Like it or not, modern businesses are placing themselves in the firing line if they fail to take action to protect themselves from hackers. The recent global cyber breach underlined how important information security is to business. The cost to organizations, including the U.K.’s National Health Service (NHS), is estimated to run into the billions.
WannaCry was the name given to the malware that infected computers running Windows XP. Users logged on only to face a ransom demand, a countdown timer and a Bitcoin wallet to receive the ransom. Thousands of NHS patients had their data locked, including some midway through operations.
Many SMBs don’t understand the extent to which their data is at risk, and those who do often don’t know where to start in addressing this problem. In 2015, the U.K. government issued a press release suggesting that businesses need to plan for cyberattacks. The research revealed that as many as 90% of big businesses and 74% of SMBs had experienced an information-security breach.
It’s understandable, then, that a large proportion of small-business owners don’t pay the danger much attention, perhaps failing to realize that something as innocent as a social-media post or a USB stick left in the wrong place can be enough to bring down their whole organization. If you’re in this group, you should start reviewing the risks and putting security procedures in place. This guide gives you a starting point, with five steps you can implement right away to improve the safety of your company.
1. Find risks and make a note of where they are.
The starting point for securing your company from cyber threats is to identify where they are through a full risk assessment. This step will show you what your company possesses that may be of interest to a cyber thief. Remember that customer data is often the most important thing to protect, because although the direct cost of losing it may be small compared with research data or intellectual property, you’re likely to lose more through fines and lawsuits. Furthermore, the cost to your public image and the loss of customer trust can take years to recover.
Consider all your company’s data, as well as where it comes from, where it’s stored, who has access to it and what security procedures they must go through to reach it. Are these measures secure enough? Do you use two-factor authentication (additional security beyond basic password protection)? Are your people trustworthy? Do you have strict protocols, policies or automated restrictions in place to protect your networks, email and other systems? Do you encrypt data on your network, and do you dispose of old computers safely? You should be asking yourself all these questions.
If your employees are using their personal laptops and phones at work, you may want to enact a written policy to prevent them from activities that compromise the security of your systems. Or if they use company-provided devices, you may need rules about what they do with those systems at home or how they use social media at the office. Regular staff training on digital security is a must for any organization.
2. Keep track of both internal and external hazards.
Once you’ve identified and documented where you may be at risk, the next step is to focus your attention on those who may have a desire to compromise the security of your business. It’s useful to learn about the kinds of cybercrimes that may threaten you, and how they’re typically carried out, so you can better protect yourself. Cyber criminals come in all shapes and sizes, and although you’re more likely to be under threat from individuals in remote locations, there’s also a risk from people in your organization.
One danger is “undercover hackers,” who join companies to gain easy access to their security systems and to steal data. An unscrupulous employee may also be willing to help cyberattackers in exchange for a share of the financial reward. Or perhaps a staff member who feels wronged wants to bring the business down. This situation is rare, so you need not constantly look over your shoulder or analyze every word uttered in the staff kitchen, but it’s important to be aware of this threat.
3. Identify where your systems are vulnerable.
Now you should have a clear idea of who might target your business and where they are, and you should have taken stock of your assets that may attract these attackers. Next, you must find any weaknesses in your data security before they do. You can use various methods to analyze the security of your systems and networks, and some of them are even free. Such tools check that your software is up to date and flag known vulnerabilities in what you are running.
An intrusion detection and prevention system (IDPS) is similar to a firewall, except it identifies internal threats in addition to suspicious activity outside of your network. As you may have guessed from the name, these systems also protect your networks from identified threats.
Penetration testing is another useful way to keep your systems secure, and you should use it regularly. A penetration test mimics an attack in order to check your IT systems and networks for weaknesses that a cyber criminal could exploit. Penetration-test reports also offer solutions and advice that will help you reduce the risk of a breach.
4. Determine the impact of threats and how likely they are to occur.
A business-impact analysis can help you identify the likely outcomes of various kinds of cybersecurity breaches. Such a breach could have implications that go beyond financial loss. Your operations may be affected while you recover from the impact and put new measures in place to protect yourself from future attacks, and any damage to your public image and reputation for trustworthiness will have a serious effect on your relationships with existing and potential new customers, as well as the press. It’s vital to take this threat seriously: 60% of small companies cease to exist within half a year of falling victim to cybercrime.
Different types of attacks could have implications for different people in your organization, and the scale of the attack will also determine whether company-wide procedures and protocol changes are necessary or whether a local team can address the situation. Have a business-continuity plan in place to prepare for and deal with any issues that may arise. Or if you want to go a step further, consider implementing a cybersecurity incident-response plan.
5. Prioritize risks and start resolving them.
Now that you know what you might be losing and how you’re likely to come under attack, you should be able to identify your most pressing security issues. Start by drawing up a list of priorities and work through them one by one, putting in place the necessary measures to keep your business as safe as possible. You should extensively test any changes you make to ensure they’re working and they don’t hamper your operations. Some of these steps may require outside assistance; plenty of IT service providers can work with you to keep your systems secure.
Although they most likely have your best interests at heart, don’t forget that your employees are still the biggest threat to your IT security. This doesn’t mean they’re out to ruin your company, but because they don’t necessarily understand the technology they use or the various cyber threats, regular training is necessary to make sure they’re up to date on the latest risks and aware of the importance of avoiding them. Having staff read and sign policies that document best practices is another way of encouraging safe behavior and ensuring accountability.
You can never guarantee that you’ll be completely safe from cyberattacks, so it’s important that you’re well prepared should the worst happen. Make sure everyone in your organization is aware of the risks and knows exactly how to respond. This process includes ensuring they have received the training and resources they require to succeed in this task.
About the Author
Bethany Cornell is a digital-marketing expert focusing on digital PR. Her interests include technology, data and security news.