For small business owners, the external threats never seem to end. For example, ransomware attacks are generally on the rise – affecting businesses every 14 seconds in 2019 and every 11 seconds by 2021 – and according to published reports, more than half of the targets were businesses with fewer than 100 employees.
These companies are easy targets for hackers because many smaller businesses lack the financial resources or technical expertise to protect themselves from cyberattacks. The numbers are frightening: in 2022, total ransom amounts demanded by attackers increased by 60% to an average of $178,000, and hackers had hijacked $11 billion in ransoms by the end of 2021.
However, savvy small business owners can take some defensive steps. One way to improve privacy is to work with a qualified cybersecurity managed service provider. But identifying a good provider means more than finding one with an attractive advertising campaign. Companies that take the time to develop an initial framework, an outline of their current position and their needs, are off to a good start. Because this is an evolutionary endeavor, the process should not be rushed. So while it is important to move forward at a steady pace, for example by addressing one problem or taking one step each week, the individuals and teams involved should also stay flexible about timing.
A good starting point is to assess what regulations, if any, apply to the company or its customers. General categories to consider may include:
- Payment Card Industry Data Security Standard (PCI): An information security standard for organizations that handle branded credit cards.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): A federal law mandating the creation of national standards to protect confidential patient health information from disclosure without patient consent or knowledge.
- National Institute of Standards and Technology (NIST): A federal agency that develops cybersecurity and other frameworks and standards.
- Cybersecurity Maturity Model Certification (CMMC): A US Department of Defense-led initiative to develop a comprehensive framework to protect the defense industry from increasingly frequent and sophisticated cyberattacks.
- International Organization for Standardization (ISO): An organization that develops standards defining specifications and requirements for products, processes, services, and systems.
Business owners can also ask potential cybersecurity solution providers or IT support service providers about their experience in the above and other categories. This helps ensure that the vendor's background and skills match the client's requirements. As part of their framework, small business owners may also want to confirm that a potential, or existing, vendor keeps up with updates to the applications it supports.
More digital tips
Hackers love a well-paying customer, so a company that suffers a ransomware attack and then pays is highly likely to get hit again. To protect against a repeat incident, a company should ask its proposed or current cybersecurity vendor about its ability to deploy automated eCare agents. These add layers of security: email filtering, 24/7 monitoring, and firewall geo-blocking, which restricts access based on an external user's geographic location. For example, if a small business does not do business in Russia, it may be a good idea to simply block all traffic from that country.
As business owners make their assessments, they should remember that effective cybersecurity deployment is not limited to blocking malware, botnets, and phishing on any port, protocol, or app. Protections should also detect and contain advanced attacks before they can do damage. Using DNS (Domain Name System) filters to block malicious websites and filter out harmful or inappropriate content can be a big step in this direction.
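The two controls described above, firewall geo-blocking and DNS filtering, both reduce to a policy decision on each request. The following Python is an added illustration, not code from the article or from eMazzanti Technologies. It shows how a DNS blocklist should match a domain and every subdomain beneath it (a suffix match, not a substring match, so an unrelated domain that merely contains a blocked name is left alone) and how a geo-block looks up the source address in a country-to-range table. The blocklist entries, the country codes `XX`/`YY` with their RFC 5737 documentation ranges, and the sample requests are all constructed placeholders; a real deployment would feed these functions from a threat-intelligence list and a GeoIP database.

```python
"""Added example: a minimal allow/deny policy combining DNS filtering and
firewall geo-blocking. All data below is constructed for illustration."""
import ipaddress

# Constructed blocklist of domains. Any subdomain of an entry is blocked too.
DNS_BLOCKLIST = {"malware-example.test", "phish-example.test"}

# Constructed country-to-CIDR table standing in for a GeoIP database.
# "XX" and "YY" are placeholder country codes; the ranges are RFC 5737
# documentation networks and do not belong to any real country.
COUNTRY_RANGES = {
    "XX": [ipaddress.ip_network("203.0.113.0/24")],
    "YY": [ipaddress.ip_network("198.51.100.0/24")],
}

# Countries the business has chosen to block outright (placeholder).
BLOCKED_COUNTRIES = {"XX"}


def domain_blocked(hostname):
    """True if hostname, or any parent domain of it, is on the blocklist.

    Matching is done label by label from the right so that
    'cdn.malware-example.test' is blocked while 'notmalware-example.test'
    (a different registered domain) is not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DNS_BLOCKLIST:
            return True
    return False


def country_of(ip):
    """Return the placeholder country code for ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for country, nets in COUNTRY_RANGES.items():
        if any(addr in net for net in nets):
            return country
    return None


def geo_blocked(ip):
    """True if the source address maps to a blocked country."""
    return country_of(ip) in BLOCKED_COUNTRIES


def evaluate(hostname, src_ip):
    """Return 'allow' or 'deny:<reason>' for a request to hostname from src_ip.

    The geo check runs first because it is the cheaper, coarser filter;
    the DNS check then catches known-bad destinations from any location.
    """
    if geo_blocked(src_ip):
        return "deny:geo"
    if domain_blocked(hostname):
        return "deny:dns"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: (destination hostname, source address).
    samples = [
        ("example.test", "203.0.113.7"),          # blocked country
        ("cdn.malware-example.test", "198.51.100.9"),  # blocked domain
        ("notmalware-example.test", "198.51.100.9"),   # lookalike, allowed
        ("example.test", "192.0.2.1"),            # unknown country, allowed
    ]
    for host, ip in samples:
        print(f"{host:28} from {ip:15} -> {evaluate(host, ip)}")
```

Two points for anyone applying this: an address that is not in the GeoIP table is allowed rather than denied, so the table must be kept current, and geo-blocking is a coarse control that trims noise rather than a guarantee, which is why the DNS filter still runs on traffic from every location.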
The bottom line is that the business model is constantly changing, and COVID-19 has accelerated the process and created more opportunities for bad actors to infiltrate your organization. For example, more and more companies have transitioned to a remote working model, but many have been slow to embrace the protections that blockchain technology may offer.
Although third-party cloud-based storage and retrieval can provide some protection, a common standard for ensuring data integrity has yet to be developed, so data movement and storage remain major security and compatibility concerns. There is no one-size-fits-all approach to protecting an organization's sensitive information and systems, but a sound security framework can be a very effective start.
Carl Mazzanti is President of eMazzanti Technologies in Hoboken.