Developing and implementing a cybersecurity plan has never been as important as it is today, given mounting threats putting small firms in jeopardy.
Studies show that bad actors go after small businesses because they know most lack security tooling, data protection and dedicated staff. Despite the risks, 83% of small business owners still have not implemented a cybersecurity program.
According to a Security Magazine report in May, some 60% of small businesses that suffer a data breach permanently close their doors within six months of the attack.
We hear business owners say it will never happen to them because it has not happened yet.
Some say, “Why would we be a target?” Our response is, what’s important is finding ways to avoid the high cost of doing nothing, which is greater than the cost of mitigating the risk – especially when it comes to ransomware and the value of lost, highly sensitive or proprietary information. At the same time, we inform them that no cyber protection tool / program is 100% bulletproof.
Backup is essential
Business owners should assess their vulnerabilities and the potential liabilities they can face. Until a breach occurs, most firms don’t see the need for change. While attacks can cost a lot of money, the true cost is harm to customers and business relationships.
A typical attacker is on an opportunistic hunt, scanning for perimeter weaknesses or sending phishing email to see what can be exploited. The question is what can be done to identify, address and prevent those risks and so reduce business costs.
We talk in terms of developing a security strategy: policies and procedures, user education, and basic and advanced security technology that can be implemented now and expanded in layers or tiers over time within the available budget.
Preventive controls typically include anti-spam filters, email fraud detection, antivirus software, firewalls, virtual private networks (VPNs), encryption, network intrusion alerts and security monitoring.
More advanced measures include behavioral analytics engines, penetration testing, packet capture and analysis, employee activity monitoring and offsite managed services. Monitoring software records user behavior such as application use, websites visited and log-on activity.
We focus initially on the human factor and on the benefits of cybersecurity, showing why each action matters, backed up by evidence and statistics.
Limit data access
Many attacks start with company personnel, whether someone does something accidentally or on purpose.
Employees at small companies can be a weak link by having access to software, files and vital data that are usually locked down in the corporate world. Vital data includes credit card and Social Security numbers, financial reports, personnel records and supplier contacts.
Access to sensitive data must be controlled and limited, with a clear distinction between which employees may access which data. Those rules should be enforced through permissions on the systems that hold the data, documented in policy, and explained in formal training sessions.
Emphasis should also be placed on showing staff members how to detect possible scams and why they should not click on or reply to suspicious emails, as well as on the need to record each attempt and report it to management. Employee education can also lead to a reduction in cyber liability insurance costs.
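As an added example (not code from the original article or a Goliath tool), the following Python script applies a handful of the checks behind the "email fraud detection" tools and the "how to detect possible scams" training mentioned above to a constructed sample message, and produces the concrete reasons a user or help desk would record when reporting the attempt. The two sample messages, the domain names in them and the list of urgency words are assumptions made for the example; the checks use only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real email). The first mimics a payroll-
# redirect scam: a display name that embeds a look-alike address, a free-mail
# Reply-To, failed SPF/DMARC results recorded by the receiving server, and a
# link whose visible text does not match its target. The second is a benign
# internal notice used to show that the checks stay quiet on normal mail.
SCAM_EMAIL = """\
Return-Path: <bounce@mail-acme-payroll.example>
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=mail-acme-payroll.example; dmarc=fail header.from=acme.example
From: "Dana Smith <dana@acme.example>" <dana.smith@mail-acme-payroll.example>
Reply-To: dana.smith.ceo@freemail.example
To: accounts@acme.example
Subject: URGENT: update my direct deposit today
Content-Type: text/html

<p>Please update my direct deposit immediately, this is urgent.</p>
<p><a href="http://acme.example.login-verify.example/dd">https://hr.acme.example/payroll</a></p>
"""

CLEAN_EMAIL = """\
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
From: "IT Help Desk" <helpdesk@acme.example>
To: staff@acme.example
Subject: Reminder: quarterly password rotation
Content-Type: text/html

<p>Passwords expire at the end of the month. Change yours at
<a href="https://portal.acme.example/password">https://portal.acme.example/password</a>.</p>
"""

# Pressure words common in payment and credential scams (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "today", "wire transfer", "gift card")


def domain_of(addr: str) -> str:
    """Lowercase domain part of an email address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def url_host(url: str) -> str:
    """Lowercase host part of an absolute URL, or '' if it is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage_email(raw: str) -> dict:
    """Return a score and the list of fraud indicators found in a raw message."""
    msg = message_from_string(raw)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name smuggles in an address from a different domain.
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", display)
    if any(domain_of(e) != from_dom for e in embedded):
        findings.append("display name embeds an address from a different domain")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    # 3. The receiving mail server recorded failed SPF/DKIM/DMARC checks.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} check failed at the receiving server")

    # 4. Link text shows one host but the href points at another.
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown, actual = url_host(text.strip()), url_host(href)
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")

    # 5. Two or more pressure words in the subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))

    return {"score": len(findings), "findings": findings,
            "action": "report to IT/management" if findings else "no indicators"}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("clean", CLEAN_EMAIL)):
        result = triage_email(raw)
        print(f"{name}: score {result['score']}, {result['action']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is one of the things training should teach staff to look for by eye (who the reply really goes to, whether the visible link matches the real one, whether the message pushes for speed); the script simply makes the check repeatable and gives the help desk a reason to write down when the attempt is reported. Commercial email-fraud-detection products do far more (reputation data, attachment sandboxing, look-alike domain analysis), but the indicators are the same.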
Working with clients is not a one-time shot. We support small businesses with ongoing cycles, through periodic audits and reports to gauge progress, effectiveness and fine-tune the process.
Begin with a Risk Assessment
Company-wide risk assessment is often the first step when developing a plan.
Audits are necessary to identify likely attack vectors and entry points and to determine where the weak points are. A zero-trust approach, in which no user or device is trusted by default and every access is verified, also depends on early detection, accurate identification of threats and the ability to respond quickly, using tools that scan for anomalies on the network as part of the company's cyber assessment profile.
Applying updates and patches promptly is essential. Simple safeguards also include automatic log-out after inactivity, automatic clearing of browser histories, use of a VPN for remote access, pointing DNS (Domain Name System) resolver settings at a filtering resolver rather than the default, enabling encryption and taking backups regularly.
Clients lost without a plan
Smaller businesses may be cutting back because of economic pressures, or may believe they are too small to need or manage cybersecurity.
But the cost of that is that small businesses often cannot engage with large companies, hospitals (Health Insurance Portability and Accountability Act rules), government entities, regulators or defense contractors without cybersecurity measures and cyber insurance.
This is where an outside security consultant can help.
The goal is to begin the process, develop a strategy and add the necessary protections a step at a time.
Having a plan is often required for obtaining cyber insurance. Not putting the plan into action can also raise the cost of coverage. Non-compliance also affects a firm's viability in the marketplace.
Criteria for cyber liability insurance
Cyber insurance companies typically ask a series of questions to assess and qualify a firm for coverage based on its existing cybersecurity readiness:
- Who handles cybersecurity at the company?
- What valuable data is at risk?
- What technologies are being used to protect systems and data?
- What policies/processes are in place to address risks?
- What is the company’s history of cyberattacks?
- Does the company comply with industry regulations and standards?
Key industry guidelines include the California Consumer Privacy Act (CCPA); the National Institute of Standards and Technology (NIST) guidance for small businesses (the Cybersecurity Framework and NISTIR 7621); industry frameworks such as Control Objectives for Information and Related Technologies (COBIT); and professional and privacy bodies such as the Information Integration Analysis Center (IIAC), the International Association of Privacy Professionals (IAPP) and the Information Systems Audit and Control Association (ISACA).
All of the above is affordable!
Pitch a boss about improving a company’s cyber defenses
- Explain the current environment – Risk factors, examples from firms in the industry
- Quantify the risk – Through an assessment of the infrastructure and by monitoring activity to determine areas of concern and see if the firm is meeting compliance and regulatory requirements
- Develop relationships with program advocates – In the firm and external security vendors who can provide the firm with various information security services
- Consider a third party – A consultant or managed services firm, to broaden the scope of what needs to be done, initially and over time.
- Simulate an attack – Outside vendors can provide penetration testing services that simulate a real attack.
- Conduct a table-top exercise – Validate elements of the proposed business continuity plan (BCP) and the related disaster recovery (DR) plan for restoring required technology and infrastructure
How to convince your board to improve cybersecurity
- Do more prep work – Phrase conversations in a way that resonates with the directors after reviewing their business priorities and big-picture initiatives.
- Offer an assessment – Show the cybersecurity measures already in place and how reducing threats better serves customers.
- Be honest and transparent – Understand the board’s interests and business objectives: litigation risks, impact of major incidents, rationale for cyber liability insurance, what needs to be done and what tools are involved.
- Prepare to answer difficult questions – How good is existing security? How prepared are we to tackle future attacks? How can we mitigate risks to an acceptable level at a threshold approved by the board? Showcase a solution or possible approach.
- Avoid scare tactics – Provide factual, documented information the board can use to make an informed decision, provide recent updates, address new issues and opportunities.
Contact Goliath today and let's talk about how we can help you prepare for and manage cybersecurity while protecting your brand!