Many or all of the products featured here are from our partners who compensate us. This may influence which products we write about and where and how the product appears on a page. However, this does not influence our evaluations. Our opinions are our own.
Cyberattacks like the 2017 Equifax data breach put the personal data of millions at risk. Small businesses, with less security protection and fewer resources dedicated to cybersecurity compared with larger corporations, are an easier target for hackers.
Small businesses face an average annual cost of $34,604 on cyber-related incidents, and only 52% of small businesses have a strategy around cybersecurity, according to a 2018 report by Hiscox, an insurance provider.
Here's information on cyberattacks, and seven tips to protect your small business.
What is a cyberattack?
A cyberattack is an unauthorized attempt to expose, destroy or access your data. Forty-seven percent of small businesses suffered at least one cyberattack in the past year, according to the Hiscox report.
Here are three common types of cyberattacks.
Malware: Short for "malicious software," malware acts against the intent of the user, and can come in the form of a virus, Trojan horse or worm.
Ransomware is a form of malware that demands money to avoid a negative consequence, such as permanently deleting your data or publishing it publicly.
Phishing: This is when scammers send fraudulent emails or text messages that may look like they’re from a reputable company, like your bank or credit card provider.
Phishing scams often tell you to click a link or open an attachment, and can then steal sensitive data, such as your credit card or website login information.
Man-in-the-middle attack: This type of attack happens when scammers secretly intercept communication between two parties to steal login credentials or account details.
Man-in-the-middle attacks can occur in areas with free public Wi-Fi hot spots, as scammers may set up fake Wi-Fi connections with names that sound similar to a nearby business. Once you’ve connected to the scammer’s Wi-Fi, they can monitor your online activities and steal your personal information, according to Symantec Corporation.
How to protect your small business from cyberattacks
1. Get educated
National Cyber Security Awareness Month (NCSAM), held every October, raises awareness about the importance of cybersecurity. The NCSAM toolkit offers tips and resources to protect against cybersecurity threats.
The SBA also offers a self-guided online course in cybersecurity basics.
2. Create a cybersecurity plan
Your cybersecurity plan should include an employee training program and an incident response plan. The first step to securing your network is to make sure your employees understand security policies and procedures.
Training shouldn’t be a one-and-done deal; schedule yearly or semi-yearly refresher courses to keep security top of mind. Help your employees understand the importance of updating their software, adopting security best practices and knowing what to do if they identify a possible security breach.
The faster you act in the face of a cyberattack, the better you’ll be able to mitigate the damage.
An incident response plan will have crucial information such as:
Whom to contact.
Where data and data backups are stored.
When to contact law enforcement or the public about a breach.
The Federal Communications Commission offers a cyberplanner to help small-business owners create a plan to protect their business. (You can generate a customized plan at the bottom of the page after you create it.)
3. Be smart about passwords
The National Institute of Standards and Technology (NIST) advises government agencies on password best practices. According to the organization’s Digital Identity Guidelines, NIST recommends passwords be at least eight characters long and notes that length is more beneficial than complexity. Allow your employees to create long, unique passwords that are easy for them to remember.
If you deal with highly sensitive data, you may want to require multifactor authentication, which requires users to present at least two identifying factors, like a password and a code, before gaining access to systems or programs. Think of it like an ATM, which requires a combination of a bank card and a PIN to access funds.
4. Increase your email security
Nearly half of all malicious email attachments come from office files, according to Symantec’s 2019 Internet Security Threat Report.
Basic email safety precautions, like not opening suspicious attachments or links, are a first step that can be covered in your employee training plan. If you deal with clients’ personal data, you can also encrypt documents so both the sender and the recipient need a passcode to open it.
5. Use a firewall and antivirus software
A firewall acts as a digital shield, preventing malicious software or traffic from reaching your network. There are many kinds of firewalls, but they fall into two broad categories: hardware or software.
Some firewalls also have virus-scanning capabilities. If yours doesn’t, be sure to also install antivirus software that scans your computer to identify and remove any malware that has made it through your firewall. It can help you control a data breach more efficiently by alerting you to an issue, instead of your having to search for the problem after something goes wrong.
6. Secure your Wi-Fi network
Wi-Fi equipment is not secure when you first buy it. Your device comes with a default password, but make sure your network is encrypted with your own, unique password. Your router will likely allow you to choose from multiple kinds of passwords; one of the most secure is a Wi-Fi Protected Access II (WPA2) code.
You’ll also want to hide your network, meaning the router does not broadcast the network name. If customers or clients will need access to Wi-Fi, you can set up a “guest” account that has a different password and security measures, which prevents them from having access to your main network.
7. Protect your payment processors
It’s crucial to work with your bank or payment processor to ensure that you’ve installed any and all software updates. The more complex your payment system, the harder it will be to secure, but the Payment Card Industry Security Standards Council offers a guide to help you identify the system you use and how to protect it.
More from NerdWallet: Identity theft and cybersecurity guide