How can small businesses protect themselves from cyber threats?

Firms must step up efforts to address rising exposure to cyber risks

By Mark Rosanes

Small enterprises play a crucial role in driving economic growth in the US, forming 99.9% of the country’s more than 32 million-strong business population and accounting for almost 47% of all private sector employees, according to the latest figures from the Small Business Association (SBA).

These businesses, however, have been facing tremendous pressure in recent years, with an increasing number of cybercriminals pouncing on their digital vulnerabilities, the association revealed.

“Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses,” the SBA noted in a cybersecurity guide published on its website.

A recent poll of small business owners across the country, conducted by the association, found that 88% of respondents felt their businesses were vulnerable to cyberattacks. Despite this, most of those surveyed admitted they could not afford professional IT services, did not have enough time to focus on cybersecurity, or did not know where to start when it comes to protecting their data.

And the consequences are telling. The latest internet crime report from the Federal Bureau of Investigation (FBI) has revealed a sharp rise in cybercrime complaints and losses in the past few years. From 301,580 complaints equivalent to $1.4 billion in damages in 2017, the figures have shot up to 847,376 and $6.9 billion in 2021, respectively.

Over that period, the FBI received almost 2.8 million reports of cyberattacks, amounting to $18.9 billion in losses, highlighting the need for effective data protection measures among the nation’s business population.

What are the most common types of cyber threats facing small businesses?

The SBA listed some of the main types of cyber threats small businesses need to be aware of but warned that new dangers could emerge as “cyberattacks are constantly evolving.” These are the most common attack types, according to the agency.

1. Ransomware

The SBA describes ransomware as a specific type of malware that infects and restricts access to a computer until a ransom is paid, adding that it is usually delivered through phishing emails and exploits unpatched vulnerabilities in software.

Separate data gathered by cybersecurity firm SonicWall has shown that there were almost 421.5 million ransomware attempts against US businesses in 2021 – a figure that dwarfed that of second-placer Germany, which registered about 34.3 million hits. Ransomware attempts against the US were in fact more than double the combined total of the other nine countries in the top 10, which also included the UK, Brazil, Canada, Colombia, France, South Africa, Belgium, and Mexico. Together, those nine nations logged about 174 million ransomware attempts.

2. Phishing

In a phishing attack, cybercriminals use email or malicious websites to infect a device with malware or collect sensitive information.

“Phishing emails appear as though they’ve been sent from a legitimate organization or known individual,” the SBA explained. “These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.”

Tech giant IBM’s 2022 X-Force Threat Intelligence Index, meanwhile, has found that phishing was the attack vector of choice for threat actors targeting businesses in the US, with 47% of incidents using this technique to gain initial access. Among the top spoofed brands are Microsoft, Apple, Google, Amazon, and Facebook.

“Threat actors may be focused on phishing as more North American organizations implement robust patch management programs in the face of several critical vulnerabilities released in 2020 and 2021,” the research noted.

3. Malware

Another common threat the SBA identified is malware, which the agency describes as an “umbrella term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network.” This can include computer viruses and ransomware.

Data from the FBI has shown a downtrend in the malware reports it has received since 2019. From 2,373 complaints in 2019, the figure dipped to 1,423 in 2020 and fell further to 810 in 2021.

IBM, however, has warned businesses that despite the decline, threat actors continue to innovate and find new ways to make malware more capable across operating systems and more challenging to detect.

Practical ways small businesses can protect against cyberattacks

To help small businesses address the growing threat of cyberattacks, the SBA has published a guide outlining several steps firms can take to protect against cybersecurity risks before an attack happens.

“You don’t have to be a large corporation in America to be vulnerable to cybersecurity attacks,” the agency explained. “Fortunately, there are ways that you can strengthen your business against a cyberattack to minimize financial losses and reduce risks for employees.”

Here are some of those practical measures:

1. Assess the risk facing your business

The first and most crucial step to improving a company’s cybersecurity, according to the SBA, is gaining a deep understanding of the unique risks it faces and pinpointing where the biggest improvements can be made.

“A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action, which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets,” the association wrote. “Start by learning about common cyber threats, understanding where your business is vulnerable, and taking steps to improve your cybersecurity.”

The SBA noted, however, that although “there’s no substitute for dedicated IT support, whether an employee or external consultant,” small businesses with “more limited means” can still access affordable or even free planning and assessment tools to help enhance their cybersecurity, including:

  • The Federal Communications Commission’s (FCC) customizable cybersecurity planning tool
  • The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR) and free cyber hygiene vulnerability scanning tool
  • The DHS’ and Cybersecurity & Infrastructure Agency’s (CISA) supply chain risk management toolkit
  • A range of free cybersecurity tools and services from CISA

2. Invest in employee training

The SBA noted how employees and emails have become “a leading cause of data breaches” because they often provide a direct path into a company’s computer system.

“Training employees on basic internet best practices can go a long way in preventing cyberattacks,” the agency wrote, adding that educating staff does not always have to be a costly endeavor.

The association suggested businesses access the DHS’ Stop.Think.Connect campaign, which offers training and other materials on a range of topics, including:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene

3. Keep antivirus software updated

It is also crucial that companies ensure that their systems are equipped with the latest antivirus software and antispyware and that these are regularly updated.

“Such software is readily available online from a variety of vendors,” the SBA explained. “All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.”

4. Make sure networks are secure

The SBA advised businesses to safeguard their internet connection by using a firewall and encrypting all their data. Wi-Fi networks should also be secure and hidden. 

“To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID),” the agency instructed. “Password-protect access to the router.”

5. Use strong passwords

Using strong passwords is one of the simplest ways to improve cybersecurity. A strong password should have the following elements:

  • 10 characters or more
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character
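The five rules above can be turned into a check that runs whenever an employee sets or changes a password. The following is an added example written for this article, not code from the SBA; it implements exactly the rules listed here and nothing more, and it assumes "special character" means ASCII punctuation, which the article does not define.

```python
import string

# Policy as stated in the article: 10+ characters, at least one uppercase
# letter, one lowercase letter, one number and one special character.
MIN_LENGTH = 10


def password_policy_violations(password: str) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    # Assumption: "special character" is ASCII punctuation (string.punctuation);
    # whitespace and letters from other scripts do not count here.
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery"]:
        print(f"{candidate!r}: pass={meets_policy(candidate)} "
              f"violations={password_policy_violations(candidate)}")
```

Reporting every failed rule rather than a bare yes/no lets the user fix all problems in one go instead of resubmitting repeatedly.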

6. Activate multi-factor authentication

Another effective practice to protect data is the use of multi-factor authentication (MFA). This verification process requires users to provide two or more proofs of identity to access their accounts, adding another layer of security. One example is a system where a password and a code sent to a separate device are both required before a user is granted access to an online account.
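To make the password-plus-code flow concrete, here is an added example in Python, written for this article and not taken from the SBA or any vendor. It models a two-step login: the password is checked against a salted PBKDF2 hash, and only then is a six-digit code issued for the separate device; that code expires, is single-use, and tolerates only a few wrong guesses. The in-memory user store, the `first_factor`/`second_factor` names and the sample account are all constructed for the example; a real system would keep these records in a database and deliver the code out-of-band rather than return it to the caller.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

# Factor 1: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in
# plain text. The iteration count follows current OWASP guidance for SHA-256.
PBKDF2_ITERATIONS = 600_000
_DUMMY_SALT = os.urandom(16)  # used to keep timing uniform for unknown users


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


class OneTimeCodes:
    """Factor 2: a short numeric code delivered to a separate device.
    Codes expire, are single-use, and allow only a few wrong guesses."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        # username -> (code, expiry time, number of wrong guesses so far)
        self._pending: dict[str, tuple[str, float, int]] = {}

    def issue(self, username: str, now: float | None = None) -> str:
        now = now if now is not None else time.time()
        code = f"{secrets.randbelow(1_000_000):06d}"  # cryptographically random 6 digits
        self._pending[username] = (code, now + self.ttl, 0)
        return code  # assumption: a real deployment sends this out-of-band (SMS/app)

    def verify(self, username: str, code: str, now: float | None = None) -> bool:
        now = now if now is not None else time.time()
        entry = self._pending.get(username)
        if entry is None:
            return False
        expected, expires_at, attempts = entry
        if now > expires_at or attempts >= self.max_attempts:
            del self._pending[username]  # expired or too many guesses: start over
            return False
        if hmac.compare_digest(expected, code):
            del self._pending[username]  # single use: a captured code cannot be replayed
            return True
        self._pending[username] = (expected, expires_at, attempts + 1)
        return False


def first_factor(users: dict[str, tuple[bytes, bytes]], codes: OneTimeCodes,
                 username: str, password: str, now: float | None = None) -> str | None:
    """Step 1: check the password. On success issue the one-time code and return it."""
    record = users.get(username)
    if record is None:
        # Same cost as a real check, so response time does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return None
    salt, digest = record
    if not verify_password(password, salt, digest):
        return None
    return codes.issue(username, now)


def second_factor(codes: OneTimeCodes, username: str, code: str, now: float | None = None) -> bool:
    """Step 2: access is granted only if the code from the other device matches."""
    return codes.verify(username, code, now)


if __name__ == "__main__":
    users = {"alice": hash_password("Tr0ub4dor&3")}  # constructed sample account
    otp = OneTimeCodes()
    code = first_factor(users, otp, "alice", "Tr0ub4dor&3")
    print("password accepted, code issued:", code is not None)
    print("login with the code:", second_factor(otp, "alice", code))
    print("replaying the same code:", second_factor(otp, "alice", code))
```

The second factor only adds security if the code cannot be reused: a code that stays valid indefinitely, or one that can be guessed by trying all million values, gives little more protection than the password alone, which is why the example enforces an expiry, a guess limit and single use.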

7. Conduct regular data back-ups

Backing up data is among the most cost-effective ways of making sure information can be recovered in the event of a cyber incident or computer failure.

“Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable and payable files,” the SBA wrote. “Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.”

8. Ensure payment processing is secure

The agency advised small businesses to work with their banks to make sure that “the most trusted and validated” tools and anti-fraud services are being used. It also recommended that companies isolate payment systems from less secure programs and use separate computers when processing payments and surfing the internet.

9. Control physical access

Businesses should prevent unauthorized individuals from getting access to or using their computers. Companies should also give administrative privileges only to trusted IT staff and key personnel. 

“Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended,” the SBA added. “Make sure a separate user account is created for each employee and require strong passwords.”

10. Consider cyber insurance

Although not on the SBA’s list, a cyber insurance policy can help cover the financial losses resulting from a cyberattack and, in an increasingly digital business environment, it pays for companies to have one. Coverage can also include claims made by individuals or groups that may have been harmed because of a business’s action or inaction.
