You change your passwords. You stay off public WIFI. You only have a few employees and you trust all of them.
Don’t fool yourself into thinking your business is not vulnerable to a cyber-attack. Consider almost one-third of data breaches affected small businesses last year, according to the Verizon Business 2020 Data Breach Investigations Report, the industry standard.
1 – No matter the size of your company, consider yourself a target.
Whether you’re a Fortune 500 company, a mom and pop operation or something in between, if you use the internet to conduct business, you’re at risk for a cybersecurity attack.
Engel’s take: “Cybersecurity attacks are often automated. You don’t necessarily have to have a big web presence. You just have to have a hole somewhere. If it gets discovered by an automated tool, a breach can occur.”
2 – Take stock of the data you are collecting, storing and sharing.
You probably are aware that you have personal information on customers, including credit card numbers. But take inventory of everything. For example, it’s easy to overlook pricing structure. Would you want that internal information shared publicly so one client sees a competitor is getting a cheaper rate? Don’t forget about the identifiable data you have on employees — their health information is protected by privacy laws.
Engel’s take: “Go beyond the fact that you actually are a target. You probably have at least some information that would be damaging if exploited.”
3 – Be aware of the regulatory requirements governing the data you have. While no single law governs data privacy, there are multiple sector-specific laws and regulations you must be aware of as a business owner.
Engel’s take: “Know your industry, and research your requirements. If you are a retail merchant and accept credit cards, there are mandatory standards to protect consumer information. If you provide products or services to the government, there are multiple cybersecurity laws to keep in mind. Make it your business to know which regulations affect you.”
4 – Examine your IT to determine if you want to maintain it internally, outsource it to a service provider or a combination of both. Ask yourself what you are doing now in terms of information security and consider how feasible it is if you decide you can continue to do it on your own. Small business owners wear many hats and often overlook the cybersecurity one despite the threat of vulnerability that can essentially ruin a company.
Engel’s take: “If you’re a business owner, you’re in the business of providing the good or service that generates revenue. If you don’t have expertise in cybersecurity, then you need to bring in someone who will help you understand the best way to reduce risk that fits your budget and goals. And with cyber, no one is an expert in everything — it’s important to understand that you don’t know what you don’t know.”
5 – While setting up a cybersecurity consultation is a good idea — Strategic Cyber Partners offers a half-hour consult free — you can start doing some things today.
Engel’s take: “Use two-factor authentication whenever it’s available. If you’re a business owner using a laptop, make sure the hard drive is encrypted so if you lose your laptop, that information is unreadable. And every company should have a strategy for backing up information. Whether you subscribe to a cloud backup service or buy an external hard drive, this step is nonnegotiable.”
6 – Have a “what if?” plan.
Most small businesses understand the importance of communicating regularly with their clients. Many have crisis communications plans in place. Yet often those worst-case scenario handbooks don’t include cybersecurity breaches.
Engel’s take: “Having a crisis communications strategy before you need it is key to a successful response if you have a breach. Make sure your emergency communication plans include a template for a cyber breach. Don’t count on being able to email employees, customers and partners — email may be part of the incident.”