Another day, another damaging cybersecurity breach.
That’s how it may seem lately as a long list of high-profile firms has fallen victim to a surge in malicious online activity.
But for every breach that grabs the headlines, there are thousands of smaller businesses being hit by online fraud attempts that are growing rapidly in boldness, frequency, and sophistication.
The damage inflicted by a successful attack on a small company can be far-reaching, not only financially but in terms of its precious reputation with customers and vendors.
Small businesses absolutely shouldn’t assume they’re below the radar of the bad guys. In fact, they’re more tempting targets in many ways because hackers know they often lack the sophisticated defenses and heightened alertness of the 800-pound gorillas. Some 43% of online attacks are aimed at small businesses, and 60% of those attacked go out of business within the following six months. And that was before the pandemic.
Companies’ defenses have been stretched thin by COVID-19 as staff has been dispersed to work from vulnerable home networks and firms have accelerated moves into digital services and payments, often without having time to go through the usual due diligence steps. Some businesses have had to downsize due to the shutdown, operating with a skeleton crew.
These changes can leave gaps that bad actors won’t hesitate to exploit. That could be through a phishing attack, spoof calls, or physical theft of papers or thumb drives left carelessly in the wrong place. It could be through an exciting-sounding new vendor that offers a service to help drive your growth, but who then disappears after you pay their invoice.
It’s a good thing that companies are thinking more progressively about using digital tools as a result of the pandemic, hastening the end of the era of the paper check, for example.
But that shift needs to be accompanied by heightened awareness of how hackers are also raising their game to take advantage of new vulnerabilities. Cyber criminals have become more ambitious. They want the bigger payoffs that come from hacking a company’s system, accessing its data and shutting down operations so it’s vulnerable to a ransom demand.
That awareness should be the first step in conducting a full risk assessment to ensure a business is protected in this constantly evolving threat environment. Banks and other payment providers can provide some support in this area, but they’re no substitute for the robust internal processes and cybersecurity programs that businesses need to set up themselves.
The first rule in this new world is to never stand still. A “set it and forget it” approach is a recipe for disaster. Whereas before it may have been okay to re-evaluate your defenses annually, now it should be a more or less constant process that is at the forefront of someone’s job role. Companies need to be regularly evaluating the security of their vendor and customer data, checking every access point to ensure it is protected.
Whenever the business model shifts or a new relationship begins with a third party, the cybersecurity piece should be front and center. How forward-thinking on cybersecurity is that new partner who now has access to your data? Are they just doing the bare minimum or are they following best practices?
Small businesses also need to ensure that a breach won’t threaten their survival. They often have a faulty assumption that the costs of a cyberattack will be covered by the business’s general liability insurance policy. In this new environment, businesses should be talking to their insurance agent to assess whether they need a specific cyber policy to fully protect them if the worst happens.
People are a company’s biggest asset, but also its biggest vulnerability when it comes to fraud. Nearly every successful attack is the result of some kind of human error, so it’s vital to educate all staff to be hyper-alert to the full spectrum of threats out there.
If something sounds too good to be true, it probably is and therefore requires deeper investigation before making any commitments. A new vendor who is stressing the time-sensitive nature of their offer, for example, should raise a red flag. It’s more important than ever to truly know who you’re dealing with, and just as in personal relationships, it’s rarely a good idea to get married after the first date.
By taking a thorough, systematic approach to assessing their cyber risks and bringing together their banker, accountant, insurance broker and other partners, small businesses can put the right people and processes in place to address them and sleep much easier at night.
Valerie Kramer is the Managing Director of Treasury Management and Client Services and Solutions. Saadia Mahmood is the Director of Enterprise Risk and Chief Information Security Officer.