I have limited time and budget; how do I get started?
The Internet has been a huge boon for business in recent years, helping companies of all kinds reach unprecedented levels of productivity, profitability and visibility. Yet, along with the Internet’s many benefits comes the real and growing threat of cyber attacks that can put a business’s revenue, reputation and customers in peril.
Cyber security is a concern for businesses of all sizes, but small and midsize businesses (SMBs) are particularly vulnerable. SMBs were victim to 60 percent of all cyber attacks in 2014, according to Symantec’s 2015 Internet Security Threat Report, and that trend is expected to continue.1
This may surprise SMBs who believe hackers wouldn’t waste their time on a business their size, but cyber criminals can now launch automated attacks upon thousands of businesses at once and profit from economies of scale. SMBs make easy targets because they often lack the robust security that can keep hackers at bay. This not only puts the SMB’s information assets at risk, it can provide an electronic gateway into the networks of larger companies with which the SMB does business.
SMBs may not fully appreciate their Internet risk exposure, nor have the time, money or expertise to invest in the sophisticated technologies and internal programs that their big business counterparts are able to afford. But there are steps SMBs can take to improve security and mitigate their potential financial loss even with a limited budget. These three controls are a good place to start.
1. Build a Security-aware Organization
Cyber security isn’t just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures that are sanctioned by the business owner or a team of senior managers, conveys to employees the importance of information security and the need for their collective effort to protect the company’s assets.
Security-aware organizations have the following key components in place:
- A written information security plan that identifies the organization’s security policies, goals and priorities. At a minimum, set forth policies for network security; use of company email, social media, instant messaging and the Internet in general; the handling of proprietary company information; and activities that are prohibited on company-owned devices, networks and other resources.
Many state regulators request written information security plans when investigating organizations that have experienced a security breach. Having a plan in place not only establishes internal policy for employees, it can also demonstrate to regulators and customers that security is a priority for the organization.
- An inventory of the business’s core assets and sensitive data, where it is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.
- Access control. Limit access to computers, company networks and confidential data based on an employee’s need to know.
- Employee training programs. Workplace security depends upon a workforce that is trained in company protocol, alert to the signs of a potential breach and knows how to respond. Training on basic security practices and policies is essential. Phishing awareness exercises can further help employees recognize and avoid email, websites and phone calls that are designed to infiltrate company systems or steal personal information.
2. Establish Security Safeguards
The following baseline measures are recommended to help safeguard SMBs’ sensitive data from unauthorized access and use:
- Encryption for laptops, desktops and mobile devices. Encryption encodes information so that only the person (or computer) with the key can decode it. While it is not a full security solution, encryption remains highly recommended for all devices, especially those that contain sensitive information. Most newer model mobile phones and tablets come with auto-encryption software pre-installed. Many privacy and consumer protection statutes also recognize the importance of encryption in protecting customers’ information and provide safe harbors within the statutes to incentivize businesses to adopt the control.
- Cloud service providers. Outsourcing security management to cloud-based providers is an increasingly viable alternative to an in-house security program. Cloud providers offer expertise in identity and vulnerability management that the SMB needs but often lacks while helping to lower the SMB’s operating costs. However, SMBs should negotiate with providers to ensure they get the security and privacy services that best serve their company’s protection needs.
- Password protection and authentication controls. Passwords are the primary means for controlling access to sensitive data resources. Change default passwords and require complex passwords with a variety of types of characters that must be changed every 90-120 days. Multi-factor authentication may be required depending on the type of data being accessed or the source (such as remote users).
- VPN (virtual private network) for remote access. For organizations with remote users, VPN provides a secure channel through the Internet to the SMB’s private network. VPN controls include encryption of all data that is transmitted over the channel, multi-factor authentication, strong passwords and automatic timeouts after a period of inactivity.
- Vendor security. SMBs need assurance that any vendors with which they share company information makes security a priority. Before entrusting your data to a third party, get in writing the vendor’s specific controls for protecting sensitive information and augment them with additional controls if necessary. Also require the vendor to return or destroy all sensitive information upon termination of the contract.
3. Prepare for the Worst
A security breach is a near certainty for businesses today – more a matter of when, not if, one will occur. For SMBs, preparedness is key to surviving the fallout.
An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. All SMBs should prepare an IRP that includes the following components:
- Identification of an incident response team that includes, at minimum, security staff who are system-savvy and a manager authorized to make decisions on behalf of the business
- Clear delineation of possible incidents (such as unauthorized access or malicious code) and how to identify and contain them based on the business impact (confidential customer data vs. intellectual property)
- Procedures for eradicating the root cause of the attack and all traces of malicious code, restoring data and software, and monitoring systems for any remaining signs of weakness
Always work with your insurance carrier to ensure that any procedural requirements for coverage are integrated into your final plan.
Find an Insurance Carrier that Provides More than Just Coverage
Having appropriate cyber insurance coverage is just as important as having best practice-based policies and procedures in place. Partnering with the right insurance carrier can help SMBs proactively improve their cyber security posture and reduce financial losses. Experienced carriers like The Hartford provide full breach risk management solutions to help SMBs prevail in the face of an inevitable security event.
Publicly Available Resources
These resources provide in-depth information that can help SMBs develop cyber security policies, plans and procedures to keep their business safe:
National Institute of Standards and Technology (NIST) Cybersecurity Framework
“Security and Privacy Controls for Federal Information Systems and Organizations,” NIST Special Publication SP 800-53
“SANS: 20 Critical Security Controls You Need to Add,” Network World, October 13, 2015
About the Author
Tim Marlin is head of cyber underwriting for The Hartford. He has over 15 years of cyber, technology errors and omissions, professional, and management liability insurance. Tim can be reached at firstname.lastname@example.org.