It is a commonly held misconception that large corporations are more at risk from cyber-attacks than small and medium organisations, mainly because larger businesses are seen as more desirable targets given the scale of their operations and the sensitivity of the information they hold.
However, changes in technology in the 21st century have all but forced small business owners onto online platforms. With this ever-growing demand to establish an online presence, both customers and employees are exposed to the loss of personal and sensitive information.
A 2012 Verizon study found that 67% of cybersecurity compromises in 2011 happened in organizations with just 11 to 100 employees. This is because all information is valuable, whether it is held by big businesses or small start-ups. Hackers can profit from any kind of data, especially if it can be used in combination with other data. Though large organisations are by no means immune to cybersecurity breaches, they are generally more likely to have strong policies in place to regulate online activity and to minimize the likelihood of cyberattack.
When small business owners have information security policies and procedures in place, along with employee education, they may reduce the risk of information security breaches. Some common questions for small business owners to bear in mind are:
- What security software products should I invest in to protect my network?
- What steps should I as a business owner implement to educate my employees on information security?
- What impact could social engineering have on a small business?
- Where is the sensitive data held within the organization?
With these key questions in mind, businesses can start to minimise cyber-attacks by implementing some of the following strategies:
To some degree, employees are the first line of defence when it comes to keeping a network safe. Educating employees to look out for suspicious emails or anything that appears out of the ordinary is recommended, as is ensuring they know to use application control software that only allows approved applications to launch. Put controls on administrative privileges in place, so that those privileges are inactive when using email or web browsers.
Engage in online security training
Employees should receive training to stay up to date with the latest changes in the industry and be educated on the latest phishing schemes and tactics, such as social engineering.
Make security personal
Ensure that employees understand that the information they have access to must be protected.
Be accessible to users
If an employee experiences a network security issue, they need to know who to report it to. It is therefore vital that the person managing security issues is accessible and prompt in providing responses.
Companies should also look at protecting their intellectual property from data breaches, privacy concerns, and network security failures, by ensuring they have some form of cyber insurance.
Unlike larger companies, small businesses often do not have the capacity to recover from a costly data breach. By understanding their cybersecurity risk and taking specific steps to reduce or mitigate it, small businesses can avoid disasters in the future.
In addition to the suggestions above, the Ministry of Business, Innovation and Employment has information available for small businesses here.