Technology offers plenty of business benefits, from driving productivity to transforming operations to optimizing workflows. But it also has a downside: It opens up companies to cyberattacks — a threat that, in most cases, companies are not equipped to handle.
Small and midsize businesses are particularly at risk of a cyberattack, says Cynthia James, CEO and principal consultant at Cyberus Security. “The biggest problem is that 80 percent of CEOs are non-technical,” she says. “As a result, they haven’t learned to manage a risk that, right now, is bigger than any other financial or legal risk.”
James, who is also a speaker for executive coaching firm Vistage, notes that small and midsize businesses are at risk for two types of cyberattacks in particular. The first type is business email compromise (BEC) attacks, in which cybercriminals spoof or hack the email address of an executive, and the second type is ransomware attacks, in which cybercriminals hijack data and hold it for ransom. “More than 85 percent of attacks come from someone clicking on something they shouldn’t.”
To protect your company from these attacks, our latest report includes the following precautions:
1. Watch out for suspicious requests in emails.
Train your team to look out for unusual requests in emails. Cybercriminals may pose as employees of the company and send requests for money or sensitive information. If you receive an email with an urgent request that involves money and asks for confidentiality, confirm it’s legitimate before taking any action.
“Walk into the CEO’s office and ask them, ‘Did you really send this?’” says James. “Send the note to IT and ask them ‘Is this real, or is this spoofed?’ And scroll over the email address to see if it really came from thatcompany.com.”
2. Don’t store backups on your own network.
When backing up your files, store them in the cloud or some other place that isn’t connected to your company’s network. That way, even if your network is compromised, you’ll still have intact copies of your information.
This is crucial to protect yourself against ransomware attackers, who will likely encrypt your network backups as well as your local files.
3. Create separate IT and cybersecurity teams.
Your IT team should not be managing cybersecurity. In fact, IT and cybersecurity teams have very different goals.
An IT department gives people access to computers and technological assistance. By contrast, cybersecurity experts control access to technology and networks. They also work to prevent breaches and find vulnerabilities in a company’s security systems and processes.
“It doesn’t make any sense to have the people that might make security mistakes be responsible for figuring out what mistakes are made,” says James. “Yet that’s what CEOs expect when they ask their IT people to manage their cybersecurity.”
4. Consider the trade-offs.
Cybersecurity solutions can be cheap, easy or secure — but they can’t be all three of those things at once, James says. When she’s teaching CEOs about cybersecurity, she asks them to pick two of the above.
“You can’t have cheap security that’s easy. You can’t have easy security that’s cheap. There are trade-offs.”
5. Train employees to recognize phishing attempts.
About 90 percent of company breaches are caused by a phishing attempt. In these kinds of attacks, a cybercriminal often poses as a co-worker — or a trustworthy organization such as a bank — and tricks people into handing over sensitive information like passwords or credit card numbers.
Phishing attacks can be sophisticated, so it’s important to train employees to recognize the signs of phishing. These signs could include unusual requests for money or information, fake website addresses or suspicious email attachments.
If you’re a small or midsize business, it’s especially important for you to be vigilant about cybersecurity. Take proactive steps with these suggestions to avoid making your business vulnerable to the cybercriminals looking for their next target.