Here’s a scenario: you enter an elevator with several other people. One of those people, you find out after the doors close, has the flu – which you didn’t discover until that “minor” cough in the elevator became two weeks of bed rest. And you weren’t the only one who was infected. Another person on that elevator also became sick, and you know of at least one other person to whom the bug was passed on.
Cybersecurity issues at small businesses (SMBs) are comparable to the elevator scene. Everyone’s personal devices carry vulnerabilities (aka germs). Some lack passwords, others have downloaded malicious apps; some run on very outdated software. Now, it’s very easy to imagine an employee joining free, public Wi-Fi while waiting for a friend at a coffee shop. Unbeknownst to that employee, his device has several vulnerabilities, and simply by connecting to a network that he thought was secure (but wasn’t), he inadvertently opened up his entire company to attack.
The outdated software on the device is similar to an immune system. Because it wasn’t properly taken care of, it was prone to infection, and because most people don’t follow secure, hygienic technology practices with their personal devices, an SMB is at higher risk of a small incident growing into a much larger problem.
The World in the Palm of Your Hand, and All the Problems with It
The technology we own and use every day has allowed us to make great advances in both personal knowledge and productivity. It has even enabled small businesses to skirt costly overhead by avoiding the need to provide employees with phones and computers. Those savings, however, do not come without risks.
Today, SMB employees occasionally sign technology policies, but those policies are rarely enforced. And if employees use a personal phone for work, which most small business workers do, you can bet that even the most well-intentioned rule-followers aren’t thinking of device policy at night or over the weekend; instead they connect to any public Wi-Fi with a signal and often fail to update operating systems and apps with any sense of urgency. Small business leaders aren’t naïve about such activity, or the lack thereof, but they look the other way to keep costs down and productivity high.
Trading security for convenience is the top risk factor when it comes to personal devices, so it’s no wonder that we keep hearing about data and network breaches. Unfortunately, smart devices hold more information about us than we want to acknowledge. From payment information and emails with personally identifying information to the occasional picture of a driver’s license and access to networks and cloud apps, devices carry a plethora of valuable information of interest to attackers.
Why It’s a Big Deal for a Small Business?
Two recent reports identified both the most cyber insecure cities and airports in the United States, each highlighting just how many active threats exist at a given time. For example, if an employee joins a copycat Wi-Fi network (known as an Evil Twin) at the airport instead of the airport’s official network, it’s not just that employee’s phone that’s affected; it’s potentially the entire company’s data, cloud apps, and devices, too.
Specifically, there are several threats that SMB employees using their own devices are prone to. For one, many people are slow to apply critical updates to their devices, updates that often include security patches. Missing or outdated anti-malware and firewall protection leaves devices wide open to malicious code. Even more common, employees’ personal devices lack strong password protection: a password written down in a Notes app, the same password used for everything, or worse, no password at all. Some employees may even “jailbreak” their personal devices, meaning they bypass the manufacturer’s original software restrictions to install previously prohibited software and/or applications. Once the original operating system is no longer supported, remediation in the event of incidents is impossible.
SMBs are not equipped, either technically or financially, to handle the fallout of a successful attack. According to an Accenture study, the average cost of cyber-crime over three years was more than $3.5 million for the smallest companies it studied. That kind of fallout from a cyber attack will shut down most small businesses, and for those that do survive, the lost time and reputation damage will have lasting effects. Some SMBs may have cyber insurance, but depending on how the incident occurred (generally phishing), most policies won’t cover the claim.
What SMBs Can Do to Mitigate Risk
Half the battle of cybersecurity is education. Invest time and money in programs that can teach employees to recognize and report threats, especially if they are using their personal devices for work. SMBs should also develop and enforce a device policy, or even set up device management software to identify risks. Currently, there are easy-to-use platforms that can secure users, devices and SaaS applications. Platforms like these can give SMBs the ability to monitor devices and networks and track which are compliant and which are not. Knowledge is power, and these tools give your IT administrators, whether internal or outsourced, insight into problems before they affect your whole company.
In this hyperconnected world, cyber threats will continue to rise both in frequency and complexity. For SMBs, the lack of resources can create risks that for large enterprises do not even register. To level the playing field, SMBs must educate their employees and find the solutions that bolster defenses without breaking the bank. After all, with a strong immune system, a body can fight off the flu. And with the proper cybersecurity in place, a company can mitigate threats.
Dror Liwer is the co-founder and CISO of Coronet, a data breach protection provider for companies that use the cloud.