A Guide to Computer Security for Small Businesses
According to one report, 43% of cyberattacks are aimed at small businesses, and only 14% of small businesses are well-prepared for such attacks. This lack of preparation may be due to sparser security resources, compared to larger companies. However, considering the potential for loss of revenue, sensitive information, and reputation, it is prudent for a company of any size to invest appropriately in cybersecurity measures. Smaller companies may in fact be at greater risk of long-term, devastating consequences to their business, due to their smaller resource pool.
The Changing Landscape of Cyberthreats
American working culture is going through many significant shifts that are, in turn, having an impact on cyberattack strategies. Prime among these shifts are the rise of remote work, the gig economy, and increasingly common ‘bring-your-own-device’ policies. Furthermore, the COVID-19 crisis has sped up many of these changes in the American workforce, due to the need to maintain social distance and/or supplement income.
The use of personal devices, devices that are not connected to a VPN, and devices that are used for multiple purposes, all constitute potential cybersecurity risks. Yet, they are staples of our changing economy. Therefore, it is more important than ever to assess security risks such as information handled on remote devices, and determine how to securely manage digital infrastructure.
Legal Responsibilities
The legal responsibilities of businesses for data storage and security are still evolving. While the European Union has instituted the GDPR, the United States has no comparable, comprehensive data security legislation at the federal level. Instead, the United States employs a patchwork of relatively modest regulations at the state and federal level, along with sector-specific rules such as HIPAA for health information and PCI DSS for card payments. Therefore, it is important for business owners to research the regulations relating to data storage and security that apply to their state and industry.
Generally, these regulations only require that businesses take “reasonable precautions” against cyberattacks. The meaning of “reasonable precautions” is often lenient toward businesses or left vague, to be interpreted in court after an incident. In practice, however, reasonable precautions typically include secure storage of sensitive data, reliable and documented security controls, and some degree of transparency toward consumers about how their data is handled and protected.
Common Types of Cyberattacks
Cyberattacks can come in all shapes and sizes, but some types of cyberattacks are more common than others. These may include:
- Ransomware: Malware that encrypts a victim's files or locks them out of their systems, then demands payment in exchange for restoring access.
- Phishing: An attack in which the attacker impersonates a trusted person or organization, usually by email, text message, or a look-alike website, to trick the target into revealing credentials or other sensitive information, or into installing malware.
- Advanced Persistent Threats: Long-term, stealthy intrusions in which an attacker maintains undetected access to a network or device over an extended period. The term is most often applied to well-resourced, state-sponsored groups.
- Distributed Denial-of-Service: An attack that uses a botnet of compromised machines to flood a server or network with traffic so that legitimate users can no longer reach it.
- Man in the Middle Attacks: An attacker positions themselves between two communicating parties, for example on an untrusted Wi-Fi network, and intercepts or alters information in transit without either party's knowledge.
- SQL Injection Attacks: An attacker submits crafted SQL through an application input field, such as a login form or search box, that the application pastes directly into a database query, allowing the attacker to read, modify, or delete data they should not be able to access.
- Zero-Day Exploit: An attack that takes advantage of a vulnerability the software vendor does not yet know about, or knows about but has not yet patched, so that no fix is available to defenders when the attack begins.
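To make the SQL injection entry concrete, the following is an added example (not part of the original guide) that contrasts a login check which builds its query by string formatting with one that uses parameterized queries. It runs offline against an in-memory SQLite database with two constructed sample users; the plaintext passwords are for brevity only, and a real application would store salted password hashes.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting: the user's input becomes SQL.

    A username such as  bob'--  turns the rest of the statement into a comment,
    and a password such as  ' OR '1'='1  makes the WHERE clause always true.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver sends input as data, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs a legitimate login and two classic injection payloads through both versions."""
    conn = make_db()
    cases = {
        "valid": ("alice", "correct horse"),
        "comment_out_password": ("bob'--", "wrong"),
        "always_true": ("alice", "' OR '1'='1"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, user, pw),
            "parameterized": login_parameterized(conn, user, pw),
        }
        for name, (user, pw) in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: vulnerable -> {result['vulnerable']!r:8} "
              f"parameterized -> {result['parameterized']!r}")
```

Both payloads log the attacker in through the vulnerable version without a valid password, while the parameterized version rejects them and still accepts the genuine credentials. Parameterized queries (or an ORM that uses them) are the standard fix; input filtering alone is not a reliable substitute.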
How to Assess Risks
Before you choose and/or implement a cybersecurity solution for your small business, you should first do a risk assessment. Thereafter, cybersecurity risk assessments should be repeated on a regular basis to update measures and account for new risks. A general risk assessment usually includes the following steps:
- Take stock of your resources: Consider your finances, personnel, hardware, and software. Determine how these resources can be allocated to cybersecurity and/or whether you need to expand your resource pool to securely manage them.
- Consider the trajectory of your business: Think about how your cybersecurity needs may change based on business growth or other developments.
- Anticipate common threats: Research and understand the most prevalent cybersecurity threats to businesses.
- Identify your high-value resources: Determine what sensitive information your business manages, who has access to it, and how it is accessed and discussed.
- Develop a thorough system of cybersecurity protocols: Research cybersecurity best practices and apply them to the findings from your assessment. Use this to create specific cybersecurity protocols.
- Review and update: Constantly reassess threats, best practices, and your own cybersecurity protocols. Regularly review your cybersecurity measures and consider where there may be room for improvement.
Risk Assessment Tools and Resources
There are many tools and resources available to help you assess cybersecurity risks to your small business, including:
- FCC's Cyberplanner: This resource allows you to compile a personalized cybersecurity plan for your business.
- National Cybersecurity Assessments and Technical Services: This can connect businesses with free vulnerability assessment resources.
- Global Technology Audit Guide: This is a comprehensive guide to cybersecurity risk assessment.
General Risk Prevention Best Practices
Cybersecurity risk prevention best practices include:
- Staying informed about cybersecurity risks: Small business owners should regularly research new cybersecurity risks, as the cybercrime landscape is constantly evolving.
- Determining your legal obligations: It is important to ensure that you cover all of your legal bases first and foremost. Your legal obligations may vary depending on factors such as your location and industry.
- Adopting digital transformation as appropriate: Analog and legacy systems that can no longer receive security updates should be upgraded, replaced, or isolated from the rest of the network so that they fit within your security infrastructure rather than undermining it.
- Updating systems regularly: Apply security patches for operating systems, applications, network equipment, and firmware promptly, and enable automatic updates wherever practical. Most successful attacks exploit flaws for which a fix already existed.
- Securely backing up information: Back up important data regularly to a location that is encrypted and isolated from your production network, such as a reputable cloud backup service or offline media, so that ransomware on an infected machine cannot reach the backups. Periodically test that the backups can actually be restored.
- Managing digital infrastructure: Establishing a well-organized and secure infrastructure will facilitate data management.
- Properly training employees: Many data breaches are caused by employee error. Ensure that employees fully understand cybersecurity protocols.
- Restructuring as appropriate: Buy-in from all levels of the company is vital for proper cybersecurity management.
- Maintaining transparency: Everyone within the company should understand why cybersecurity is important and why diligence is required to ensure there are no lapses in compliance.
- Consulting an expert: Because cybersecurity is so important and complex, it often is very helpful to seek the experience of a cybersecurity expert.
- Integrating security applications: Security applications can help you manage cybersecurity software in a simple and intuitive way.
- Enforcing security protocols: Once established, it is important that security protocols are consistently enforced.
Data Breach Response
In the event that a data breach has occurred, the following basic steps should be taken:
- Secure your access points: Until the breach vector is identified, limit access to sensitive information, disconnect or isolate affected systems, and reset credentials that may have been exposed. Preserve logs and the affected machines rather than wiping them, since that evidence is needed to determine what happened.
- Identify the source of the breach: A major priority throughout the follow-up process is to determine how the attacker got in, what they accessed, and whether they still have access. The source may be identified quickly, or it may take further investigation using the additional steps below.
- Reach out to law enforcement: Law enforcement can help your business investigate the breach. It is also a matter of due diligence to notify the authorities about a breach if it involves sensitive information.
- Reach out to affected individuals: Whether the compromised information belongs to customers, employees, or government entities, it is a matter of due diligence to notify the affected individuals or entities. Note that every U.S. state has a breach notification law, and many set deadlines for this notification, so check the requirements that apply to you early in the response.
- Consult professionals: Cybersecurity professionals can help you investigate the breach and assist you in updating your security protocols to prevent future breaches.
- Interview personnel: Employees may be able to help you identify the source of the breach or may have additional, relevant information.
- Review and update: Conduct a thorough review of your cybersecurity protocols and update them accordingly.
Cybersecurity Resources for Remote Employees
- Society for Human Resource Management: This is a general guide to cybersecurity for the remote workplace.
- MIT Sloan Management Review: This guide explains why remote workers are at high risk of cyberattack, how to assess risks for a remote workplace, and how to develop a cybersecurity strategy for the remote workplace.
- CIO.gov: This outlines cybersecurity best practices in the remote workplace, as identified by NSA and CISA experts.
Resources for Data Breach and Recovery
- IT Disaster Recovery Plan: This resource provides data backup and recovery strategies for a variety of scenarios.
- Data Breach Resources, Federal Trade Commission: This is a series of guides and videos prepared by the FTC to walk data breach victims through what their next steps should be.
- The Hartford: This page explains data breach and cyber liability insurance.
Training Resources
- National Cybersecurity Alliance: This website catalogs a wide range of cybersecurity information and provides access to training programs.
- U.S. Small Business Administration: This page catalogs upcoming cybersecurity training events.
- Cybersecurity & Infrastructure Security Agency: This page directs users to courses and other cybersecurity training materials developed by the Department of Homeland Security.
Government Cybersecurity Resources
- National Initiative for Cybersecurity Careers and Studies: This resource documents major cybersecurity challenges in the U.S. identified by experts in the field.
- National Initiative for Cybersecurity Education: This site provides news and information about events related to cybersecurity.
- Cybersecurity & Infrastructure Security Agency: This site has a series of federally sponsored guidelines to help small-to-midsize businesses manage their cybersecurity.