Cybersecurity for Small Businesses: How Much Is Enough?

An article by Lindsey Weiss

Are you wondering how much you need to worry about cybersecurity? As a small business owner, it’s hard to know what amounts to smart cybersecurity practices and what’s overkill. You want to keep sensitive business and customer data safe, but you don’t want to invest a lot of money into cybersecurity systems you won’t ever need.

The truth is, every company needs cybersecurity, no matter how small they are. And in reality, small businesses are popular targets for cybercriminals; not only do small businesses have more IT vulnerabilities, they also have valuable customer data and access points to the larger companies they work with.

However, that doesn’t mean cybercriminals are spending hours trying to hack your small business specifically. Rather, as Alert Logic discusses, hackers play a numbers game, making countless attempts at malware intrusions and phishing scams, hoping some stick.

How Cybercriminals Attack Small Businesses
The majority of attacks on small businesses come in the form of email scams. Most of the time it’s malware hidden in an email attachment, although small businesses may also get hit with phishing and spear phishing.

Ransomware is another growing concern for small business owners. Small businesses that outsource IT work over unsecured remote desktop connections can have their systems compromised by attackers who repeatedly guess login credentials, in what’s known as a brute-force attack.

Your Responsibility as a Small Business Owner

Data Privacy Laws and Small Business
In general, data privacy laws in the United States are less strict than in the European Union. While the EU passed the sweeping General Data Protection Regulation act in 2016, US data laws exist in a patchwork. As a small business owner, there are three data protection rules you should know.

Data breach notification laws: There’s no federal law on data breach notification, but each state has laws regarding how businesses notify authorities and consumers in the event of a data breach.

Payment Card Industry Data Security Standard: PCI DSS isn’t law (although a few states have laws with similar standards). However, PCI DSS compliance is mandated by the major credit card brands. Designed to protect cardholder data from fraud, PCI DSS is required of all businesses that process, store, or transmit payment information.

Sarbanes-Oxley Act: All publicly held companies must be SOX compliant. SOX mandates retention of certain financial records and also sets rules around how those records are protected. To prevent access by unauthorized users, either internal or external, it’s recommended that businesses encrypt protected records and store them on removable devices.

Preventing Data Breaches: The Inside Element
Although most cyber-attacks originate from outside entities, it’s ultimately internal vulnerabilities that make a data breach successful.

Without email filtering, there’s nothing to stop malicious emails from reaching employee inboxes. And without education on cybersecurity practices, employees are likely to become the nearly one in four who click on phishing links. Robust firewalls and antivirus software prevent malware from infecting your systems, but they won’t stop an uninformed employee from entering login credentials on a spoofed site or sharing passwords to a vishing hacker posing as the IT guy. To prevent breaches, business owners must be proactive about both protecting networks and educating employees on cybersecurity risks.

Responding Appropriately to a Data Breach
Every small business should have a data breach response plan before a cyber-attack happens, including a qualified response team and an actionable response plan. For many small businesses, that means contracting with IT, communications, and legal professionals who have the knowledge and experience to step in and manage data breach recovery on the business’s behalf. While it represents a considerable expense, a timely and appropriate response often makes the difference in whether a small business recovers from a data breach or shuts down within six months.

Most small businesses don’t need to spend huge amounts of money on cybersecurity. However, small businesses do need to make the investment in basic network security and ongoing employee training to protect against cyberattacks. Otherwise, small business owners may discover — at a high cost — that they’re an easy target for opportunistic cybercriminals.