It is a special month for the Identity Theft Resource Center (ITRC) and the National Cybersecurity Alliance. It is Cybersecurity Awareness Month, a time to devote discussions to how to keep organizations and individuals safe in the digital world. With this year’s Cybersecurity Awareness Month theme being “Do Your Part. #BeCyberSmart,” it’s a great time to focus on the impacts of cybersecurity and cyberattacks on small businesses.
New Data Shows Identity Crimes are On the Rise
It is always essential for businesses to ensure their employees work securely, whether it be at the office or at home. Threat actors continually look for new ways to attack. Real-world events continue to reinforce the need for everyone to be more cyber-savvy so we can be more cyber secure. According to the ITRC’s Q3 2021 Data Breach Analysis, there have been more data breaches caused by cyberattacks in 2021 than all data breaches in 2020. ITRC data also shows that we are fewer than 250 data compromises away from breaking the all-time record for data breaches and exposures in a single year.
The ITRC also released a report during Cybersecurity Awareness Month looking into what happens specifically to small businesses following a data or security breach. The 2021 Business Aftermath Report confirms what many small business owners and leaders already know: there is no quarter given by threat actors to small businesses, the companies that are least able to easily prevent or recover from a security breach, data breach, or both.
The Impact of Identity Crimes on Small Businesses
There are more than 15 years of information from multiple sources about the impacts of identity and cybercrimes on large organizations. However, there have been no equivalent comprehensive studies on how small businesses recover from cyber events until the 2021 Business Aftermath Report. Some of the findings include:
- Fifty-eight (58) percent of small businesses have been impacted by at least one security breach, data breach, or both.
- Forty-five (45) percent of small businesses spent between $250,000-$500,000 to cover the costs of the breach. Seventeen (17) percent of small businesses spent between $500,000-$1 million.
- Thirty-five (35) percent of small businesses incurred debt to cover the breach costs, and 34 percent dipped into cash reserves.
- Fifteen (15) percent reduced their headcount to cut expenses.
- External threat actors were responsible for 39 percent of attacks. Malicious employees and contractors were responsible for 34 percent of the attacks.
How Small Business Owners and Employees Can Protect Themselves
No business, large or small, is immune from an attack. According to Infrascale, 46 percent of all small businesses have been the targets of a ransomware attack. Of the companies hit with a ransomware attack, nearly three-quarters (73 percent) have paid a ransom. While an attack can hit any small business, business owners can do things to protect their organization and their employees, and vice versa.
- Train employees on phishing. Everyone from the CEO to a team member who interacts with customer data should know what phishing is, be able to identify an attack, and know where to report it. Employees should slow down, check an email’s sender, and contact them directly to verify the validity of the message.
- Identify the company’s critical assets and back them up. If this is done, there will be a secure archive of the vital information.
- Develop more robust security policies. The stronger the guidelines are, the harder it will be for a cyber attacker to strike.
- Perform updates. Whether it is in an operating system or a specific application or program, updates should be done so there are no exploitable areas on the devices. It reduces the likelihood and impact of an attack.
- Understand you are on a million-dollar device. The phone or computer employees use has information that is valuable to criminals for reuse or resale. Employees should know that criminals use social engineering tactics to guilt them into giving up useful information. However, it doesn’t make them a bad person if they do not share the information.
- Keep work and personal passwords separate. It reduces the risk of credential stuffing. Using the same password could result in a hacker being able to gain access to multiple accounts.
- Add two-factor authentication (2FA) to personal and business accounts where possible. This helps ensure that any attempt to log in to a protected account is actually made by the user.
Resources for Small Businesses
To access the latest data breach information and learn more about the impact of data breaches, employees and businesses should also visit the ITRC’s data breach tracking tool, notified.
Listen to ITRC’s The Fraudian Slip podcast featuring Zarmeena Waseem, Director of Cyber Education at the National Cyber Security Alliance (NCSA), as they discuss how businesses and consumers can protect themselves from cybercrimes.
NCSA’s CyberSecure My Business program has a library of free resources, including videos, tip sheets, infographics and more, all designed for the small business community. You can access those resources here: https://staysafeonline.org/resources/?filter=.topic-cybersecure-my-business.resource-item
If anyone has additional questions, they can speak with an ITRC expert advisor by phone (888.400.5530) or live-chat by visiting www.idtheftcenter.org.