I am not really aware of any business in 2018 that doesn’t leverage the internet for their operations. From websites, email, paying bills online or receiving electronic payments, these are just some of the transactions that businesses carry out on a daily basis. And regardless of size, your business is a potential target. In fact, Symantec research demonstrates that during a five year period, the focus of attacks geared to large enterprise shifted significantly to small business.

“Symantec research demonstrates that during a five year period, the focus of attacks geared to large enterprise shifted significantly to small business.

Small business as a target for cybercrime makes sense when you apply the human and financial resource components of doing business. Most small business do not have dedicated IT departments, they likely have not had the time or budget to train employees to be on the lookout for phishing attacks, nor do they likely have strict policies for password maintenance, or giving/removing access to applications and/or systems, etc. As a result, small businesses are easy targets that net good financial results for cybercriminals. And, the cherry on top of this cybercrime Sunday: these poor controls are also often the gateway to supply chains of large enterprise. This was exactly the case with one of the most famous supply chain breaches: Target. In this particular case, and HVAC company that was a supplier to Target was the entry point. After the breach was discovered the hack cost Target more than $250 Million and the HVAC company went out of business.

For many business owners however, cybercrime remains an elusive concept. What exactly is cybercrime? There are a variety of definitions and as the RCMP defines it “..as any crime where cyber – the Internet and information technologies, such as computers, tablets, personal digital assistants or mobile devices – has a substantial role in the commission of a criminal offence.” In other words, cybercrimes affecting businesses include, but are not limited to:

• Phishing
• Spear Phishing
• Malware
• Piracy
• Website Takeover
• Distributed Denial of Service or DDOS
• Hacking
• Misuse of Social Networks
• Intellectual Property Infringements
• Criminal Botnet Operations
• And more

The internet, the tool which has made so many things possible, is now a gateway for cybercriminals to earn or steal money or just be malicious and cause your business embarrassment or even halt operations for hours, days…or longer. Regardless of size, businesses must take a proactive approach to protecting their operation as well as those of their customers. While the Target example is extreme, it is proof of what is possible. In many jurisdictions, companies have been somewhat lulled into a false sense of security from the attacks that are already impacting small business. For example in Canada current laws do not require organizations that are breached to report it. This will change in 2018. The legislation has been out for review since last fall. When implemented, it will change everything for Canadian businesses, including small businesses. In United States, reports of breaches do occur, but to what degree?

So, what can small business do? There are some very effective and easy ways to protect their bottom line. In fact, there are five key areas that they can focus to help secure their business and educate their employees. When done effectively, you can protect your business against up to 80% of common internet threats. These five areas are:

  1. Boundary Firewalls & Internet Gateways
  2. Patch Control
  3. Access Controls
  4. Malware Protection
  5. Secure Configuration

The good news is that there are options for small business to help ensure that they are focused on the five key controls. There are various standards and certifications available in the market for this specific purpose. While some are costly and time consuming, others offer cost-effect and easy-to-use solutions for small and medium business and for supply chain risk mitigation.

This post previously appeared on the CyberNB blog.