An unprotected USB drive may not seem like a grave threat, but cyber security experts say it has the potential to take down your business.

“This is one way an attacker can introduce malware into an organization’s devices – which provides them with the ability to get access to information or assets,” says Digital Defense CEO Larry Hurtado.

Aside from USB fob attacks, in which a hacker would drop off the devices and wait for an unsuspecting employee to use them, Hurtado says sophisticated cyber-criminals are increasingly turning to social engineering attacks.

“The most widely publicized are called spear phishing attacks: They target a specific individual [via e-mail or social media] with the objective of getting him to provide information,” says Hurtado. Then, the criminal will leverage that information to steal more valuable data.

And hackers look at small- to medium-sized businesses as “low-hanging fruit,” since they often don’t spend as much time or money protecting their systems, according to Hurtado.

How to Protect Your Business

No. 1: Be Skeptical
The first step is to make sure your employees know what spear phishing is.
“They need to understand to keep their guard up when receiving emails, or if they receive information that requires them to click on a link or enter data,” Hurtado says. “If they’re aware of these types of tricks, then there’s a higher likelihood that they’ll be more wary.”

No. 2: Make Sure Antivirus Software Is Up-to-Date
Hurtado shared one cautionary tale of a company that had antivirus software on all its computers – but got hit all the same when one device ran behind on updates, compromising the network.

No. 3: Know Your Weak Points
Hurtado suggests simulating attacks in order to better understand your company’s vulnerabilities.
“You want to probe your network and make sure that all patches are up-to-date, which will keep you protected,” he says. He recommends hiring a third-party company to do this, which will take a harder look at your security flaws.

Some companies will even try to print out fake badges and trick staffers into letting them into the building.

No. 4: Understand Where Valuable Information Is Stored
Many companies don’t even know where their most important data is housed, says Hurtado, or how a cyber-criminal might try to access it. Arming yourself with this information will let you better protect yourself from an attack, he says.

Follow Gabrielle Karol on Twitter @GabrielleKarol