The news, both mainstream and business-orientated, is often filled with reports of large-scale data breaches and their effects. We hear about millions of dollars lost and reputations damaged, but the news mostly focuses on larger corporations. As a small business owner, should you have anything to worry about?
Quick answer: yes, you should. Small businesses are being increasingly targeted by cybercriminals; hackers will often try to attack targets that are relatively unprotected. Given that resources are often scarce for small businesses and that there are other priorities to address (not to say cybersecurity should be anything but a priority), the following are some inexpensive and easy methods for businesses to implement.
Determine If Current Efforts Are Effective
There is no point in wasted effort when it comes to security. While you may have expected your employees to follow some basic security guidelines, or you may have sent out a memo about the subject earlier, you will need to check whether your small business is actually following good cybersecurity practices. You can start by inquiring about the following:
- Whether good password procedures are being used.
- Whether employees are equipped to recognize and avoid potential phishing and scamming attempts.
- Whether data is being handled, stored, and backed up in a safe manner.
- How accounts are managed and whether someone would be able to infiltrate them easily.
The main goal here is to let your staff know you are serious about cybersecurity and to make sure they understand their role in protecting the business against common threats and know the potential consequences a data breach would have on the business.
Hold Regular Training Sessions
People will often forget what they have learned, and plans and practices that are not used frequently are usually forgotten. While small businesses should generally emphasize the importance of cybersecurity in all operational and administrative processes, training (especially initially) is necessary for all employees, even ones that don’t regularly handle data. Cybercriminals prefer to use social engineering attacks before using technical know-how to get into your business’ information, and the vast majority of data breaches involve some amount of human error.
The more information you can provide, the better, but you can start by focusing on general practices and on training for any basic procedures and use of technology. Small businesses might want to go into more detail about how data is used and what online services could cause a breach if used improperly. Your business might also use specialized programs that have their own security needs, and managers and IT professionals should keep this in mind. Training sessions should happen at least every six months to account for changes in technology and cybercriminal tactics.
Create a Standardized Incident Response Plan
This document can go by several different names, but your small business needs a standardized document that goes into detail about what an employee should do when faced with a potential security incident. For example, social engineers will often attempt to impersonate another employee or the owner in an email, asking for certain files or contact information. A plan can mean that someone will think twice before falling victim to such tactics, knowing that those requests would be made in person.
You will need to determine the best tactics for your small business based on your staff and industry, but make sure to review every potential type of attack and make at least a basic preparation for it. Go into more detail if your business seems particularly vulnerable. Once the document is finalized, send it out to all staff and enforce it regularly.
Review and Change Policies for Use of Mobile Devices and Cloud Storage
People often think of desktop computers and servers when it comes to cybersecurity, but businesses too often underestimate the information that is kept on mobile devices and in the cloud. Dropbox and Google Drive folders often contain information that could be used against your business or against customers, and financial information could be gleaned from transactions performed over unsafe networks.
Your company should review how mobile devices and cloud storage are used in the workplace. If possible, and if mobile devices are integral to the business, you might want to provide devices to employees for work use that you can control. You might also want to avoid BYOD/shadow IT options, as there is a strong chance personal devices and cloud accounts could put company networks and systems at risk. Finally, while it is a small cost depending on the number of employees, Virtual Private Networks should be used on remote devices that handle work data, especially if they need to frequently use public networks.
Small businesses will have to remain on the lookout for threats and cybercriminals, but this is a necessary task for any business to succeed today. In addition to the above, look into finding other strategies and tips specific to your industry, business, and the types of data you need to protect. Never rest on your laurels as a business. The world is constantly changing, and attackers are constantly finding ways to get into company systems.
What security measures are already in place at your business? Do you think that you might still be at risk of a data breach or compromise? Are there any other tips you’d like to share with your fellow readers? Please leave a comment and tell us what you think, as we can only improve the community through the sharing of information.
Cassie Phillips is a cybersecurity writer and blogger who frequently writes on cybersecurity for businesses both large and small. She knows there is much more to discuss but hopes the information provided gives your company a launching point towards a safer business.