To learn more about how cybersecurity impacts small businesses, Hardware Retailing talked to Daniel Eliot, director of education and strategic initiatives for the National Cyber Security Alliance.
“I have a small business, so I’m not at risk for cyberattacks.”
Cybercriminals often target small businesses because they are easier to infiltrate, Eliot says.
“Business owners have a legal and ethical responsibility to protect the information they’re collecting,” he says. “Whether that data is from employees, customers or business partners and vendors, it’s all vulnerable, and it all needs to be protected.”
Anyone who collects payment information or pays bills, files taxes or applies for business certifications online is a target and has data that cybercriminals want. Even if you only operate a basic payment card terminal, data is still out there.
Eliot says there are often warning signs that a system has already been breached, but users often blame those signs on their internet service providers or outdated technology. A slow network, loss of access to systems or unexpected new users may be symptoms of a larger issue.
“Anomalous activity on a network should be a huge red flag,” Eliot says. “It’s really important to have someone monitoring the network because those are the signs that a monitor will catch early.”
“Protecting the company from cybersecurity threats is the responsibility of my whole staff.”
Cybersecurity isn’t just a concern for your IT manager or vendor. In fact, Eliot says IT and cybersecurity are very different technology fields. Protecting your business from cyberthreats isn’t solely a job for the person who helps connect your POS systems to WiFi and runs software updates.
“We have to change the culture of businesses when it comes to cybersecurity,” Eliot says. “We need to equip employees with the skills, behaviors, processes and technology to prevent cyberattacks.”
Eliot says more than 90 percent of cybersecurity incidents start with an email. Therefore, an effective way to prevent those incidents is to train employees on how to identify malicious emails prior to giving them email access.
“In many jobs, the first thing you get access to is email, but that really shouldn’t be the case,” he says. “That’s like giving someone the keys to a car without teaching them how to drive it.”
Send every individual who needs access to email through a cybersecurity training program, from the company president to the new cashier. When it comes to creating email accounts and allowing access to networks and servers, think about people’s specific roles and what information they actually require to be successful.
“We often give out too much access to information. Only give employees and vendors access to the data they need,” Eliot says. “That goes for executives, too. Higher-level employees are huge targets for cybercriminals, and the more access people have, the more problems you open yourself up to.”
“There are cybersecurity solutions within my budget.”
There are many steps to protect your business that you can take at little or no cost, Eliot says. Investing in additional employee training and identifying a point person who will take appropriate action in the case of a cyberattack are two steps retailers can take now to protect their operations.
And while there are low-cost options, Eliot says implementing cybersecurity protections should be one of many loss prevention tactics.
“All businesses require a mitigation strategy for any number of threats,” he says. “Whether you’re taking preventative measures against fire, flood, tornadoes or cybersecurity, taking it seriously does require time and money.”
Eliot says it’s especially important for retailers to invest in cybersecurity now if they plan to grow their business.
“Having more employees equals more points of entry and more vulnerability,” he says. “You need to be able to scale your security accordingly, just like you would add more cameras if you added more square footage.”
“My customers don’t expect me to make the same investments in cybersecurity as big-box stores.”
Consumers expect that when they use a credit card or sign up for a rewards program, their data will be protected.
Eliot says for smaller retailers, especially locally owned businesses that rely strongly on customer loyalty and trust, it can be difficult to recover from cybersecurity incidents.
“Once loyalty is tarnished, people feel like they can’t shop there anymore,” he says. “It’s easier and safer for them to go somewhere else.”
Eliot says it’s not a matter of if your system will be breached but when, which is why it’s important to make a reasonable effort to protect the data you’re collecting, storing and creating.
“The goal of creating policies is not to make getting our jobs done more complicated or to obstruct business operations,” Eliot says. “The goal should always be to make an organization more secure. It’s a continual balancing act of marrying appropriate security measures with effective operations.”
Eliot recommends retailers talk to their insurance companies to find out what kind of cybersecurity coverage they have and what’s available to ensure their operation is covered.