Entrepreneurs and small business owners who are either unaware of basic cybersecurity measures or are simply neglecting them are in for a rude awakening. Assuming that mid-sized and enterprise-level companies make better targets is exactly what makes a small business an attractive one: attackers know the defenses are weaker. With the global uptick in cyber crime, it’s no longer a matter of IF you will be attacked, but WHEN.
The Independent reports that small and medium-sized businesses are not investing in cyber protection, despite an increased rate of cyber-attacks not just in the US and UK, but all over the world. In fact, according to Europol, the massive WannaCry attack in May 2017 affected both private and public organizations in over 150 countries.
So how do you keep your business safe in a world rife with cyber threats? Prevention and response are the two fronts on which you can prepare for today’s cyber criminals, so you’ll want to make sure you take the right steps on both to protect your business.
1. Understand How Valuable Your Assets Are
One of the first things any business can do to make sure that they’re protected is to perform a basic cyber security risk assessment. Maryville University’s online cyber security program provides these cyber security risk assessment tips:
- Take stock of your system. This might seem obvious, but you’d be surprised how many people don’t do this. Looking at the size of your environment, what type of hardware you have, the number of both physical and cloud-based access points, and what information is shared with third parties gives you the basis for your assessment.
- Identify potential threats to your system. Many major breaches today can be chalked up to human error, inadequate backups, or insufficient encryption. Make sure yours are up to par, and understand that social engineering is as much a threat to your business as any technical weakness.
- Analyze the environment. How vulnerable are your governing controls, such as the ones associated with admin access, user authentication, and infrastructure data protection?
- Consider probability of different breach types, and play out exactly how you would identify and respond to them. You might be surprised by what you find.
- Final risk assessment. In accordance with Sage Data Security’s method, Maryville recommends you multiply “the likelihood of breach against its resultant damage to determine a risk rating.”
2. Make Sure You’re Compliant with Local and Global Regulation
If you’re dealing with credit card data, you’ve no doubt heard of PCI DSS, just as you’ll have heard of HIPAA if you deal with health data. Either way, most businesses nowadays handle sensitive personal data of some sort. Make sure that you’re compliant within whatever industry you’re in, and stay on the lookout for new regulations, such as the EU’s General Data Protection Regulation (GDPR), which becomes enforceable in May 2018. Appnovation makes the good point that even companies outside of the EU will be affected by this new legislation.
“GDPR’s expanded jurisdiction applies to the processing of personal data of all EU residents, even if the controller or processor is located outside of the EU. American and Canadian companies that sell goods and services to EU residents will be subject to GDPR,” they write on their blog.
Another thing to consider would be cyber-insurance, which will help you deal with some of the costs associated with a breach, and which may become a regulated necessity in the near future.
3. Be Smart About Email
FoIP and secure file exchange experts at XMedius put email as their third and final point in their article, “3 Major Data Security Risks Every Business Should Know About,” mentioning that email, as the most prevalent method of communication, is also very insecure.
“With this in mind, IT professionals work hard to protect communications from within their organizational infrastructures,” they write. “One of the best ways to do this is by using encryption, which scrambles email content until it’s unlocked by a recipient. Encryption can be done on the level of servers, networks, and individual messages. The downside of encryption is similar to the security issue when using traditional fax: efforts might be made on your organization’s end to keep data secure, but can you be sure about your recipients?”
Christina Foley, vice president of commercial sales for FireEye, agrees that every company should be keeping their eye on email.
“Most attacks involve an email,” she says in an article with Utah Business. “If businesses are using cloud-based email like Office 365, they should also invest in advanced threat protection beyond Microsoft’s basic spam protection. Understand that people will always hack themselves. Attackers are always looking to exploit human trust. Insist on education for every employee who interfaces with your technology.”
4. Adopt a Reliable Backup and Disaster Recovery Strategy
Last but not least, businesses need to invest in a reliable backup and disaster recovery strategy. You cannot guarantee that a cyber attack will never befall your business, but you can absolutely control how you respond. If your business is hit with ransomware, for example, your data is encrypted and the attackers demand payment for the key. Without a full restore from backups, paying is your only option, and even then there is no guarantee that the attackers will hand over a working key. Keep at least one copy of your backups offline or otherwise isolated from your network, because ransomware that can reach your backups will encrypt them too.
Make sure that you test your disaster recovery plan regularly to see what can be improved and how you can decrease downtime. A backup you have never actually restored from is an untested backup. Nothing is worse than having a disaster recovery plan in place only to find out that it doesn’t pass muster during a real disaster.
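One way to turn “test your disaster recovery plan” into a routine you can actually run is a restore drill: back up a directory, record a checksum for every file at backup time, restore the archive somewhere else, and confirm that every restored file matches its recorded checksum. The script below is an added example for this article; it is not code from the author or from any of the companies quoted. The file names, the BACKUP_NAME and MANIFEST_NAME constants, the run_drill helper and the sample data it writes are all assumptions constructed for the example, so it runs offline inside a temporary directory.

```python
"""Backup restore drill: archive a directory with a SHA-256 manifest, restore
it elsewhere, and verify the restored copy file by file.

Example code added to this article, not from the original page. All paths
and sample files are constructed here so the drill runs offline."""
import hashlib
import json
import os
import tarfile
import tempfile

BACKUP_NAME = "backup.tar.gz"      # assumed names for this example
MANIFEST_NAME = "manifest.json"


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map each file's path (relative to src_dir, '/'-separated) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def create_backup(src_dir, dest_dir):
    """Archive exactly the files in the manifest and write the manifest beside
    the archive. Returns (archive_path, manifest_path)."""
    archive = os.path.join(dest_dir, BACKUP_NAME)
    manifest_path = os.path.join(dest_dir, MANIFEST_NAME)
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, *rel.split("/")), arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest_path


def restore_backup(archive, restore_dir):
    """Extract the archive into restore_dir; use the 'data' filter where the
    Python version supports it so a hostile archive cannot write outside it."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    return restore_dir


def verify_restore(manifest_path, restore_dir):
    """Compare every manifest entry with its restored copy.
    Returns a list of problems; an empty list means the drill passed."""
    with open(manifest_path) as f:
        expected = json.load(f)
    problems = []
    for rel, digest in expected.items():
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def run_drill(tamper=None):
    """Full cycle: constructed sample data -> backup -> restore -> verify.
    tamper="corrupt" overwrites one restored file (silent corruption, or a
    ransomware-encrypted copy); tamper="delete" removes it. Both are the
    failure modes a restore test exists to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        os.makedirs(os.path.join(src, "customers"))
        with open(os.path.join(src, "customers", "orders.csv"), "w") as f:
            f.write("id,total\n1,19.99\n2,42.00\n")      # constructed sample data
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[mail]\nhost=mail.example.com\n")   # constructed sample data
        archive, manifest = create_backup(src, tmp)
        restore = restore_backup(archive, os.path.join(tmp, "restore"))
        victim = os.path.join(restore, "customers", "orders.csv")
        if tamper == "corrupt":
            with open(victim, "w") as f:
                f.write("ENCRYPTED BY RANSOMWARE\n")
        elif tamper == "delete":
            os.remove(victim)
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "OK")
    print("corrupted restore:", run_drill(tamper="corrupt"))
    print("incomplete restore:", run_drill(tamper="delete"))
```

The point of the manifest is that the check does not trust the backup software’s own exit code: it proves that what came back is what went in. In a real drill you would point the same logic at a production backup, restore it to an isolated machine, and keep the manifest somewhere the backup job cannot overwrite, so that a compromised backup host cannot rewrite both the archive and the checksums.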
The most important thing to remember is that you cannot control whether or not your business is going to get hit. The odds are that you will. You can only prepare and respond — so make sure you’re ready to move and minimize damages in case cyber criminals do come after you.
Author: Andy Heikkila is a business owner, writer, and musician hailing from the lush Pacific NW. He enjoys running, drinking, and hanging out with his friends when he’s not working. Feel free to drop him a message on Twitter @AndyO_TheHammer.