10 Steps to Cybersecurity for Small CRE Companies and Their Tenants

April 24, 2024

Small business owners don’t spend a lot of time thinking about cybersecurity. Yet, avoiding the topic can be cataclysmic for both small retailers and small real estate companies. According to a 2022 press release from the National Cybersecurity Alliance, 60% of small and midsize businesses that are hacked go out of business within six months. Small business owners “are so busy in the day-to-day minutiae, wearing 15 hats, that cybersecurity is literally the last thing on their minds,” said Blue Chameleon Investigations director of cybersecurity Patrick Wright. “The unfortunate reality is it should be absolute front-of-mind presence almost 100% of the time. The concern is no longer someone kicking in your door with a shotgun and stealing the cash out of your till. It’s being extorted for $300,000.”

More and more, the targets of hackers are small businesses, not large corporations. “Over the last six to seven years, there has been a major, major shift from bad actors. They really don’t go after extortion from the enterprise clients: IBM, Google, Facebook,” said Wright. “Those guys aren’t going to pay it. When they attack them, it’s usually a political statement. They know the small and midtier companies absolutely will pay it because if they don’t pay it, they’re out of business.”

Wright offered the following practical tips for smaller businesses to safeguard themselves:

1. Put yourself in a security mindset.

“Cybersecurity has officially become a business risk,” said Wright. “It is an integral part of a business framework.” Now, rather than on-site robbery, “it is significantly exponentially more likely that you will be the victim of a cyberattack or cyber extortion from a party that is sitting in a second or third-world country with a sponsoring government that does not care what they do.” Cultivate a security mindset that permeates every aspect of your business operations. It’s not just about implementing technological safeguards; it’s about fostering a culture where every team member is aware of the potential risks and actively participates in the protection of sensitive information, Wright said.

2. Prioritize email security.

A whopping 91% of all cyberattacks begin with a phishing email to an unsuspecting victim, according to a 2020 press release from Deloitte. Here are some key measures to implement immediately:

Use strong passwords that are hard to figure out. Include a mix of letters, numbers and symbols. “Length matters more than complexity, although both are nice,” Wright said. “If you made the password easy to remember, it’s the wrong password. It should be too long and too complex to remember.”

Require a second form of verification to access email accounts. This adds a layer of security beyond passwords, mitigating the risk of unauthorized access, he said.

Invest in email filtering. Business-grade email filtering automatically detects and filters out spam, phishing emails and malicious content, Wright said. It also can employ advanced threat protection, analyze attachments and URLs and ensure compliance with data-protection regulations through features like encryption and data loss prevention.

3. Make sure any computer security solution you use includes security for cloud applications used on the business’ computers.

Cloud applications like Dropbox, SharePoint and OneDrive get hacked often, Wright said. “People end up uploading or accepting infected files into these cloud repositories.”

4. Monitor account activity.

Employees should monitor their email accounts for any unusual logins or suspicious activities and talk with IT promptly to investigate. For instance, if a business owner or employee receives non-delivery reports regarding emails they didn’t send or notices emails sent to unfamiliar recipients, that could signal a compromised account, said Wright. Additionally, carefully examine an email that seems suspicious for typos and verify the sender’s authenticity. Watch out for warning signs like generic greetings, notifications about account holds due to billing issues, or invitations to click on links, as these could indicate phishing attempts, cautioned Wright. If in doubt, follow the mantra that if you see something, say something, said Wright.

5. Conduct a cybersecurity risk assessment.

Email is the first area to focus on, but to safeguard yourself effectively, he emphasized, “find and acknowledge the risk.” A cybersecurity risk assessment delves into potential vulnerabilities, threats and impacts on your business’ IT systems and data while evaluating your capacity to defend these assets against cyberattacks. During the assessment, consider these pivotal questions:

  • Where is sensitive client data stored?
  • Can all potential threat sources be identified?
  • What is the potential impact level of each identified threat?
  • What are the internal and external vulnerabilities?
  • What protective measures are in place, and where do improvements need to be made?

Understanding your comfort level with risk is essential. As Wright noted, “some amount of risk is OK. There is no such thing as a completely secure environment, just environments more secure than others.”

If a company lacks the skills or resources to conduct a thorough audit, Wright recommended that a qualified security vendor handle the assessment.

6. Implement protective measures.

Implement protective measures to address the vulnerabilities the risk assessment identified and to strengthen the business’ overall cybersecurity posture. This may include enhancing network security, encrypting sensitive data and establishing incident-response plans. When a business owner turns on the computer and sees a scary red skull on the screen, their cognitive ability “goes right out the window,” said Wright. “A vetted, proper process for responding is critical.” Some important parts of a plan are:

  • a designated incident-response team
  • a clear and rehearsed communication strategy
  • regular backups of critical data
  • a well-documented recovery process

7. Train employees.

All safeguards become irrelevant if employees don’t know them or know how to implement them. “Lack of training absolutely goes into the risk category,” Wright said. Small steps can yield big rewards. “Training your employees on what to click on and what not to click on in an email could literally save your company,” he said.

Consider investing in professional training services and bringing in an outside expert. Alternatively, the latest cybersecurity trend gamifies training. “It’s interactive, so you’re clicking things, you’re reading things and you’re hearing things so it makes you retain that information,” Wright said. You also can just go on YouTube, find a couple of helpful cybersecurity videos and share them with your employees. “There is nothing wrong with making use of that, nothing at all,” he said. Just by doing that, “you’re going to be light-years ahead of other people.”

8. Implement all software updates immediately.

“Manufacturers do an acceptable job — I refuse to say good job — of patching vulnerabilities in their systems,” he said. The challenge arises when users ignore or postpone these updates by clicking the option to install them later. Business owners and employees who see a message about the need to install an update to a system like Windows should do it immediately, he said. “Repatching your software is one of the easiest, low-hanging fruits that doesn’t cost you anything to provide additional security. Myself, a two-decade veteran of this industry — when my phone says there’s an update, I stop whatever I’m doing and I run the update.”

9. Back up your data.

Implement regular, automatic backups to secure the data stored in the cloud and in on-premises servers. “I can’t tell you how many companies we’ve run into that will back up QuickBooks onto a thumb drive once a week and think: ‘Yay, we’re doing data backups,’” Wright said. “But they’re not.” Instead, he recommended “something that backs you up directly to the cloud.” It’s helpful to have a third-party, automated, scheduled backup solution, and there are a lot of affordable options out there. “It might run you five, seven bucks a month,” he said, claiming the expense is worth it. “Data backup is your No. 1 tool and utility for recovering from a cyberattack,” he said. Getting back online after a ransomware attack “could be as easy as just reinstalling your operating systems” for a business that backs up its data, he said.

10. Consider cyber insurance.

Cyber insurance provides peace of mind. “If you walk in, turn on your computer and see a big, scary, laughing red skull, there’s comfort in having cybersecurity insurance,” noted Wright. He compared a cyberattack to an auto accident. “The first thing you do in a car accident is you make sure you’re OK, that you’re not bleeding, you’re not concussed, you’re not falling over.” Then, “you call your insurance company for help.”

Wright emphasized that not all cyber insurance companies are equal. To identify reliable providers, ask probing questions. “Good questions to ask are scenario-based questions and objective-based questions,” he said. “Have them explain how they have your back and present a scenario,” he said. “If they don’t have an answer or if they stutter or say, ‘We’ll get back to you,’ my advice is to move on to someone else.” Given the specialized nature of cybersecurity, Wright stressed the importance of choosing an insurance company with substantial experience. “The more experience an insurance company has with cybersecurity, the fairer the assumption that they will be able to take care of you better.”

The goal of all these security measures, Wright said, is “to make yourself as hard of a target as possible so it’s just not worth it” and the hacker will move on to someone else.

By Rebecca Meiser

Contributor, Commerce + Communities Today and Small Business Center
