As more businesses move online, criminals are following them. If you’re still using yesterday’s cyber security strategies, you’re vulnerable to malicious attacks that could permanently damage your business. It’s time to wake up and invest in learning about cyber security strategies.
The Need for Robust Cyber Security Strategies
When you run a small business, you might feel less targeted by cyber criminals. But nothing could be further from the truth. In reality, small and medium-sized businesses are much more prone to attack than large corporations.
Cyber criminals aren’t necessarily hunting for large firms. What they want is easy access and valuable data. “It is the data that makes a business attractive, not the size — especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property,” says Jody Westby, CEO of Global Cyber Risk.
Unfortunately, many small business owners (SBOs) don’t recognize this and have cut their security spending. According to PwC’s Global State of Information Security Survey 2015, firms with annual revenues of less than $100 million cut security spending by roughly 20 percent in 2014, while those above that level increased security investments by 5 percent.
The unfortunate result of these cuts is that the majority of small businesses will be victimized at some point in the future. According to Timothy Francis, a leader in the cyber insurance field, 62 percent of cyber-breach victims are small and medium-sized businesses.
The cost of an individual attack can range from a few hundred to a few million dollars. That’s enough to put many companies out of business.
Cyber insurance can offset some of these costs, but it does very little to protect against the initial breach. What small businesses really need are better cyber security strategies. And until owners band together to increase security, they’ll continue to be easy targets.
Six Tips for Protecting Your Small Business
Every firm is unique. Your needs may be dramatically different from those of your closest competitor. Given that, here are a handful of cyber security strategies and tips that virtually any business should consider for better security.
1. Implement Secure Communication Methods
The biggest threat facing your business is unsecure communication. Many companies still choose to transmit information via relatively unsecure channels such as email or direct mail.
In order to mitigate risk — especially if you’re bound by compliance mandates like HIPAA — you need to invest in more secure forms of communication. Here’s a tip that may surprise you: Did you know that fax is the most secure form of communication in the business world?
“When a document is sent by fax it’s converted into binary code (1s and 0s), sent over the telephone network and then reassembled at the other end,” says Karol Waldron of XMedius, a leader in enterprise-grade fax solutions. “Hacking into the telephone network would require direct manual access to the telephone line, and even if a file were intercepted it would present itself as nothing but noise, making it virtually impossible to interpret/read.”
In addition to using fax, you should also review your company’s approach to mobile communications. If your staff uses mobile devices for work purposes, there need to be restrictions on the information devices can access, rules on whether devices can be taken home, and clear guidelines for when IT departments can wipe a device clean.
2. Create a Sophisticated Password Strategy
Believe it or not, a lot of cyber security attacks succeed because passwords are too simple. Hackers have access to technologies that enable them to take encrypted passwords and crack them. Some call this “brute forcing.”
“Brute force is about overpowering the computer’s defenses by using repetition,” tech expert Paul Gil explains. “In the case of password hacking, dictionary attacks involve dictionary software that recombines English dictionary words with thousands of varying combinations.”
This is the sort of stuff you see in the movies, where the hacker cracks one letter at a time using thousands of variations per minute. While you can’t prevent 100 percent of password threats, you can make it much harder for hackers and reduce the chances of being compromised.
It all starts with creating a sophisticated password strategy. Here are a few things to know:
- Employees should be required to create passwords with combinations of uppercase and lowercase letters, numbers, and symbols. Furthermore, passwords should be reset every few weeks.
- Administrative accounts should use even more complex passwords. Never set simple passwords like “Password01” or “Admin123.” Hackers frequently try these overused codes.
- Implement actual consequences for employees who don’t follow password rules and regularly conduct audits. Employees need to know you take password strength and integrity seriously.
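The rules above, as an added example that is not part of the original article: a Python check that could run whenever a password is set or audited. It goes one step beyond the character-class rule by also flagging passwords built on a common word, the pattern the dictionary attacks quoted earlier rely on; the word list, substitution table and function names are assumptions made for illustration.

```python
import re

# Constructed sample list; a real audit would load a large common-password dictionary.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}

# Character swaps that dictionary tools undo, so the audit undoes them too.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "!": "i", "$": "s", "5": "s"}
)

# The four character classes the policy above requires.
REQUIRED_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def missing_classes(password):
    """Return the required character classes the password lacks."""
    return [name for name, pattern in REQUIRED_CLASSES.items()
            if not re.search(pattern, password)]


def dictionary_base(password):
    """Return the common word the password is built on, or None."""
    # Drop the trailing digits/symbols people append ("01", "123", "2024!").
    core = re.sub(r"[^A-Za-z]+$", "", password)
    core = core.lower().translate(SUBSTITUTIONS)
    return core if core in COMMON_WORDS else None


def audit_password(password):
    """Run at password-set time, while the plaintext is still available."""
    findings = [f"missing {name}" for name in missing_classes(password)]
    base = dictionary_base(password)
    if base:
        findings.append(f"built on common word '{base}'")
    return findings


if __name__ == "__main__":
    # Constructed candidates; the first two are the examples named above.
    for candidate in ["Password01", "Admin123", "P@ssw0rd2024!", "tR7#vq9!LmZ2x"]:
        print(candidate, "->", audit_password(candidate) or "ok")
```

The third candidate contains all four character classes and still fails, which is why a composition rule alone is not a sufficient audit.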
Even when you follow techniques such as these, you won’t be 100 percent protected. Make sure you have the ability to revoke a user’s access and permissions at any time. This empowers you to respond swiftly should an account become compromised.
3. Use a Secure Backup Plan
You should already have a secure backup plan, but go ahead and review the details. Many cyber criminals use a tactic known as “cyber blackmail” when they attack a small business.
They’ll hold some of your valuable data hostage and demand a ransom in return. If you have an adequate backup plan, you’ll have much more leverage in this situation.
With a secure backup plan, your data should be saved and stored in multiple locations. Ideally, one of these is a cloud solution that’s independent of any physical hardware in your office.
This won’t automatically prevent data from being compromised, but it does ensure you never lose your access to it.
4. Be Aware of Internal Threats
Did you know that 31.5 percent of attacks are carried out by malicious company insiders, and 23.5 percent of attacks are conducted by inadvertent actors (that is, people who pretend they’re unaware of what they’re doing)? This means 55 percent of all attacks come from the inside.
Protecting your business is as much about fortifying your company walls as it is about strengthening internal protocol. By increasing authorization requirements and keeping a watchful eye on any employee with access to secured data, you should be able to prevent data leaks before they happen.
It’s easy to feel guilty about watching employees or questioning their motives, but you owe it to your business and customers to be on the lookout for attacks … even on the inside.
5. Designate a Point Person
The obstacle for small businesses is a lack of resources. SBOs will say things like, “We can’t afford to hire a full-time IT person.” Or maybe: “Our IT person has so much to do, we can’t throw another thing on his plate.”
These are valid claims, but you need to find ways around them. Cyber security strategies are not optional; they need to be regarded as a core activity. What do you do when your business has a need in a core area? You find a way to satisfy the need.
However it works for your business, find and designate a point person to oversee your cyber security efforts. Even if employees are wearing multiple hats and handling a variety of responsibilities, it needs to be someone’s job to focus on security.
“Your point person has three primary responsibilities: to stay informed of major news and changes in digital security, to know the basic requirements for your business to function securely and efficiently, and to ensure that those requirements are put in place and kept updated,” says consultant Ty Kiisel.
“This doesn’t mean that the person in charge needs to personally do all the work, but that he or she needs to find the right services or professionals who can do the necessary updates and improvements.”
6. Thoroughly Educate Employees
Aside from the point person, the rest of your employees need to be educated about cyber security strategies and their importance. In order to stay secure and avoid attacks, everyone has to be on the same page.
As Kiisel says, “The more informed your employees are, the better they will be at protecting the data that is a vulnerable and crucial part of your business.”
There are a number of ways you can educate employees. Start by developing a training program. Employees should be required to participate in some sort of regular training each month. This can be as informal as reviewing industry websites and reading articles, or as formal as purchasing a program with a professionally developed curriculum.
Figure out what works for your business and go from there.
Don’t Wait Until You’re Attacked
The time to develop a cyber security strategy is now. If you wait until after you’ve been attacked, you could end up spending hundreds of thousands, even millions, of dollars to recover. Think about the above tips and work on developing a company-specific strategy that will enable your business to operate without the threat of an attack.
There are many different approaches, but the important thing is that you take action. Now is not the time for indecisiveness or passivity.