Small Companies Carry Greatest Cyber-Risk

By David McCann for CFO.com

At small businesses, rank-and-file employees may be more aware of the threat from cyber-crime than are company leaders.

It seems so, at least, from a finding in a recent survey of more than 600 full-time employees and 100 C-suite-level leaders at companies with fewer than 500 employees.

In the survey, conducted by Switchfast, an IT consulting and security outsourcing firm, 35% of the employee group, but a disturbing 51% of the executives, said they were convinced that their business was not a target for cyber-criminals.

Such complacency with respect to cybersecurity is a notable risk, according to Switchfast. Calling the devil-may-care attitude a “common misperception,” the firm notes in its survey report that small businesses are prime targets for hackers because of their size.

Large companies make headlines when cyber-criminals strike. At the same time, they have dedicated IT and security staff to vigilantly do battle with wrongdoers. That makes smaller companies more vulnerable.

“Negligent employees remain the number-one cause of data breaches at small businesses,” writes Switchfast — and here, “employees” means anyone who works for a company, including executives. “Seemingly innocent actions, like connecting to a Wi-Fi hotspot in a coffee shop or hotel lobby, can cause some of the [greatest] damage to a small business.”

In fact, hackers notoriously frequent such venues because they know corporate workers are likely to be there and commit such grievous security errors. The cyber-criminals can launch man-in-the-middle attacks or distribute malware when users connect to private servers over open networks.

In the survey, 66% of the “employees” group, but also 44% of small-business leaders, said they’ve connected to a public Wi-Fi network to do work.

Poor handling of passwords, by employees and executives alike, is another common mistake. For example, writing down email passwords on sticky notes can allow thieves to access otherwise secure accounts.

Bad password practices also carry a risk of facilitating inside jobs. About one in five SMB leaders (22%) and employees (19%) that participated in the survey said they’ve shared their password with a co-worker or assistant.

Accessing personal social media accounts from work computers is another significantly risky albeit common practice — 66% of employees and 44% of managers have done it, according to the Switchfast survey.

Switchfast advises small companies to establish a “bring your own device” policy. The policy can dictate what work employees can do on their mobile devices and restrict them from downloading work files to personal devices.

Another solid protective strategy is the use of a virtual private network “to keep prying eyes from spying on sensitive data transmissions,” Switchfast says. “Small businesses should consider requiring employees to use a VPN whenever they work away from the office.”

The firm also recommends that businesses conduct phishing tests, as most cyber-attacks originate with a phishing email. Designed to simulate a real phishing attack, these test emails contain a link that monitors who falls for the scam and who responds in an appropriate manner.