You’re a hacker, and you have two targets in mind. One is the website of a large multinational company. The other is the website of a small law firm. The goal is a Denial of Service attack shutting down the website and not turning it back on until you’re paid a ransom in bitcoins, a form of electronic currency. You chose the large company, right?
Wrong choice, even for genius coders. The easy money is the law firm, because its data security is likely to be subpar. Hackers know these companies don’t have the resources to withstand their incursions, and, equipped with automation, they can launch attacks against hundreds of small businesses at the same time.
While many small and medium-sized businesses (SMBs) are aware they’re vulnerable to a cyber attack, most downplay the possibility, according to a 2013 study by the Ponemon Institute. Fifty-eight percent of IT professionals at more than 2,000 SMBs surveyed by the institute said their management didn’t perceive cyber crime as a significant risk. Yet, more than half (51 percent) said they had experienced a cyber attack in the previous 12 months.
Interestingly, the second most prevalent type of cyber attack perpetrated against these businesses is a Denial of Service attack. The related costs are substantial but not surprising. Once a company’s website is knocked out of commission, much of its advertising and actual revenue, in some cases, is put on hold. All of the work put into search engine optimization and marketing to lead people to the website is now squandered.
While the study found that businesses lost more than $600,000, on average, due to damage or theft of their IT assets and infrastructure, that doesn’t come close to the additional $900,000-plus, on average, caused by the attack’s disruption in business, much less the incalculable financial impact on the business’s reputation.
The survey suggests the situation may worsen for small businesses, particularly as organizations continue to adopt and use cloud applications, mobile devices and bring-your-own-device (BYOD) policies. “Uncertainty about how these issues affect an organization’s security posture makes it difficult to communicate the business case for investing in the necessary expertise and technologies,” said Larry Ponemon, the institute’s founder and executive director.
“Without awareness of the latest anti-hacking software, upgrades, firewalls, intrusion detection systems and other IT security best practices, SMBs virtually guarantee they will always be several steps behind the bad guys,” said Michelle Yuenger, manager of business application product strategy at CenturyLink.
Taking Action Now
Small businesses don’t have to break the bank to improve their IT security practices. Here are five smart ways to maintain more secure websites:
1. Regular Checkups
Ongoing assessments of cyber risk will ensure that all upgrades, patches and other anti-virus software enhancements are in place and in top condition to defuse the latest threats. As Yuenger said, “You can’t solve a problem you’re not aware of.”
2. Embrace BYOD
Face the truth—mobile apps are great productivity tools that employees will use either behind your back or with your permission. The latter is better, but only if an organization puts together clear BYOD guidelines spelling out which apps are company-approved and the policies for accessing and sharing company data. It’s critical to establish rules for BYOD usage as employee-owned devices exist outside the view of IT management, giving employees the ability to upload and share data across public, open networks like social media. Once an employee-owned device has been hacked or infected with a virus, it can then contaminate a company’s network and website.
3. Prepare For The Future
Not all anti-virus and anti-malware software is the same. Differences do exist, and they’re based on vendors’ abilities to postulate trending attacks. “You want software that protects the website not just against known malware but also anticipated malware,” Yuenger said.
4. Don’t Forget Training
Phishing—defrauding an online account holder of financial information by posing as a legitimate company—landed in the top spot in the Ponemon Institute study of cyber attacks. This is not surprising, as people are just so darn susceptible to it. Your employee’s primary job may not be network security, but he or she is often the front door to cyber attack, both within and outside your network firewall protection.
Social engineering response training and ongoing education help employees recognize the signs of a cyber assault, better understand how to guard against an attack, and know how to react should an incident occur. Here’s a free, fun phishing quiz that will test your knowledge of phishing attacks, in which hackers forge emails and websites to extract confidential information from unsuspecting users. Take the quiz and discover how skilled you are at detecting malicious phishing attempts amid common work-related emails.
5. Evaluate And Test
Every time a business introduces new software for employee use, it creates an opportunity for cyber thieves. Before you download the latest and coolest widget, take a breath and test the application first. Try it on a disconnected computer. This way, if it blows up the device, it’s small peanuts compared to infecting the entire network.
When it comes to cyber security, just because your company is small doesn’t mean it needs to think small.
This article was originally published by Forbes.