Information security often takes a backseat to other issues that small business owners face. With more immediate concerns, such as shipping products or pursuing overdue accounts, business owners are likely to dismiss information security concerns as applying only to larger organizations.
It’s easy to think that a small business can remain below the radar of attackers and neglect security controls. Unfortunately, the facts do not support that idea.
When it comes to information security, no business is too small. Small businesses increasingly find themselves the focus of attacks directly targeted against them and designed to steal funds, information and customers.
In the 2016 Internet Security Threat Report, Symantec found that spear phishing attacks targeted small businesses at an alarming, and growing, rate. In 2011, attacks against small businesses accounted for 18 percent of all spear phishing attacks. Last year, that number more than doubled to 43 percent.
Many small businesses operate in cutthroat industries with low margins and intense competition. This type of environment can foster illicit activity.
Take the case of two linen companies in New England with nearly identical names: General Linen Services Co., Inc. of Newburyport, Mass., and General Linen Services, LLC of Somersworth, N.H.
This past March, the New Hampshire company was found guilty of hacking into the computer systems of the Massachusetts company to steal client information, as Fosters reports. The company then used that information to contact its competitor’s customers, attempting to lure them away.
How did one family-owned linen company manage to hack into the system of its competitor? The two businesses both used the same third-party vendor to store customer records. It turns out that the vendor used a common default password for both companies, allowing the New Hampshire company to easily gain access to the Massachusetts company’s account.
Knowledge is the most effective weapon any small business can wield against cybersecurity risks. In the great linen hack of 2016, General Linen Services Co., Inc. could easily have protected itself by changing the vendor default password. That simple precaution might have prevented the breach of more than 1,000 customer records and avoided a drawn-out legal battle with its competitor.
Similarly, small business owners and employees must be aware of the risks posed by social engineers, who use highly targeted spear phishing attacks to fool employees into revealing sensitive information. Modern attacks are quite sophisticated and leverage internal information, branding, and industry knowledge to manipulate unwitting targets into believing that an attack message is legitimate.
While education is extremely important, small businesses should complement education efforts with a strong array of technical controls designed to minimize risk. These don’t need to be overwhelmingly expensive. At a minimum, small businesses should ensure that they leverage strong passwords, automatic updates for applications and operating systems, hardware firewalls, and encryption for their wireless network. This simple array of controls will go a long way toward defending against many cybersecurity threats.