For large organizations with deep pockets, an information security breach is an expensive and embarrassing debacle whose ramifications can last years. But for small and medium-sized businesses (SMBs), a severe incident could mean the end of their business entirely. Centered around people, processes and technology, there are steps organizations of any size can and should take to protect themselves and their clients.
According to Global Market Insights (registration required), the cybersecurity industry was worth over $120 billion at the start of 2017, and it grows by the minute as more frequent and more sophisticated attacks are reported. With data breaches in large corporations and government agencies getting the most attention in the press, it would be easy to think that a smaller company doesn’t have much to worry about. Unfortunately for many SMBs, the growing number of security attacks says something very different.
In 2018, SMBs were the target of 43% of cyber attacks, according to the small business mentor group SCORE. Often, hackers use smaller, more vulnerable companies as a way into larger targets that they do business with. This can ruin the smaller organization’s reputation and its ability to partner with other businesses in the future.
It’s not all bad news, though. Most attempted security breaches can be thwarted with some planning, vigilance and basic precautions. Here are some tips that you can follow as a business owner to get the most out of your information security efforts:
- Bake security into your systems and software.
Security shouldn’t be an add-on or an afterthought, but rather a fundamental part of your organization’s information assets from the outset. It should be part of the foundation of both end-user product design and internal system architecture. Whenever feasible, your systems should be secure by design, following (among other practices) the “principle of least privilege,” where system users only have the access rights needed to do their jobs. It’s never too late, though, to beef up your existing systems. From minor tweaks to total redesigns, it’s worth the effort to protect your company’s assets and reputation.
- Embed cybersecurity in your company’s culture.
Unfortunately, even the most secure systems in the world have one Achilles’ heel: people. People are almost always the weak link in the chain when it comes to cybersecurity. Whether due to a lack of awareness or an unwillingness to follow security practices, one non-compliant employee can potentially render all of your security efforts useless. For SMBs without the capital to recover from a major incident, everyone’s jobs are on the line. Training and frequent refreshers are critical, but you should also strive to embed good cybersecurity into the culture of your organization by setting a good example at the management level, as well as emphasizing best practices in all aspects of your operations. Employees should not only be trained on what to do but also why they are doing it. It’s important to remind them of the consequences of a data breach.
- Plan your incident and disaster response.
Part of being proactive is being ready in the unfortunate event of a cybersecurity incident, or a disaster (natural or man-made) that compromises your systems. No organization’s information security strategy is complete without formal, in-depth incident management and response plans, as well as a disaster recovery plan (DRP). Although your IT department is not typically your cybersecurity team, it is closest to your systems and often at the tip of the spear in the event of an incident. They should be prepared, both through training and through involvement in response planning, to work closely with cybersecurity experts during response and recovery. Consider including other departments as well in your response and recovery procedures — and hold mock incidents or drills to prepare everyone for their role.
- Monitor and patch your security.
Hackers can, and do, strike from anywhere at any time. Constant network monitoring is critical for not only detecting and potentially thwarting attacks but also for fast and effective recovery from a breach. Network monitoring software produces event logs that help your security team identify where and how hackers are focusing their efforts. Part of this constant vigilance is to consistently update and maintain the latest versions and security patches of all software on your systems. Software patches shore up known vulnerabilities — servers with out-of-date software become easy prey for opportunistic hackers who are always on the lookout for such an opportunity.
- Think like a bad guy.
Securely designed systems can still have vulnerabilities. Hackers always seem to be a step ahead of both law enforcement and information security professionals, but they also prefer to take the path of least resistance. They are constantly probing their targets for weaknesses and waiting for their moment to strike. You don’t want cybercriminals to be the first to discover a vulnerability that compromises your business, partners or customers. By taking a proactive security approach — with thorough penetration testing — you can use the same tools as malicious hackers, beating them to the punch by finding and closing security gaps in your systems.
- Get an external view of your current security posture.
Large, prominent companies can afford to throw substantial amounts of money at cybersecurity, often employing a Chief Information Security Officer (CISO) and other support personnel to handle all aspects of cybersecurity. Despite recognizing the importance of information security, not all organizations can afford or even need to have the expertise in-house. Consider getting a third party to assess your cybersecurity needs and help you determine what threats and vulnerability your SMB faces or could face as you grow. With this information, you’ll be best equipped to make decisions regarding how to proceed in protecting yourself.
The bottom line is that smaller organizations can no longer afford to put information security on the back burner — the risks are too real and the stakes are too high.