your business. It’s better to prevent becoming a statistic rather than facing ransomware, phishing attacks, or viruses without protection. Train your employees to be very careful about emails they do not recognize or expect. Establish a firewall and security policies when searching the web, and if you have the resources, outsource your IT to an expert. If you need business financing to smooth over cash flow to afford cyber security practices, give us a call at Eagle Business Credit.
Have Any Questions?
If you have any more questions on cyber security, small businesses, or growing your business then reach out to Ian Varley or Eagle Business Credit. We are on LinkedIn, Twitter, Facebook, and YouTube. Use #TheMoneyFactor to send in your questions, and we will answer them!