Information Security — The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Cybersecurity — The ability to protect or defend the use of cyberspace from cyber attacks. —”Glossary of Key Information Security Terms”, NIST IR 7298
In today’s digital world, threats to cybersecurity are everywhere. Data breaches are rampant and indiscriminate, affecting businesses of all sizes from small mom and pop shops to massive organizations like Target and Massachusetts General Hospital. Cybercrime is one of the fastest growing illicit activities today, and businesses are now wondering not if they will be a victim of cybercrime, but when. With key preventive measures including employee education, established policies, and implemented best practices, proactive companies can avoid becoming yet another statistic in the world of cybercrime. As longstanding experts in sensitive data security, SEM is pleased to share these 10 cybersecurity tips for small business.
1. Educate Employees
The fact that human error is by far the biggest contributor to data breaches cannot be overstated. Educating employees on safe email usage, avoiding phishing scams, ensuring safe social media practices, and safeguarding personal information is critical to the success of any cybersecurity policy. Ensure that employees are using password best practices including updating passwords every 90 days, at a minimum. Also, educate employees on the importance of secure socket layer protocol and to never submit company or personally identifiable information (PII) over an unsecured network.
2. Implement a Device Policy
As business becomes more mobile, so do the possibilities of data theft. If employees’ devices such as phones or laptops have access to confidential company data, require that employees encrypt data, password protect their devices, and understand reporting procedures in the event of a data breach. Employees who work from home should be required to protect their home network behind a firewall.
3. Always Update
Antivirus protection, operating systems, system software, and company firewalls only work to protect against breaches when they are kept up to date. As security threats constantly evolve, so do software patches and updates. Install updates as soon as they are released and implement a clear software update policy.
4. Establish IT Best Practices
Standardize a backup plan for all data on the network, including HR files, payroll information, spreadsheets, documents, and all other critical information. Only allow IT staff and key personnel to install software or have administrative rights to company devices. In addition, credentials should be required for access to any company device, and all employees should be given their own unique user names and strong passwords. Encrypt and hide the company’s WiFi network to avoid outsider access.
5. Identify Threats, Vulnerabilities, Likelihood, and Risks
Threats come in the form of cyber or physical attacks, human error, accidents (natural or manmade), or resource failure (software, hardware, etc.), while vulnerabilities are the causes of these threats and include items such as outdated software and hardware, untrained staff, and minimal policy enforcement. Likelihood combines the threat with the vulnerability and assigns a rating. For example, the threat of being exposed through a phishing scam combined with inadequately trained staff equates to a high likelihood rating. Once threats, vulnerabilities, and likelihood are explored, a risk assessment can be formulated along with resulting consequence. At that point, the decision to accept or mitigate the risk can be made. Acceptance of the risk should only be considered if the consequences or the likelihood are low.
6. Establish a Data Breach Response Plan
Just as an Emergency Response Plan (ERP) is critical to minimizing loss of life during a natural disaster, so a Data Breach Response Plan is critical to mitigating data loss and resulting expense in the event of a data breach. An effective Data Breach Response Plan should include items such as the following:
- Documentation of events prior to and immediately following the discovery of a data breach
- Transparent and immediate communication to all employees including how they should respond to external inquiries and the press
- Activation of a designated response team, in particular legal council, to determine if regulatory agencies or law enforcement should be notified
- Identification of what caused the breach as well as implementation of a plan of action to fix it
- Plan of action based on legal counsel with regard to compliance regulations and other mandates affecting messaging, notification, and possible compensation to breach victims
- Messaging and schedule for notification of those with compromised data
As with an ERP, a Data Breach Response Plan must be continually updated — annually at a minimum.
7. Communicate ROI
Many companies discount the implementation of a sound cybersecurity policy due to costs that are not easily justified. While the fact remains that no tangible Return on Investment (ROI) for a cybersecurity policy exists, the potential cost of NOT implementing one could be catastrophic. According to the 2017 Cost of Data Breach Study, the cost per record for a data breach was $255, with the average total cost of a data breach being $3.62 million. A cybersecurity policy, and the associated costs, are critical to the protection of a company’s data — and resources.
8. Talk to a Professional
Businesses who do not have dedicated IT professionals on staff or whose IT staff is not fully trained in cybersecurity should consider hiring an outside consultant to implement their cybersecurity policy. As previously stated, ROI for such a hire is not readily apparent. However, one breach can spell disaster — including business closure — for some smaller companies. The cost of hiring a professional to set up an effective data security policy far outweighs the potential risk and subsequent cost of not doing so.
9. Establish an Information End-of-Life Policy
Often overlooked, information end-of-life policies are critical to a successful cybersecurity plan. The most comprehensive cybersecurity policy still presents high risk if retired or failed data storage devices are improperly disposed of or discarded. Security-minded organizations must identify the confidentiality of the information, the media on which it is stored, and any required regulatory compliance measures. All PII should be considered confidential information that needs to be sanitized prior to disposal. Several methodologies of data disposal exist, from erasure to degaussing to shredding to disintegration, and the best solution is typically identified through a consultation with a data disposition expert.
10. Explore Cyber Insurance
Cyber insurance is not for everyone, but it makes sense to have the conversation with an insurance broker — but only AFTER a security program is already in place! Rates and qualifications have not been standardized and are solely based on overall business security health and ensuing risk.