5 Cybersecurity Questions Small Business Owners Must Consider
If you’re like most small business owners, cybersecurity is probably a big question mark. The digital world is constantly evolving and it’s hard to keep up. For small and medium businesses (“SMBs”), meaning companies with 1-999 employees, the statistics are alarming. While you’re busy doing what you do best and running your small business, hackers are actively trying to find new ways to breach your company. They want to compromise your systems, steal your data and profit from the damage they cause you. Even worse, this damage is “life-threatening” for small businesses: 60% of SMBs that are breached go out of business within six months, and it is estimated that more than half a million SMBs shut down each year because of cybersecurity breaches. To address this substantial risk, your business is in a bind: it wouldn’t be cost-effective to pay for full-time IT security personnel or expensive consulting firms, but you know you need to address an issue that could decide your company’s future. If you’re a business owner who understands the importance of cybersecurity and wants to see what you’re up against, here are five questions to consider.
Ask Yourself These 5 Cybersecurity Questions
1. Are your employees your first line of defense… or are they holding the door open for hackers?
As a small business, the percentage of employees who have access to business-critical data and systems is much higher than at a corporate giant. This means more than ever, your employees are your first line of defense. If one of your employees is breached, it’s much more likely they have access to sensitive information than one of the tens of thousands of employees at a Fortune 500 company. So cybersecurity is “all hands on deck” for your small business — is your entire team prepared for this responsibility? We recommend holding regular training seminars and sending frequent security bulletins to keep employees in the know about the latest threats. If they don’t know what to look for and how to react, they might inadvertently expose your company to any number of harmful IT risks.
2. What are you doing to prevent a breach from happening at all?
In the news, you only hear about breaches after they happen. Of course, it isn’t front-page news when a breach doesn’t happen! That doesn’t mean diligence isn’t important. What is your company doing to prevent these risks from ever materializing? Installing up-to-date antivirus software on all your employees’ devices is a great start. However, it’s only the beginning of the complete prevention strategy you need to have. Do you have the right IT processes and policies in place, and if so, do you know how well your employees follow them? Do you have a regular employee training and IT risk prevention program? Have you restricted access to sensitive data to appropriate personnel only? These are all questions your business must consider to ensure a disaster isn’t on the horizon. You should have policies in place that maintain security over time, and you should plan regular audits to make sure your plan is working.
3. If a breach does happen, how will you handle it? Have you planned for the worst?
Despite your best efforts to fend off hackers, sometimes they make it through. They’re quite crafty and invent new techniques every day. Are you prepared to react if a breach does happen? Based on what data was lost or which system was compromised, how will your business proceed? Do you have cyber liability insurance or a validated backup of your data? When a breach happens, it’s important to react with speed and authority. When Equifax was breached in 2017, the company’s reputation suffered significant damage, in large part because of the manner in which it addressed the situation. Perhaps Equifax could have avoided a breach altogether if it had the appropriate policies in place, and it could have reacted with more poise if it had an advance plan for what to do. (Fox Business described it as “a story of crisis response gone very, very wrong.”) Per CNN Tech, Equifax was aware of the security flaw for two whole months before hackers exploited it to access data. In the CNN article, a security expert called the way Equifax addressed the security flaw a “systemic failure of process.” Of course, this is partially a PR question, but it’s also a matter of closing the breach, convincing customers the right systems are in place to avoid the same situation in the future, and resuming normal business operations as soon as possible. If a critical breach like this happened to your business, could you recover?
4. Are your systems and software exposing your business to any security risks? Is your sensitive data protected?
You now have more useful software and data at your disposal than ever before. Since these technologies can give you a powerful competitive advantage, you’re probably using a wide variety of software, cloud applications and devices. Each of these is a potential doorway into your company. For example, all the benefits of cloud applications are paired with comparable risks. Cloud applications are great for employee productivity: staff can access their work from anywhere and collaborate with their colleagues more seamlessly than ever before. But storing data in the cloud carries risks that storing it the “old-fashioned way” on your local network did not. This doesn’t mean you should go back in time a decade and close up all your cloud access and collaboration applications. It’s just important to ensure your sensitive data is secured. Consider conducting “penetration tests” and vulnerability scans to confirm your internal and external system access is protected. If hackers gain access to internal emails about organizing an employee’s retirement party, it’s probably not the end of the world. But it’s a different story if they get their hands on customer financial information, proprietary business processes, or trade secrets that give your company an edge. Your company should have some basic cybersecurity principles in place and processes to audit adherence to these practices. Examples of such principles are granting employees access only to the data and applications they absolutely need, prohibiting open access to networks that also store sensitive data, and preventing employees from emailing sensitive attachments to people outside your company. Defining these policies and sticking to them will give you more peace of mind that your business is protected.
5. Do you have a plan in place for ongoing oversight of your company’s cybersecurity?
It’s not enough to perform an audit of your cybersecurity every now and then. Your business needs to commit to a cybersecurity program involving IT policies and employee education to stay safe going forward. Companies are too often reactive, responding only to breaches that have already occurred. Cybersecurity has to be a proactive focus; the stakes are too high to merely wait and hope you’re protected. After you initially audit your cybersecurity and determine your risk exposure, prioritize a list of policies and processes you’ll need to stay compliant. Ensure your employees and vendors are on the same page. Establish routine audits and other measures to evaluate adherence to your cybersecurity policies. And once again, employee education is the most important piece of a cybersecurity strategy. The best enterprise cybersecurity policies won’t protect you if your employees are exposing your business to risks.
What Should You Do?
As a small business owner, you may not know the answers to these questions yourself. Ask your IT staff, vendors, or whoever is responsible for managing IT in your business. Whatever the answer, do something. It is time to be proactive and develop an understanding of where you stand from a cyber risk standpoint. It’s imperative to consider your exposure to cyber risks and plan accordingly before a breach ever happens. To learn more about IT Ally™ and our comprehensive set of IT Effectiveness Assessments, please schedule a 30-minute consultation with one of our key advisors.