These five actions can help you create an effective cybersecurity plan.
A recent study conducted by the U.S. Small Business Administration found that 88% of small business owners feel their business may be vulnerable to a cyberattack. Yet many do not take action because they feel they don’t have the time or financial resources to invest in cybersecurity — or they simply don’t know where to begin.
Here’s the thing: You might not be able to afford the security infrastructure of a large corporation, but there are basic security principles that any business can follow, no matter its size.
Your first step: Developing a cybersecurity plan. Creating a thorough plan is worth the effort, as it will help prioritize your next steps and determine what your business really needs. To begin, consider the following steps.
Identify your assets and potential threats
- Create a document that lists all your physical technology assets, such as computers and servers, and catalog who has access to each.
- Create a separate list of digital assets, such as customer records and intellectual property, and note where that information is stored. Note any cloud-based systems you use — any software or data you access via the internet vs. a local computer drive.
- Once these documents are complete, use them to identify your most important assets and list potential threats to each. As you develop your cybersecurity plan, ensure that these threats are addressed.
Revisit your plan often. Plan to review your cybersecurity plan at least yearly to make sure it stays relevant to your business.
Review your vendors’ standards
- All of your technology and Software as a Service (SaaS) vendors need to be compliant with regulatory requirements and other emerging standards, such as those from the American National Standards Institute and the National Institute of Standards and Technology (commonly cited as ANSI/NIST), SOC 2 Type II certification for data security, and the Payment Card Industry Data Security Standard (PCI DSS).
- Review vendor practices at least annually to ensure continued compliance with industry standards.
- Make sure your service agreements with your technology vendors address any security concerns — cybersecurity needs to be built into any agreement.
- Check that your SaaS providers are protecting sensitive customer data such as credit card details or other personal information.
- Make sure your financial institution’s approach to cybersecurity fits your own: look for multifactor authentication, strong encryption practices, and continuous monitoring of all account activity.
Avoid physical theft, too. Keep computers and servers with sensitive information in a secure office location.
Create technology guidelines for employees and contractors
- Establish and communicate standards for password complexity and frequency of change.
- Use strong authentication measures. Explore the possibility of using two-factor authentication and single sign-on (which unifies login information across the various third-party software portals your company may use) to lessen the odds and impact of a compromised account. To investigate these options, you can download a free authenticator app or purchase a package from a trusted security provider.
- Devise a tiered system for assigning administrative rights to users, so that not all employees have access to all information. Also be sure to revoke access when an employee leaves the company or when a contractor’s work is complete.
- Train employees and contractors to recognize and avoid security risks and report suspicious activity. For example, ransomware attacks often succeed when an employee opens a malicious file on a work device through a personal email account or USB device. The Federal Trade Commission’s Cybersecurity for Small Business site has educational tools that can help.
Protect those access points! Unauthorized access is one of the biggest threats to public clouds, according to 58% of organizations.
Implement the use of specific tools for protection
- Set up core protections such as antivirus, firewall, and anti-malware tools. Also make sure you’re using the encryption tools available on your computers, workstations, and servers.
- Implement software to monitor network traffic and identify suspicious behaviors — both free tools and more multifaceted packages are available, depending on your budget and business needs.
- Explore whether your business may be able to protect and isolate sensitive data within your network using multilayered encryption. Approaches to encryption vary in complexity from business to business, so consider which elements make most sense for your business to encrypt.
- Decide when and how systems will receive software updates and patches.
- Frequently back up local data to the cloud and to separate local storage to preserve data in case of an attack. Consider a trial run of any new solutions so you can fully assess whether a product will suit your needs.
- Use encryption on Wi-Fi routers and provide separate networks for guest access.
Change your router’s admin password. Default passwords are often easy to guess or find on the internet — and a hacker could undo your security settings if they gain access.
Define your leadership response
- Know who is responsible for the plan. Make it clear who is responsible for reviewing and updating the cybersecurity plan, and how often.
- Make training part of the job. Determine who is responsible for training users, enforcing standards, and managing/monitoring installed software.
- Outline a response plan in case of a cybersecurity problem. Determine who is responsible for responding to an attack, and how. This plan should include provisions for straightforward incidents as well as those that require an escalated response.
- Make sure the plan is available and easily accessible. Ensure all those who are responsible for implementing the plan have a copy in the event of an incident. And keep in mind that it should not be stored in the cloud alone, in case the cloud goes down.
Test your cybersecurity knowledge with the online quizzes from the Federal Trade Commission. Share them with your employees, too!
Following the five tips outlined above can help any business — including yours — develop an effective cybersecurity plan over time. And while you work to put your plan in place, there are several key actions you can take today to make your business safer.