Security · January 19, 2024

Guide to Cybersecurity for Small Businesses

Cybercriminals are setting their sights on small and medium-sized businesses, or SMBs, unleashing a barrage of cyberattacks designed to infiltrate systems and wreak havoc.

According to BlackFog's 2023 Cybersecurity Risk Management Report, 61% of SMBs surveyed experienced a cyberattack in the previous year. These weren't one-off attacks, either—87% reported experiencing two or more successful attacks during that year.


The importance of small business cybersecurity

While you may think hackers would prefer to target corporations with vast amounts of data and deep pockets, the reality is that SMBs are highly appealing targets for cybercriminals. Not only do most have valuable data—such as customer payment information—but many lack the level of cybersecurity defenses employed by larger companies.

These combined factors create a risky situation. Thankfully, it doesn't take deep technological knowledge or extensive resources to bolster your defenses. By understanding the key threats and addressing cybersecurity vulnerabilities, you'll be able to better safeguard your business.

Top cybersecurity threats

For SMBs, cyberattacks can come in many forms and occur through various methods. Here are the most common types of cyberattacks targeting small businesses.

Phishing

More than 90% of all cyberattacks begin with a phishing attempt, according to the US Cybersecurity & Infrastructure Security Agency. Based on data compiled by Cisco, 86% of businesses have had at least one employee fall prey to a phishing link.

Spear phishing

While phishing campaigns cast a wide net, spear phishing is a more targeted attack under the category of social engineering. Attackers thoroughly research targets on social media to gather background information, allowing them to craft highly convincing emails or texts that appear to come from trusted senders like colleagues. Even the most vigilant can be deceived, making this a particularly dangerous cyberthreat for businesses.

Malware

According to the BlackFog report, half of security leaders cite malware attacks as their biggest cybersecurity fear—and rightfully so, given how disruptive these attacks can be. A malware attack typically begins with an email whose link or attachment delivers the malicious software. Once installed, that software can let criminals spy on the business, steal company information, harvest sensitive data or commit fraud.

Ransomware

Panda Security data shows that 46% of SMBs have experienced at least one ransomware attack. As with other malware, a criminal tricks an employee into installing malicious software. Once installed, the software encrypts the business's data and files so they can't be used, and the criminals hold the decryption key hostage in exchange for money. For SMBs, ransomware attacks can be quite costly. Of those that decided to pay a ransom, 43% surrendered $10,000 to $50,000, and 13% paid more than $100,000.

Business email compromise

Business email compromise is another type of social engineering attack in which a criminal, often impersonating an executive, vendor or colleague, manipulates an employee into sharing sensitive data or sending funds. SMBs are particularly vulnerable to these attacks. According to the cybersecurity firm Barracuda Networks, employees at businesses with fewer than 100 people experience 350% more social engineering attacks than employees of larger companies.

Protecting your accounts with stronger passwords (infographic)
  • An eight-character password consisting of only upper and lowercase letters can be cracked in just 2 seconds.[1]
  • Dictionary words, number sequences and personal information make passwords easier to crack.
  • More than 50% of people reuse passwords,[2] and weak, reused or stolen passwords are the cause of 81% of confirmed breaches.[3]
  • The longer your passwords and the wider the mix of characters they use, the stronger they'll be.

Here's an example:

  • Weak: RockyCat
  • Better: R0ckyCaT2
  • Best: b3stC@tR0C|<Y!

Tips:

  • Make your password easy for you to remember but hard for anyone else to guess.
  • Avoid using actual words or popular phrases.
  • Create a unique password for every account.
  • Enable multifactor authentication.
  • Change any password immediately if you suspect it has been exposed. Rotate passwords on a schedule (every 3 months is common) only where a standard you follow requires it; current NIST guidance (SP 800-63B) no longer recommends routine changes for their own sake, because they push people toward weaker, predictable variations.

Source:

1 Hive Systems 2023 password table
2 Google/Harris Poll Online Security Survey
3 LastPass The Password Exposé

Insider attacks

This type of cybersecurity threat involves employees, contractors or stakeholders either purposely or inadvertently using their authorized access to cause harm to a business. In some cases the "insider" is actually an outside attacker using an employee's stolen credentials, and the employee may be unaware that their login is being used for criminal purposes. Limiting each account to the access its role needs, and removing access promptly when someone leaves, reduces the damage either kind of insider can do.

Cybersecurity vulnerabilities

While these attacks differ in approach, they all stem from a common set of cybersecurity vulnerabilities criminals seek to exploit.

Lack of cybersecurity awareness

According to a 2022 CNBC Small Business survey, 6 in 10 business owners say they don't think they'll be the victim of a cyberattack. Many assume that they're too small to target or that their business simply doesn't have any data that would interest hackers. However, cybercriminals often prey on SMBs precisely because so many underestimate the threat.

Limited resources

Unlike large organizations, many SMBs don't have an in-house IT team at their disposal. In fact, almost half of businesses with fewer than 50 employees lack a dedicated cybersecurity budget, according to the 2022 Risk Insights Index conducted by Corvus Insurance. As a result, the burden of cybersecurity often falls on small business owners themselves—and 25% of them admit that they don't have the bandwidth to devote to cybersecurity, according to a 2023 report from DigitalOcean.

Fewer safeguards

Another significant vulnerability is a lack of knowledge. According to the BlackFog report, 39% of business owners say they don't adequately understand the challenges posed by cybercrime. Because many are short on time and knowledge, SMBs often lack essential safeguards like antivirus software, password security protocols and multifactor authentication, or MFA.

Lack of employee training

No formal employee training can also leave many SMBs vulnerable to cyberattacks. Employees are often a company's first line of defense against fraud and cybersecurity threats, underscoring the importance of education. When businesses don't train their employees on cybersecurity best practices, employees can more easily be fooled by the increasingly sophisticated scams criminals employ.

The cost of a cyberattack

It's no secret that a cyberattack can be incredibly disruptive and costly. According to BlackFog, 4 in 10 businesses lost customer data following a cyberattack, while 58% suffered from business downtime.

For companies with fewer than 500 employees, the average cost of a data breach was $3.31 million in 2023, according to IBM's annual Cost of a Data Breach Report—an increase of 13.4% over the previous year.

Beyond the quantifiable financial burden associated with lost or exposed data, cyberattacks often result in reputational harm, which can be just as damaging to a business. According to BlackFog, 1 in 3 companies lost business following a cyberattack. A frequently cited figure attributed to the National Cybersecurity Alliance holds that 60% of small businesses that experience a data breach permanently close within 6 months of the attack.

Creating a cybersecurity plan

When it comes to cybersecurity for small businesses, planning is an essential first step. A well-structured plan can help identify cybersecurity vulnerabilities, establish protective measures and educate employees on best practices.

While your small business cybersecurity plan should be tailored to your business, your industry and the types of data you collect, make sure it includes the following components.

BYOD policy

Create a bring-your-own-device policy that includes security measures for employees accessing company information on their own phones or laptops: a device passcode or biometric lock, up-to-date operating systems and apps, and the ability to remove company data from a device that is lost, stolen or no longer used for work.

Remote work policy

Your remote work policy should clearly outline cybersecurity best practices and protocols so company data isn't vulnerable when employees are working outside the office. Specify required precautions regarding unsecured Wi-Fi networks, file sharing and other risks.

Password policy

Implement a robust policy that outlines best practices for password management, sets a minimum length (longer matters more than special-character rules), blocks passwords that appear on breached-password lists, and requires the use of MFA. Require a password change whenever an account may have been exposed; schedule routine changes only where a standard you must comply with calls for them, since NIST SP 800-63B no longer recommends rotation on a fixed cycle.
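The infographic's two points (brute-force cost grows with length and character set, while dictionary words survive "leetspeak" substitutions) and the policy above can both be checked mechanically. The script below is an added example, not First Citizens Bank's code or guidance. Its guess rate is a hypothetical calibration to the infographic's figure of 2 seconds for an eight-character mixed-case password, and its word list is a tiny constructed stand-in for a real breached-password corpus.

```python
"""
Password-policy checker: brute-force cost versus dictionary content.
Added example; not First Citizens Bank code. Numbers are illustrative.
"""
import re

# Guess rate implied by the infographic: all 52**8 eight-character
# upper/lowercase strings exhausted in 2 seconds. Hypothetical calibration.
GUESSES_PER_SECOND = 52 ** 8 / 2

# Constructed stand-in for a breached-password or dictionary list; a real
# deployment would check against a large corpus such as Have I Been Pwned.
COMMON_WORDS = {"rocky", "cat", "best", "password", "welcome", "summer", "admin"}

# Single-character substitutions that cracking rule sets undo before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and reverse common leetspeak, so 'R0ckyCaT' -> 'rockycat'."""
    return password.lower().replace("|<", "k").translate(LEET)


def charset_size(password: str) -> int:
    """Size of the printable-ASCII classes the password draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # punctuation plus space
    return size


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust every string of this length and charset."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def dictionary_hits(password: str) -> list[str]:
    """Dictionary words still present once case and leetspeak are stripped."""
    text = normalize(password)
    return sorted(word for word in COMMON_WORDS if word in text)


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.isalpha():
        findings.append("letters only")
    hits = dictionary_hits(password)
    if hits:
        findings.append("built from dictionary words: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # The three passwords from the infographic above.
    for pw in ("RockyCat", "R0ckyCaT2", "b3stC@tR0C|<Y!"):
        print(f"{pw:16} brute force ~{brute_force_seconds(pw):,.0f} s  "
              f"findings={check_password(pw)}")
```

Run against the infographic's three examples, the script reproduces the 2-second figure for RockyCat, moves R0ckyCaT2 to a few hundred seconds, and puts b3stC@tR0C|<Y! far beyond practical brute force. The "best" example still triggers the dictionary finding, though, because "best", "cat" and "rocky" reappear once the substitutions are undone, and a cracking rule set undoes them the same way. That is why the tips advise against actual words and why a breached-password check is a better policy control than composition rules alone.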

Data breach response plan

A data breach response plan that identifies what needs to occur and who's responsible for each task is essential for every business. Your plan should include any outside support that may be required, such as legal, cybersecurity or crisis management consultants, along with the customer and regulatory notifications that apply to your industry. Walk through the plan with the people named in it at least once a year so that roles are clear before an incident. As you develop your data breach response plan, you should also evaluate the benefits of cybersecurity insurance.

Employee training

According to the World Economic Forum, 95% of all cybersecurity events can be traced to human error, underscoring the importance of employee education. Conduct regular employee training sessions focused on cybersecurity best practices and key threats. By teaching employees how to spot common red flags and respond properly, you can more effectively safeguard your business.

Technical safeguards

To help your business reduce vulnerabilities, consider the following tools and technologies as part of your overall cybersecurity plan.

  • Antivirus software: Choose programs designed to protect businesses from sophisticated cyberattacks, and keep them, along with operating systems and applications, updated.
  • MFA: This provides an extra layer of security by requiring a second proof of identity, such as a code from an authenticator app or a hardware security key, in addition to the password.
  • Virtual private network: A VPN creates an encrypted connection between employee devices and the company network, which matters most on public or home Wi-Fi.
  • Encryption: Encrypt customer data on disks and in transit so that files stolen in a data breach are unreadable without the keys.

The bottom line

Cybercrime presents a very real problem for small businesses, and the problem isn't going away. To help protect your business, create a comprehensive cybersecurity plan, make technological changes to boost your company's digital defenses and train employees to identify and respond to threats.

This material is for informational purposes only and is not intended to be an offer, specific investment strategy, recommendation or solicitation to purchase or sell any security or insurance product, and should not be construed as legal, tax or accounting advice. Please consult with your legal or tax advisor regarding the particular facts and circumstances of your situation prior to making any financial decision. While we believe that the information presented is from reliable sources, we do not represent, warrant or guarantee that it is accurate or complete.

Third parties mentioned are not affiliated with First-Citizens Bank & Trust Company.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.

First Citizens Bank is a Member FDIC and an Equal Housing Lender.

NMLSR ID 503941