Over the past year, there is a good chance you noticed a headline like “ThyssenKrupp secrets stolen in ‘massive’ cyber attack.” You might have glanced over it, thinking your small or mid-sized company is not on the radar of a hacker, but these types of attacks can happen to a business of any size.
According to the National Cyber Security Alliance, one in five small businesses falls victim to cyber crime each year. Of those that get hacked, 60% go out of business within six months of the attack—an astonishing number.
Some attacks revolve around theft of intellectual property. If a hacker or competitor gets hold of your intellectual property—whether it is a new invention, a secret formula to manufacture a special compound, a new product, or research to develop a cure for cancer—the impact of the theft can be devastating.
In many cases, especially in small and medium-sized companies, it’s not intellectual property that hackers are after, but the data the company stores. Think of all the employee and customer information you have—names and addresses, medical information, Social Security numbers, bank account numbers. This information can be worth some serious cash if sold to the right parties or if it is abused by the hacker.
So, what can you do?
First, take cyber threats seriously. A cyber attack can happen at any time to any company, no matter the size. Cyber threats can be internal or external. Internal attacks are initiated from within the company, such as an employee downloading unauthorized software that is infected, or a disgruntled employee intentionally uploading damaging software or downloading company files to steal or sell company data. External attackers usually work through the Internet or via Wi-Fi. A hacker may gain access to your system through an email, by having you visit a fraudulent website, or in a variety of other ways.
Second, explain to your employees why everyone needs to take cyber security seriously. Not only can it protect you and your business, but it can also keep your employees from losing their jobs. Your security policy must be communicated and enforced. It should include guidelines on password strength and electronic media shutdown requirements. It should also limit the sharing of passwords or individual machines whenever possible and address the use of personal electronic equipment like smartphones or tablets that might be brought into your facility by employees, vendors, contractors, or customers. Any device coming into your facility can be a threat.
Limit the number of people who have access to sensitive information. For example, engineering and manufacturing managers often have access to all systems, but they might only need access to technical information. Give employees access to information and systems they need to perform their job duties efficiently, not to what they think they should have.
When your employees travel for business, make sure they use secure networks. This might mean paying a few dollars for Internet when staying in a hotel, but free Wi-Fi might not seem free if the device is hacked and the employee brings it back to work.
Third, put regulations and requirements in place for how new software or systems are brought into your facility as well as who will manage and install them. This can help eliminate some of the risk from external threats. If your customers or vendors require you to connect online with them, like sharing an ERP or MRP system, make sure their systems and security are up to your standards. When sensitive information or large amounts of money are electronically requested by email, make a call to the requester before sending it. You can set daily limits on the total amount of money that can be pulled from your bank account.
Finally, invest in system protection and keep the protection software up to date. If you have in-house IT support, make sure they have the education, tools, and resources to maintain a secure network and systems for your company. If you don’t have on-site IT support, hire a reputable and qualified cyber protection firm.
There will never be 100% assurance that your company is fully protected from a hack. If you have applied sound business methods, implemented a cyber policy, deployed your engineering controls, and implemented software and hardware protections, there is one final thing you should consider—cyber security insurance. Invest in cyber security insurance so you are properly covered if your business does get hacked. Learn about Acuity’s Cyber Suite today.