Since the beginning of the COVID-19 pandemic, small businesses have quickly adopted remote working and transitioned to new technologies, such as contactless payments and online ordering. Unfortunately, these adjustments have come with increased risks. According to a 2022 report from Barracuda, a cloud and network security company, small businesses with fewer than 100 employees receive 350 percent more social engineering attacks—like phishing, scamming or email compromise—than larger businesses.

Compared with larger companies, many small businesses have fewer resources to dedicate to cybersecurity, leaving them vulnerable to the ever-evolving tactics of cybercriminals. And dealing with the consequences of a cyber attack can be seriously detrimental to a business’s bottom line, costing approximately $25,000 per year.

Small businesses can protect against cyber attacks with these four tips.

Evaluate online systems.

Before a business can effectively protect itself from cyber threats, it should have a complete understanding of its current ecosystem of online computer operations. The owner can ask: “What do we do on any machine that’s connected to the Internet whatsoever?” said Andrew Lipton, vice president, head of cyber claims at AmTrust Financial Services, a small-business insurance company.

Business owners should understand where their data lives and classify what types of data they store—for example, names, addresses, Social Security numbers.

Lipton suggested that owners reach out to a legal expert, especially if they’re handling sensitive information like Social Security or credit card numbers, to get a better understanding of the consequences of a data breach and get a professional opinion on how to protect their data.

Then, they’re in a good position to talk to their Internet service provider to find the best way to secure their most important information.

Implement cybersecurity best practices.

Even without the firepower of larger companies, small businesses can create a defense that discourages cybercriminals from carrying out their attacks, said Najma Sultana by email. Sultana is the chief security officer at Veem, a global payments provider for small businesses.

A business owner can implement basic security and hygiene practices, such as:

  • Installing firewalls to prevent unauthorized access to the firm’s networks.
  • Using antivirus software and ensuring that it’s updated regularly.
  • Regularly backing up data and storing it offline or in another location, not just in the cloud.
  • Creating strong passwords and not using the same password across different accounts.
  • Requiring multifactor authentication, which asks for two identifying factors, like a password and a code, to access accounts and systems.

Some of these security features may already be available. “Many of the applications and software your company already uses will have built-in security features, but they won’t necessarily be turned on by default,” said Lauren Winchester, vice president of risk and response at Corvus Insurance, by email.

A firm can enable these features to quickly and easily add an extra layer of security.

Train employees—and owners.

Business owners and their employees are often the first line of defense in protecting the business from cyber attacks. In fact, according to the 2022 Global Risks Report by the World Economic Forum, 95 percent of cybersecurity issues can be traced to human error.

Receiving basic cybersecurity training can help principals and employees learn to identify common threats, such as phishing emails or suspicious downloads, as well as develop online best practices, like safe browsing and strong passwords.

And with employees working remotely or in different office locations, it’s particularly important for firms to create and review cybersecurity policies for the business, including safety guidelines and what to do in the event of a data breach.

The Federal Communications Commission offers a free online tool to help businesses create a customized cybersecurity plan based on a company’s unique business needs. Free virtual and in-person cybersecurity training events are available from the U.S. Small Business Administration and its partners. Internet systems and cyber insurance providers may also offer these types of training.

Invest in cybersecurity insurance.

Cybersecurity insurance can help protect a business from financial losses caused by incidents such as data breaches, ransomware attacks and hacking.

If, for example, a point-of-sale system is hacked and the hackers release the stored credit card information of customers, this policy would cover the cost of notifying customers, investigating the incident and providing credit monitoring services. It would also cover legal fees or settlements if a customer sues the business as a result of the incident.

The best cyber insurance carriers in the market today, however, are more than a backstop to financial loss, said Lipton of AmTrust Financial Services. These insurance companies will not only provide a comprehensive policy but will also help evaluate a firm’s systems, offer advice on how to better protect data, and connect a firm with additional security partners or vendors in their network.

Look for a carrier that’s volunteering to be a partner in cybersecurity strategy, Lipton said. Insurance is “a critical component of the cybersecurity strategy, but it’s just one piece.”

This article was provided to The Associated Press by the personal finance website NerdWallet.