How to Protect Your Small Business From Cyber Attacks

When the team at HOUSEsports LLC decided to expand its offerings from podcasts to an online platform where sports fans can talk and connect, the co-founders knew cybersecurity was going to be a key area on which they would have to focus.

“After we had proof of concept and a clean design, our first concern was to protect the entity and the website platform,” Devin Emory, one of the co-founders of HOUSEsports, said.

They decided to go with Meteor, a JavaScript web framework, to build their platform. Not only does the framework work across mobile and web platforms, but the co-founders were also sold on some of the security features built into the code.

“Meteor’s page rendering engine takes care of escaping special symbols when dealing with data bindings which saves us from very basic XSS attacks,” Emory said.

Cross-site scripting attacks, otherwise known as XSS attacks, inject malicious scripts into otherwise benign or trusted websites, according to Excess XSS. This is one of the most common methods hackers employ to gain access to a server.
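To illustrate the escaping Emory describes, here is an added example (not code from HOUSEsports or from Meteor): a simplified stand-in for a template engine's data bindings. The `{{name}}` and `{{{name}}}` syntax mirrors Meteor's Spacebars templates; the function names and the sample comment are constructed for illustration.

```javascript
// Simplified stand-in for escaped vs. raw data bindings (assumption: not Meteor's engine).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Replace characters that HTML treats as markup with their entity form.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Read only the data object's own keys, never inherited ones.
function lookup(data, key) {
  return Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : '';
}

// {{name}} is escaped before insertion; {{{name}}} is inserted unchanged.
function render(template, data) {
  const binding = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;
  return template.replace(binding, (match, rawKey, escapedKey) =>
    rawKey ? lookup(data, rawKey) : escapeHtml(lookup(data, escapedKey)));
}

// Review aid: list every raw binding, since those bypass the escaping.
function findRawBindings(template) {
  return [...template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)].map((m) => m[1]);
}

// Constructed sample: a user-supplied comment that contains markup.
const sample = { comment: '<script>alert(1)</script>' };

// Escaped binding: the browser shows the comment as text.
console.log(render('<p>{{comment}}</p>', sample));
// Raw binding: the comment reaches the page as live markup.
console.log(render('<p>{{{comment}}}</p>', sample));
// Bindings that need a manual review before release.
console.log(findRawBindings('<h1>{{title}}</h1><div>{{{bio}}}</div>'));
```

Escaped bindings cover the basic case only when every user-controlled value goes through them, so the raw bindings the last function reports are the places to review.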

Another common form of attack, cross-site request forgery, allows an attacker to force a logged-in user to perform an important action without their consent or knowledge, as defined by Tinfoil Security. These attacks are also not possible in Meteor as the framework itself is much harder to spoof, Emory said.

The problem is that not all small businesses have the knowledge required to bake in such protections. And while firms in the finance and technology-related industries tend to have a higher awareness of cybersecurity, overall preparedness is still low, experts say.

Small businesses are also at risk

Half of all small and medium businesses have experienced a data breach in the past 12 months, with 55 percent having experienced a cyberattack, according to data from Ponemon Institute’s survey of 598 companies in 2016.

According to the study, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429, said the institute, which conducts independent research on privacy, data protection and information security policy.

Kristin Judge, director of special projects and government relations for the National Cyber Security Alliance, said small businesses are not yet sufficiently prepared, but they are listening for the first time.

“Over the past year, I feel like when we are out talking to audiences, the small and medium businesses that didn’t come out before are actually engaging now. They understand that they are under-prepared and are actually paying attention,” she said.

Recent cybersecurity threats, including the U.S. intelligence community’s conclusion that Russia attempted to influence the 2016 U.S. presidential election, and the WannaCry ransomware attack have further raised awareness of the importance of cybersecurity among businesses and individuals.

“As a small business owner and operator, there are so many other things they are managing on a daily basis that it can be easy to overlook and forget that cyber threat is almost a day-to-day, hour-to-hour presence that they have to keep an eye on,” Kaili Harding, president of the Schaumburg Business Association, said.

Businesses cite their top five challenges for growth and survival as growing revenue, increasing profit, managing cash flow, and attracting and retaining qualified employees, according to a study of more than 1,500 businesses in the U.S. and Canada conducted by the Better Business Bureau in September 2016.

Even with a trend of increasing digitalization and cyber incidents, seven out of 10 considered it unlikely that their business will suffer a cyber attack in the next 24 months, according to the report.

“It's definitely adding to an expense that a lot of businesses have not had to deal with in the past 20 or 30 years,” Harding said.

But, she stresses, businesses must be prepared. “The expense on the front end is well worth the time and effort because it gets a lot more expensive once you've been targeted. Not only that, but you could lose your customers' confidence in the company if they feel the company didn't do the most it could to protect the information that they have,” Harding said.

What small businesses can do

At a minimum, companies need to patch their systems, browsers and plugins on a regular basis, have a firewall in place, ensure that users are using strong passwords, and run vulnerability scans and remediate the findings, however low-level the vulnerabilities seem, said Joshua Crumbaugh, founder and CEO of PeopleSec, a cybersecurity firm that offers security awareness training and penetration testing.

A vulnerability scanner identifies devices on a network that are open to known vulnerabilities and alerts the user to the weaknesses before they are attacked.

“The biggest thing is if you really have zero information technology expertise and zero information security expertise, which most companies do, you should probably just look at a managed service provider,” Crumbaugh said.

Indeed, this is the most common method employed by small businesses, Judge said.

“I’m very comfortable in suggesting that small and medium businesses use outside vendors that are reputable to handle their cybersecurity because I don’t have any confidence that small and medium businesses are going to be able to afford staff to handle cybersecurity. And there are wonderful companies that can do it at scale to make it more affordable for smaller companies,” Judge said.

The aftermath of a breach

Having a good setup in place is also instrumental to protecting the organization legally.

“If I'm a customer for a retailer and my private information was stolen from their system, it's harder for me to win as an individual in a case against the company if they can show ‘Hey listen we had routine meetings, we have up-to-date insurance, our board always talks to us about these things, we did everything that we could, we maintained our systems and had a plan,’” said Richik Sarkar, litigator and business strategist at McGlinchey Stafford PLLC.

The customer may still have a claim against the business if they can prove actual damages, but business owners can fall back on these defenses to protect themselves against individual liability, Sarkar said.

Sarkar also recommended talking with an attorney when reviewing cyber-liability insurance.

“The devil is in the details, when you are looking at all these policies, there may be all sorts of exclusions or riders you need to get. So you need to work with either a really experienced insurance professional or get an attorney to have a look at these policies for you,” Sarkar said.

The benefit of discussing your options with an attorney is that the discussion is privileged.

“If you’re only having that conversation with your insurance company and something happened later on and somebody wanted to attack what you did and how reasonable it was, there’s no privilege between a small business and their insurance company. There is privilege between a small business firm and their attorney,” Sarkar said.

Source: Mindy Tan