Cybersecurity Tips for Small Businesses
When large, global businesses become victims of cybercrime, it makes big headlines. Small business attacks, on the other hand, don’t attract much attention. However, fraudsters leave no business unscathed.
According to a 2023 Identity Theft Center study, 73% of small businesses reported suffering cyberattacks, data breaches or both in the previous year.[1] Fifty-eight percent were hit more than once and 54% lost more than $250,000.[2]
All businesses need to understand cyber risks and how to protect themselves, especially small businesses, for which the median number of cyber incidents increased from three to four in 2023.[3]
Cyberattacks are increasing and becoming more sophisticated.
With more than 2.5 billion attacks last year, the U.S. is among the most heavily targeted nations in the world.[4] This trend will continue. Fraudsters are using the same technologies, such as AI and machine learning, that advance business capabilities to further their own schemes.
Criminals usually research the businesses they want to attack – from simple dumpster diving to more elaborate means. For example, AI can be used to analyze databases and create lists of potential fraud targets, as well as to compile lists of entirely fake credentials for account opening. ChatGPT, an AI-powered tool, can be used to create fake messages and scripts in phishing attacks. They appear to be from legitimate sources but are really attempts to deceive recipients into providing sensitive information. Even social media accounts are targeted.
No matter which method they use, stealing data to use for financial gain is always the goal.
What are the most common cyber threats to small businesses?
Criminals target attacks to the types of businesses and information they want. Some commonly used tactics against small businesses include:
- Phishing: In this social engineering scam, criminals pose as reputable companies or people to collect personal or financial information. For example, you might receive an email from someone you think is a co-worker asking for the password to a business tool. Instead, the fraudster uses the tool to collect customer data or send money. These thieves also exploit system vulnerabilities, steal credentials and execute botnets.
- Malware: This is software installed with malicious intent, like stealing passwords or data. Viruses, worms and trojans are malware that can collect data without alerting the system user. “Backdoors” are trojan malware that grant bad actors remote access to control an infected computer as a legitimate user would. They often create whole networks of infected computers using backdoors.
- Ransomware: This malware holds data “hostage” until the victim pays for its release. For example, the targeted business or individual could log in one day to find their computer locked and a message with instructions on how to pay a ransom to unlock the data. Unfortunately, the data is usually already destroyed or distributed on the dark web.
Social engineering and malware are the top three cyber risks for small businesses according to Kaspersky.[5] So, cybersecurity for small businesses is critical.
Small businesses are a rich source of data for criminals.
Many small businesses lack cybersecurity resources, which makes it easier for fraudsters to exploit them. For instance, 87% of small businesses store customer information and 27% collect credit card data that they don’t protect.[6] Fraudsters use stolen data for various criminal enterprises, most commonly selling it on the dark web. Figure 1 illustrates average sales prices for basic stolen data.
Figure 1
Source: Privacy Affairs, “Dark Web Price Index 2023,” April 23, 2023
Though basic data prices are low, criminals can net significant profits when selling at high volumes. However, some stolen data comes with a higher price tag. Privacy Affairs' 2023 Dark Web Price Index lists a verified account login at a leading investment firm at $4,255 each.[7]
Thieves’ profits come at a high cost to small businesses. The average data breach impact for businesses with fewer than 500 employees was $3.31 million last year – an increase of 13.4%.[8]
How can you protect your business from cyber threats?
Many SMBs don’t have the cybersecurity budgets of their larger counterparts. But every company needs to safeguard its data. In fact, businesses that fail to protect customer data (e.g., card and other payment information) face heavy regulatory fines. The best way to protect your business is to be ready before a security incident happens. These cybersecurity tips will help you be proactive.
Evaluate your company's vulnerabilities and risks.
Every business has a unique risk profile, which includes specific internal and external security threats. Conduct a cybersecurity risk assessment to identify vulnerabilities in your systems and networks, as well as how criminals might attempt to gain access to your data. Compare your current security posture with one that you’d consider ideal.
Secure your network and systems.
Immediately plug any gaps revealed in your risk assessment. This may include a range of focus areas, including firewalls, servers, routers, applications, and mobile devices. Many companies offer cybersecurity for small businesses. Consider your needs and budget. Some solutions might include:
- Antivirus software that blocks malware, adware and other malicious programs. Some popular small business antivirus software brands include Bitdefender, Norton, Kaspersky and McAfee. Install and carefully monitor the software, regularly installing updates and patches.
- Create strong passwords and change them every 90 days.
- Consider dividing your network into multiple segments to better control traffic, performance and security.
- Don’t forget tablets and smartphones. Mobile device management (MDM) plans minimize security risks to these devices. MDMs allow companies to apply software, settings and security policies before distribution to employees.
Develop a comprehensive cybersecurity strategy.
The primary goal of a cybersecurity plan is to prevent attacks, but businesses should also include incident response and testing, which IBM identified as among the three most effective means of reducing costs associated with data breaches.[9] Detail which individuals or teams are responsible for overseeing various parts of the plan. A disaster recovery plan specifies actions to take and timelines if an incident occurs. Test and refine the steps to ensure they can be conducted effectively.
Besides your business, who else would an attack impact? Customers, partners, creditors, financial institutions and suppliers may all be affected. It’s important to include a communications strategy. Outline what information to share with these groups, as well as how and when.
Developing a small business cybersecurity plan to address every area of operations may seem overwhelming. But you don't have to go it alone. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) features free online resources such as the Cyber Resilience Review. In addition, the Federal Communications Commission offers a customizable small business cyber planner and cybersecurity tip sheet.
Properly vet payment processors and other third parties.
Payment processing is highly regulated to keep card and other sensitive transactional data safe. Work only with reputable payment processors who follow data security best practices. The Commerce Department also recommends isolating payment systems from browsers and other devices that may be used for less critical business operations. The security practices and credentials of other third parties, such as hosting providers and outsourced IT support, should also be scrutinized.
Train employees.
IBM also identified employee training as critical in reducing the cost of data breaches. Some breaches happen when employees unintentionally share sensitive information. Security is a team effort and it’s important that every member understands the role they play in preventing fraud. Limit access to certain types of information to a “need-to-know” basis. Teach employees to recognize and maintain information security levels (e.g., internal, public, confidential and restricted). Provide ready access to your small business cybersecurity plan and regularly train all staff as part of the overall security process.
Test, refine and maintain your security posture.
New fraud threats are emerging every day. So, reassessing your security posture and the ongoing effectiveness of your plan is critical. Be sure you have the tools to identify unusual system or network activity. But also maintain some regular practices:
- Regularly scan for vulnerabilities. Uncovering system weaknesses isn’t a “one-and-done” activity. You should continually conduct security audits and vulnerability assessments to identify any gaps that could give bad actors access to your network and information. CISA’s free Hygiene Vulnerability Scan can help. When you sign up, this solution will automatically review your systems and report weekly on weak configurations and recognized vulnerabilities.
- Update systems, browsers and software. Software developers and other technology partners constantly enhance their products and services to improve performance, resist tampering and patch security gaps. Many of these updates can be scheduled for automatic alerts and implementation.
- Back up data and store copies where fraudsters won’t have access (e.g., external hard drives and/or cloud-based storage).
- Enforce password changes, ideally every three months. Follow guidelines for creating strong passwords. If possible, add multifactor authentication for access to sensitive programs and devices.
- Stay informed. Subscribe to and read online cybersecurity and trade association publications and their associated emails, such as the National Security Alliance. They provide up-to-date news and educational resources to stay abreast of threats and tips for prevention.
Buy cyber liability insurance.
Data breaches and other incidents can be costly. Cyber liability insurance can help pay costs related to investigation, regulatory fines, and customer or vendor legal actions. You might also consider business interruption insurance to help with expenses due to closures if your business suffers an attack.
You’re working hard to build your business. Fraudsters are working just as hard to undermine your efforts. They’ll steal whatever they can, including your reputation. But being a small business owner doesn’t mean you have to be an easy target for criminals. Every day is an opportunity to protect the assets that matter most – your data, customers and brand. Why not start today?
For more information on how we can help develop a cybersecurity strategy for your business, complete a short form and a Synovus Treasury & Payment Solutions Consultant will contact you with more details. You can also call 1-888-SYNOVUS (1-888-796-6887) or stop by one of our local branches.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
1. Identity Theft Resource Center, “2023 Business Impact Report,” September 2023
2. Ibid
3. Hiscox, “Hiscox Cyber Readiness Report 2023: US Small Business Focus,” December 2023
4. Astra IT, Inc., “160 Cybersecurity Statistics 2024 (Updated),” February 8, 2024
5. Kaspersky, “Securelist: How Cybercrime is Impacting SMBs in 2023,” June 27, 2023
6. StrongDM, “35 Alarming Small Business Cybersecurity Statistics for 2023,” February 22, 2023
7. Privacy Affairs, “Dark Web Price Index 2023,” April 23, 2023
8. IBM, “Cost of a Data Breach Report 2023,” July 2023
9. Ibid