Small businesses face a heavy risk when it comes to cyber security. The best defense relies on an active, educated employer.
On March 9, 2018, the Oregon Clinic discovered an unidentified party had accessed an email account. The data breach gave attackers access to names, birth dates, medical information, and in some cases, the social security numbers of patients and staff.
The clinic was able to recover from the attack, and went on to offer patients impacted by the breach one full year of identity monitoring services.
But other businesses which have been subjected to cyberattacks face more dire consequences.
According to a recent study by insurance carrier Hiscox, the average cost to a business when it is subjected to a cyberattack is around $200,000.
Small businesses suffer most from these costly attacks. Due to the massive price tag associated with an infringement, 60% of small businesses go out of business within six months of being victimized, according to the National Center for the Middle Market.
Attackers target small businesses for a variety of reasons. Some try to gain access to employee and client information, such as email accounts, bank numbers and social security numbers. Hackers also install ransomware, which, as the name implies, will hold a network hostage until the business owner pays a fee to be released.
Hackers also target servers to create a “zombie” network, which uses a business server as a launching pad to conduct other attacks to avoid detection.
Other attackers, especially ones from foreign governments, take over a network to mine for bitcoins.
Close to 50% of all cyber attacks are perpetrated against small businesses, which hackers often perceive as low-hanging fruit. According to a report compiled by Verizon, nearly half of small businesses reported a data breach in the past two years.
Despite the likelihood of an attack, and the relative risk involved, less than half of small business owners reported spending money on cyber security last year.
This is in part because maintaining a good cybersecurity defense is costly. Unlike virus protection, a business cannot simply install a defensive program against cyberattacks and remain safe.
“The demand for these cybersecurity professionals is so high that the price they command for their services is also very high,” says Dr. Wayne Machuca, lead instructor for Mt. Hood Community College’s cybersecurity program. “This precludes small and medium-sized businesses from being able to afford and adequately staff around their cybersecurity needs.”
There are 4,600 cybersecurity job openings in Oregon, according to cybersecurity employment website CyberSeek. Despite Oregon’s reputation as a state with a heavy tech sector, there are twice the number of cybersecurity job openings as there are qualified professionals to fill them.
Ruth Swain is the interim director of the Small Business Development Center at Mt. Hood Community College, which helps small businesses protect themselves against cyber threats through the Oregon Center for Cybersecurity.
With Machuca’s help, the center has developed a program which allows students in their last year of school to provide training and cybersecurity expertise to small businesses owners and their employees free of charge.
“We worked with the interns and instructors here to come up with a cybersecurity prevention checklist for small businesses,” says Swain. “The advising is free, so we are encouraging businesses to sign up.”
The program was awarded a grant from the National Science Foundation, and Machuca says they have used the grant money to replicate the program along with its sister colleges. “It’s really exciting stuff,” he says.
Skip Newberry, president and CEO of the Technology Association of Oregon and executive sponsor of Cyber Oregon, an organization dedicated to delivering the latest cybersecurity information and best practices to businesses, says businesses which cannot afford a cybersecurity professional on staff should train employees to recognize cyberattacks.
“The first and best defense is adequate training for employees,” he says. “In this day and age, anyone who uses technology should be trained in how to spot phishing and spear phishing attempts, and best practices for managing passwords, which is how the vast majority of cyber breaches occur within small businesses.”
Much of the training is preventative, but if an attack has occurred, the most important thing for a business is not to keep silent.
To subscribe to Oregon Business, click here.