Where should small businesses begin with cybersecurity?
A new report from RIMS explains how SMBs can create effective cybersecurity plans.
In today’s hyper-cyber world, no business is too small to be concerned about cybersecurity. In the past year, 42% of small businesses reported experiencing a cyberattack, according to a recent report from AdvisorSmith. These attacks included a mix of phishing, malware, data breaches, denial-of-service and ransomware.
It can be difficult for smaller business owners, who may not already have cybersecurity strategies in place, to even know where to start protecting themselves. RIMS, the risk management society, recently released a report detailing the process small and medium businesses (SMBs) can use to safeguard against bad actors.
Identify important information
Cybercriminals are not always after information they can sell; often they target information that is valuable to the business they are attacking. The first step in creating a cybersecurity plan, RIMS suggests, is to identify the information within your company that may be attractive to bad actors. This includes customer and employee data (Social Security numbers, medical data, contact information, financial information, etc.) as well as company data (billing information, product specifications, operational information, etc.) that your business needs in order to operate.
Look at possible worst-case scenarios
Playing the “what-if” game may sound like a recipe for anxiety, but it is necessary to consider all possible scenarios in order to defend against them. Examples of questions RIMS suggests you explore include:
- What happens if your customers’ information is stolen?
- What happens if your company has to stop operations for 15 days or longer?
- What if data you need to operate has been encrypted by ransomware?
- Can your company be the entry point of an attack on one of your clients?
- Could any of your subcontractors be an attack entry point for you or your clients?
Define your reactions
Once you have a list of worst-case scenarios, brainstorm how your company will react to each, and consider the safeguards you have in place – or should have in place – prior to an attack. This includes having backups of company and client information, having a trusted IT service available and making sure you have a cyber insurance policy and know how to use it. You should also have a plan for who to inform, and how to inform them, if there is a data breach.
Create clear policies for your employees
People are often the point of entry for cyberattacks, so it’s imperative that employees are trained in good cyber hygiene practices so they do not become a point of weakness in your business. They should know how to safely store customer and business information, how to recognize phishing attempts and how to create strong passwords – especially those employees who have administrative permissions.
Find monitoring alternatives
Cyber risk is constantly changing as bad actors find new strategies to attack businesses, so staying aware of these evolving trends is imperative to protecting your business. Creating a dedicated internal IT team, using detection software and even retaining an external IT consulting team can all go a long way toward protecting your assets.
In its report, RIMS also offers a checklist from cybersecurity provider PurpleSec of the minimum steps SMBs should take to prevent the most common cyberattacks. These include:
- Developing cybersecurity policies
- Implementing security awareness training for all employees
- Installing spam filters and anti-malware software
- Deploying next-generation firewalls
- Installing endpoint detection and response