Owning and operating a small business is, in some ways, all at once, the fulfillment of a dream and an experience that can come with a lot more stress that you might have otherwise expected, right?

And regardless of the type of business you’re in, cybersecurity is one issue that can’t be completely ignored.

Ransomware has become an increasingly prevalent threat to businesses of all sizes in recent years, likely because the perpetrators, often, are able to extort significant sums of money from them. By one estimate, 71 percent of ransomware attacks target small businesses, with an average ransom demand of $116,000. Much of this comes from the fact that businesses, today, are digitally connected to employees (even if it’s just you), your vendors and, of course, your customers.

No business is too small to be a target.

From ransomware to phishing, cyber threats are growing. In 2024, the FBI reported more than $2.7 billion in losses from business email compromise alone, just one of many threats businesses face. Of course that is, understandably, where the challenges come in. Small and mid-sized businesses are especially vulnerable because they may not have as many resources to dedicate to cybersecurity. With that in mind, there are some important and easier than-you-might-think ways that are achievable to protect your business.

Here in Indiana, the Indiana Small Business Development Center (ISBDC), a program of the Indiana Economic Development Corporation (IEDC), is committed to providing Hoosier small businesses with easy to understand and ready to use resources that can help avoid or reduce the impact of cyber incidents. The GCA Cybersecurity Toolkit is a no-cost resource for small business owners as they improve their security. You can select from a wide range of tools to find the resources that best fit you and your business' needs.

At the federal level, the Cybersecurity Infrastructure and Security Agency (CISA) recommend that businesses at all levels implement eight cybersecurity best practices, and it offers a variety of no-cost information, services and tools. To get started, CISA suggests following four essential steps to safeguard your data and enable your employees to stop attacks before they happen, including:

• Teaching Employees to Avoid Phishing
• Requiring Strong Passwords
• Requiring Multifactor Authentication (MFA)
• Updating Business Software

With the four essentials as your foundation, you can level up by implementing four additional practices.

• Use Logging on Business Systems: Log activity so your team can monitor signs that threat actors may be trying to access your systems.
• Back Up Business Data: Incidents happen, but when you back up critical information, recovery is faster and less stressful. Put a backup plan in place that aligns with your organization’s recovery point objective to protect your systems and keep things running smoothly.
• Encrypt Business Data: Encrypting your data and devices strengthens your defense against attacks. Even if criminals gain access to your files, information stays locked and unreadable.
• Report Cyber Incident Information to CISA: When organizations and CISA share threat information, everyone is more secure. Report incidents to help CISA warn others and get information in return to help you stay ahead of threats.

For additional information as it regards reporting a cybercrime, be sure to visit the Report a Cyber Incident website page on the Indiana Cyber Hub.

As a business owner, who’s committed to serving your customers while at the same time protecting the assets that you’ve worked hard to achieve, being cyber resilient will also help in preserving your company’s image and reputation. And it’ll provide you with a greater piece of mind knowing that what you’re doing can help you to proactively protect all that you’ve invested in toward achieving your dream. Moreover, these are goals that are within reason and within your budget.

Cyber threats and cyberattacks are a reality; by now, you’ve probably heard someone say that it’s not IF your company will be impacted, but WHEN. But that doesn’t mean it has to disrupt your business.