How Can Small Businesses Achieve Optimal Information Security?
Are you a key decision-maker within a small or medium-sized business (SMB)? If so, you probably realize that you never have enough internal resources to address all cybersecurity matters. Naturally, the lack of resources leaves you picking and choosing which security matters to deal with first and how much you should invest to manage your security program.
Unfortunately, many small businesses fail to plan and design their security capabilities with respect to their overall business objectives. This can be for a variety of reasons, such as inadequate budgets, not enough time, or a lack of information security experience and skills within the organization.
Another common factor is the lack of executive commitment to information security. According to Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), 60% of small-business owners say that cybersecurity threats are becoming more targeted and more sophisticated. However, conflicting priorities, budgets, and time constraints cause small-business owners to put information security on hold.
Regardless of the reason, it’s dangerous for small-business owners to think that cybercriminals will refrain from attacking their companies because of their size. Hackers typically search for the easiest targets to exploit. With many SMBs not understanding how to defend their companies against cyber attacks, and without sufficient resources to do so, there has been an increase in attacks targeted at SMBs. This trend will inevitably continue until SMBs adopt a focused approach to cybersecurity.
Therefore, SMBs should seek to adopt a strategy that addresses growth before attacks occur. Organizations should consider how their IT infrastructure and operational needs will change as they evolve from a team of individuals working on laptops into a full-fledged business with a network. As IT needs change, so does the responsibility to maintain and secure newly introduced technologies.
So how does your small business avoid being a victim of a cyber attack and achieve optimal information security? Here are eight small business cybersecurity best practices:
1. Understand your data and how it moves through your supporting technology
It’s impossible to achieve an optimal level of security without first understanding the data you are trying to protect. Having a clear understanding of the types of data that are valuable to your organization is paramount. Once you achieve this, you need to understand how this data moves through your IT systems, services, third parties, etc. Within smaller organizations, this is often challenging, as end-users have a lot of autonomy over how this happens.
For instance, end-users may be given a laptop and start storing company data in a variety of cloud locations (e.g., Dropbox, Box, Google Drive, OneDrive, AWS, etc.). Organizations that do not define and communicate acceptable data usage and storage practices will have a difficult time managing data security.
2. Document your cybersecurity policies
Documenting your cybersecurity policies is becoming increasingly critical for adhering to regulatory compliance requirements established by your industry or by federal, state, local, and international law.
Additionally, documenting and frequently reviewing your policies makes you continuously evaluate what is “stated” and what is “reality.” In many instances, organizations discover that there is a gap between existing policies and the practices within their daily, weekly, and monthly operations. Maintaining a comprehensive set of policies gives organizations a solid reference point for acceptable practices and helps educate staff on how to improve and modify security behaviors.
3. Educate all employees
Employees within SMBs often wear many hats, which means they might have access to more information than they would if they had a distinct role within a company. Therefore, employees accessing company data need to be trained on how to protect different information types and systems.
Additionally, to ensure understanding and agreement with company policy, and to hold employees accountable for their roles in protecting information, it is beneficial to have employees sign a document stating that they have been informed of the policies and understand the corrective actions when they don’t follow such policies.
4. Enforce safe password practices
Passwords are still a major cause for concern for organizations of all sizes. The Verizon 2016 Data Breach Investigations Report found that 63% of data breaches happened due to lost, stolen, or weak passwords. Thus, SMBs should implement password policies that make sense for their organizations and, most importantly, ensure that such policies are followed and technically enforced.
5. Routinely back up your data
The rise of ransomware over the last few years has prompted more businesses to perform one of the most basic IT functions – data backup. Once you understand which data is of value to your organization, you need to establish a plan to back up that data.
However, backing up your data without ensuring that your backups are secure will hurt you more than if you had not backed up at all. Therefore, take the necessary precautions to confirm that your backups are safe and stored in a separate location in case of fire or flood. Also, check your backup process regularly to ensure that it is functioning correctly and that the latest backup is always available when you need it.
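One way to turn "check your backup process regularly" into a routine check, as an added example that is not part of the original article: the script below verifies each backup set against a SHA-256 manifest (the format `sha256sum` writes) and confirms that the newest set is within an assumed 24-hour window. The directory layout, the `MANIFEST.sha256` file name and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def verify_manifest(backup_dir):
    """Return the problems found in one backup set; an empty list means it is intact."""
    manifest = backup_dir / "MANIFEST.sha256"
    if not manifest.exists():
        return ["manifest missing"]
    problems = []
    for line in manifest.read_text().splitlines():
        expected, rel = line.split(None, 1)  # sha256sum format: "<hash>  <path>"
        target = backup_dir / rel
        if not target.exists():
            problems.append(f"missing: {rel}")
        elif hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            problems.append(f"corrupt: {rel}")
    return problems

def newest_backup_age_hours(root):  # hours since the newest set was written, or None
    manifests = list(root.glob("*/MANIFEST.sha256"))
    if not manifests:
        return None
    return (time.time() - max(m.stat().st_mtime for m in manifests)) / 3600

def backup_healthy(root, max_age_hours=24.0):
    """True only if a fresh backup exists and every set under root verifies."""
    age = newest_backup_age_hours(root)
    if age is None or age > max_age_hours:
        return False
    return all(not verify_manifest(d) for d in root.iterdir() if d.is_dir())

def make_demo_backup(root, name, tamper=False):
    """Constructed sample backup set (not real data); tamper=True simulates silent corruption."""
    d = root / name
    d.mkdir(parents=True)
    files = {"customers.csv": b"id,name\n1,Example Customer\n", "ledger.txt": b"opening balance\n"}
    for rel, data in files.items():
        (d / rel).write_bytes(data)
    digests = {r: hashlib.sha256((d / r).read_bytes()).hexdigest() for r in files}
    (d / "MANIFEST.sha256").write_text("".join(f"{h}  {r}\n" for r, h in digests.items()))
    if tamper:
        (d / "ledger.txt").write_bytes(b"changed after the manifest was written\n")

def run_demo():  # two constructed sets in a temp dir, one intact and one tampered
    root = Path(tempfile.mkdtemp())
    make_demo_backup(root, "set-01")
    healthy_before = backup_healthy(root)
    make_demo_backup(root, "set-02", tamper=True)
    return healthy_before, verify_manifest(root / "set-02"), backup_healthy(root)
```

Run `run_demo()` to see the intact set pass and the tampered set fail; in practice the check would run on the offsite copy on a schedule and alert when it returns False.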
6. Install anti-virus and anti-malware software
We all know that connecting our devices to the internet increases our chances of getting infected with viruses and other malware. However, even the most tech-savvy individuals fall victim to phishing emails, which can lead to unintended malware downloads or identity-stealing scams. Since the intent of many phishing attacks is to deliver malicious software by urging employees to click on seemingly harmless links, anti-malware protection is essential to protect the organization and all its employees.
7. Use multi-factor authentication
Since passwords are still one of the easiest ways to gain access to information systems, it’s important for SMBs to sensibly introduce Multi-Factor Authentication (MFA) to provide additional levels of security. For the many SMBs that use cloud-based services, such as email and Infrastructure as a Service (IaaS) solutions (e.g., O365, Google, AWS, Azure), it makes sense to further restrict unauthorized access by leveraging MFA. Any minor inconvenience to employees pays off, as the added security value far outweighs the risks of its absence.
8. Restrict data sprawl as much as possible
SMBs need to define where their data should be stored, which goes back to understanding the different types of data and their locations. Also, acceptable storage policies and practices make it easier to grow into future security-related solutions and initiatives, such as Data Loss Prevention efforts, and ensure appropriate analyses are performed when evaluating potential vendors.
If your organization is beginning to experience data sprawl, it’s urgent you explore options to regulate it and protect corporate and sensitive information. The sooner you take action, the easier it will be to manage and enforce as you grow.
Security Starts Now
Security is a continuous process that never stops. To protect your data as much as possible, it’s essential that every employee makes cybersecurity a top priority. To ensure awareness and observance of security measures, leaders and managers must spearhead the effort and adopt information security as a necessary endeavor to protect the organization and its future.
For those SMBs who do not believe they have adequate in-house resources to address information security matters, they should start their journey by contacting Hancock & Poole Security (HPS). HPS offers free one-hour consultations to help guide SMB owners through the difficult landscape of cybersecurity and start to craft successful information security solutions.