
Small-business cybersecurity: Mitigating employee and customer threats

Small-business cybersecurity programs often hinge on how organizations prepare for -- and respond to -- employee and customer threats.

According to the U.S. Small Business Administration (SBA), the number of small businesses has increased by 49% since 1982. But times have changed, and computers and e-commerce have replaced brick-and-mortar locations and paper credit card receipts. For organizations, this means bolstering their small-business cybersecurity efforts, protecting their IT infrastructure against attacks from outside -- and from the inside. According to experts, not only are SMBs ripe for attack, but their employees and customers can unwittingly open the door to attackers.

Research firm IDC pegs the number of small businesses -- those with fewer than 100 employees -- at 7.9 million. Many of them operate under the illusion that they're too small to be noticed by hackers. "Most of them don't believe they're being targeted," said Charles Kolodgy, research vice president of security products at Framingham, Mass.-based IDC.

There are plenty of reasons that cybercriminals would want to attack small businesses -- credit card information or access to their bank accounts to name two. "The attackers aren't always after multimillion-dollar paychecks. They're after whatever they can get," Kolodgy said. "Small business is kind of an easy mark."

Employees unwittingly let in attackers

As with any business, employees are either the first line of defense or the weakest link when it comes to cyberattacks. The welcome mat for hackers is often the employees' own mobile devices, thanks to the proliferation of bring-your-own-device (BYOD) policies.

"If the device isn't meeting certain policies that other corporate devices are, the chances of infection are higher," Kolodgy said. "If you're allowing a lot of people to use their personal devices on a corporate network, they could be plucking data that would lead to some kind of exposure."

Indeed, 89% of small and medium businesses expressed concern that mobile devices, including laptops, weren't properly secured to prevent attacks, according to a study from research firm Ponemon Institute LLC. With the recent Android malware scare that resulted in Android devices transferring a virus to Windows computers once connected, BYOD can be a scary proposition for small businesses.

"It also pertains to other devices," said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based Ponemon Institute. While BlackBerry and Apple devices have an advantage due to their proprietary operating systems, these too have been cracked, creating potential vulnerabilities, he added.

But it's not just BYOD opening up small businesses to cyberattacks. Users who don't know any better -- think of the administrative assistant downloading PowerPoint files full of kitten pictures -- also open the door to malware and attacks. "They don't realize what they're doing, and it's an education thing," said Matt Hodkiewicz, network systems engineer at Little Chute, Wis.-based technology consulting firm Heartland Business Systems. "What you do at home is not what you can do at the office."

Customers can be as dangerous as the unknown

Employees aren't the only ones leaving out welcome mats for attackers. Knowingly or unknowingly, customers on unsecured wireless networks can compromise a business' system. "With hotels, we always were scared of our guests being able to access the house side of the network, being able to get credit card data or accessing cameras," said Josh Copeland, IT manager at Fort Smith, Ark.-based CSK Hotels, a company that specializes in IT for the hospitality industry.

As more small businesses -- from auto shops to coffee houses -- provide Wi-Fi for their customers, protecting proprietary company and customer data becomes paramount. To combat rogue customers, CSK Hotels effectively splits the network in two and installs firewalls to control the guest side, according to Copeland. "Network segregation is the way to go, especially when you're concerned about backend access to the house network," he said.

Malware: Always a problem for small-business cybersecurity

Even with the best of intentions, employees and customers can let in malware, which is why securing networks is so important. The frequency of malware has decreased, but the current generation of malware has gotten nastier, according to Ponemon.

"Five or six years ago, it was kind of amateurish, and if you had a decent antivirus tool, it would stop it," Ponemon said. "But advanced malware is very stealthy and hard to protect against, and many attacks don't even have a signature."

Advanced persistent threats -- targeted attacks that may seem like an ordinary hack -- are also problems for small businesses. But since many small business owners don't have the resources to discern between the two, they may not perceive advanced persistent threats as a problem, Ponemon said.

Being proactive about mitigating threats

Given these concerns about lost money, damaged reputations and compliance with the Payment Card Industry Data Security Standard, small businesses need to take a proactive approach to cybersecurity, experts say.

"It comes back to that commonsense approach," said Scott Forrester, director of Leeds, U.K.-based online audio shop and a former IT security consultant. That means using offsite backups and allowing access to sensitive information only to those who need it. "Does the receptionist really need access to HR, or does everyone need remote access?" he said.

Forrester also recommended that SMBs consider outsourcing their IT security. For example, as the owner of an e-commerce site, he had the option of hosting payment pages on his own website or letting the bank do it. But there was no benefit to doing it himself, even as a former IT security pro. "All it's going to do is cause me a big headache in terms of capturing, storing and securing data," he said.

Other common-sense approaches to small-business cybersecurity include keeping software up to date and implementing strong password policies, said Heartland Business Systems' Hodkiewicz. For example, forcing users to change passwords frequently and requiring complex passwords is one thing small businesses can do to secure their networks, he said.

Firewalls and other front-line security measures also need to be reviewed, according to Hodkiewicz. "You have to constantly review new changes; what might have been a good, secure firewall six months ago might have holes you need to readdress," he said.

Ponemon recommends that small-business owners rethink their security paradigm to protect the business, its customers and its partners. "The reality is that sometimes organizations are too tactical on security and don't develop governance and policies," he said. But these reduce risk and should be part of any company's -- large or small -- IT security strategy.

The common advice from experts is that SMBs must stop assuming that they're flying under the radar of the thriving hacker nation. A targeted attack could stop business from functioning for hours, days, even weeks or more. The very livelihood of the business could depend upon the strength of the business's cybersecurity measures.

Next Steps

For SMBs with limited IT resources, the emerging market of managed detection and response services can help to prevent cybersecurity threats and breaches.
