Is My Business Too Small to Worry About Cybersecurity?
Many businesses have been putting resources including people, technology, and budgets into protecting themselves from information security and cybersecurity threats. As a result, they have become a more difficult target for malicious attacks from hackers and cyber criminals. Consequently, hackers and cyber criminals are now successfully focusing more of their unwanted attention on less secure businesses.
Because small businesses typically don’t have the resources to invest in information security the way larger businesses can, many cyber criminals view them as soft targets. Your small business may have money or information that can be valuable to a criminal; your computer may be compromised and used to launch an attack on somebody else (i.e., as part of a botnet); or your business may provide access to more high-profile targets through your products, services, or role in a supply chain.
It is important to note that criminals aren’t always after profit. Some may attack your business out of revenge (e.g. for firing them or somebody they know), or for the thrill of causing havoc. Similarly, not all events that affect the confidentiality, availability, or integrity of your information (called “information security events”) are caused by criminals. Environmental events such as fires or floods, for example, can severely damage computer systems.
The overall impact of an incident could include:
- damage to information or information systems;
- regulatory fines and penalties / legal fees;
- decreased productivity;
- loss of information critical in running your business;
- an adverse reputation or loss of trust from customers;
- damage to your credit and inability to get loans from banks; or
- loss of business income.
Unfortunately, in one respect, small businesses often have more to lose than larger organizations simply because an event—whether a hacker, natural disaster, or business resource loss—can be extremely costly. Small businesses are often less prepared to handle these events than larger businesses, but with less complex operational needs, there are many steps a small business may be able to take more easily. Thus, it is vitally important that you consider how to protect your business.
Small businesses often see information security as too difficult or as requiring too many resources. It is true that there is no easy, one-time solution to information security – it takes time and careful consideration with all relevant stakeholders. However, when viewed as part of the business’s strategy and regular processes, information security doesn’t have to be intimidating.
A strong information security program can help your organization gain and retain customers, employees, and business partners.
Customers have an expectation that their sensitive information will be protected from theft, disclosure, or misuse. Protecting your customers’ information is an example of good customer service and shows your customers that you value their business, potentially increasing your business opportunities.
Similarly, employees have an expectation that their sensitive personal information will be appropriately protected, and a comprehensive information security program can help employees feel valued and help improve their knowledge, skills, and abilities.
Also, other business partners want assurance that their information, systems, and networks are not put at risk when they connect to and do business with your business; demonstrating to potential business partners that you have a method to protect their information can help strengthen and grow your business relationship.
Developing or improving your information security program will also make it easier for your organization to innovate – taking advantage of new technologies that can lower costs while delivering better services to your customers.
It is not possible for any business to be completely secure. Nevertheless, it is possible—and reasonable—to implement a program that balances security with the needs and capabilities of your business.
The Internet and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data.
10 Key Cybersecurity Tips to Help Protect Your Small Business:
Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Protect information, computers, and networks from cyber attacks. Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
Provide firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.