Common-Sense Steps to Prevent SMB Cyberattacks (and Survive Them)

in Technology by Emily Snell

The past two years have been challenging for small businesses. And for most, it's taken near-superhuman efforts to stay solvent, if not successful. But for those who've succeeded, 2022 is shaping up to be a big rebound year.

There are some things that could derail the good times ahead, however. One of them is the growing threat of cyberattacks, which are increasingly targeting American small businesses. According to specialty insurer Hiscox, 23% of small businesses suffered at least one cyberattack in 2021. And that's a number that seems to be on the rise as we head into 2022.

But the news gets worse. The average cyberattack on a US business costs the victimized company $200,000, according to recently compiled data. And after surviving the last two years, there aren't many small businesses left that could absorb such a loss and keep on going.

Small businesses aren't helpless against the threat, though. Some simple common-sense measures can decrease the likelihood of falling victim to an attack. Here's what they are and how they help protect against cyberattacks and their potential fallout.

Reduce Data Collection Wherever Possible

The fact is, protecting customer data isn't easy. Big companies spend untold amounts of money securing their systems to keep data safe. Small businesses, on the other hand, typically don't have the resources to do that. So the best thing they can do is to try and minimize the potential attack surface by reducing the amount of customer data they collect in the first place.

In general, most small businesses don't need to store customer payment data, except in rare circumstances (like processing repeated orders for big customers). So avoiding storing financial data at all is a great place to start. After all, a successful cyberattack that gains access to an email list is less damaging and less costly than one that comes away with credit card data.

And the same thing goes for any other personally identifiable information (PII). A good rule of thumb to follow is: if it's data that's not necessary (for a legitimate business purpose), don't collect it. And, then, make an effort to limit storage time (if data's not used within a reasonable timeframe, delete it).

Limit Employee Access to Data

Unfortunately, the human element is always the weakest link in any data security plan. So the next common-sense measure is to limit data access to only those employees who need it. That way, it's possible to focus attack prevention efforts on only those workers with access to the data. That means fewer passwords to police, fewer lectures on avoiding phishing to give, and fewer accounts to monitor for suspicious behavior.

Audit Cloud Providers' Data Protection Policies

The next thing to do is to examine the data protection policies of any cloud service providers the business relies on. These days, the vast majority of small business data gets housed on the systems of third-party cloud providers. It's a great way to drive down infrastructure costs, but it places the onus for data security onto the provider, leaving the business liable for attacks that are beyond its control. For that reason, it's crucial to see what each cloud provider does to keep its data secure, and what it'll do for affected businesses in the event of a security incident. If the answers aren't reassuring, the next step is to find better service providers.

Have Backup and Response Plans

Even the best-prepared business could still fall victim to a cyberattack. So it's a good idea to develop a rapid-response plan to handle one if it happens. First, a good response plan should start with having complete (preferably offline) backups for all critical systems and data. And the plan should detail how the business will restore compromised systems if an attack takes place. Doing so will ensure business continuity and prevent catastrophic financial damage stemming from an incident.

Next, the plan should include steps on when and how to alert customers that their data may have been involved in a breach. For small businesses that handle financial data, that should include ready-to-go information on identity theft protection steps customers can take right away. Enlisting customers' help to contain the effects of a cyberattack is critical to surviving one. Plus, most customers will respect a business that gives them the information they need to protect themselves, which also pays dividends during the business's recovery.

Safe From Harm

By putting the above measures in place, small businesses can reduce the likelihood of falling victim to a cyberattack and increase their odds of survival if one happens. Unfortunately, there's no perfect solution, given the scope of the problem. But leaving things to chance isn't a viable option. So with the right preparations – and a little bit of good luck – small businesses can beat the odds and head into 2022 reasonably assured that they're prepared to defend themselves against cyberattacks. And after the challenges of the last two years, that should provide a bit of relief, at least.

About the Author

Emily Snell

Emily is a contributing marketing author at ChamberofCommerce.com, where she regularly consults on content strategy and overall topic focus. Emily has spent the last 12 years helping hyper-growth startups and well-known brands create content that positions products and services as the solution to a customer's problem.
