Phishing attacks spike in the run-up to April 15th, when our minds are too preoccupied with tax filing to consider which links to click on and which not. Last year, enterprising W-2 phishing scammers sent out demands for complete employee records, including telephone numbers, email addresses, ID numbers and more, purportedly from corporate executives and citing compliance requirements. That is a treasure trove of data, enough to answer knowledge-based identity checks and, with them, to defeat some forms of multi-factor verification. Somehow, small businesses are slow on the uptake, and few take the necessary precautions.
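The W-2 scam described above is detectable on the mail gateway because it leaves fingerprints: an executive's display name on a mailbox that is not theirs, a lookalike or free-mail sender domain, a Reply-To pointing outside the company, and a request for payroll data. The following is an added example, not code from the original article or any product it mentions; the company domain, the executive list, the keyword list and the three sample messages are all constructed for illustration.

```python
from __future__ import annotations

import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the company's mail domain and the
# executives whose names a W-2 scammer would borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "ravi patel": "ravi.patel@example.com",
}
# Phrases typical of a W-2 / payroll data request (constructed list).
W2_TERMS = ("w-2", "w2", "payroll", "ssn", "social security", "employee list")


def domain_of(addr: str) -> str:
    """Lowercased domain part of an address, '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_alike(dom: str, target: str) -> bool:
    """True for near-miss domains such as examp1e.com versus example.com."""
    return bool(dom) and dom != target and \
        difflib.SequenceMatcher(None, dom, target).ratio() >= 0.85


def analyse(raw: str) -> tuple[bool, list[str]]:
    """Inspect a raw RFC 5322 message and return (alert, reasons).

    An alert is raised only when an identity signal (impersonated executive,
    lookalike domain or external Reply-To) coincides with a payroll-data ask;
    either one alone is too noisy to page on.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons: list[str] = []

    # 1. Display name belongs to an executive, the mailbox does not.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{display}' but sender is {addr} (expected {expected})")

    # 2. Sender domain is a lookalike of the corporate domain.
    if looks_alike(domain_of(addr), CORP_DOMAIN):
        reasons.append(f"lookalike sender domain {domain_of(addr)}")

    # 3. Replies are redirected outside the company.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != CORP_DOMAIN:
        reasons.append(f"Reply-To {reply_to} is outside {CORP_DOMAIN}")

    # 4. The ask is for payroll / W-2 data (subject and plain-text body).
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = [t for t in W2_TERMS if t in text]
    if hits:
        reasons.append("payroll-data request terms: " + ", ".join(hits))

    identity_signal = len(reasons) > (1 if hits else 0)
    return (identity_signal and bool(hits)), reasons


# Constructed sample messages: two scams and one genuine note from the CEO.
SAMPLES = {
    "phish_lookalike": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "Reply-To: jane.doe.ceo@gmail.com\n"
        "Subject: Urgent - W-2 copies for all staff\n"
        "\n"
        "I need the W-2 forms for every employee as a PDF before the filing deadline.\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Subject: Payroll run sign-off\n"
        "\n"
        "Payroll for March is approved, thanks.\n"
    ),
    "phish_freemail": (
        "From: Ravi Patel <ravi.patel@gmail.com>\n"
        "Subject: Employee list\n"
        "\n"
        "Send me the employee list with SSN and home address today please.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        alert, reasons = analyse(raw)
        print(f"{label}: {'ALERT' if alert else 'ok'}")
        for r in reasons:
            print("  -", r)
```

The combination rule is the part worth copying: the genuine CEO message talks about payroll but carries no identity signal, so it passes, while both scams trip at least one identity check and the payroll-data check together. A real deployment would add DMARC results and the tenant's actual directory in place of the hard-coded executive list.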
It is not only the companies that feel the heat; it is their clients, too. A breach of a company database does not just damage the company and its reputation: the clients whose data has been compromised stand to suffer harm and follow-on attacks of their own, because their identifying information, sensitive data and other non-public data is now in criminal hands. Mutual trust is paramount, and both the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) have turned that trust into legal requirements, with duties and penalties attached.
Regulators, too, are putting pressure on small business owners to demonstrate that they are protecting the data they hold.
You would expect small business owners to be more worried: 81% of cyber attacks target SMBs. In 2019, Cybercrime Magazine reported that 60% of SMBs go out of business within six months of such an attack. Shockingly, 80% do not even carry cyber insurance.
When it comes to instituting cyber risk strategies, Gerry Dick in Inside Indiana Business distinguished between 'compliance' and 'absence of risk'. They are not the same. Compliance is usually evidenced by ISO 27001 certification or a SOC 2 attestation, and it requires implementing an information security management system (ISMS). Absence of risk, by contrast, depends on a company's ability to prove that customer data is actually safe, which a certificate does not establish on its own.
Regardless, he strongly recommends that companies undergo a cyber risk assessment, often performed by a licensed CPA (certified public accountant). This entails cataloguing the potential risks (assets, threats and vulnerabilities), mitigating them, and transferring what remains through insurance. The recommended controls include:
Collect only the customer data you genuinely need (data minimisation)
Limit access to data to those who need it (least privilege)
Enforce strict password controls, including multi-factor authentication
Keep customer data in one centralised, access-controlled system, such as a CRM, under documented management procedures, rather than in scattered spreadsheets and inboxes
Encrypt data at rest and in transit using current, well-reviewed protocols (TLS 1.2 or later for transport)
Deploy malware protection, and
Adhere to ISO 27001 and SOC 2 requirements.
Techtarget also strongly recommends using blockchain technology for data storage. Treat that advice with care: a blockchain gives you tamper evidence and integrity, not confidentiality, and an immutable ledger sits awkwardly with the GDPR's right to erasure for personal data.
SaaS – lurking in the shadows
Unfortunately, the best laid schemes of managers and regulators are often undone by shortcuts. In a small business watching every dollar, some of your employees may be using SaaS applications that nobody approved, what is known as 'shadow IT': tools not sanctioned by the IT specialists whose cyber-defence expertise you may actually be paying for (in fact, some of those specialists may be using unsanctioned SaaS themselves). An employee needs a specific tool for a specific task and, rather than going through procurement, signs up for it with a work email address and, unless it is free, the company credit card.
This is a practical reality and cannot be entirely prevented. The best you can do, when drawing up your risk register, is to identify every as-a-service component your company uses, directly or indirectly; proxy logs, DNS logs, SSO sign-in records and corporate card statements are the usual places to look. If you have a risk mitigation plan in effect, make sure it gives shadow IT priority: is the supplier itself ISO 27001 certified or SOC 2 attested? Does the employee using the service understand the risks involved, including what company data is being uploaded to it? Security Boulevard even suggests something akin to sandboxing the accounts that use that service, so that a compromised tool cannot reach anything else.
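One concrete way to build the inventory the paragraph above asks for is to run the web-proxy log through a script that drops everything on the sanctioned list and ranks what is left by how many people use it, flagging sign-up and checkout requests as new SaaS relationships. The block below is an added example, not code from the original article or from any product it names; the sanctioned-domain list, the sign-up path fragments and the proxy log lines are all constructed, and the registered-domain helper is a deliberate simplification (last two labels) that a real tool would replace with the Public Suffix List.

```python
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed inventory of sanctioned services, by registered domain.
# Anything else that employees talk to is treated as shadow IT.
SANCTIONED = {"example.com", "slack.com"}

# Path fragments that indicate an account is being created or paid for,
# i.e. a SaaS relationship the company does not know about (constructed list).
SIGNUP_PATHS = ("/signup", "/sign-up", "/register", "/create-account", "/checkout")

# Constructed web-proxy log: timestamp, user, method, URL, one request per line.
PROXY_LOG = """\
2024-03-04T09:12:01Z alice GET https://crm.example.com/contacts
2024-03-04T09:15:44Z bob POST https://app.pdfmagic-free.example/signup
2024-03-04T09:16:10Z bob POST https://app.pdfmagic-free.example/upload
2024-03-04T10:02:09Z carol GET https://slack.com/messages
2024-03-04T10:30:22Z dave GET https://www.notetool.example/login
2024-03-04T10:31:02Z erin POST https://www.notetool.example/register
2024-03-04T11:05:55Z bob GET https://www.notetool.example/docs/payroll-2023
2024-03-04T11:40:13Z alice GET https://api.notetool.example/v1/export
"""


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host name.

    Adequate for this constructed log; real data needs the Public Suffix List
    so that co.uk-style suffixes are not mistaken for registered domains.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_shadow_saas(log: str) -> list[dict]:
    """Aggregate unsanctioned destinations from proxy log text.

    Returns one record per shadow-IT domain, most widely used first:
    {"domain", "users" (sorted), "requests", "signups"}.
    """
    stats: dict[str, dict] = defaultdict(
        lambda: {"users": set(), "requests": 0, "signups": 0}
    )
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        dom = registered_domain(parts.hostname or "")
        if dom in SANCTIONED:
            continue
        rec = stats[dom]
        rec["users"].add(user)
        rec["requests"] += 1
        # A POST to a sign-up or checkout path means a new account was opened,
        # very likely with a work email address or the company card.
        path = parts.path.lower()
        if method.upper() == "POST" and any(p in path for p in SIGNUP_PATHS):
            rec["signups"] += 1

    findings = [
        {
            "domain": dom,
            "users": sorted(rec["users"]),
            "requests": rec["requests"],
            "signups": rec["signups"],
        }
        for dom, rec in stats.items()
    ]
    # Rank by reach first (distinct users), then by volume.
    findings.sort(key=lambda f: (-len(f["users"]), -f["requests"], f["domain"]))
    return findings


if __name__ == "__main__":
    for f in find_shadow_saas(PROXY_LOG):
        flag = " (sign-up seen)" if f["signups"] else ""
        print(f"{f['domain']}: {len(f['users'])} users, "
              f"{f['requests']} requests{flag}; users={', '.join(f['users'])}")
```

On the constructed log the note-taking tool surfaces first because four different people use it and one of them registered an account, which is exactly the service to chase down: ask who approved it, what was uploaded (the payroll document path in the log is the kind of thing you are looking for) and whether the vendor holds any certification at all.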
But, once again, as with phishing, all the tech in the world will never replace human awareness and judgement. Your employee may think they are signing up for a free copy of Photoshop, or saving yet another buck before the tax-reporting season, when in fact they have just given away your company's paycheck.