The Weekly Breach Breakdown: No Small Attacks – How to Protect Your Business from Cyberattacks

• On the Identity Theft Resource Center’s (ITRC) last Weekly Breach Breakdown podcast, we discussed our inaugural Business Aftermath Report. The report shows how data and security compromises impact small businesses. 
• In this week’s episode, we look at what businesses can do to protect themselves. To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to regular operation is the top priority.
• Make sure team members know their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. Also, have good back-ups and patch software as soon as possible.
• To learn about recent data compromises or small business data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified. 
• If you believe you are the victim of an identity crime, data breach or want to learn more ways to protect yourself from cyberattacks, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

No Small Attacks

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 5, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Last week, we focused on our inaugural Business Aftermath Report findings that show how small businesses, including solopreneurs, are impacted by data and security compromises. This week we look at how to protect your business from cyberattacks.

In the entertainment business, the saying goes that there are no small parts, only small actors. In the security world, you might say there are no small attacks, only small attackers. That’s the name of this week’s episode: No Small Attacks. This week, we will talk about what you should do to protect your business from cyberattacks and prevent data breaches.

2021 Business Aftermath Report Findings

First, a brief recap of what we found in our survey of small business owners and leaders – nearly two-thirds of which had fewer than 50 employees.

• Fifty-eight (58) percent of the small business owners or leaders reported a data breach, a security breach or both.
• Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
• Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven percent said they had not returned to pre-breach performance levels at the time of the survey earlier this year.
• Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger companies with ransomware. It also means this is likely to be a permanent condition.
• Forty (40) percent of compromises were caused by outside cybercriminals. However, 35 percent were attributed to malicious insiders – an employee or a contractor.

That last statistic – the number of malicious employees is much higher than for larger enterprises with more tools and processes to detect bad actors. In fact, through the first half of 2021, there were zero data breaches attributed to a malicious insider in the U.S. Given this information, what should a business do?

How to Protect Your Business from Cyberattacks or Prevent Data Breaches

There is no going back to the days when small businesses could get by with minimal cybersecurity and data privacy protections. Every business owner, leader and team member should operate as if you are already under attack (because you probably are).

To protect your business from cyberattacks, when something bad happens, stopping the attack and restoring your systems to normal operation is priority number one. Once that’s done, the highest long-term priority is restoring trust among your customers and prospects. Ensuring you know what happened, why it happened, and taking steps to prevent another breach are the bare minimum actions.

Be prepared to invest in more training, more policies and more solutions. Then, communicate all of that to your stakeholders – employees, investors, customers and community. If you don’t tell them, no one else will.

Additional Tips

• Make sure every team member knows their role in protecting the company and themselves from phishing and social engineering attacks, as well as adopting good cyber-hygiene habits. There’s no such thing as too much training.
• Patch software as soon as updates are available and make sure you have good back-ups. If you don’t have in-house resources, hire a managed security service provider (MSSP) to handle all your routine IT and OT tasks and monitoring.
• Require multi-factor authentication (MFA) for your team and vendors, and offer it to your customers. MFA linked to an authenticator app is best.
• Threat actors don’t just want your money. They want your data, too. The more you have, the bigger the target you become. To protect your business from cyberattacks, practice data minimization and don’t collect more information than you need. Also, don’t keep it longer than necessary to complete a transaction. You can’t lose control of what you don’t have.
• Know your vendor’s security posture, too. It’s not enough that you have good cybersecurity. Everyone you work with also needs protections equal to or better than yours. That’s the law in some states now, and it is non-negotiable when it comes to protecting your customers.

Contact the ITRC

The ITRC offers low-cost training and vendor due diligence for small businesses. For more information on those services or how to protect your business from cyberattacks, contact us at www.idtheftcenter.org.

Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.