As a small business, you are trusted by your customers with their data. They trust that you will keep it stored safely and that it will not end up in another news story about the latest company to have its data exposed on the dark web. However, you cannot simply rely on trust for protection. Nor can you rely on outdated thinking: that a cyberattack won’t happen to you because you are too small, don’t have anything a cyber criminal would want, or whatever the reason is. Cyberattacks on small businesses are real, and they are targeting small business firms just like yours.
So, you know you need to keep your client data safe, but what exactly are the cybersecurity risks business leaders are up against? And how do you protect your company from a cyberattack? Below we will cover five common cybersecurity risks financial advisors need to be aware of and solutions to combat those problems.
You may have heard of phishing before: a type of cyberattack where cyber criminals send emails to users pretending to be a legitimate company or someone they know. They do this for financial or informational gain, such as getting access to passwords, banking or credit card details, or any other type of personally identifying information. It’s becoming increasingly popular day by day. And unfortunately, people are still falling for it, especially small businesses.
Why financial info? You are a prime target when it comes to phishing campaigns because of the sensitive information you handle and the lack of security awareness training your industry has previously received. However, it’s not just the financial industry that’s received less security awareness training than other industries. As a whole, most of us were not taught how to identify a phishing email until it became a very serious problem. Once it became a real threat, larger organizations with a large IT budget were able to provide their staff with the necessary training. It’s the smaller and independent firms that were not able to.
While there is no way to prevent a phishing email from landing in your inbox, even with the best spam filter in place, you can learn how to identify one so that you won’t be the next victim of a successful phishing attack. Get in the habit of taking a second to scan every email for red flags before taking action such as clicking a link or downloading an attachment. These red flags could include typos, grammatical or punctuation errors (check the sender’s name and email address too), a generic greeting, the wrong logo, and a sense of urgency or threat demanding that you take action immediately. You should also hover over hyperlinks before clicking them to check that the full URL does not lead to a different site than the one the email states.
Whenever you are unsure whether an email is legitimate, you can call the person or company who sent it and ask for verification before proceeding. Alternatively, you can skip clicking any links altogether, go straight to the app, and log in from the homepage instead of letting the link redirect you there.
Another common cybersecurity risk small businesses must be cautious of is ransomware. Again, all of that sensitive information and money you manage is sure to make any cyber criminal look your way, and if you’re not protected you could wind up paying a very large sum of money to get your data back or risk losing your data altogether. That is what happens when you get ransomware, a form of malicious software that locks up and encrypts your data until you pay the attackers their ransom. Currently, in 2022, the average ransom for small businesses is $210,000.
Your defenses for this are not as cut and dried as preventing a phishing attack. With ransomware, attackers can get into your network in a variety of ways. Take the ransomware attack on the Colonial Pipeline, for example. The attackers were able to get access to the network through an old VPN account whose password was found leaked on the dark web, and the account was not using multi-factor authentication. What you can do to limit your risk of getting hit with ransomware is ensure your antivirus is updated and working properly, enable multi-factor authentication, use safe password practices, and monitor your network for potential threats.
Not as commonly known as the previous two, man-in-the-middle attacks are still a large cyber threat to small businesses. Similar to eavesdropping, this type of attack occurs when a cyber criminal gains access to your network without your knowledge and sticks around to spy, steal information, or corrupt your data. There are two ways cyber criminals are able to do this: either through public Wi-Fi or through malicious software that you unsuspectingly download.
Let’s talk about the first, public Wi-Fi. With the continued increase in remote working, many of us are finding ourselves working at places outside of our office or home, like a local coffee shop, bookstore, and other public spaces that offer free Wi-Fi. However, be aware of the dangers of public Wi-Fi. You don’t know what or who is lurking on the network ready to snoop on your activity. To combat this, always use an updated VPN, or virtual private network, and never access or share sensitive information while using public Wi-Fi.
The latter works when you download a file from the internet or open an email attachment that contains malicious software. Depending on the software used by the cyber criminal, it can access your browser data, tamper with your data, or carry out any other harmful activity it was designed for. This is why it’s best practice not to download or open any files from sources you are not familiar with and do not trust.
Data leaks, not to be confused with data breaches, are not a cyberattack. However, they are still a cyber risk that small businesses need to consider. A data leak occurs when sensitive data is accidentally exposed, either by losing a physical device that contains it, such as a laptop or cell phone, or through user error. A data breach, on the other hand, occurs when a successful cyberattack obtains data.
Fortunately, a simple solution to this risk is practicing good data protection habits, like not leaving your devices unattended and not making silly mistakes such as sending confidential information to the wrong contact.
Third-party vendor security
Many small businesses have a large third-party vendor network that they use daily. While this is great for increasing the efficiency of daily operations, it poses a cybersecurity risk. This is because your data is in the hands of many other organizations that you do business with, so you are relying on them to have a good security posture to keep your data safe from cyber criminals. If one third party doesn’t, your data, their data, and the data of the other organizations they do business with are at risk of being exposed.
In order to protect your data from the cyber risks associated with third-party vendors, you need to thoroughly review each vendor’s security practices and risk response procedures, and review their performance every so often.
Conclusion – What small businesses can do to fight back, and next steps
Without a doubt, leaders of small businesses have to deal with many cybersecurity risks on a daily basis because their data is highly sought after in the world of the dark web. However, don’t feel like you are helpless when it comes to protecting your assets from cyber criminals. By employing good data protection habits and policies, you can take back control of the security of your data, knowing it’s that much harder to access and that cyber criminals will go after easier targets with weaker security. You can also sign up for Guardian Cybersecurity services to keep your and your customers’ data safe from cyber criminals.