As a small business owner, you might feel that no one outside your organization is interested in the data you handle. They are. Small and medium-sized businesses are targeted by cyber-attacks seeking the financial and identity-related information of their customers and employees. According to the 2015 Data Breach Investigations Report released by Verizon, no organization is immune to cyber-attacks, regardless of size or industry. Still, according to a 2014 survey, nearly one-third of small businesses take no active measures against these threats. That’s why we created a cybersecurity checklist that no small business should be without.
Here are the key steps that you need to take in order to safeguard data, and quickly detect and respond in the event of a cybersecurity breach. We broke it down into three phases: plan, prepare and assess.
PLAN: Develop policies and processes, and train your employees on them.
- Social Media Policy: Most small businesses rely heavily on social media for marketing and client acquisition, but many still have no social media policy. At a minimum, it should state who may post on behalf of the company and what business and customer information must never be shared.
- Remote Access Policy: Remote access is essential in today’s world of virtual workplaces, so keep proper logs of every remote connection to your network, review them regularly to spot breaches (repeated failed logins, logins at unusual hours or from unfamiliar locations), and limit which sensitive data can be reached over a remote connection.
- Password Policy: Have a password policy that requires passwords to be strong and unique, stored securely (for example in a password manager), and changed promptly whenever a compromise is suspected or an employee leaves. Make sure you do not retain the default passwords that ship with any software or device you use, and enable multi-factor authentication wherever it is available.
- Bring-Your-Own-Device (BYOD) Policy: This is critical if you allow employees to use personal phones, tablets or laptops for work.
- Establish an Internet & Electronic Communications Policy.
- Incident Response Process: Trying to prevent a cyber-attack is important, but how quickly and effectively you respond when an incident does occur matters even more. Have a clearly defined process for incidents of different severity and a list of experts (IT, legal, forensics) whom you can call in the event of a breach.
- Create a Data Inventory: Before you can secure your data, you need an inventory of the sensitive data in your organization, who can access it, and the various means by which access is permitted. (Is data reachable through mobile apps? What about social media? Is any sensitive data stored in a cloud service whose security you have not reviewed?)
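The periodic log review that the Remote Access Policy item above calls for can be partly automated. The script below is an added example and is not part of the original checklist; the log lines are constructed to look like OpenSSH authentication entries in syslog format, and the failure threshold, business-hours window and assumed year are illustrative assumptions. It flags three things a reviewer would want to see: a burst of failed logins from one source, a successful login from that same source right after the burst (a likely guessed password), and successful logins outside business hours.

```python
"""Review remote-access (SSH) logs for signs of a breach.

Added example, not from the original checklist. SAMPLE_LOG is constructed
data in OpenSSH/syslog format; thresholds and hours are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar 14 09:02:11 gw sshd[2201]: Accepted publickey for alice from 203.0.113.10 port 50122 ssh2
Mar 14 09:15:40 gw sshd[2210]: Failed password for bob from 203.0.113.55 port 40210 ssh2
Mar 14 09:15:44 gw sshd[2211]: Failed password for bob from 203.0.113.55 port 40211 ssh2
Mar 14 09:15:49 gw sshd[2212]: Failed password for invalid user admin from 203.0.113.55 port 40212 ssh2
Mar 14 09:15:53 gw sshd[2213]: Failed password for invalid user root from 203.0.113.55 port 40213 ssh2
Mar 14 09:15:58 gw sshd[2214]: Failed password for bob from 203.0.113.55 port 40214 ssh2
Mar 14 09:16:03 gw sshd[2215]: Accepted password for bob from 203.0.113.55 port 40215 ssh2
Mar 14 12:30:00 gw sshd[2300]: Accepted publickey for carol from 198.51.100.7 port 51000 ssh2
Mar 15 02:47:19 gw sshd[2410]: Accepted password for alice from 198.51.100.99 port 60001 ssh2
"""

# Matches "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5                           # assumed: failures per source before flagging
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed office hours
ASSUMED_YEAR = 2015                          # syslog timestamps omit the year


def parse(log_text):
    """Turn raw log text into a list of login events; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return events


def review(events):
    """Return a list of findings, each a dict with kind, ip, user and ts."""
    findings = []
    failures = defaultdict(int)   # failed attempts seen so far, per source IP
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["ok"]:
            failures[e["ip"]] += 1
            if failures[e["ip"]] == FAIL_THRESHOLD:   # flag once, when the threshold is hit
                findings.append({"kind": "brute_force", **e})
            continue
        # A success from a source that already produced a burst of failures
        # usually means a password was guessed, not mistyped.
        if failures[e["ip"]] >= FAIL_THRESHOLD:
            findings.append({"kind": "success_after_failures", **e})
        if not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            findings.append({"kind": "off_hours_login", **e})
    return findings


if __name__ == "__main__":
    for f in review(parse(SAMPLE_LOG)):
        print(f"{f['ts']}  {f['kind']:24} user={f['user']:8} from {f['ip']}")
```

On the constructed sample this reports the failure burst from 203.0.113.55, the password login for bob from that same address a few seconds later, and alice’s 02:47 login from an address not seen before. Real logs also need the year handled across New Year, and the thresholds tuned to your own traffic, so treat the findings as a starting point for a manual look rather than a verdict.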
PREPARE: Once you have documented policies and processes and trained your employees, the next step is to protect your network and devices.
- Invest in an enterprise-class anti-malware suite. Small businesses usually rely on the free security software pre-loaded on their desktops or on consumer-grade products. While these are better than no protection at all, they are inadequate in an environment with multiple employees and multiple devices, because there is no central way to see which machines are unprotected or infected. For a small business without a large IT team or budget, a managed ‘security-as-a-service’ offering is one good option.
- Secure your wireless network. Wi-Fi, while convenient, is more exposed to attack than a wired LAN because anyone within radio range can try to join it. Use WPA2 (or newer) encryption with a strong passphrase, change the default administrator password on the access point, keep its firmware updated, and put guests on a separate network that cannot reach your internal systems.
- Ensure regulatory compliance. If you are in an industry that handles critical data such as health records or credit card data, make sure your business complies with the applicable regulations, such as HIPAA and PCI DSS. A small business will often find it easier to use a call center or payment provider than to train employees and build the security infrastructure needed to handle sensitive customer data. Note, however, that outsourcing does not remove your responsibility: the provider must itself be compliant, and that should be written into your contract.
- Ensure timely patch management. Software vendors release patches as vulnerabilities are identified, and attackers routinely exploit known flaws that were never patched. Apply patches to operating systems, applications, and network devices promptly, and enable automatic updates wherever you can.
- Limit device usage. Today’s mobile phones and laptops can carry your entire customer database, and they are easily lost, stolen, or misused by a malicious insider. Even when your employees are trustworthy, every device that holds sensitive data is another place it can leak from. As a small organization, minimize the number of devices and people that handle critical data, since a breach can result not only in data loss and downtime but also in lasting damage to your reputation. Outsourcing activities such as call answering and payroll processing to professional service providers is one way to keep that data out of your own devices.
- Configure your firewall securely. Block everything by default and allow only the inbound services you actually need; get an expert to do it and err on the side of caution.
- Embrace encryption. Make sure sensitive data is encrypted both at rest and in transit. This is especially important for mobile phones and laptops, which are more likely to be lost or stolen: enable full-disk encryption on them and have software in place that can remotely wipe a lost device.
ASSESS: Finally, even when you are prepared, it is important to regularly assess your security readiness through a vulnerability assessment (at least annually, and after any major change to your systems) and remediate the risks it finds.
While this list may seem daunting, the reality is that no business is ever completely safe. Protect your data to the extent your security budget allows and, at a minimum, meet the regulatory requirements that apply to you. We hope this checklist will be a useful starting point in your cybersecurity journey.