Data breaches at large companies are often big news, but you’re unlikely to hear about them when they hit small businesses. That’s because an individual breach at a small business affects fewer people — not because such breaches are less common.
In fact, 44 percent of small businesses report being the victims of data breaches, according to a 2017 Bank of America Merchant Services survey of small businesses and consumers. That’s roughly in line with our own research, conducted with IDG, in which we found that 46 percent of all businesses have experienced a security breach.
If anything, when it comes to cybersecurity, the main difference between a large and small business is that the consequences of experiencing a breach are potentially far more devastating for smaller organizations, which operate on tight margins with less cash flow and lack the resources for breach mitigation and reputation management.
Yet despite the risk, many small businesses are behind the curve on security. Only 33 percent of small businesses reported that they had purchased security software, and only 25 percent believed they were in compliance with the Payment Card Industry Data Security Standards (PCI-DSS). Our own survey — again, of all businesses — found that only 30 percent of IT leaders are confident they can thwart an attack against their organization.
Given the amount of time, attention and money businesses are spending on IT security these days, that’s a depressingly low number. Yet the situation for small-business owners is by no means hopeless. Taking a few important steps now to ensure the right technologies and security practices are in place will go a long way toward protecting data.
The Must-Have Security Tech for Small Businesses
The most vital network-protection technologies include firewalls, anti-virus solutions, encryption and endpoint detection and response solutions.
There are countless options for small businesses when it comes to firewalls. Key features to look for include the types of attacks the firewall will protect against; the degree of visibility, flexibility and control it offers the business; and how easy it is to set up and configure properly. It’s also wise to look for a firewall that can scale with the business, handling more users as it grows over the next several years.
Anti-virus software is also a necessity for any business. But because modern threats are polymorphic — they are constantly evolving — it’s important to look for a solution that does more than simply stop viruses based on commonly known threat signatures. The more effective solutions have artificial intelligence built in, and they look not for static signals but for suspicious behavior in incoming traffic.
It’s crucial that any information you transmit that includes sensitive data, including credit card information, be encrypted. As with firewalls, small businesses should seek an encryption solution that’s easy to set up and use, is scalable and works with whatever operating systems are in use in the business.
As work becomes increasingly mobile and more employees are performing vital tasks on their own phones, tablets and other devices, endpoint protection and response is becoming increasingly important.
As Dan Schiappa, senior vice president and general manager of products at security solutions provider Sophos, explains in “The Cybersecurity Insight Report” by CDW, businesses should look for “predictive security for endpoints that includes anti-ransomware and anti-exploit capabilities that are enhanced with deep learning technology. This is the definition of next-generation endpoint security today.”
A Security Culture Goes a Long Way for Businesses
Whatever solutions are put in place, however, a robust IT security protocol must go beyond appliances and software. The weakest security link in any organization is always its people, so strive to build a culture of security. That includes formal training on topics such as recognizing phishing emails, frequent repetition of your company’s security policies and practices and recognition of good security hygiene when you see it.
Security culture also includes knowing what to do to mitigate the risk to the business when a breach occurs, given that companies generally can’t prevent every breach.
That starts with identifying the particular data that’s most important to protect, and then segmenting it from other parts of the network using a firewall or some other network control. By separating the most sensitive data from the rest of the network, segmentation helps limit the damage of a breach.
Most businesses have no idea what kind of malware is lurking on their networks and are oblivious to the weaknesses within their networks that hackers can exploit. That’s why an independent, third-party assessment of your current security posture is also a good idea. One excellent place to start is with CDW’s Threat Check, which includes a free network scan that can help identify issues, followed by a meeting with the Threat Check team to discuss next steps.