It seems every month we are reading about another cyber attack at yet another large corporation. Because the stories we most often hear about involve big names like Equifax, Marriott or Yahoo it is common for people to consider cyber attacks a "big business" problem. The reality, however, is quite the opposite.
A 2018 study done by Keeper Security Inc. found that:
- 67% of small and medium-sized businesses (SMBs) experienced a cyber attack in the past 12 months
- 58% of SMBs have experienced data breaches involving customer and employee information
- Among SMBs that had been attacked, an average of $1.43M was spent due to the damage or theft of IT assets
Despite the frightening statistics laid out above, too many SMBs have convinced themselves that they aren't a target because they aren't "big enough" to be on the radar of cyber attackers. Yet the fact is that hackers looking to steal information or to extort you, don't discriminate on the basis of company size. And while many large businesses can survive a cyber attack the same is not true for many SMBs where the cost, or damage done to their reputation, is simply too much to come back from.
Before you get too upset by all this bleak news, take note that there are some specific things SMBs can do to help protect themselves.
Develop Strict Password Rules
Employee passwords should have strict rules and expiration requirements, as well as limits on the number of allowed failed login attempts. When passwords are created or changed they should also be encrypted before being stored in the cloud. And of course, make sure to follow your own rules. What good is a password policy if it isn't strictly enforced?
Enable Multi-Factor Authentication (MFA)
Manager and employee access to HRIS systems should be configured with MFA. MFA verifies a user’s identity during the login process, offering an additional layer of security and helps safeguard against unauthorized access to information. Some common MFA scenarios are swiping your card and then entering a PIN, or logging into a site and then answering a security question or providing an additional one-time password that has been sent to your email or cell phone.
Encryption and Ongoing Monitoring
To ensure that data can't be captured while in transit or at rest, make sure that all sensitive data is encrypted before being sent to or stored in the cloud. In addition, the cloud should be actively monitored 24/7/365 to protect against data breaches and cyber attacks.
Centralize and Outsource to a PEO
By outsourcing your HR, Payroll, Benefits, Compliance and Risk Management functions to a PEO, not only can you streamline your day-to-day tasks, but you can also capitalize on technology you may not have access to otherwise. A good PEO should help you to automate your repetitive administrative processes, and provide you with a platform that employs the security measures noted in the list above.
Train Your Staff
Your employees should know that they play a huge role in keeping company data secure. Have annual, company-wide training to teach your team about phishing, common tactics hackers use, and make sure they understand the importance of not reusing passwords. Also add this training element to your onboarding process and to your New Employee Orientation Checklist.
Small and medium sized businesses are just as much at risk (if not more so) of a cyber attack as a large company but they often have even more to lose. Plan ahead and make your company's cyber security a top priority.