Small Business IT Security: The Top 10 Threats to Prepare For

Small Business IT Security: The Top 10 Threats to Prepare For

Hardware failures, phishing, and malware are just some of the IT security threats currently aimed at small businesses.

Small businesses are increasingly in the crosshairs of cybercriminals. Their attacks are carried out in a variety of ways with two core objectives in mind: theft and destruction.

IT security breaches often cause massive damage to a small business’s reputation, result in the loss of assets, and require an (often heavy) investment to fix the damage. The result of these IT security threats often mean the difference between cutting a profit or going bust.

Because small businesses usually have fewer resources to invest in cybersecurity and IT support than their larger counterparts, they are considered low-hanging fruit for criminals.

In this article, we’ll look at the top 10 IT security threats that small businesses, like yours, should prepare for.

Top 10 IT Security Threats for Small Business

IT Security Threat #1: Hardware & Software Failure

Hardware and software failures can and will happen. It’s only a matter of time.

Most businesses store all of their company files that are accessed by employees on an in-house server. If a hardware or software failure occurs on that server, employee productivity is immediately impacted.

For example, in a manufacturing company you rely on production to run smoothly. There is high demand to produce and ship products in a timely manner. If your business has a hardware or software failure, you will not be able to function properly, causing delays in expected shipments, unhappy customers, loss of income, and a number of other outcomes.

Roughly 45% of unplanned downtime is caused by hardware failure, which could be anything from server drives to faulty network switches.

Hardware failure is always going to be unpredictable, but you can reduce risk with backup infrastructure and by having a roadmap for replacing aging hardware before problems occur.

Having a strategic plan for your server infrastructure is crucial to your business.

Implementing a backup plan allows your business to restore data from a hardware or software failure within minutes and be back in production.

IT Security Threat #2: A Multitude of Cyber Attacks

Viruses, worms, Trojans—any and all forms of malware can wreak serious havoc on a small business.

According to UPS Capital:

  • Cyber attacks cost small businesses between $84,000 and $148,000 in 2017.
  • 60% of small businesses go out of business within six months of an attack.
  • 90% of small business don’t use any data protection at all for company and customer information.

Statistics do not lie and the consequences stemming from cyber attacks are serious. Data theft, data corruption, and permanent data deletion are minor in comparison to the destruction that these threats pose to your business.

Though deploying a firewall and security software is an important first step, having a fallback continuity strategy in place in case cyber attacks do get through to a company’s systems is crucial.

Below you’ll learn more about the most serious cyber attacks threatening your small business today.

IT Security Threat #3: Ransomware Attacks

Ransomware attacks are here and only increasing in regularity (at least for now). In 2017, ransomware detections were up from previous years by 90%.

The number of businesses who detected ransomware on their systems (whether it was a successful infection or not) skyrocketed last year. Despite this shocking statistic, the good news is that this ever-increasing awareness will undoubtedly lead to a drop in attacks worldwide.

In ransomware attacks, criminals infect a computer or network with a virus that encrypts data. These cybercriminals then demand payment in exchange for the return of that data. This is usually done by delivering instructions in a pop-up window on the infected computer.

What happens next varies on a case-by-case basis.

If the business has a solid approach to backing up data, it may be able to weigh the downtime loss vs. the costs of paying the ransom and ignore the threat, wipe the system clean, and start anew from its last backup.

If not, a business may opt to pay the ransom, which typically ranges from hundreds to thousands of dollars, but that still doesn't guarantee the return of its data—you are, after all, dealing with criminals here.

You often need to get your hands on some Bitcoin to pay the ransom, and must do it in the time frame demanded by the criminals. If you don't pay in time your data is gone.

If you factor in loss of productivity and the cost of recovering files, cybercrime costs small and midsize businesses $75 billion each year.

Ransomware has quickly become one of the leading causes of business-threatening downtime.

IT Security Threat #4: Phishing

Internal Threat

From an internal perspective, phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, usually appearing to be from a trusted source. The message is designed to trick the recipient (more often than not, one of your employees) into sharing personal or financial information. These emails typically include instructions for clicking on a link that installs malware.

From a sheer numbers standpoint, your employees are the most likely recipients and thus your company's greatest threat. Later, we highlight the importance of employee education in combating IT security threats in small business.

External Threat

While not as dangerous and common, is also important to look at external phishing threats.

On average, your customers are far less cautious in their security practices than your employees–especially if your employees are properly trained. Because of this, it's much easier to infiltrate your infrastructure through a hacked vendor. They do this via the one transaction that's always present in your customer-vendor relationship: payment.

Both online banking and your company’s payment services are prime targets of malware and phishing campaigns. A data breach will likely result in damages, not only for your customers and bank, but for your business’s finances as well.

Before hooking into a service, your SMB should vet each third-party banking and payments service, but it can't be responsible for monitoring every single one.

Furthermore, sophisticated phishing scams have also hit Gmail and Google Docs. So, don't assume that the apps your business uses every day don't present a degree of danger if you're not careful about what you click on.

Be aware of spear-phishing attacks as well, in which customer support emails ask you to change credentials or are sent via fake email addresses to businesses asking for highly personal customer or employee data.

The security service you choose should include a global threat intelligence network that uses continuous process monitoring and automated malware detection to mitigate and control any breaches that spill over into your system.

IT Security Threat #5: Spyware

Spyware can steal both user and company information. It is also known for weakening the security of devices and increasing malware infections.

Spyware downloads itself onto your computer—via an email you opened or a website you visited—and scans your hard drive for personal information.

It differs from a virus, in that a virus is a piece of code that causes damage to your computer either by deleting or corrupting files. Spyware is often installed on machines to scrape passwords and get access to onlines services like banks and payroll companies.

IT Security Threat #6: Bring-Your-Own-Device (BYOD)

More and more employees are bringing their own devices to work where they are storing important data. Are these devices under the control of your Systems Admin or IT service company? Most likely not.

A BYOD policy which includes encryption and remote backup is critical. Having a plan of action in the event that a BYOD is lost or stolen should be in place before any company data is allowed on a personal device.

Mobile device management (MDM) is difficult enough when overseeing data access and permissions on company hardware. But, when employees start bringing in personal smartphones and tablets under a bring-your-own-device (BYOD) policy, your employee oversight grows exponentially more complicated.

These risks can including anything from a stray device compromising a company's virtual private network (VPN) to a simple scenario in which an employee leaves their unlocked iPhone in a taxi.

The most efficient and effective way of organizing employee devices is to use a centralized security console to manage BYOD policies of smartphones and tablets in one place.

These tools also include remote-locking and location mechanisms to prevent data compromise on lost or stolen devices.

In addition to your company’s security solution for employee devices, your SMB's BYOD policy should be clear and comprehensive. Employees should be educated on the types of data they should and shouldn't store on mobile devices, be required to set up two-factor authentication, and set the bar high when it comes to using complex passwords and automatic locking.

IT Security Threat #7: Password Login Reuse

Users today have so many logins and passwords to remember that it’s tempting to reuse credentials here or there to make life a little easier.

Even though security best practices universally recommend that you have unique passwords for all your applications and websites, many people still reuse their passwords—a fact that attackers rely on.

Once attackers have a collection of usernames and passwords from a breached website or service (easily acquired on any number of black market websites on the internet), they know that if they use these same credentials on other websites there’s a chance they’ll be able to log in.

No matter how tempting it may be to reuse credentials for your email, bank account, and your favorite sports forum, it’s possible that one day the forum will get hacked, giving an attacker easy access to your email and bank account. When it comes to credentials, variety is essential. Password managers are available and can be helpful when it comes to managing the various credentials you use.

IT Security Threat #8: Weak Firewall

You know what's better than one firewall? A multi-vector threat appliance.

Even in a more cloud-based and encryption-focused security landscape, firewalls are still an organization's most important line of defense to prevent malicious attacks.

Despite this, the firewalls of even a couple of years ago don't offer anywhere near the protection of today's multi-vector threat appliances. They are modular and unlike conventional firewalls, they have more all-encompassing security features built in.

SMBs should deploy secure infrastructure with numerous levels and redundant systems, including a next generation firewall and an interconnected intrusion detection systems (IDS) to monitor their network for suspicious activity, both inside and outside the firewall.

IT Security Threat #9: Internet of Things (IoT) Leaks

The internet of things refers to the network of physical devices that are embedded with electronics or software and allow connectivity. We’re talking phones, tablets, virtual assistants (Alexa, Siri), even cars and home appliances.

Electronic devices connect and exchange data, thereby improving efficiency, saving money, and reducing good old manual labor. (No more flipping through the Yellow Pages, going to the market to buy toilet paper, or driving the neighborhood to find a dry cleaners.)

As real-time data collection becomes increasingly important, IoT is growing too.

From monitoring traffic and collecting real-time patient information to optimizing the uptime of industrial equipment, organizations are acquiring IoT devices in massive quantities. However, these devices aren’t always secure. This creates a potential backdoor into your company.

IoT works so great because it’s comprised of dozens of devices that hide in plain sight. Be it alarm systems, GPS, or web cameras, it’d be challenging to guess which of these devices are even connected to the internet in the first place. But since IoT devices lack built-in security, they are often easy targets by hackers.

Attackers usually use automated programs to locate IoT devices. Once located, attackers attempt to connect to the device using the default admin credentials. And since most users don’t change them, this is usually a success for the attacker. Once in, the hackers can easily install malware, basically taking the system under their control.

We advise you to change all of your passwords immediately when you acquire a new device. Default passwords are never a good idea, they usually serve to expose you, the user, to all sorts of cyber threats.

IT Security Threat #10: Employee Ignorance

Possibly the biggest threat to your business is your people. Employee awareness is a key factor in protecting your company from cyber-criminals. Opening malicious attachments, clicking dangerous links, and opting for weak, memorable passwords all pose enormous risks.

One of the most important steps a small business can take to mitigate its chances of falling victim to ransomware or phishing is employee education. All it takes is one wrong click from an employee to compromise your entire system. Teach everyone to think twice before opening an attachment or clicking a URL, even if it appears to be from someone they trust.

Conduct security training at the time of hire, as well as regular company-wide training, and demonstrate attack simulation. Require regular password changes and enable two-factor authentication for additional security.

Wrapping Up

The aforementioned IT security threats that could devastate your small business are relatively consistent across different organizations and industries. According to a study, 90% of businesses without a disaster recovery plan will fail after a disaster.

Don’t fall victim to these IT security threats. Protect what you've built. Learn how to fight back against IT security risks with our Complete Guide to Small Business IT Security. Hackers love small businesses, and companies like yours are targeted every day. It's time to take back control, identify the threats, and mitigate the risks. Click here to learn more today!