Prevention of cyber-attacks are now considered as one of the top priorities of organizations, sometimes even more than other operations. The risks are immense: data theft from unauthorized access to databases can cripple the business, more so for small businesses. Adding to that, recent breaches on big tech giants such as Facebook, Twitter, British Airways, etc. leaves us with the question that if such big organizations are not able to prevent such cyber-attacks, how can small online businesses be able to tackle this situation.
Cyber crime damages are estimated to cost around $6 Trillion annually by 2021, and thus it is imperative for all business to prepare themselves with counter measures to prevent them from risks by implementing various mitigation strategies for cybersecurity.
Cyber-attacks cost more than just money. There are many other indirect implications that can have devasting affects on the business and everyday operations.
Some of these are as follows:
- Loss of proprietary data: The proprietary data of the organization such as the employees’ records, operational and business-related intimate information, bidding details of contracts, financial data, etc. once lost cannot be retrieved. On the other hand, this information if leaked can harm the reputation of the entire organization.
- Operational Inefficiencies: One of the latest developments in cyber-attacks have been DDoS (Distributed Denial of Service) attacks, which recently hit Amazon Web Services as well. This kind of attack, which prevents legitimate users to access the IT infrastructure of the organization by clogging the system with a huge number of access requests, is very difficult to tackle and can harm the operations of the firm for a long period of time.
- Loss of goodwill for the organization: Cyber-attacks not only affects the current clients and customers but the willingness of new clients to start business with the firm also diminishes. Companies which are not reliable with client data, end up losing existing customers and the ability to sustain consistent growth as well.
- Shareholders’ Perception: Cyber-attacks are directly linked to reduced valuation of the organization. The investors jump ship due to perceived loss in business and in the growth of the organization in the long run. This could possibly act as the deathblow to the business and its chances of staying afloat.
According to a report from USA Today, “two-thirds of all cyber-attacks are directed towards small businesses,” stating the fact that small businesses do not pay much heed to this aspect owing to financial or operational reasons. Thus, it is very necessary that we have some affordable means to mitigate these risks so that even small business can survive in such situations if they may arise in the future.
WHAT CAN SMALL BUSINESSES DO TO MITIGATE SUCH RISKS?
- Educating the employees: The employees are undoubtedly the biggest risks in terms of cybersecurity for any organization, whether its big or small. According to an HBR article, “60% of all cyber-attacks are carried out by people on the inside. While two-thirds of these are intentional attempts to cripple the IT infrastructure of the organization, one-third of these are unintentional and not on purpose.”
Though an intentional attack is something the organization can do little about because the people carrying out the attack can work their way around the system, with their existing access credentials, an inadvertent attack can be prevented well before it harms the organization by educating the employees.
Some of the ways through which an employee can act as a catalyst for cyber-attacks unintentionally are:
- Misleading phishing campaigns: Hackers use email and other social media handles to trap the employees into providing their work credentials, which could be then used to access the company’s IT infrastructure.
- Using malware infected devices in the company’s network: The use of private devices such as pen drives, hard disks, personal computers, etc. which can easily be infected with malware, can jeopardize the company’s network.
- Common oversights: Mistakes such as sending an email to the wrong contact or sharing company information with an acquaintance could lead to cybersecurity issues to the organization.
These situations are fairly avoidable by educating the employees about cyber-attack risks. Thus, if a person knows about phishing campaigns, he or she is unlikely to share their credentials on any of these emails, thus preventing a potential cyber-attack.
Similarly, if the company has policies related to the use of personal devices in the workplace, a person is unlikely to connect a malware-infected device to the company’s network.
Strictly following protocols regarding sharing of classified information with someone outside the organization or helping the employees learn about email features such as schedule send can reduce the risks of cyber-attacks to the company.
- Establishing work protocols and policies for employees: Strictly enforcing certain policies in the workplace is imperative for the organization to mitigate the risks of cyber-attacks. Some of the implementable policies can be:
- Restricting the use of personal devices used within the company’s network: A lot of people use their personal laptops, smartphones, and data storage devices within the company’s Wi-Fi and other networks. These devices can potentially harm the network, especially if a company has Bring Your Own Device (BYOD) policies. While implementing such policy can help reduce costs, companies need to be wary of the number of devices a person is using within the organization’s network.
- Implementing multi-layer authentication framework: Within the company’s network, a multi-level authentication framework should be implemented such that only the concerned person can access the databases as and when required. This can be done by using a password protected framework followed by an OTP sent to the employee. This easy method can drastically reduce the risks of cyber-attacks from any outside perpetrator.
- Restriction from password sharing: Password sharing can lead to co-workers wrongly using the other person’s credentials to carry out a cyber-attack. The employees should be strictly advised to never share their passwords, even within the organization. Adding to that, they should be directed to change their passwords from time to time, be it fortnightly or monthly.
- Internet usage at the workplace: Employees can accidentally visit some malicious websites which can download the firm’s data or upload malware to the company’s network. Restricting the usage of certain websites and social-media accounts through the company’s network can aid in mitigating the risks of cyber-attacks.
- Using the Principle of Least Privilege (POLP) at the workplace: This helps to control the access of data given to a particular individual within the organization. According to this, an individual is only given access to the extent required to perform their tasks within the organization. Thus, the lesser the access, the easier it is to monitor the risks of cybersecurity.
These policies can help to mitigate all types of cybersecurity threats from within the organization. The policies, though needs time for implementation and coming into effect, could be one of the most affordable ways to tackle any cyber-attacks in the future.
- Cybersecurity outsourcing: To tackle the risks of cybersecurity, the organizations either have to hire professionals to work within their system or outsource their cybersecurity operations to a third-party. Hiring a cybersecurity personnel can be tedious as well as could cost a lot. A professional in cybersecurity charges a median salary of over $90,000 per annum (according to Payscale.com), while more experienced personnel can charge up to $130,000. Besides, the person needs to know your business and industry and be updated with all sorts of cybersecurity threats affecting the industry worldwide.
Thus, it is advisable for small businesses to consider outsourcing their cybersecurity functions to professional service providers. These service providers would cost a fraction of the overall cost and are armed with cybersecurity professionals in varying fields and industries. These professionals can remotely monitor the cybersecurity threats to your organization through Intrusion Detection Software (IDS), and thus at your workplace you can invest your attention to your business and its other operations.
These professionals provide other services as well such as training of employees regarding cybersecurity risks, security auditing, providing a Business Continuity Plan (BCP) in case of a cyber-attack, etc.
Submitted by – Abhijeet Kothiyal, Member of Student Risk Club (SRC)