7 Key Components of Small Business Cybersecurity Planning
If you use computers to run your business, and pretty much everyone does, then you need to have at least some basic knowledge of cybersecurity best practices. I met with several cybersecurity experts to find out what small business owners should be aware of to (hopefully) avoid cyber attacks or data loss.
Vikas Bhatia, CEO of Kalki Consulting, shared this as a general overview of what you should consider:
“As a small business owner and a cyber security professional, the simplest advice I can give is 1) get objective advice about whether losing the data you have or collect will get you in trouble, 2) keep a simple inventory of where it resides and who has access to it, and 3) make sure you follow basic technical hygiene (have different passwords for key systems, regularly update patches and antivirus systems – no matter what computer you use).”
That’s a great start, but let’s take a closer look at some of these and other key areas that you need to evaluate to keep your business safe.
1. Limit access.
Matthew Fox is a freelance IT project manager who works with a cybersecurity firm and a web development company. He suggests that small business owners ask the following: “Who has access to the data? Do they have access to only what they need to do their role? Or do they have access to everything?”
Fox believes that malware and other risks can potentially be prevented by restricting access.
2. Protect passwords.
Chris Wilken is the founder of Let’s Fix Security and Wilken Consulting. He offered these questions that small business owners should consider with regard to password management:
- How do you manage your passwords for the websites you use? Do you use a password management program like 1Pass? Are all of your passwords the same? If so, change them.
- What about your usernames? Don’t use your email as your username – pick something else.
- Do you use two-factor authentication? If not, look into it. It is simple to set up.
- Do you know if your account has been compromised? If not, use a service to find out such as https://haveibeenpwned.com/
3. Keep personal data secure.
Many small business owners do not realize that they have access to (and probably store in a database) personally identifiable information (PII).
In short, PII is any information that can be used to trace an individual’s identity. You might be thinking of email addresses, social security numbers, and credit card information, but PII also includes home or cell phone numbers, home address, date of birth (you may have asked for this so you could send a yearly birthday marketing offer), etc. Yikes!
In 2016, CSID, a company specializing in identity theft prevention, released “Survey: How Prepared are Small Business Owners for Cyber Attacks?” with a highly informative infographic. Of the 150 small businesses surveyed, 68% responded that they store email addresses and 64% store phone numbers. Additionally, the survey found that 31% of small businesses are not taking any proactive measures to mitigate cyber risk.
4. Foil phishing.
Phish Food is a delicious ice cream flavor, but if your business experiences phishing, it’s sure to leave a bad taste.
What exactly is phishing? Anyone with an email address has experienced it. Phishing is when you receive an email that appears to come from a company or organization you might know, but is in fact an attempt to get you to give some shady organization your account number, social security number, credit card number, etc.
Sarah Isaacs, CEO of Conventus Corporation, shares, “Each year, hackers increase their focus on small businesses with targeted phishing attacks. Every small business should have a remediation plan for this.”
But how do outsiders gain access? Isaacs explains, “The easiest way into a company is via social engineering. Spoofing email addresses and phone numbers is relatively easy these days. If you are ever in doubt about the certainty of a web link in an email – don’t click – first hover over it to ensure it’s coming from a trusted source. It only takes a few seconds to be sure!”
5. Review regulatory guidelines.
As with the requirements regarding protecting PII above, there can be additional regulatory restrictions, depending on your industry.
Fox says, “Small business owners need to understand their industry’s regulations, such as HIPAA for healthcare and PCI compliance for accepting credit cards. Some highly regulated industries like healthcare and financial services require additional steps for compliance and others do not. You should understand what you are required to do.”
6. Resist ransomware.
What if you woke up to an email that informed you that your most important files had been stolen and that you will need to pay a small fortune to gain access to them again? Think this is science fiction? Think again! A ransomware attack is something that small business owners need to guard against.
But here is some good news. Isaacs says, “Ransomware isn’t an issue for organizations that have continuity plans in place with solid backup strategies. Back up your files. Now. Storage is cheap!”
7. Plan for a breach.
Every small business needs to consider planning for a breach. A data breach can break a small business. Kaleigh Simmons, Director of Marketing at Rippleshot, a technology company focused on fraud protection, shared this statistic:
“We find small businesses sometimes believe that because they’re so small, hackers won’t bother with them. That’s an incredibly dangerous viewpoint: because it’s not true. Here at Rippleshot, of all the merchants whose payment systems have been compromised, over 70% are businesses with five or fewer locations. And what’s even scarier, a House Small Business Subcommittee found that small businesses have an incredibly tough time bouncing back from a breach. Nearly 60% of small businesses affected by one will close up shop within six months.”
How can your business stay more secure? Fox sums it up perfectly. He says, “Security is all about reducing risk. You can’t avoid it altogether, but you can try to reduce the impact that security issues might have on your business.”