Small businesses increasingly targeted by cybercriminals

The National Cyber Security Alliance in a recent infographic cites a surprising statistic: 60 percent of small businesses will close within six months of a cyberattack. That figure becomes more concerning when it is measured against the number of small businesses that are prepared for a cyberattack. According to research by the technology company Symantec, 59 percent of small businesses do not have a contingency plan outlining procedures for responding to and reporting data breach losses. Furthermore, 87 percent do not have a formal written internet security policy for employees.

The NCSA infographic, bluntly titled “America’s Small Businesses Must Take Online Security More Seriously,” captures a current trend – cybercriminals are more frequently targeting small businesses and organizations, which were once considered a lesser target. Now, cybercriminals exploit small businesses to gain access to bigger businesses through the distribution chain or payment portals.

Patricia Toth, supervisory computer scientist at the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, said in a recent NIST press release that businesses of all sizes are at risk if they conduct business or store information and data online.

“Many small businesses think that cybersecurity is too expensive or difficult,” said Toth, who leads outreach efforts to small businesses as part of the agency’s cybersecurity and privacy applications group. “In fact, they may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival.”

Toth is also the lead author of NIST’s “Small Business Information Security: The Fundamentals.” Published in November and available free of charge, the 32-page guide (plus appendix) is intended for small-business owners who have little to no experience in cybersecurity.

CDA Practice Analyst Teresa Pichay calls the publication “informative for practice owners, whether or not they have professional IT advisors.” The guide offers basic steps small businesses can use to help protect their information systems and takes users through a simple risk assessment to identify risks and vulnerabilities (see the article “HIPAA-required risk analysis can prevent malware attacks” on cda.org). Specifically, the guide explains how to:

  • Limit employee access to data and information.
  • Train employees about information security.
  • Create policy and procedures for information security.
  • Encrypt data.
  • Install web and email filters.
  • Patch or update operating systems and applications.

In addition, the guide provides recommendations on new equipment that might be required and how to find reputable cybersecurity contractors.

Download the guide, “Small Business Information Security: The Fundamentals” at nist.gov. Also read the CDA article “HIPAA-required risk analysis can prevent malware attacks” on cda.org.

Related Items

CDA has fielded calls recently from dental practices wishing to learn more about the risk analysis required of all entities covered by the Health Insurance Portability and Accountability Act. Coincidentally, in response to the rapid rise of ransomware attacks, the U.S. Department of Health and Human Services’ Office for Civil Rights in July issued new guidance for health care providers.

The U.S. Department of Health and Human Services’ Office for Civil Rights released new guidance to help health care providers better understand ransomware and the steps required to help prevent, detect and respond to attacks.