Cybersecurity continues to be a hot topic for small and medium-sized businesses (SMB). It’s not uncommon for smaller businesses to believe that because of their size, “there isn’t much to steal,” so cybercriminals will simply not target them. This assumption couldn’t be further from the truth. The 2017 State of Cybersecurity in Small & Medium-Sized Business Report conducted annually by the Ponemon Institute clearly debunks these ideas, showing that 61 percent of smaller businesses experienced a cyberattack and 54 percent reported data breaches involving sensitive information in 2017.
The reality is that cybercriminals are well aware of these flawed assumptions and of the false sense of security common in smaller businesses, and they actively seek to exploit them. It is easier for an attacker to compromise a small business with a limited budget and few resources dedicated to cybersecurity than to compromise a large enterprise that has multiple layers of security effectively implemented and fully funded.
Smaller businesses obviously cannot match the spending on cybersecurity technologies or staff a full team of cybersecurity experts like their larger counterparts. Still, there are ways for smaller businesses to compensate for these budget and resource limitations and implement an effective, comprehensive cybersecurity defense.
1. Do Not Tackle it Solo
Small businesses thrive by focusing on what they do best, and that does not change when it comes to cybersecurity. Unless you are a small business specifically focused on providing cybersecurity services, it is recommended that you seek out professional assistance. There is no shame in this; in fact, it demonstrates that you have your business' best interests at heart. By taking the actions needed to do business as securely as possible and contracting with a reputable Managed Security Service Provider (MSSP), you are telling your employees, partners and customers that protecting your business from cybersecurity threats is a priority and that you are committed to protecting their information.
2. Document your Cybersecurity Policies
Most successful small businesses are extremely agile, operating by word of mouth and institutional knowledge, much of which is undocumented. Cybersecurity is one area where it is essential to document processes and policies, and in many cases regulatory authorities require this documentation to meet governance requirements. There is good reason for this: cybersecurity likely touches every area of your business, so you should have a well laid out plan and process for dealing with it. The U.S. Small Business Administration (SBA) provides a cybersecurity portal that includes online training, checklists, toolkits and many other resources, a great starting point for your security documentation (https://www.sba.gov/managing-business/cybersecurity/top-tools-and-resources-small-business-owners).
3. Educate Employees
Small business employees often wear multiple hats and fill multiple roles, making it essential that each and every employee be trained on your company's cybersecurity policies and procedures. Additionally, cybersecurity threats are ever-evolving, and employees should be made aware of the threats your business is susceptible to. Establish training for employees focused on basic security practice areas such as password security, phishing attacks, acceptable use of technology, and incident reporting and handling procedures. Ensure that rules of behavior for handling and protecting sensitive information, such as customer data, are established and that employees are trained on them. We recommend that every employee sign a document annually stating that they have been informed of the company's policies and understand that they will be held accountable for following them.
4. Layered Security
Cybersecurity for small businesses often consists of antivirus software paired with whatever firewall comes installed with their computers' operating system. Those tools are not enough to protect against the growing number of fast-evolving threats that businesses face today, especially if you have an entire network to protect or you are using cloud-based services. The first step toward reducing your small business' exposure to security threats is to understand layered security. Layered security is not redundancy: installing two different brands of antivirus is redundancy, not layering. Layered security means implementing different technologies that protect and detect in different ways. Implementing a firewall with advanced detection features, installing antivirus on endpoints and performing vulnerability scanning together is an example of layered security. No single tool can completely protect your business. Layered security is a chain of "if this layer fails, that layer catches it" controls, with each layer reducing the threats that reach your business. This includes tools such as (but not limited to):
• Endpoint Security: Antivirus, Anti-Malware, file integrity monitoring, host-based intrusion detection
• Patch management
• Network monitoring
• Mobile device management
• Multi-factor authentication
• Password management
• Vulnerability management
• Configuration management
• Cloud-based access control and management
• Data leakage detection and prevention
Regardless of whether your small business consists of a single computer or a network of computers, servers and other devices, it is essential to implement more than one method of protection. It can seem cost prohibitive to layer multiple security tools, but these added protections reduce downtime and reduce the expenses associated with cybersecurity incidents.
5. Supply Chain
Small businesses are increasingly connected to enterprise supply chains, partner networks and cloud services while conducting business. With data flowing constantly in so many directions and between so many different applications and users, the traditional idea of a security perimeter no longer strictly applies. This puts the onus on the small business to make sure that suppliers and partners connected to its networks have taken adequate security measures to protect the integrity of the information flowing to and from the business.
Small businesses should consider all aspects of supply chain information risk by taking an information-led, risk-based approach: determine what information is shared with each supplier or partner, then assess the probability and the impact of a cybersecurity incident or compromise involving it. Weighing probability against impact for each relationship lets a small business prioritize where to spend its limited effort. Supply chain risk management should be embedded within existing procurement and vendor management processes, so that it becomes part of regular business operations rather than a separate exercise.
6. Investigate Cybersecurity Insurance
General business insurance typically does not cover cyberattacks and will not help recover the business costs or legal costs associated with a cybersecurity incident. Cybersecurity insurance removes some of the risk of a cybersecurity incident from the business and transfers it to the insurance company. Cybersecurity insurance policies can cover a range of losses and liabilities, such as business downtime, extortion, data recovery and fines levied by regulatory bodies. Some policies also cover third-party liabilities, such as claims arising from a failure to protect customers' confidential data, along with the associated legal fees. Speak with an experienced and trusted broker to discuss the cybersecurity insurance options that can protect your small business.
This article was originally published in WesternBanker's quarterly Tools for Success spring/summer 2018 issue.