This article was originally posted to the Microsoft 365 Growth Center blog.

Many small businesses don’t think about cybersecurity until after a security breach. Not having cybersecurity can cost your business money, time and result in lost sensitive information.

Let’s go over why small businesses should pay attention to cybersecurity and some proactive steps you can take.

Why do small businesses need cybersecurity?

Cyber attacks are the new normal for small business. Media reports may focus on corporate mega breaches, but small businesses are the new frontier for cyber criminals. A recent Verizon data breach report said small businesses are the target of 43% of cyber-attacks.

The average loss per attack averages more than $188,000. Even worse, one report suggests that 60% of small businesses fold within six months of a cyber attack.

Why are small businesses vulnerable to cyber attacks?

There are a few major reasons small businesses are particularly vulnerable to cyber attacks:

  • They can’t afford dedicated IT staff. And if they can, training and budgets are often inadequate. It’s potentially worth exploring a managed IT services provider for your business. They offer deeper expertise and full-time availability.
  • Inadequate or non-existent computer and network security. Small businesses can’t respond to threats quickly enough or can’t detect them at all.
  • Lack of a backup plan. Many small businesses don’t use cloud services to back up their data offsite.
  • Employees unknowingly help cyber criminals attack businesses. Staff members need to be more aware of attack methods as varied as social engineering calls and email scams.
  • Small businesses are comparatively easy to attack. Hackers can find entry points to access valuable customer financial data more readily because of the absence of protection. Criminals can also use the business’ credentials to attack larger targets like suppliers and financial institutions.

What are some common cybersecurity threats for small businesses?

There are many cybersecurity threats for businesses. Here are a few common ones:

  • Email and phishing scams use email and text messages to hook victims. Fake, official-looking information asks victims to click on a link to a web page and then enter sensitive financial and personal data. Criminals use the data for identity theft or resale.
  • Passwords. Cyber criminals can get access to passwords by tapping into databases, looking at servers to find unencrypted passwords, and using email, text messages or social engineering.
  • Server attacks. DOS (Denial of service) SQL injection and drive-by attacks target websites and servers. DOS attacks overload system resources so they can’t handle the volume of service requests. SQL attacks read and modify sensitive data in databases. Drive-by attacks plant malicious code that will infect a visitor’s system to capture and transmit their sensitive data.
  • Man-in-the-middle attacks involve hackers intercepting data from a victim on a fake page. These attacks also use phishing.
  • Social engineering attacks involve human interactions to acquire sensitive information. This can include attacks like phishing and spear phishing but also physical activities. For example, a bad actor could leave a USB key loaded with malware in your business. An unknowing employee could plug it into a company computer and now be open to malware or other malicious programs.

Tips for securing your small business from cybersecurity threats

  • Assess risks and vulnerabilities. Hire an external consultant to test systems that have external access, such as websites, drives and folders. Create procedures to follow in case of a breach and make network and computer security top priorities, on par with other key business priorities.
  • Have a plan for devices. You and employees are likely accessing business data from multiple devices. While it’s very convenient to check work emails on your phone, that also opens up a potential vulnerability. Be sure you’re incorporating mobile device security into your cybersecurity plans.
  • Employee training is key. Make sure your employees are aware of cyber security threats and security policies. Be sure to update your training procedures s as you roll out new policies continually.
  • A recent study by GetApp shows that 43% of employees don’t receive regular data security training.
  • Follow best practices for passwords. It’s prudent to make all passwords strong and unique. Additionally, use different passwords for different accounts. Make using strong random passwords containing letters, numbers, symbols and special characters mandatory. Good passwords shouldn’t be easy to remember. Also, prompt your staff to change all passwords every few months.
  • Use two-factor authentication and facial recognition to login to apps and systems. An increasing number of apps and e-commerce websites use two-factor authentication to verify a user’s identity. Users receive a numerical code by email or text and enter it along with their password to gain access. Biometric features like Windows Hello can also help you and employees login faster and more securely.
  • Update your software and systems continuously. Make sure you’re running the latest versions and security patches. Properly configure network security and use antivirus software.
  • Backup all your data as protection against ransomware attacks. Use an offsite cloud provider in addition to on-site backup.
  • Get started with the FCC’s Cyber Security Planning Guide. It covers everything from network and computer security to awareness and device and website security.

Make sure your digital tools are secure

You can take all the right steps to secure your business, but you could still be vulnerable to cyberattacks if your digital tools aren’t secure.

Any company saying their tools are 100% secure is overpromising. Instead of fancy claims, lean on products and services with a track record of success in the security and privacy space. You should also learn the security red flags to spot when choosing your solutions.

What’s an IT disaster recovery plan, and do I need one?

A basic IT disaster recovery plan should identify steps to assess damages and restart operations. It should also determine who’s responsible for which tasks and specify how often to update the plan.

What happens to your IT systems and data in case of a disaster?

Your business might have a disaster recovery plan, but does it cover your IT systems and its valuable data? In a cyber attack, you could lose your business’s network access and data. A basic IT disaster recovery plan should detail the steps to get you running:

1. What did they steal? Assess damage

What data is compromised? Is just names and addresses or more serious data such as passwords or credit card numbers?

2. Respond immediately

Change all your logins and passwords. Use completely different random passwords. If they discovered your banking information, call your bank and ask to cancel cards and issue new ones.

3. Advise customers, suppliers and anyone else affected

Notify customers and others as soon as you’re aware of a breach. Tell them what data was hacked, what you’re doing about it and what they should do.

4. Perform an audit to determine the scope and vulnerabilities

Audit your systems to figure out what happened after a breach. If the cyber attack involves criminal activity and stolen financial information, hire a consultant to audit the scope of the damage. A professional security analyst will help determine the scope of the attack and recommend actions to plug security gaps.