There are many challenges to running a business that owners must face — including the threat of a cyberattack. Cyberattacks are a growing threat for small businesses and the U.S. economy. In fact, according to a recent U.S. Small Business Administration (SBA) survey, 88 percent of small-business owners felt their business was vulnerable to a cyberattack. Yet many businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity, or do not know where to begin.

Additionally, there is a common misconception among small to mid-sized business owners that due to their size they are not likely to be targeted or considered “high profile” enough. This false mindset can make businesses even more susceptible to cyberattacks. Small businesses are attractive targets as they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses. As more business is conducted online through cloud services, without the use of strong encryption technology, a hacker can easily access sensitive data behind a door with an easy lock to pick. 

Here are four ways in which small to mid-sized businesses can plan ahead and protect themselves against cyberattacks.

Don’t be ignorant 

Oftentimes, businesses and business owners think, “it won’t happen to me,” but it’s not a matter of if a cyberattack will happen, but when. Erring on the side of caution is not only the safest thing to do, but also the right thing to do. It is better to be prepared for any type of threat, breach, or attack than to be caught off guard and left in a vulnerable position.

Plan and create policies

When building a cybersecurity plan, be mindful to include an employee-training program and an incident-response plan. The first step to securing your network is to make sure your employees understand security policies and procedures. Establish basic security practices and policies for employees and create employee and IT-related policies that are compliant with the NY SHIELD Act. Companies are considered compliant if they implement reasonable administrative, physical, and technical safeguards. 

Educate employees

Cybercriminals are becoming more sophisticated in their methods and employees are often considered “easy targets.” In fact, the majority of malware is delivered via email, putting a business at risk if an employee unknowingly clicks on a phishing email or downloads a suspicious document. Therefore, educating and training employees on the risks, as well as conducting security trainings, are ways to safeguard a business. 

Training should not be a one-and-done event. Rather, schedule yearly or semi-yearly refresher courses to keep security top of mind. Help employees understand the importance of updating their software, using secure passwords, adopting security best practices and knowing what to do if they identify a possible security breach. 

Invest in cybersecurity software

On top of planning and training, the next step is to invest in cybersecurity software. Businesses need antivirus software that can protect all devices from malware, viruses, spyware, ransomware, and phishing scams. Software should not only offer protection, but also technology that helps you clean computers as needed and resets them to their pre-infected state. Investing in email gateways such as Mimecast, ProofPoint or Microsoft will support cybersecurity plans and tactics. 

Safeguard your Internet connection by using a firewall and encrypting information. A firewall acts as a digital shield, preventing malicious software or traffic from reaching your network. There are many kinds of firewalls, but they fall into two broad categories: hardware or software. If your business has a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (or SSID). Also, password-protect access to the router. 

Invest in your firm’s safety with cybersecurity planning 

Cyberattacks are not going away any time soon and will continue to pose a threat to small and mid-sized businesses. By taking these necessary steps to protect your business, you will safeguard your firm from attack, which will allow you to spend time doing what matters most — running your successful business.          

Charlie Wood is executive VP for the FoxPointe Solutions Information Risk Management Division of The Bonadio Group.

Author disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. Readers with legal questions are recommended to consult with their attorney. 

The cybersecurity landscape is Constantly changing. Everyday, Stories are told of breaches, ransoms, and threat actors pushing us collectively further into uncomfortable territory. Stories like the Colonial Pipeline and Kaseya were major eye-openers for many, but they weren’t the first and they won’t be the last. 

The recent report, called the State of Ransomware 2022, from Sophos News (https://news.sophos.com/en-us/2022/04/27/the-state-of-ransomware-2022/) states that 66 percent of organizations surveyed were hit with ransomware in 2021, up from 37 percent in 2020. And, the average ransom paid by organizations that had data encrypted increased nearly fivefold to $812,360. While those numbers are staggering, they aren’t exactly a surprise when you consider the almost daily reports of incidents throughout last year. If you take a moment to look at the reports from last year from a variety of vendors, they all paint the same picture. Cybercrime is on the rise, and in a big way. So, where does that leave us this year?

“Everyone has a plan until they get punched in the mouth.” Boxer Mike Tyson is credited with this quote, and it’s been used many times in recent years. Poorly laid plans go out the window once the worst happens. Applied to cybersecurity, it could probably be “no one wants to plan until they get punched in the mouth.” After an incident is when everyone wants to buy and/or implement security solutions. So how do we prepare ahead of time? 

There is a security strategy that has gained more steam in recent years called “assumed breach mentality.” What does that mean? It means that we approach our IT security from the perspective of not if, but when. This can come across as pessimistic. Does it mean we just give up and accept defeat? Hardly. If we continue the boxing example it would mean that we don’t plan and train to never get hit, but instead to expect to get hit and endure. There is no perfect solution or defense. There are strategies and tools that will limit our risk, and there are plans and policies that if put in place correctly, can help us endure when the worst happens. 

Letting go and adopting the assumed-breach mentality can be liberating and terrifying. We spend a lot of time trying to figure out how to keep threat actors out, and that is still important. Just because we train to be hit doesn’t mean we want to be hit. We limit our risk as much as we can and prepare for the worst. In shifting that mindset now, we need to start thinking like a threat actor. Look internally at your network, your policies, and investigate your weaknesses. How do we limit the movement of the bad guys in our network, how do we protect key information, and perhaps even more vitally — how do we get back to business? Here are three things we can do to make an impact with our newfound state of mind. 

First, we need to evaluate our current security posture and know what to look for. The IBM Cost of a Data Breach Report 2021 (https://www.ibm.com/security/data-breach) lists compromised credentials as the most common attack vector at 20 percent of breaches, and business-email compromise has the overall highest average cost. That gives us something to focus on right away. That means securing your email, using multi-factor authentication, and training your users regularly on phishing emails and to recognize anything suspicious. Of course that is just a start, and it is best to have an objective third party evaluate your vulnerabilities or even perform a penetration test to be more thorough in rooting out any issues present in your environment. While there is a cost to these, they can be invaluable at getting an idea of where you are with your security posture and what changes need to be made. 

The second point is basic cybersecurity hygiene. It’s important to understand that all of us are somewhere on the scale of cybersecurity journey to maturity. That’s ok. It’s more important to realize where you are and work to move forward. Where do we start? The National Institute of Standards and Technology (NIST) provides a cybersecurity framework, and many organizations look to that as the standard. Another I am fond of is provided by the Center for Internet Security (CIS). That organization has the CIS Controls (https://www.cisecurity.org/controls/implementation-groups/ig1). There are 18 controls with over 150 safeguards, but CIS has them broken into implementation groups. Group 1 is an evolving list of what is considered basic cybersecurity hygiene and a great place to start. It can provide you an excellent checklist with which to start.

Our last point is having an incident-response plan and cyber insurance. If we think back to boxing again, now that we have planned to avoid getting hit, let’s talk about what happens when we are attacked. Too many organizations realize too late that they didn’t have a plan in place, or that they did, and they had no idea what to do with it. CompTIA has an article (https://www.comptia.org/blog/security-awareness-training-incident-response-plans) that can help get you started. An important point about an incident-response plan is don’t skip the tabletop practice. Knowing what do with the plan when the worst happens is what makes it effective. A bunch of words on a page won’t do anything on their own. Additionally, cyber insurance is another important piece. Find a provider your trust and know what your coverage entails, and who your breach coach is (if your insurance plan has one, and it should). A breach coach is the individual who will help guide you through the process if the worst should happen. 

In summary, here are the key takeaways:

• Adopt the assumed-breach mentality

• Evaluate your security posture

• Start on the path toward good cybersecurity hygiene

• Design an incident-response plan and obtain cyber insurance

There are no silver bullets, or cure-all potions. It will take time and effort, but it will be worth it when you need it. I wish you the best on your cybersecurity journey.      

Nathan Hock is a virtual chief information officer (vCIO) at Usherwood Office Technology in Syracuse.

When pandemic shutdowns shifted the nation’s commerce from in-person to online, cybersecurity experts knew that fraud attempts would follow. Circumstances during the past few years forced many Americans to quickly become far more comfortable with working remotely, banking, and making purchases online. Now, as the pandemic begins to recede as the primary focus of our attention, it’s a mistake to think that online threats will fade too.

As geopolitical tensions rise between Ukraine and Russia, it’s even more important to be aware of fraud attempts. Intense public interest and a willingness to help means that Americans are sharing information and donating online to a wide variety of causes. This is where the risk of exposure increases, because all it takes is one click for your business to be at risk.

Think for a moment about some of the posts you might have seen recently on social media. Many of these include images of bombed-out buildings, stranded dogs and cats, or children huddled in below-ground shelters — all intended to capture your attention and elicit a sympathetic or action-oriented response. 

Many of these images are from legitimate sources that are trying to raise money to help, but some are bogus images and videos serving as bait for malware or viruses. Even if the sender is familiar, exercise caution and conduct due diligence before clicking or following any links from emails or social media posts. 

Make sure your employees and vendors are vigilant against phishing emails

Cyber threats are everywhere, and criminals take advantage of the human desire for information. An action as simple as opening an email or clicking a link can deploy keyloggers (also called keystroke logging — these are programs that record which keys are struck on a keyboard), remote-access tools or other possible malicious software onto a person’s computer — typically, without the victim even noticing. 

Remote work, which allowed many businesses to continue to function at the height of the pandemic, has made employer cybersecurity even more of a challenge. Employees who access company systems from personal computers don’t always exercise the same caution with their personal systems as they do at work. Because of this, a simple click on a personal Facebook post that contains malware can allow criminals to steal passwords and access work product or work systems.

Alert your employees to exercise caution in handling any email with the subject line, attachments, or hyperlinks related newsworthy events — even if it appears to originate from a trusted source. Criminals have become very adept at “spoofing” legitimate organizations by designing emails that look like they’ve come from news or philanthropic organizations. Many of these are phishing email campaigns, circulating using subject lines related to the Ukraine crisis. Do not open unexpected attachments or click on links in suspicious emails. 

Once cybercriminals gain access to a system, a lot of the damage is done. They can lock you and your employees out of the company network, demanding a ransom in exchange for returning your own systems to your control. They can access your payment-processing systems and either extort your vendors or pose as a representative of your company to withdraw funds. 

This raises another important point: your third-party service providers are subject to the same risks. Know how they interact with your systems, monitor vendor access to your network, and ensure they maintain cybersecurity programs that are in line with your risk tolerance.

Make sure you are speaking with experts about cybersecurity, including your commercial lender, and your business-insurance provider. They are your partners in this fight against fraud.

How to avoid becoming a victim of fraud:

• Educate your employees on how to identify potential fraud.

• Know how your vendors interact with your network and ensure they are following cyber-safe practices.

• Follow CISA’s Shields-Up guidance (https://www.cisa.gov/shields-up), which outlines general cybersecurity practices that will help your business resiliency in the event of a cyber-attack.

• Check out the free tools and resources available from the U.S. Small Business Administration (https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats).

If you do become a victim of fraud, there are steps you can and should take. One of the first things you should do is notify your bank. It is there to offer support if you have an incident, as well as provide guidance to help you build stronger defenses. Additional resources to help you better prepare your company for the current cyberthreat environment are available from the Cybersecurity & Infrastructure Security Agency at www.cisa.gov.      

Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyber threats.