Cyber Security Strategies for Small Businesses
The internet has helped many businesses increase productivity while amplifying their visibility and profitability. For small businesses, the internet has also helped level the playing field and created more opportunities on a local, national and international scale. However, the internet's growing number of benefits comes with a growing threat of cyber attack.
In 2014, small and mid-size businesses were the victims of 60 percent of all cyber attacks, according to Symantec's 2015 Internet Security Threat Report. The average cost of a cyber security incident ranged from approximately $36,000 for U.S. companies with under 100 employees to $102,314 for companies with 1,000 or more employees, as reported in the 2017 Hiscox Cyber Readiness Report.
The Hiscox Report also indicates that nearly half of all U.S. companies surveyed reported taking two or more days to discover a cyber security incident and a little more than half reported taking two or more days to return to “business as usual” after a breach. Yet, 20 percent of small businesses also reported making no changes following a cyber security incident.
So while it may initially surprise small businesses that hackers would spend their time on smaller companies, those businesses compound the problem by failing to deal effectively with cyber security's continuing challenges. In some respects small businesses make easy targets because they may lack the robust security needed to keep their own assets safe, as well as those of their larger business associates.
A limited budget should not stop small business owners from carefully considering what they can do to prevent a cyber attack on their organizations. An April article in Property & Casualty offers several steps to help small businesses start protecting themselves.
Step 1 – Create a Security-aware Organization
Begin by developing a formal written information security plan that:
- Identifies security policies and priorities
- Puts in place policies for network security, including the use of company email, social media, mobile technology and the internet
- Spells out clearly how proprietary company information is to be handled and what activities are prohibited on company-owned devices
Next, take inventory of the business's core assets and sensitive data, noting which employees have access to them and where they are stored. Finally, train employees on basic security practices, including phishing awareness and how to recognize and avoid certain websites, emails and phone calls.
Step 2 – Safeguard Sensitive Data
- Provide encryption for laptops, desktops and mobile devices
- Consider outsourcing security management to cloud-based providers
- Require that default passwords be changed to complex ones, which must then be changed every 90-120 days
- Use VPN access for employees who work remotely
- Ask vendors who are entrusted with sensitive data to clarify their specific controls
Step 3 – Establish an Incident Response Plan
To be prepared for a security breach, small businesses should develop a plan that details how the company will respond to and manage the effects of a cyber attack. Companies need to limit the damage and reduce recovery time to limit the cost. Savvy staff need to be involved to help identify possible problems and outline procedures for eradicating the root cause and restoring software and data.
Lastly, companies may want to consider comprehensive cyber insurance, depending on the nature of their business. At the very least, there is value in working with an insurance carrier and providing details of the incident response plan as part of a best practices approach.
Property & Casualty 360. "3 Steps for Better Cyber Security that Won't Break the Bank." April 2017, pp. 16-17.