How small businesses can protect themselves from cyber attacks
These days, we constantly see news of cybersecurity attacks in the headlines. Ransomware attacks. Phishing scams. Malware and viruses. Small business owners have plenty to worry about, and understanding how to protect yourself from these attacks can be overwhelming. Furthermore, overcorrecting on cybersecurity can often cause unnecessary slowdowns to your business.
While this post is not meant to be a comprehensive guide, and every business is different, you can use these tips to get your cybersecurity program headed in the right direction.
What are the top information security threats that face your business?
Every business faces different threats. Fraud is usually a big concern for e-commerce and retail businesses, while businesses that have a heavy technology stack may be most concerned about vulnerabilities introduced through their software suppliers. Every business needs to be aware of and understand its risk.
One common approach to this is to keep track of your risks — as well as the impact and likelihood of each risk — in a risk register. The qualitative risk score is the result of multiplying the impact and likelihood of a risk together. Risks that have higher scores should be addressed by adjustments in your business (controls) that reduce the likelihood or impact of that risk. The residual risk score is the risk that remains once a set of controls has been applied.
By looking at this diagram, we can conclude that our efforts would be best placed by addressing the “Employee laptop theft” risk. Controls for this risk could include enabling disk encryption and installing software that allows IT administrators to remotely wipe the device.
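To make the scoring concrete, here is a small risk register written as an added example for this post (it is not the author's or Madwire's code). It assumes a five-point scale for impact and likelihood and constructed sample values; only the laptop-theft risk and its two controls come from the text above. Scores are impact multiplied by likelihood, controls knock points off one or both factors, and the register is re-sorted on residual score so the next control goes where it matters most.

```python
from dataclasses import dataclass, field

# Five-point qualitative scale for impact and likelihood (an assumption;
# the post does not fix a scale).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """A change to the business that lowers likelihood and/or impact by some points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        for value in (self.impact, self.likelihood):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {value} is outside {SCALE_MIN}-{SCALE_MAX}")

    def inherent_score(self) -> int:
        # Qualitative risk score = impact x likelihood, as described in the post.
        return self.impact * self.likelihood

    def residual_score(self) -> int:
        # Residual risk = the score left after every listed control is applied.
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        # A control can never push a factor below the bottom of the scale.
        return max(SCALE_MIN, likelihood) * max(SCALE_MIN, impact)


def prioritize(register):
    """Highest residual score first: that is where the next control belongs."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def build_sample_register():
    # Constructed sample ratings, not figures from the post.
    return [
        Risk("Employee laptop theft", impact=4, likelihood=4),
        Risk("Phishing of staff", impact=4, likelihood=3),
        Risk("E-commerce fraud", impact=3, likelihood=3),
    ]


def apply_laptop_controls(register):
    # The two controls the post suggests for laptop theft; the point values are assumptions.
    laptop = next(r for r in register if r.name == "Employee laptop theft")
    laptop.controls.extend([
        Control("Full-disk encryption", impact_reduction=2),
        Control("Remote wipe agent", impact_reduction=1),
    ])
    return register


if __name__ == "__main__":
    register = build_sample_register()
    print("Before controls:", [(r.name, r.inherent_score()) for r in prioritize(register)])
    apply_laptop_controls(register)
    print("After controls: ", [(r.name, r.residual_score()) for r in prioritize(register)])
```

Run as written, laptop theft tops the list at 16 before any control and drops to 4 once encryption and remote wipe are in place, at which point phishing (12) becomes the risk to work on next. Neither control lowers the likelihood that a laptop is stolen; they only shrink what a thief can do with it, which is why the register tracks the two factors separately.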
As mentioned before, every business is different, so there is no silver bullet when it comes to protecting yourself. But, if you understand the threats your business faces, you will be better prepared to prioritize them and protect your business.
What are some things you can do to protect yourself and your business from cybersecurity threats?
There are some things that industry professionals have identified as activities that clearly reduce the risk of cybersecurity attacks to your business. The Verizon 2022 Data Breach Investigations Report (DBIR) lists the following things small businesses can do to avoid becoming a target:
Use two-factor authentication
Do not reuse or share passwords
Use a password keeper/generator app
Be sure to change the default credentials of Point of Sale (PoS) controller or other hardware/software
Ensure that you install software updates promptly so that vulnerabilities can be patched
Other things that are critical to protecting your business:
Remove unauthorized users – Make sure that you have a process for removing employees that have left your organization from the systems and applications to prevent unauthorized access. Also, make sure that employees that change departments don’t keep access to systems and data they no longer need.
Provide security awareness training to your employees – This can be as in-depth as required, but your employees should understand their roles and responsibilities in protecting your business from cybersecurity threats.
Assess the risk – Your leadership team needs to understand all of the risks your business may face, including cybersecurity risks. Companies with complex risk landscapes should keep a Risk Register to track the impact and likelihood of risks, so that they can be prioritized and addressed.
Test your response – It’s always good to talk about and walk through how your business would respond in the event of a cybersecurity incident. Once you understand what risks your business faces, you can run a tabletop exercise with your team to see what the response would look like, much like a fire drill. These efforts can go a long way during a real event if you analyze the response and make changes accordingly.
Follow trends that may affect your industry – There are new threats emerging constantly. It’s important to be aware of new challenges that similar companies are facing.
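The "Remove unauthorized users" item above is easiest to keep honest with a periodic reconciliation between what HR says about people and what your applications say about accounts. The script below is an added example (not the author's or Madwire's code) that does exactly that: it uses constructed sample data, assumes the HR system can export each employee's status and department, and flags three kinds of grants for removal: accounts of people who have left, accounts with no HR record at all, and access kept from a department the person no longer works in.

```python
# Constructed sample data (not from the post): the HR system's view of people.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "terminated", "department": "sales"},
    "carol": {"status": "active", "department": "engineering"},  # moved here from finance
}

# The groups each department actually needs to do its job (assumed mapping).
DEPARTMENT_GROUPS = {
    "finance": {"accounting-app", "payroll-share"},
    "sales": {"crm"},
    "engineering": {"source-repo"},
}

# What the applications report: (account, group) pairs actually granted.
ACCOUNT_GRANTS = [
    ("alice", "accounting-app"),
    ("bob", "crm"),                 # left the company, still has access
    ("carol", "source-repo"),
    ("carol", "payroll-share"),     # kept from her old department
    ("dave", "crm"),                # no HR record at all
]


def review_access(roster, department_groups, grants):
    """Return (account, group, reason) for every grant that should be removed."""
    findings = []
    for account, group in grants:
        person = roster.get(account)
        if person is None:
            # Nobody in HR owns this account: a contractor, a test login, or a leftover.
            findings.append((account, group, "no matching HR record"))
        elif person["status"] != "active":
            # Offboarding missed this system.
            findings.append((account, group, "employee has left"))
        elif group not in department_groups.get(person["department"], set()):
            # A department change that did not trigger a permission change.
            findings.append((account, group, "not needed by current department"))
    return findings


if __name__ == "__main__":
    for account, group, reason in review_access(HR_ROSTER, DEPARTMENT_GROUPS, ACCOUNT_GRANTS):
        print(f"REMOVE {account} from {group}: {reason}")
```

On the sample data this prints three removals (bob's CRM access, carol's old payroll share, and the unowned "dave" account) and leaves alice's grant alone. In practice the roster and grants would be exported from the HR system and each application on a schedule, and anything this review flags should be removed through the normal change process rather than by hand.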
How do we prevent our information security program from crippling our business?
You can’t do everything at once. The best approach to improving your cybersecurity posture is to identify the items that will have the most impact.
When considering how to address cybersecurity risk, it’s also important to consider what impact the mitigation will introduce to your business. For example, if you require all of your customers to verify their identity in order to prevent e-commerce fraud, your conversion rates may suffer as a result.
The business should determine whether these tradeoffs are worth it. If not, other controls should be considered.
Conclusion
In this day and age, cybersecurity risk is not something any small business can afford to ignore. But if you’re thoughtful about your strategy and take the right precautions for your business, you can focus on what’s most important — serving your customers.
Written by David Jones, Chief Information Security Officer
David Jones, Chief Information Security Officer at Madwire, has been with the company since 2010. He is a Certified Information Security Manager and holds a CISO Executive Certificate from Carnegie Mellon University. Prior to his work at Madwire, he owned and operated a successful information technology consulting business in Northern Colorado. David believes that technology adoption enables small businesses to achieve a competitive edge that was previously out of reach and he is passionate about ways businesses can protect themselves from an evolving threat landscape.