Should small businesses worry about cybersecurity? Many small business owners are too busy keeping the lights on to think about cybersecurity. They think they are too small to be bothered by hackers when the reality is just the opposite.
Accenture’s 2023 Cybercrime study finds that over 40% of all cyberattacks were targeted at businesses with fewer than 1,000 employees and that only 14% of SMBs are ready to fend off an attack. Almost all SMBs collect customer data like credit card, bank account, and social security numbers, as well as personal information like addresses, driver’s license numbers, and mobile phone numbers. Yet many SMBs do little or nothing to protect that data beyond setting an employee login password.
In fact, statistics show nearly half of all businesses with fewer than 50 employees don’t have a cybersecurity budget, one-third of SMBs with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions, while another 27% that process credit card transactions have no cybersecurity protections at all, and just 17% of all SMBs have cyber insurance.
Why do cybercriminals target small businesses?
That last sentence above neatly sums it up. It’s about opportunity. SMBs are more attractive to criminals because they typically have limited, if any, cyber defenses in place compared to larger organizations.
Smaller businesses tend to be more casual or family business environments with fewer technically savvy employees and less formal technology training to spot scams. Security standards are usually lower with a relaxed attitude toward password hygiene and policy enforcement, making employees more susceptible to divulging confidential information through phishing attacks – the number one cause of password compromises and ensuing security breaches.
Further, SMBs are more likely to pay a ransom to get their customer data and systems back online as quickly as possible, especially if there is no data back-up or disaster recovery plan in place. Cybercriminals may have to target many more SMBs to make the same payday as extorting a single large enterprise (which increases every SMBs’ odds of being targeted), but their risk of exposure and arrest is significantly lower as SMBs rarely follow through with law enforcement authorities and/or do not want the media publicity associated with a breach.
Impact of a Breach on SMBs
When a cyberattack is successful the impact on a small business can be devastating. In fact, many SMBs never recover, with 60% going out of business within six months. Consider:
-
- The loss of revenues from the inability to process transactions during the actual outage
- The cost of ransom to recover stolen data (and what’s to prevent the hacker from copying and selling the data even after it has been returned, if it gets returned)
- If the data is unrecoverable or you refuse to pay the ransom, you must rebuild your customer database and IT infrastructure
- The financial fines and legal liabilities associated with compliance violations
- Reputational damage and future loss of revenues from customers who no longer trust doing business with a company that has been breached
So, the short answer is yes, small businesses should worry about their cybersecurity efforts.
What does cybersecurity success look like for a small business?
Cybersecurity success is defined as putting all the security tools and technologies in place needed to protect vital company and customer data. This means doing things like:
- Using a secure network connection such as a Virtual Private Network (VPN)
- Building and keeping all confidential data behind a company firewall
- Establishing rules and standards for strong password creation and hygiene, implementing advanced identity management tools such as multi-factor authentication, Single Sign On (SSO), and enabling secure password sharing in team environments, a.k.a. Password Management
- Installing antivirus and malware detection software to monitor network activity for threats and to isolate suspicious emails and corrupt files
- Storing confidential data on encrypted storage devices
- Performing regular data backups as part of a Disaster Recovery (DR) plan
- Educating employees on best practices for email communications, how to spot phishing scams, and how to report them
- Having an incident response plan ready with assigned roles and responsibilities for key employees in the event of a breach
- Conducting routine security audits and penetration testing to expose network vulnerabilities and keep pace with the latest security patches and updates
- Purchasing cyber insurance to recover expenses in the event of an attack
That’s a lot of moving parts – and there are many more – but taking these basic steps will reduce your attack surface and prevent most breaches at minimal cost to the business. At Passpack, we endorse them all. As a shortcut, many SMBs outsource their cybersecurity needs to an ISP and trust their provider to keep their network environment safe. That’s fine, but that shouldn’t be your only defense, and ISPs can’t do the job all alone.
Cybersecurity success starts with Passpack password management
Compromised passwords are the leading cause of data breaches. In fact, studies show that more than 90% of all cyberattacks begin with a phishing email that gets an unsuspecting employee to reveal a core company password. The truth is, without a password management application in place as a first line of defense much of the above advice is worthless. That’s where Passpack comes in. When used in concert with other cybersecurity tools the Passpack password management solution delivers peace of mind.
Cybersecurity success starts with Passpack password management
Compromised passwords are the leading cause of data breaches. In fact, studies show that more than 90% of all cyberattacks begin with a phishing email that gets an unsuspecting employee to reveal a core company password. The truth is, without a password management application in place as a first line of defense much of the above advice is worthless. That’s where Passpack comes in. When used in concert with other cybersecurity tools the Passpack password management solution delivers peace of mind.
Passpack is a password management solution specifically designed for small businesses that need to protect and share access to common digital resources among team members. Simple to use, Passpack enforces consistent password creation policies with a built-in password generator that controls the length, strength, and recycling of password character strings. Easily scalable, it stores an unlimited number of passwords and users to grow with your business. With synchronized access from any device, Passpack makes it easy to quickly on-board and off-board employees without disturbing the credentials of other users.
Designed around the concept of centralized control for a closed loop, all password related activities flow through a single administrator. This person grants resource access to individuals and has visibility into every user’s credentials. The admin creates and modifies passwords for all digital assets as needed, manages user read/write permissions, has the power to create unlimited discreet teams, and can track user login histories in the event of a breach – all for pennies per user per day. Users can never see passwords that are not theirs or not shared with their Team.
As a byproduct, Passpack aids in regulatory compliance for HIPAA, GDPR, CCPA, or whatever government agency oversees your industry. It helps insulate businesses from the risk of a breach caused by inadvertent password exposure and resulting fines and damages.
Passpack offers several security features optimized for SMBs including support for two-factor authentication, SSO, end-to-end encryption, granular reporting capabilities, and more. But perhaps the most compelling reason to choose Passpack for your password management needs is its Zero-knowledge architecture foundation [link to ZKA blog when posted].
Passpack’s implementation of zero-knowledge architecture is more robust than most in the industry, requiring the use of an encrypted Packing Key that is completely separate from the username and password for each account. Known only to the end-user, the Packing Key must be entered each time to unlock passwords and other confidential information (also AES-256 encrypted) stored in their Passpack account. Packing Keys are never made available to Passpack, its employees, or outside parties. This ensures that only the end-user can access and retrieve human-readable information from their own Passpack account.
Build your cybersecurity defenses around Passpack
The bottom line is that SMBs are at equal if not greater risk for a cyberattack as larger enterprises. Don’t think it can’t happen to you or wait to invest in cyber defense until after a breach. Eventually your business will be targeted. The only question is whether the hackers will be successful or not.
With an unlimited number of users, passwords, and teams, Passpack offers a compelling value proposition for SMBs with small budgets and big goals. Visit us at Passpack.com and try our solution free for 28 days to see how easy and affordable it is to start building your cybersecurity strategy today around a Passpack subscription as your first line of defense.