Cybersecurity is a major concern in our interconnected world. NH SBDC is taking small, vetted steps to provide NH small businesses with information on the topic. Thank you to Anthony Perkins, Eric Langland, and Daniel Kelly McCue, Bernstein Shur, for contributing this article series.
The frequency of cyber attacks on small and medium-sized businesses (SMBs) is increasing. In a survey of SMBs with 100 to 1,000 employees, the share that experienced a cyber attack rose from 61% in 2017 to 67% in 2018. Companies that reported an incident spent an average of $1.43 million responding to it, and the disruption to normal operations cost a further $1.56 million on average.
The larger companies in that survey pull these averages upward, but small businesses are still the most common victims: according to the 2018 Verizon Data Breach Investigations Report, 58% of breach victims were classified as small businesses. These figures help frame the discussion when considering what preventative steps to take. So what can be done?
1. Begin with a risk assessment of the company’s information security practices.
- Consider unique aspects of the business that may make it vulnerable to a certain type of attack (e.g. what type of information does the company handle, and who would want it?).
- Carry out an audit of any company data assets and consider a full data mapping exercise.
- Assess the business' use of mobile and personal IT devices, the strength of passwords, and whether sensitive data is encrypted both where it is stored and while it is in transit.
- Draft a clear outward-facing data security policy and document in detail all internal procedures.
2. After assessing potential risks, implement the new security controls.
- Malware protection: make sure to install anti-virus software that is kept up to date.
- Computer network: use firewalls, proxies, and access controls, and keep the rules current as the network changes.
- User privileges: grant each user only the access their role requires (least privilege), with controls in place to prevent and detect unauthorized access.
- Consider stronger user verification methods, such as multi-factor authentication and digital signatures, and restrict the use of removable media such as USB drives.
3. Take a look at the company’s cloud computing practices.
- Inventory the business’ cloud-based platforms.
- Analyze whether it is appropriate to be sending that information to the cloud (i.e. is the information of a sensitive nature?).
- Review the company's vendor management agreements and seek to understand how third-party vendors are safeguarding the company's data, both during transfer and while it is stored in the cloud.
- Remind clients to check the sender address of any email purportedly sent by the firm, not just the display name, especially if it relates to financial information or a request for payment.
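The advice above to check sender addresses can be turned into a small automated check. The following is an added example, not part of the original article or the Bernstein Shur checklist; it assumes a hypothetical firm domain of example.com and uses two constructed messages. It parses the From and Reply-To headers of a raw email, flags a From domain that is not the firm's, a look-alike domain within a short edit distance of the real one, and a Reply-To that would redirect replies elsewhere (a common pattern in payment-fraud emails).

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for this example: the firm's real sending domain.
FIRM_DOMAIN = "example.com"

# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = (
    "From: Accounts <billing@example.com>\r\n"
    "To: client@client.example\r\n"
    "Subject: Invoice 1042\r\n"
    "\r\n"
    "Please find the invoice attached.\r\n"
)

SPOOF_MESSAGE = (
    "From: Accounts <billing@examp1e.com>\r\n"          # '1' instead of 'l'
    "Reply-To: payments@mail-relay.example.net\r\n"     # replies go elsewhere
    "To: client@client.example\r\n"
    "Subject: URGENT: updated wire instructions\r\n"
    "\r\n"
    "We have changed banks; please use the attached wire details.\r\n"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_checks(raw_message: str, firm_domain: str = FIRM_DOMAIN) -> list[str]:
    """Return a list of warnings about who a message claims to be from."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    firm_domain = firm_domain.lower()

    _display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. The From address is not on the firm's domain at all.
    if from_domain != firm_domain:
        warnings.append(f"From domain '{from_domain}' is not '{firm_domain}'")

    # 2. The domain is a near miss for the real one (typosquat / look-alike).
    if from_domain != firm_domain and edit_distance(from_domain, firm_domain) <= 2:
        warnings.append(f"'{from_domain}' looks like '{firm_domain}'")

    # 3. Replies would be routed to a different address than the sender's.
    _name, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr.lower():
        warnings.append(f"Reply-To '{reply_to}' differs from From '{from_addr}'")

    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoof", SPOOF_MESSAGE)):
        print(label, sender_checks(raw) or "no warnings")
```

The check is deliberately conservative: it does not prove a message is genuine (an attacker who controls a compromised mailbox on the real domain passes all three tests), so it complements, rather than replaces, confirming payment changes by phone.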
4. Take steps to make cybersecurity a part of the business’ regular risk-management procedures.
The end goal is to make cybersecurity awareness part of the firm's culture. One way to do this is to review systems and procedures regularly and to include tests that exercise them, not just paper reviews. A good practice is to retire software and physical devices that are no longer needed, wiping any stored data before devices are disposed of. If the company experiences a cyber attack, contain and remove the ongoing threat first, then conduct a post-breach review, including a check of compliance with any relevant breach notification laws.
5. Consider cyber insurance coverage.
In general, cyber insurance policies cover losses arising from the loss of, or damage to, electronic data. With the increase in cyber attacks in recent years, these policies are becoming more popular. Not only do they help to mitigate financial risk, but they also provide an ally who is already familiar with the company if a breach does occur. Without a cyber insurance provider in place before an attack, a firm is left to engage security companies at the worst possible moment, and those responders must analyze the situation with no prior knowledge of the business.
Bernstein Shur has developed a downloadable checklist outlining these steps: Reducing a Small Business' Potential Cybersecurity Risks Checklist.
Cybersecurity image thanks to https://pixabay.com/users/thedigitalartist-202249/