Date: 2020-09-30

The COVID crisis has brought increased risks to small businesses. In addition to supply chain delays and, for those that depend on in-person customers, a reduction in foot traffic, small businesses are an even more attractive target for cybercriminals. Why? Because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses. As online activities increase, so do the nefarious activities of cybercriminals.
In 2019, there were 30.7 million small businesses in the U.S., which accounted for 99.9% of all U.S. businesses, according to the Small Business Administration. While the pandemic has forced thousands to close permanently, many more are left struggling to survive. Business owners are vulnerable and their situation has not gone unnoticed.
“This surge on our information technology infrastructure requires additional investment in both funding and manpower to keep up with the massive usage,” the National Association of State Chief Information Officers said in a letter to congressional leaders in April. “Additionally, malicious cyber actors have used attention on COVID-19 to their advantage, further targeting government infrastructure, the healthcare sector, and individual citizens for internet crimes, such as ransomware, phishing, and computer-enabled financial fraud.”
Last week, a group of bipartisan House and Senate lawmakers introduced a bill to increase resources to help local governments, small businesses and nonprofit groups defend themselves against cyberattacks.
“Small businesses, small nonprofits, and small local governments can’t afford to hire cybersecurity professionals, yet they are still vulnerable to debilitating cyberattacks,” said Rep. Anna Eshoo (D-CA), one of the sponsors of the new bill. It would require the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, to develop and issue guidance on cybersecurity policies. CISA, the SBA and the Minority Business Development Agency would be required to promote the guidance.
As with any legislation, the timeframe to enact this new bill is uncertain. Whether you run your business yourself out of your home or have a small staff, cybersecurity protection is essential, and it doesn’t have to mean hiring a specialist or waiting for a bill to pass.
Threats fall into four overlapping categories: malware, viruses, ransomware and phishing. Protection involves your hardware, software and the people who use them and have access to your company’s data. To get a clearer picture of your company’s vulnerabilities, there are several free government tools you can use: the Federal Communications Commission’s Cyberplanner, the Department of Homeland Security’s Cyber Resilience Review and its cyber hygiene vulnerability scanning service, which includes a weekly report of known vulnerabilities for your system. DHS also offers a free phishing campaign assessment that can gauge how likely you and your employees are to click on phishing emails, an alternative to pricey third-party email system add-ons.
Here are some basic security practices to protect your business that you can put in place yourself:
- Establish clear rules on handling sensitive data and give access only to those who need it. For instance, you might require that all spreadsheets with customer information are password protected and read-only.
- Make sure all of your hardware and software are kept up to date so that new security releases that plug recently discovered vulnerabilities are installed swiftly. For operating systems on individual machines, turn on auto update. Don’t forget to protect your router by setting your network not to broadcast its presence and by using a strong password with restricted access. Consider a separate network for guests.
- Establish separate user accounts for each team member and make sure strong passwords are used to access devices. Limit admin privileges so that employees cannot download software themselves.
- Don’t forget about mobile devices, which should also be kept up to date and password-protected. Also consider other external devices such as USBs, which can contain malware. You might ban such devices from being connected to a computer on your network to prevent the spread of malware from one device to another.
- And of course, back up all of your customer data and store it in a safe location in the cloud or on a protected external drive.
If your business has made it this far, congratulations. Don’t let a lack of cybersecurity protections bring it down.