It’s hard to imagine any business that doesn’t use any form of technology these days. The problem is, any computing infrastructure or equipment can be exposed to various methods of cyberattacks. Just last May, the WannaCry ransomware affected more than 10,000 organizations of all sizes in more than 150 countries. The attack caused stoppages in critical services and operations such as the UK’s National Health Service and several of Renault’s automotive manufacturing plants. Last year, one billion Yahoo users saw their accounts hacked, costing the company dearly.
While these reported ones were about large organizations, there were many anecdotal accounts of SMEs getting hit by the attack. Many of these smaller organizations are running on older systems and have little to no protection. Startups often get tied up with the more pressing parts of the business such as sales and operations that most often overlook security as part of your agenda. Here are 7 things entrepreneurs need to know about cybersecurity.
1. No such thing as too small
You may think that cybercriminals only target high profile organizations like the incidences we often hear and read about on the news. However, a Ponemon Institute study reports that 55 percent of SMEs experienced some form of cyberattack. If your business uses any computing device or the internet or has a digital presence such as a website or cloud accounts, then you are at risk of cyberattacks. Most attacks are now carried out by automated malicious software and scripts that seek out vulnerable computers and networks regardless of the size and nature of the organization.
According to cloud security provider Indusface, SMEs, which are more at-risk due to their limited experience with cybersecurity measures, are required to deal with today’s complex threats. Most small businesses have no dedicated IT staff that focuses on such things. This is why it’s important for startups to make security a shared responsibility across all members.
2. Threat 1: Data breaches
There are several common cyberattacks that you should be aware of. The first one is data breach. This is when cyber criminals seek to steal your company’s data by gaining access to your databases. Personal and financial information are sold on the black market for use in identity theft and fraud. Startups who have websites or apps that gather customer information such as ecommerce, online support, or CRM are prime targets for such attacks.
You may think that large organizations that have experienced data breaches such as Sony, Dropbox and LinkedIn survived the data breach fallout so you shouldn’t worry too much about such attacks. However, these major companies have resources and longstanding relationships to weather such issues. Startups don’t fare too well dealing with loss of customer trust and stained reputations. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses fail within six months after suffering from such attacks.
3. Threat 2: Ransomware and malware
Security company Kaspersky identifies ransomware among the top cybersecurity threats to businesses today. Ransomware are a specific type of malware (malicious software) that infect computers (including mobile devices) over a vulnerable network. The ransomware encrypts files on the compromised computer. Users won’t be able to access the files unless they get a decryption key by paying ransom to the attackers. Even with paying the ransom, there’s no assurance that attackers will actually honor your payment.
Most ransomware attackers demand between $500 to $1,000 in exchange for your files. Some ransomware such as Jaff demand as much as $4,000. Ransom payments are often in cryptocurrencies like Bitcoin due to the anonymity these methods offer. The major impact to businesses isn’t exactly the ransom but the disruption to the business. Getting locked out of all your work files can halt your operations indefinitely.
4. Threat 3: DDoS attacks
Distributed denial-of-service attacks (DDoS) render your website or server inaccessible by overwhelming your network with traffic. An hour of downtime from a DDoS attack can cost up to $20,000 for a third of companies. For high transaction websites such as ecommerce services, this figure can be upwards $100,000 for every hour.
Small businesses are often left to weather the downtime and absorb lost sales and productivity. Even if not directly targeted, SMEs could still be affected by DDoS attacks on larger infrastructure providers. Last year, thousands of sites and services went down after a massive DDoS attack hit DNS provider Dyn.
5. People are often the weakest link
People are often the weakest link in a security chain. A BakerHostetler report found that most security breaches are caused by human lapses. Many systems are left vulnerable to data breaches and ransomware attacks through phishing where people are tricked into clicking on links and installing malware.
Some can even bring these threats into your infrastructure by carelessly plugging in their own phones, notebooks, and storage devices to your network and computers. Educating yourself and your staff on the best day-to-day security practices would be a worthwhile investment to prevent attacks caused by human error. Have security policies in place that would govern how you and your staff should be using your IT resources.
6. Access control counts
Know to whom you’re giving infrastructure access. As a startup, you may be unnecessarily handing out critical infrastructure access to just about anyone like that freelancer you hired to build and maintain your page may still have access to your servers or the guy you let go last week may still have the passcode to void transactions on your POS system.
Today, most administration tools and services allow you to set user roles with corresponding levels of access so that you can control who gets to do what on your infrastructure. Encourage people to use strong passwords and protect them at all times. Revoke access of anyone not working for your company as soon as they go. Cover yourself legally as well by putting in nondisclosure clauses to prevent them from leaking passwords on agreements with people you involve in the business.
7. Invest on security
As a startup, you may be averse to take on added expenses. However, cybersecurity is just one of the IT investments you have to make. Besides, there are cost-effective anti-malware and security software that you can use for your office computers.
In addition, security-as-a-service is now a thing which means you don’t have to make heavy upfront investments on security applications and appliances to protect your network. Instead, you can subscribe to scalable security services such as web application firewalls and DDoS mitigation services for your online infrastructure and applications. Startup cyber security is just among the many realities IT professionals must focus on. Know the risks and put up programs in place that would help you avoid getting hit by cyberattacks down the line.