Data theft is one of the most common cyber crimes, because those who have the data, have the control over the business. SMBs think they are at the bottom of the food chain, but attackers are not apex predators, many of them just go in the path of the least resistance and small business owners leave open doors for these attacks with their lack of IT resources and cyber awareness. That’s why nearly half of the data theft incidents involve SMBs.

Our goal is to reduce the frequency of these attacks by giving guidelines for SMBs to help them survive and then thrive in the market. 

The cost of data theft

Data theft is financially motivated in most of the cases, for SMBs it concerns 93% of data breaches. It’s not just data and money you can lose, but also time, your nerves and the worst of all: customer trust. 

You have intellectual property, confidential business information and customer data: are they valuable for you? Would you pay for it in case it’s stolen? Of course. And cyber criminals know that. 

SMBs are especially exploitable and they often pay a higher cost for data theft than the big players – it can cost their business if they don’t get their data back, so they pay instead of effective defense.

Let’s break it down: 

Money: The average cost of data theft for SMBs was $2.98 million. SMBs are more willing to pay for cyber criminals, because they can’t afford to disrupt their business operations.

Time: It takes longer for SMBs to detect a breach: the average breach lifecycle is 287 days and in addition to that, downtime also heavily affects SMBs – time is money afterall, the more you lose, the greater the price you have to pay after. This delay is like having an intruder in your home without even noticing it…

Customer trust: It is priceless, but if you lose it, it can cost you your business.

In short, SMBs have a lot to lose and the majority lack any kind of line of defense. No wonder, cyber criminals expect smaller businesses to be an easy target, but you can change that: build a stronger defense by following the next steps.

Step 1: Raise cybersecurity awareness

Cyber security awareness has three main elements:

• Empower your workforce: Give cyber security training for your employees, as they are the most common targets for phishing attacks, don’t forget they’re your last line of defense, cyber criminals know that and they prey on their unsuspecting minds and human error.
• Provide system-wide transparency: Awareness is not just about knowing what could happen to you, it’s knowing what’s going on in your company right now. This is key to preventing cyber security threats.  Awareness is knowing and doing. Get a detailed overview of your business operations. UEBA (user and entity behavior analytics) and SIEM (security information and event management), paired with the new technological improvements of AI and automation, are definitely effective tools to save you time and money and improve overall productivity, already in the short run. Awareness is not just about passive “knowing”of what can happen hypothetically, it’s active “doing” as well. 
• Get the right attitude: Cyber criminals are constantly getting better with technological advancements and they are not only eager for money but also for the admiration of the hacker community, so they will find new ways to infiltrate your inner circle of confidential information. Keep an eye on cyber security trends, dedicate time and energy for defense and think in the long term – build a cyber resilience strategy. 

In short, building strong defense is an on-going process, but first, you must know where you’re starting from. 

Check your current security status

Step 2: Access risk management

The most common causes for data theft include:

• Weak or stolen credentials involving poor password management and the lack of multi-factor authentication
• Negligent use of workplace devices, that’s especially true for SMB workers, who use personal devices for business purposes
• Spear phishing emails – 90% of them are targeted at employees, attackers know that untrained colleagues can easily fall for scams
• Insider threats – a third of employees say it’s common to take corporate data with them when leaving a company
• Third party member threats – vendors, partners, suppliers: their access rights are often overlooked and they leave open doors for cyber attacks.

All of these causes can be mitigated by access risk management. Even if cyber criminals steal credentials, or employees fall for phishing scams, if you follow the least privilege principle, that is every employee and third party member has only the necessary access rights to confidential information, then you can minimize your attack surface and prevent data theft in many cases. 

However, best practices such as the segregation of duties or the principle of least privilege are all subject to human error, especially privilege creep, when access rights are reassigned, and nobody keeps track of it. That’s why manual access risk management is far from being safe or effective:

Check the 7 sins of access rights management and how to avoid them.

Step 3: Minimize human error with automation

Businesses who have adopted AI or automation to strengthen their defense experienced significantly less harm from cyber attacks. Automation can maximize your defense, minimize human error and enhance your productivity. 

Manual tasks are a burden to your already overwhelmed IT and HR departments. Manually assigning, revoking and managing access rights and licenses are an unnecessary hassle that could be easily automated. 

Many small business owners think that they lack the resources to afford automated control, but we created our software, TheFence with SMB owners in mind to help them minimize their attack surface and strengthen their lines of defense.

• Automated risk detection: Identify potential risk factors without relying on manual tasks or time-consuming training. It minimizes human error, the most common cause for business data leakage. 
• Automated notifications and alerts: Reaction time is crucial, it can make a difference between an access risk and a cyber attack. Automated alerts help you address potential access risk issues as soon as possible.
• Maximize transparency in your company: Notifications and alerts are sent directly to your company’s communication channels, so there’s maximum awareness, nothing blocks the flow of information. Stay always up-to-date and get a detailed overview of your employees’ security status.
• Pass any security audit: Auditors can cause constant stomach cramps, especially if you work in an industry where you have to be compliant with IT security standards. Be prepared instead of being scared. 

Another great advantage of setting up proper access control management is cost-efficiency. It’s not just about risk detection and notification, but also checking for unassigned licenses  – an unnecessary money drain for many companies. Why pay for those licenses that no one uses? 

You can save a significant amount of money by keeping an eye on your employees’ license usage. Luckily, it’s all automatic – you just get the report of the potential annual license cost savings. Check how much you could save with us!

License cost calculator

Step 4: Regular data backup

We can’t press hard enough the importance of cyber security. Rule number one is prevention and preparation for the worst, so if you create a regular data backup routine, then you can substantially reduce your vulnerability to ransomware attacks. As its name shows, a ransomware attack encrypts your crucial business data and you can only recover it if a ransom is paid, but in many of the cases even after payment, only a portion of your data is recovered. 

Step 5: Stay alert!

There’s no perfect recipe to ward off cyber threats, so staying alert may sound way too generic, but still, it is the most you can do for your business. 

Regularly update your tools, you should have the latest version of all softwares, applications, operating systems and browsers – especially your antivirus software to protect your business from viruses and malware. 

It seems to be obvious, but as SMBs often lack a dedicated IT expert, these easy steps are often overlooked. But you can do even more:

Automate the manual tasks, provide regular training for your employees and start building a cyber resilience strategy: don’t forget, criminals go in the way of the least resistance and they don’t expect SMBs to be prepared: preparation, prevention, alertness can save you money, time and data. Luckily, some parts of this process can be fully automated!

Defend what’s yours

You work hard, you produce value with your business, your employees rely on you and you rely on them. Don’t let cyber criminals break your business’ integrity, don’t let them destroy what you’ve built. Think beforehand and defend what’s yours.

Access control can make or break your business. Make it with TheFence. It’s better to be safe than sorry.