The Cybersecurity Landscape for Small Businesses
Small business owners are no strangers to navigating challenges and mitigating risk. But there’s one thing many small businesses aren’t prepared for: cyberattacks.
Costing the U.S. economy billions of dollars a year, cyberattacks pose a threat to companies of every size. Yet, while most large enterprises have invested in the security infrastructure required to protect their digital assets, many smaller companies – that also handle the kind of sensitive data that cybercriminals want – don’t have the same level of security in place.
This gap is why SUCCESS Computer Consulting recently hosted an in-person discussion about the small business cybersecurity landscape with a hand-picked panel of cyber experts. Those experts include Brandon Nohr, SUCCESS’ Chief Technology Officer; Mark Danielson, a Supervisory Forensic Accountant for the Federal Bureau of Investigation (FBI); and Marc Laliberte, Director of Security Operations for WatchGuard Technologies.
Let’s take a closer look at what our experts had to say about the cybersecurity challenges small- to mid-sized companies face, when the FBI would get involved, and what you can do today to start closing any gaps you have.
Assess your small business risk
Our experts agree that social attacks are by far the most common threat for small and mid-sized companies. Social attacks arrive through email (phishing), voicemail (vishing), and text messages (smishing). They prey on the weakest links in an organization to gain access, which underscores the importance of a cybersecurity-aware culture and regular end-user training.
Other cyberattacks that are commonly seen and growing in popularity include:
- Credential compromise – usually starts with a data breach and results in your information and credentials being available for purchase on the dark web.
- Living-off-the-land attacks – weaponize software you already have on your network.
- Zero-day malware attacks – exploit vulnerabilities in various systems (e.g., browsers, operating systems, applications, hardware, and firmware). Roughly 70% of malware in 2021 was zero-day malware.
Know when to involve the FBI
If you’re hit with a cyberattack, your first instinct may be to keep it quiet and pay the ransom. But that’s precisely what our experts advise against.
Instead, if a ransom is demanded, you should contact the FBI within 72 hours to report the breach. Their role is to support your company, recover your data and funds as soon as possible, and apprehend the perpetrators.
Beyond recovering lost funds, there is also a chance the FBI has a decryption tool from other incidents that can be used to decrypt your data. They are also able to obtain unique information from ISPs, private firms, and various other services to properly identify and stop perpetrators.
Even when the FBI can retrieve your funds, a full investigation and resolution of a data breach can last one or more years, depending on the case.
If you’ve implemented proactive cybersecurity measures, the hope is that you’ll never need to involve the FBI – but they serve a critical role in recovering your data in case of emergency.
Implement these cybersecurity measures
- Develop a cyberattack plan – every company needs a documented and tested disaster recovery and business continuity plan in place. If your internal team doesn’t have the expertise, we can help.
- Follow a cybersecurity framework – these industry-standard roadmaps spell out the policies and procedures you should have in place: CIS, NIST, HITRUST, ISO, and COBIT.
- Adopt a zero-trust approach – always assume there’s a fraudulent insider in your company. Taking this approach can greatly improve the security integrity of a company.
- Use Multi-Factor Authentication – our experts call this the easiest and most effective way to prevent fraudulent access.
- Implement monitoring tools – proactive behavioral monitoring helps you quickly identify both known and unknown malware within your network. This is critical because new malware is being created every day.
- Create a cybersecurity-aware culture – make sure your team understands your password and data security policies. Offer regular end-user training. And never imply that people will get into trouble for accidentally opening phishing links. That’s an easy way to make yourself more vulnerable because employees will hesitate to report anything suspicious.
- Examine your processes for disbursing funds – outdated procedures open you up to compromise. If you haven’t already, the time to secure your payment process is now.
Move forward in your journey
At SUCCESS Computer Consulting, we talk a lot about how cybersecurity is a journey. If you feel behind or aren’t sure where to begin, our experts agree the most important thing you can do is just get started.
Our team of experienced cybersecurity experts can help. Contact us today.