These actions can help you create an effective cybersecurity plan.
A recent study conducted by the U.S. Small Business Administration found that the majority of small business owners feel their business may be vulnerable to a cyberattack. Yet many do not take action because they feel they don’t have the time or financial resources to invest in cybersecurity — or they simply don’t know where to begin.
Here’s the thing: You might not be able to afford the security infrastructure of a large corporation but there are basic security principles that any business can follow, no matter its size. The Federal Trade Commission offers tips and tools to help enhance your small business security.
Keep in mind, Wells Fargo is watching out for you by consistently enhancing our security measures and identifying new and emerging threats to help keep your accounts and information secure. In addition, you can help yourself by taking steps to further enhance your security.
Your first step: Developing a cybersecurity plan. Creating a thorough plan is worth the effort, as it will help prioritize your next steps and determine what your business really needs. Here’s how to start:
Identify your assets and potential threats
- Create a document that lists all your physical technology assets, such as computers and servers, and catalog who has access to each.
- Create a separate list of digital assets, such as customer records and intellectual property, and note where that information is stored. Note any cloud-based systems you use — any software or data you access via the internet vs. a local computer drive.
- Once these documents are complete, use them to identify your most important assets and list potential threats to each. As you develop your cybersecurity plan, ensure that these threats are addressed.
Tip: Review your cybersecurity plan at least yearly to make sure it stays current and relevant to your business.
Review your vendors’ standards
- All of your technology and Software as a Service (SaaS) vendors need to comply with regulatory requirements and other recognized standards, such as those published by the American National Standards Institute (ANSI) and the National Institute of Standards and Technology (NIST), a SOC 2 Type II attestation report covering data security, and the Payment Card Industry Data Security Standard (PCI DSS).
- Review vendor practices at least annually to ensure continued compliance with industry standards.
- Make sure your service agreements with your technology vendors address any security concerns — cybersecurity needs to be built into any agreement.
- Check that your SaaS providers are protecting sensitive customer data such as credit card details or other personal information and are compliant with relevant data privacy laws such as GLBA, GDPR, and HIPAA.
- Make sure your financial institution’s approach to cybersecurity fits your own: look for multifactor authentication, strong encryption practices, and continuous monitoring of all account activity.
- Set minimum security requirements for your suppliers and design your defenses with "assume breach" in mind: plan as if a compromise has already occurred somewhere in your environment, so that a single breached account or vendor cannot reach everything.
Tip: Avoid physical theft, too. Keep computers and servers with sensitive information in a secure office location.
Create technology guidelines for employees and contractors
- Establish and communicate password standards. Passwords should be a minimum of 12 characters (the longer the better), using either a combination of upper- and lowercase letters, numbers, and special characters or a long passphrase. Current NIST guidance (SP 800-63B) favors length and screening against known-breached passwords over scheduled password changes, so require a change when you suspect a compromise rather than on a fixed calendar.
- Use strong authentication measures. Explore two-factor authentication and single sign-on (which unifies login across the third-party software portals your company uses, so there is one account to protect and one place to revoke it) to lessen the odds and impact of a compromised account. You can start with a free authenticator app or purchase a package from a trusted security provider.
- Devise a tiered system for assigning administrative rights, so that each user has only the access their job requires (least privilege) and not all employees can reach all information. Also be sure to revoke access when an employee leaves the company or when a contractor's work is complete.
- Train employees and contractors to recognize and avoid security risks and report suspicious activity. For example, ransomware attacks often succeed when an employee opens a malicious file on a work device through a personal email account or USB device. The Federal Trade Commission’s Cybersecurity for Small Business site has educational tools that can help.
Tip: Protect those access points! More than a quarter of organizations had some type of public cloud security incident in 2022.
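The guidelines above (a 12-character minimum with mixed character classes, tiered access rights, and revoking access when staff or contractors leave) are straightforward to turn into checks you can run. The following is an added example, not code from the original article or from Wells Fargo; the role names, asset names, tiers and sample accounts are constructed for illustration.

```python
"""Added example (not from the original article): a minimal password-policy
check, a tiered least-privilege access model, offboarding that revokes access,
and an audit that finds contractor accounts left active past their end date.
Role names, asset names and tiers below are hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 12


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means it passes.
    Baseline from the article: at least 12 characters plus upper, lower,
    digit and special characters."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    return problems


# Tier 0 is the most privileged. Each asset names the least-privileged tier
# (highest number) that is still allowed to reach it. Hypothetical names.
ASSET_MAX_TIER = {
    "domain-controller": 0,   # IT admins only
    "customer-records": 1,    # admins and the office manager
    "shared-calendar": 2,     # everyone, including contractors
}

ROLE_TIER = {"it-admin": 0, "office-manager": 1, "staff": 2, "contractor": 2}


@dataclass
class Account:
    username: str
    role: str
    active: bool = True
    contract_end: Optional[str] = None   # ISO date (YYYY-MM-DD) for contractors


def can_access(account: Account, asset: str) -> bool:
    """Least privilege: the account must be active and its role's tier must be
    at least as privileged (numerically <=) as the asset requires."""
    if not account.active:
        return False
    return ROLE_TIER[account.role] <= ASSET_MAX_TIER[asset]


def offboard(account: Account) -> Account:
    """Revoke everything at once by deactivating the account; every
    can_access() check then fails regardless of tier."""
    account.active = False
    return account


def stale_access_report(accounts: List[Account], today: str) -> List[str]:
    """Flag active contractor accounts whose end date has already passed.
    ISO dates compare correctly as strings, so no date parsing is needed."""
    return [
        a.username
        for a in accounts
        if a.active and a.contract_end is not None and a.contract_end < today
    ]
```

Run the stale-access report on a schedule (for example, weekly) against your account list; any name it returns is a revocation that was missed when a contract ended.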
Implement the use of specific tools for protection
- Set up core protections such as antivirus, firewall, and anti-malware tools. Also make sure you're using the encryption tools already available on your computers, workstations, and servers, such as the full-disk encryption built into current operating systems.
- Implement software to monitor network traffic and identify suspicious behaviors — both free tools and more multifaceted packages are available, depending on your budget and business needs.
- Explore whether your business can isolate sensitive data on its own network segment and protect it with encryption both at rest and in transit. Approaches to encryption vary in complexity from business to business, so consider which data makes most sense for your business to encrypt.
- To help protect yourself, ensure all devices on your network are running current, supported software. Enable automatic updates and patches to help protect against viruses, malware, and other threats.
- Frequently back up local data to the cloud and to separate local storage so the data survives an attack, and periodically test that you can actually restore from those backups. Consider a trial run of any new solutions so you can fully assess whether a product will suit your needs.
- Enable WPA2 or WPA3 encryption on Wi-Fi routers and provide separate networks for guest access.
Tip: Change your router’s admin password. Default passwords are often easy to guess or find on the internet — and a hacker could undo your security settings if they gain access.
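A backup you have never restored is an assumption, not a safeguard. The script below is an added example (not from the original article or from Wells Fargo) showing how to copy a directory, record a SHA-256 manifest of every file, and then verify that a restore reproduces each file exactly. The sample files it backs up are constructed inline, so it runs offline in a temporary directory.

```python
"""Added example (not from the original article): back up a directory with a
SHA-256 manifest and verify that a restore matches the manifest byte for byte.
The sample office files are constructed inline for the demo."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Copy source into dest/data and write manifest.json beside the copy."""
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(source), indent=2))
    return dest


def verify_restore(backup_dir: Path, restore_to: Path) -> List[str]:
    """Restore into a fresh location and return the files that are missing,
    unexpected, or whose digest differs from the manifest (empty = good)."""
    shutil.copytree(backup_dir / "data", restore_to)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restore_to)
    missing_or_extra = set(expected) ^ set(actual)
    changed = {k for k in expected if k in actual and expected[k] != actual[k]}
    return sorted(missing_or_extra | changed)


def run_demo() -> Tuple[List[str], List[str]]:
    """Back up constructed sample files, verify a clean restore, then corrupt
    one file in the backup copy and confirm verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "office"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.txt").write_text("constructed sample invoice\n")
        (src / "customers.csv").write_text("id,name\n1,Sample Customer\n")

        backup(src, tmp / "backup")
        clean = verify_restore(tmp / "backup", tmp / "restored")

        # Simulate silent corruption (or tampering) of the stored backup copy.
        (tmp / "backup" / "data" / "customers.csv").write_text("id,name\n1,TAMPERED\n")
        corrupted = verify_restore(tmp / "backup", tmp / "restored2")
        return clean, corrupted


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the backup and also copy it somewhere the backup media cannot silently overwrite (the same separation the article recommends for your plan itself); a restore test that passes against a manifest stored only on the corrupted media proves less than one checked against an independent copy.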
Define your leadership response
- Know who is responsible for the plan. Make it clear who is responsible for reviewing and updating the cybersecurity plan, and how often.
- Make training part of the job. Determine who is responsible for training users, enforcing standards, and managing/monitoring installed software.
- Outline a response plan in case of a cybersecurity problem. Determine who is responsible for responding to an attack, and how. This plan should include provisions for straightforward incidents as well as those that require an escalated response. Ensure the plan outlines the roles and responsibilities of all business and technology stakeholders involved, including subject matter experts, third-party vendors, and managed service providers. Also make sure the plan includes service level agreements and current contact information so you're not scrambling in the middle of a crisis.
- Make sure the plan is available and easily accessible. Ensure all those who are responsible for implementing the plan have a copy in the event of an incident. Keep multiple copies of your plan: a local network copy, a backup stored in the cloud, and a physical (printed) backup stored at a secure offsite location in case your digital copies become unavailable.
Tip: Test your cybersecurity knowledge with the online quizzes from the Federal Trade Commission. Share them with your employees, too!
Following the five tips outlined above can help any business — including yours — develop an effective cybersecurity plan over time. And while you work to put your plan in place, there are several key actions you can take today to make your business safer.