When I began my work in the cybersecurity space many moons ago my friends and family always asked, “do I need to worry?” My response at the time was, “unless you’re a millionaire, politician, or celebrity, don’t worry about it.” Well, unfortunately, times have changed and we all need to worry about it.
Now some of my friends who own small businesses are asking two different questions. “Do I need to worry about security for my business?” Or, “my clients are asking what security policies and procedures do I have in place. What do I need to do?” That second question tends to come with some panic.
Small to medium sized businesses, in any industry or vertical, absolutely need to be concerned with cybersecurity. It’s a fact of life these days. It’s unfortunate because there are so many other things we need to worry about to keep our businesses afloat and successful, but cybersecurity is also an important consideration. And now more than ever clients and customers are demanding their vendors and partners have adequate security. There’s good news, though: doing the fundamentals of cybersecurity is not that hard or expensive. It’s really not! And satisfying those vendor questionnaires is possible without spending millions of dollars.
Chances are you already have a firewall and anti-virus software in place, which is great — but you also need to go one step further. There are a few fundamentals that are just as important as well. By implementing these fundamentals sooner rather than later, you are more prepared for your company’s growth, which of course comes with even more risk. And, as you grow, you evolve from a “nuts and bolts” security strategy with an emphasis on the fundamentals to a more robust and “enterprise grade” program.
There are a bunch of stats that support this. Here’s one that gets a lot of traction: more than 55%of small businesses got hacked in 2016! This is according to the 2016 State of SMB Cybersecurity Report by the Ponemon Institute. This number is likely much, much higher though – for example, many companies don’t report that this occurred while others might not even know they’ve been a victim.
So, what do you need to do?
First, you need a security policy. You most likely have a company policy or handbook of some sort. Start by implementing security into that. The policy needs to address a few things at a minimum: password procedures, how to handle sensitive data, backing up and updating systems, who has access to what, even physical security can be included. Small companies need to address these issues just as much as the big guys do. And once you have the policy, you need to follow it. That sentence is important! A security policy is the foundation of your cybersecurity efforts.
Second, you need to test your network for holes. They exist – and they can create easy access for hackers. Once the holes are found, they need to be plugged. If you have computers connected to the internet, they are on a network – this means that they are potentially accessible to anyone on the internet. It’s not difficult to ensure your network is safe at smaller organizations – you just need to look for the issues and close them. Vulnerability assessments can be conducted to do this. It’s likewise not expensive to do this, so it’s a really useful starting point.
Third, you need to make every single one of your employees aware of cybersecurity. This means they need to know how they can be safe when at work and at home, when sitting at a computer or on their phones. This may be the most important aspect of security. “Don’t click on any links!” We have all heard this a million times. Suspicious links are important of course, but they are not the only things we need to worry about. Continually train your employees (and yourself!) on the dangers that exist. New dangers and scams pop up every day. Be prepared. This can also be done very simply and inexpensively!
This stuff isn’t hard! It does however take some discipline to make sure that you do it and are keeping on top of it. Much like you change the batteries in the smoke detectors in your house, safety sometimes requires some upkeep. Also, don’t just assume your IT person or IT service provider is doing this stuff. They may be… but unless you specifically ask you won’t know for sure (trust but verify). Annnnnd just because you’re in the cloud, that doesn’t mean you’re fully protected either.
If you made it this far and would like a free assessment to determine if your current IT security program is doing what it needs to, contact us at firstname.lastname@example.org or click here. We will be honest and not sell you on stuff you don’t need. And if the case may be that you really don’t have much risk we will give you milestones on when you should start thinking about it.