When a business becomes the target of cyberattacks, it’s potentially devastating—and not just to that company. The attack often has a significant impact on the company’s customers.
While often many businesses think they’re too small to be hacked, they can be exploited by fraudsters as vulnerable and easy-to-exploit targets. Insufficient security solutions, untrained staff and poor data-handling policies can leave many of these businesses wide-open to hack, putting all of their customers’ information at risk.
Planning for properly handling customer information through its entire lifecycle, instituting a data security plan, training employees and ensuring systems are up to date can go a long way in protecting that valuable information.
Many owners only realize they have a lack of cybersecurity after an attack happens, and this is a mistake for which they often pay heavily.
Recently, Timo Laaksonen, vice president and general manager of cybersecurity company F-Secure North America, answered some critical questions about how to keep your customers’ data—and your business’ data—as safe as possible.
Q: What are the common misconceptions about security breaches?
Laaksonen: For many business owners, it still comes as a surprise that they are of interest to criminals in the first place, and susceptible to both targeted breaches and other crimeware, like browser hijacking and phishing.
But in fact, small businesses are the most attractive marks, because they typically have fewer resources for cybersecurity, making them easier targets.
Many owners also fail to realize that most cyberattacks are highly automated, and that attackers simply use automated scripts, which do not judge or segregate business targets. Today’s attacks search for vulnerabilities to exploit and attack the ones they can easily identify, no matter the recipient.
Q: What are the most common types of security breaches aimed at small businesses?
Laaksonen: Phishing scams, crypto-ransomware and data theft are currently the most common threats for small businesses.
Phishing involves the cyberattacker obtaining personal information or log-in information through email and gaining access to confidential business accounts and customer information. Ransomware can lock a victim out of system files or the entire operating system, with the hacker demanding a monetary ransom in order to unlock or regain access.
Q: What are the biggest mistakes business owners make when it comes to their business’ security features?
Laaksonen: Many owners only realize they have a lack of cybersecurity after an attack happens, and this is a mistake for which they often pay heavily.
To avoid this, businesses should keep their devices, apps and software up to date and stay current with security patches. Misconfigured or unpatched software are easy targets, and attackers often stumble upon these types of systems while doing simple scans and searches on the internet.
Companies also need to ensure they’re encouraging the physical protection of devices. Devices such as laptops, tablets and mobile phones should also be encrypted to better protect information in the event the device is lost. Ecommerce businesses should also have web application firewalls (WAFs).
Q: What are some basic steps that employees can take to protect customer and other business-related information?
Laaksonen: Take time to educate your staff on security matters, such as how to identify and report phishing emails, how to properly handle confidential documents. By doing things like carefully checking sender addresses and observing web addresses for inconsistencies with the sender or subject matter, scams can be easily identified. Red flags include emails containing unexpected attachments and uncommon file types or an office document asking to “enable content.”
Q: What can business owners do today to make their customers’ data more secure?
Laaksonen: Make sure you are using a proper endpoint protection solution from a reputable vendor to secure devices such as mobile devices, laptops and desktop PCs. Many of the “free solutions” out there simply aren’t good enough for your business, as they haven’t been verified by an independent third party, such as AV-TEST or AV-Comparatives, to provide strong, consistent protection.
Next, back up all critical data—including customer data—on a regular basis, using a system that isn’t susceptible to ransomware, and do not depend on a locally connected drive or network share. Test data restoration periodically to make sure everything works.
Lastly, consider hiring a cybersecurity firm on retainer for incident response in order to recover from a breach in a timely manner. The business’ crisis management plan should include protocols for cybersecurity incidents as wellPrint this article