The risk data breaches and cyberattacks pose to small businesses cannot be overstated. Roughly half experienced a breach within the past year at an average cost of $665,000 and immeasurable lost revenue. Worse yet, approximately 60 percent of those businesses will close within six months of the breach.

Despite these stark realities, most small businesses forgo implementing an information technology system that adequately secures their information. The following are two easily implementable and relatively inexpensive steps any company can take while designing and implementing a comprehensive security system and incident response plan. But note, they are not meant to replace a security system or response plan.

Caution employees about phishing and social engineering attacks. Phishing uses a copycat or spoofed version of a trusted email address or website, and social engineering impersonates a known and trusted person, both with objective of fooling an employee into providing confidential information, clicking a malicious link, or opening a malicious file. They are the most-often used techniques to breach small businesses, but can be warded against using the following FTC tips: instead of clicking a website link in an email, an employee should look up and access the website without the link; and an employee should not respond to emails for confidential information without first verifying with the purported sender using another point of contact.

Implement and enforce an effective credential management policy. Access credentials (username and password) are the primary target of most cyberattacks, which once obtained, are used to steal confidential information across as many platforms as possible. To decrease the chances stolen credentials can be used to access your company’s system, employers should require that all employees use complex passwords, which are typically seven to 10 digits long, a mix of upper-case and lower-case letters, numbers and symbols; change passwords regularly; use a different password for each account/system accessed; and use credentials different than those used for personal, non-work accounts. Lastly, employers should implement a two-factor authentication as much as possible that requires both a password and additional piece of information to successfully log into an account (typically, a random code or pin generated by an app and is sent only to the true account holder). This protects the account when a password has been compromised.

This article appeared in the July 20, 2017, issue of The Journal Record. It is reproduced with permission from the publisher. © The Journal Record Publishing Co.