This is a guest post by Stewart Wharton, TAPE VP of Operations.
Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.
Regardless of the type of small business, cyberattacks are virtually inevitable. While the bad news is that 81% of cyber-attacks happen to small and medium-sized businesses, the good news is that 97% of these attacks are preventable by implementing recommended security practices and raising security awareness among employees.
Recognizing this fact, businesses across the globe are willing to spend more on cybersecurity that ever before. According to research firm Cybersecurity Ventures, the cost of cyber-crime will exceed $6 trillion worldwide this year.
Defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. To maximize the effectiveness of your regime, senior leadership must support efforts.
Many companies cannot afford a chief information officer or a chief information security officer to lead cybersecurity tasks and strategy. In many cases, companies may outsource information technology infrastructure with very little corporate oversight. Even in the case of outsourcing, corporate leadership must be aware of the risks.
So where should a small company start?
If you are a small company looking to solidify your cybersecurity posture, I’ve created a simple 9-piece approach for creating a cyber risk management regime. I use the term “piece” instead of “steps” because you can implement these strategies in almost any order. When implementing these pieces, assess the risks to your corporate information and systems with the same vigor you would for legal, regulatory, financial, or operational risks.
Here are the 9 pieces:
- Network security. Protect your networks from attack. Defend the network perimeter and filter out unauthorized access and malicious content. Monitor and test security controls. To perform this step, you must know what operating systems and devices you have and ensure to keep up to date with the latest version and patching. Encrypt your data in transit and at rest and use strong passwords.
- User education and awareness. Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks. The Small Business Administration offers free online cyber awareness training.
- Malware prevention. Produce relevant policies and establish anti-malware defenses across your organization. Some typical anti-malware practices include:
- Backing up or archiving business data is essential to recover from cyberattacks, theft of devices, or loss of equipment or media resulting from a flood or fire. Archiving data is also quite easy since the rise of cloud storage. Cloud storage is a simple, fast, and an affordable way to back up your data. Saving your data in the cloud means that your business is protected from certain serious cyber-attacks such as ransomware. Why is this so important for your business? A ransomware attack encrypts all your data and files, making them inaccessible to you. Cyber criminals will demand money in exchange for unlocking these files, ranging from $100 to $2,000 for each infected system. This form of extortion can be devastating on a small business when several or more computers are infected by ransomware.
- Making your business data useless when it falls into the wrong hands is an effective protection strategy. You can do this by encrypting your data. Full-disk encryption software is available from all major computer and mobile operating systems to encrypt all the data you manage and make sure all your company devices have this software activated and updated. When you use data encryption, you must take measures to protect encryption keys from corruption, loss, and unauthorized access. You must also manage activities such as changing keys regularly, controlling and managing how to assign keys and to whom. Small businesses that do not have information technology staff with data encryption skills should consult with professional information technology services providers to identify and deploy their data encryption needs and solutions.
- Conducting regular risk assessment involves identifying, analyzing, and evaluating risk and ensuring that you have picked appropriate cybersecurity controls to protect your business from cyberattacks.
- Consider buying cybersecurity insurance. Cyber criminals work tirelessly to find more targets and breach different security defenses. They can harm any business, even the most security conscious. According to research conducted on data breaches in 2017, the global average cost of one data breach incident was $3.6 million. To mitigate the losses due to data breaches, it is imperative for businesses to invest in cyber-security insurance.