Small business, big target: How to protect your business from cyber threats

Successful small business owners have a lot in common — they’re passionate about what they offer, they’re knowledgeable about their market, and they’re willing to put in the time and effort it takes to deliver the goods.

Unfortunately, the same can be said for cybercriminals. And that’s why they target small businesses — because striving entrepreneurs, experts in their fields, often don’t have the resources to fortify their security infrastructure or the time to keep up with the latest patches and best practices, making themselves vulnerable to phishing and ransomware attacks.  

When operating margins are paper-thin, a cyberattack can break a business. The median cost of these incidents in the United States rose from $10,000 last year to $50,000 this year, thanks to increasingly sophisticated attacks, according to the 2020 HiscoxCyber Readiness Report.

“Small business owners have never been under more pressure than they are today,” says Alissa “Dr. Jay” Abdullah, Mastercard’s deputy chief security officer. “That’s why it has never been more critical to take the steps to protect the brand they’ve worked so hard to create.”

Tana Hoffman calls herself a “serial recreationist,” and she amassed plenty of expensive gear for her outdoor adventures — some of which she knew she would never use again. So the former marketing consultant launched Mountainist, an online adventure gear rental company with a storefront in Alpine, Wyoming, to help other women explore outdoor activities typically dominated by men — without breaking the bank.

As her business grew, she learned the plug-and-play platforms she relied on to get her business off the ground couldn’t provide the insights she needed. In choosing new tools, she knew that cybersecurity solutions would have to keep pace with her goals. Mastercard has partnered with the Global Cyber Alliance to make this security more accessible to small business owners like Hoffman, and she used the GCA’s free cybersecurity toolkit to more confidently navigate the online landscape.

“When you’re running an online business, you’re by necessity handling a lot of sensitive data,” Hoffman says. “That’s a big responsibility — my business’s reputation rests on not only on ensuring women get the gear they want when they want it, but that their data stays safe throughout the experience. That’s not the kind of risk my customers are craving.”

Photos, above and top: Tana Hoffman, who runs Mountainist, sought guidance from the Global Cyber Alliance's small business toolkit to learn more about protecting her growing business.

A survey conducted in June by the Cyber Readiness Institute shows that the smaller a business, the more likely they are to underestimate the risk of online attacks and how less likely they are to take effective countermeasures. And that is during the COVID-19 lockdowns, when more businesses are shifting to digital and using a remote workforce, potentially increasing their risk.

“There’s a deer in the headlights situation,” says Kelly White, cofounder and CEO of RiskRecon, a Mastercard company that helps businesses proactively manage data risks. “They know the threat is out there but it’s a complex threat and it can manifest in many ways.”

RiskRecon, whose pioneering automated scanning and evaluation technologies have helped close the wealth gap for cybersecurity, is offering small businesses with 100 employees or fewer across the United States, Canada, Latin America and the Caribbean free cybersecurity assessments through Dec. 31.

Using passive techniques, RiskRecon continuously tests vulnerabilities across 40 criteria spanning thousands of security checks, from software patching to email and network security, providing the businesses a prioritized action plan for addressing any issues that may have cropped up. For example, RiskRecon can determine what version of its e-commerce platform it is using and whether it has any known security vulnerabilities that hackers might be likely to exploit.

With many — or all — employees working remotely, White recommends that every employee works from a company-issued system with strong endpoint security controls that protect them from malicious software, and they use an email service provider that filters out malicious emails with malware.

The most proactive — and these days, quite easy — step small businesses can take is keeping up with their software patching to ensure that their systems, web services and website can’t be easily compromised by hackers. Don’t ignore notices, White says. Many providers offer auto updates — make sure they’re turned on for your laptop, phone and router.

The GCA’s cybersecurity toolkit is available in English, Spanish, French and German and includes additional tips and tools such as: 

• Know what you have: Take an inventory of your devices and applications so you know what needs protecting.
• Be different: Each device and application should have its own unique password.
• Sign in securely: Add stronger locks to your online accounts with two-factor authentication.
• Don’t take the bait! Defend against phishing and malware with a protective DNS service that prevents access to malicious sites.

Mastercard also offers free online security training in English, Spanish and Portuguese to give small merchants an overview of cybersecurity, common cyberattack vectors, best practices and what they should do if a data breach does occur.