
A Small Business Guide to Cyber Protection

If you own a small business or are the person responsible for protecting one, you are well aware of the problematic position your organization faces. Protecting company assets, including client, employee, patient, and other sensitive data, has become increasingly difficult for all organizations as attacks become more persistent, sophisticated, and frequent. Like most things in life, cyber-criminals seek the path of least resistance when plotting their next attack. They are well aware of the predicament small organizations find themselves in: an overwhelming need to protect their brand, but limited resources to do so.


In 2019, nearly half of all cyber-attacks targeted small businesses. More than sixty percent of small businesses that suffered an incident went out of business. Yet, nearly seventy percent of senior-level decision-makers within small businesses maintained the belief that cyber-criminals would not target their organization. Evidence over the past half-decade does not paint a bright picture for small businesses moving forward unless something changes quickly. We’ve outlined a pragmatic guide for small businesses to either start an information security program or start down the path of maturing one currently in place.


Conduct an Information Security Risk Assessment

The need to assess the current landscape of threats, vulnerabilities, and risks present within your business cannot be overstated. Building a program without having conducted a risk assessment first is like driving to an unknown location without directions. It’s better than doing nothing, but it is unlikely that resources are focused on the areas that deliver the most protection and resiliency.


A proper risk assessment will uncover the weaknesses present within your organization across business processes, technology, and people. How is data being transmitted? Are access controls configured so that employee privileges are appropriate? Do technical controls protect your systems and network? What are you doing to protect your business from vendors that may have access to your systems and data? The list goes on and on, and it’s critically important to perform a comprehensive assessment that gives you a detailed list of findings and recommendations.


Follow the Evidence and Prepare for Ransomware

Yes, a risk assessment is paramount to doing this right, but don’t overlook the evidence that’s in front of you right now. Small businesses are being crippled by ransomware every single day. Seventy-one percent of ransomware attacks target small businesses. It’s time to go through the necessary steps to protect your business from such an attack.


Deploying the correct technologies, training, and processes to help prevent ransomware does not happen overnight. It requires time, consulting, and change, so while you are implementing those preventative measures, start thinking about how your business would handle ransomware. Sit down with your IT and operations staff to learn more about the business continuity plan that exists. If no plan exists, start building one immediately. People are resilient and will do everything they can to survive an attack, but having a plan will cut down the time it takes to recover considerably. Build your plan, strongly consider how system and data backups will be handled within the plan, and practice it with critical stakeholders often. It’s more likely that instead of rising to the occasion of ransomware, your employees will fall to the level of training they have in dealing with it.


Prioritize and Execute

Once you decide to invest in protecting the business and conduct a risk assessment, there’s only one thing left to do: prioritize your risks and execute remediation efforts. The path to executing well is through a strategic plan, a risk-based approach, and capable people with the skills and experience to implement changes and safeguards.


Developing a plan to address your top risks first is key to ensuring you stay the path, continue chipping away, and don’t lose sight of the security program vision. You might already know you need to increase training for your employees, monitoring of your systems, and risk analysis of your vendors, but documenting this strategy will give you a better chance of proper prioritization in the long run and continuous execution.


You might not have the resources large enterprises do to invest in an information security program. Still, it doesn’t have to cost a fortune to increase the protection of your business from cyber-criminals exponentially. Finding out where the gaps are and developing a plan to deal with them should be part of your near-term goals. In the meantime, consider cybersecurity when making all future business decisions to prevent digging yourself a bigger hole.



Resources:

2019 Data Breach Investigations Report

Hiscox Cyber Readiness Report 2019



© 2025 Advosec, LLC | All Rights Reserved
