How would you respond to a small business owner who thinks their company is “too small” for a cybersecurity strategy?

There is no such thing as being "too small" for security. Hackers target organizations of all sizes and are usually banking on the fact that small businesses are leaving a door unlocked somewhere.

Businesses really need to think of cybersecurity like physical security. Would you go home leaving the front door of your business unlocked? You apply security to catch — and ideally deter — intruders, locking doors and windows, having alarm systems in place and building emergency plans. Why wouldn't you want to have the same resources to protect your digital assets? With most of your important data being stored on internal networks or in the cloud, not having a cybersecurity strategy can leave you open to a breach or targeted cyber attack.

Over the course of 2018, the real driver of cybersecurity strategy in business has been compliance. Small businesses have been instilling security practices not because they want to, but because they are required to. As governments across many countries have introduced regulations, one of the most noteworthy being the General Data Protection Regulation, we have watched how the protection of personal data has affected the way companies are forced to implement cybersecurity strategies.

Why is it important for small business owners to be their own risk managers?

Small business owners are jacks-of-all-trades in most instances. They manage sales, marketing and accounting, and as such, they have to think of ways to protect their organizations. The crown jewels of their companies are likely online, and they have an obligation to protect the personal and financial information of their customers, as well as adhere to industry or regional compliance requirements. I don’t expect small business owners to know what to do about their data or asset protection. You can’t know everything, but you can start with the basics of perimeter protection and engage a third party to ensure you’re processing payments and customer data correctly. Then as you scale, your security posture will mature with your business.

 What are the potential consequences for a small business that gets hacked?

Over the last number of years, we have seen debilitating security breaches against large enterprises, resulting in tarnished reputations, diminished brand trust and loss of profit. It is no different for small businesses. The hit could cripple your business. At Herjavec Group, we have seen how Ransomware — a malware that infects computers and restricts access to files, often threatening permanent data destruction unless a ransom is paid — has reached epidemic proportions globally. And small businesses are not excluded. Your employees need to be aware of cyber risks in order to help you prevent a phishing or ransomware attack. You’ve got to have basic security controls in place, and you’ve got to be diligent. Know where your assets are, who has access to them and follow basic cyber-hygiene principles of patching updates as soon as they’re available for any web-based resources or security technologies.

What information is the typical hacker looking to obtain from a small business?

There are multiple reasons for an attack — customer data for identity theft, exploiting data, stealing infrastructure or denying service — but sometimes hackers just want to try and see what they can get their hands on. They may be looking for a way to maliciously reach customers or employees to eventually use the information they gain to attack someone else. This means that you’re not actually the intended victim, just the medium, in the attack of someone else. In this case, the intended target now thinks that you were the one who launched an attack on them.

Why is it important to build a relationship with your cybersecurity vendor?

It’s simple: You can’t do it all, and you don’t know what you don’t know. You want to engage a cybersecurity provider to do an assessment of your environment, help you build a security plan and execute over time. Let me be clear — there is no end game to security. It’s a constant journey with continuous improvement required throughout. Engage an expert so you can do what you do best — run your business.