Cybercrime. It’s a buzzword that probably conjures images of nefarious characters hunched over a computer screen filled with lines of code or recollections of news stories about attacks at Target, Anthem or Sony. What it doesn’t cause most small business owners in Indianapolis to think about are the threats facing their organizations. Too often, we hear, “I don’t have anything to steal.”
But that isn’t true.
You do have something to steal. You maintain a mix of confidential personal and business information such as employee social security numbers, user names and passwords that cybercriminals leverage for money.
“Who cares about my little manufacturing company?” you may ask. They probably don’t care about the business. What they care about is your bank account and they’re looking for ways to access it.
If cybercriminals electronically steal from your business, and take less than $100,000, the FBI likely won’t help. You’ll need to rely on insurance or absorb the financial loss.
To safeguard your business, reputation and employees you need a strong, comprehensive offense. Following the 7 steps outlined below will create a business protection strategy that safeguards your organization against cybercriminals.
1. Be Proactive to Prevent Cybercrime
The cheese has moved. As Spencer Johnson shared in his classic book, you have to deal with the fact that business has changed – and so has the need to pay attention to your security. You must be proactive to avoid becoming a victim. Anti-virus and a firewall are not enough. There isn’t one single tool that will keep you completely protected.
A true business protection solution will have layers of security and documented processes.
You do NOT want to wait until there is an event. The damage could be permanent and irreversible. Once your cash is gone, you may never get it back. The social security numbers and data you store about employees and clients are a target for cybercriminals who sell them on the dark web.
2. Ask Your IT Team for Business Protection Documentation
Ignorance is not bliss when it comes to security and you should never assume your IT team or managed services provider has you fully covered. Ask for documentation detailing the protection and security tools and policies currently in place for your company.
Word to the Wise: IT support and cyber security, while related, are very different disciplines.
Never assume your IT team “has you covered.” They may not have enough background in security to even know if you’re adequately covered.
Have a trusted third-party security expert review the document to identify potential gaps and risks you should address. You may need to hire a trusted third party for a brief project to review it and provide improvement recommendations. Spectrum offers extensive experience guiding Indiana businesses through this type of review process.
3. Provide Employee Training
Employees represent the weakest link in a business’ security chain. Most breaches and losses occur because people don’t understand the risk and unintentionally do things such as click malicious links.
Cybercrime usually isn’t obvious, and you likely won’t know until after an incident. You must be proactive about training your staff and ensure everyone knows the warning signs. Tactics used by cybercriminals and technologies available to them change rapidly so plan on training your team at least annually.
4. Ask for Proof of Backups
Backups protect your business from data loss and are the best defense against ransomware. You never want to pay a ransom and, even if you do pay, there isn’t a guarantee you’ll get your data back.
If your company would suffer significantly if you lost data, don’t just ask IT if they’ve done backups. Ask them for proof of a successful restore. The risk is too high not to know.
Honestly answer these questions:
- Are your systems backed up?
- How do you know?
- Have you seen any proof recently?
5. Enforce Password Best Practices
Using the same password on multiple sites is not a best practice and you should never document all your passwords in a Word or Excel file. Even if the file is password protected, cybercriminals can easily defeat the protections. Consider using a password management product. This is far more secure than any Word or Excel document you can create.
Here are a few best practices to share with your staff.
- Don’t reuse passwords.
- Don’t save passwords in a file on your device or in the cloud.
- Do have everyone in your organization change passwords every 90 days.
- Do use a password management product that is more secure than encrypted files.
6. Review Your Insurance Policy with an Agent
Like car insurance, how well a cyber insurance policy protects your business depends on the policy. Carefully review policy options before selecting coverage to avoid any “gotchas” or coverage gaps.
Some policies have exemptions such as, “If the issue is caused internally, there is no coverage.” That means if your employee clicks on a link in an email from their work email address that causes widespread outage, there is no coverage because it was caused internally.
Word to the Wise: Most breaches originate within organizations, like employees clicking links.
Do not accept a cyber policy with an exemption for internally caused breaches.
We suggest meeting with an agent to understand the coverages you have in place. You should do this before accepting a policy and if you already have cyber protection.
7. Develop a Response Plan
Document the processes you will follow if you experience a cyber event. Clearly define what you will do and who you’ll call. Just as you have a plan in case of other business disasters, have a plan in place for a cyber situation.
Bonus Business Protection Tip!
Some technology partners you work with have tools that can monitor your business for security threats 24/7. At Spectrum, we offer this service to our clients and can assist with each step outlined above except for conversations with your insurance agent.
Download our free business protection guide and use it to secure your business against cyberattacks. It could save you money – and your business.