I had the privilege of being on the cybersecurity panel at a recent NHBR event, alongside some wonderful industry experts. As always, cybersecurity is a terrifying and fascinating topic.
One of the key topics discussed was that security is never black and white – it’s not “you have it or you don’t.” It is always about levels of risk – minimizing business risk at a calculated cost (in both dollars and inconvenience).
The Internet has turned our world into an interconnected globe, with data and access unprecedented in the annals of human history. Unfortunately it has also turned into a battlefield for countries who practice espionage and a target-rich environment for criminal organizations.
We have all heard of the breaches at Target, Home Depot, and Sony. We may be less aware of the small business down the street whose data was held hostage by an international cyber attacker, the local school district whose HR files were compromised, or the small town whose online access to its bank account was compromised, resulting in the theft of tens of thousands of dollars.
All organizations hold something of value. Increasingly, small businesses, nonprofits, schools, and towns are the targets of cyber attackers. It isn’t enough to simply keep antivirus up to date and hope for the best. Strategic decisions must be made about investment into security to combat the real and growing threats.
Unfortunately, there is no single thing anyone can do. Any reasonable security model contains literally hundreds of items necessary to combat risks ranging from physical intrusions to infected USB drives to ransomware to phishing emails.
So as a small organization, aware that we are an increasingly vulnerable target, what do we do?
The good news is that there are a few steps that every organization can take to help mitigate growing risk. Here are 5 takeaways:
1. Manage passwords effectively!
There is no excuse not to have complex, unique passwords. Even a strong password can be compromised (so passwords should ideally be supplemented with “two-factor authentication”), but a weak password simply invites being hacked.
2. Ensure your IT team is fanatically disciplined about security.
Ask some questions around patch management, application management, and environment hardening to ensure your IT team is aware and empowered to reduce risk. Reducing cybersecurity risk takes knowledge, discipline, and prioritization.
3. Train your staff.
And then train them again! Staff awareness and training are among the most important things protecting the IT environment. From awareness of phishing emails to sensitivity to social engineering to safe browsing, much of the risk depends on each staff member.
4. Procure cyber insurance.
Policies are relatively affordable and help mitigate losses in case of severe damage or downtime. And the very act of filling in a cyber insurance application provides a high-level audit of IT policies, systems, and controls, which can be very valuable.
5. Follow a security model.
There are fantastic models available from resources like the National Institute of Standards and Technology. Pick one, and follow it.
Of course, we’d love to work with you on your IT security. We believe in a holistic, proactive approach that follows a framework for small and mid-sized businesses. Contact us today to discuss how we might be able to help!