Five Tips on Cyber Security for Startups and Small Businesses
It seems like every week we learn about yet another hacked business exposing their clients’ private information. Is your business protected against hackers? Brian Howell is here to help.
Brian is a business consultant with a background in business process, information security and data analytics. Here are his five actionable tips:
Day after day, headline after headline, we are confronted with the reality of cyber security breaches. It is frustrating and damaging, but it is a reality, both personally and professionally. October is National Cyber Security Month, so here are five tips to consider as you pursue the entrepreneurial dream or run a small business.
1. Recognize that being hacked is generally a "when, not if" proposition.
As many of the headline-grabbing breaches show, the paths attackers take are usually well known: unpatched software vulnerabilities, or social engineering (phishing) aimed at harvesting passwords. Taking a "when, not if" perspective helps you accept that, even if your business does not look like an attractive target, you still need to protect your business, your customers and any partners that take part in your business processes. Automated attacks do not check how big you are before trying a known exploit or a stolen password.
2. Understand what information and assets need to be protected.
Understanding your business and industry will help you identify what information needs to be protected. Information such as business plans, designs, strategy, source code, and financial and human resources records is what any business wants to keep from outsiders; protecting it protects the company itself.
But what information do you hold about customers or prospects that would compromise their business or personal data if it leaked? How can you segregate silos of information so that a breach in one area does not spread to another, for example by keeping customer data in its own system with its own access controls rather than on a shared file server everyone can read? Thinking through what should be protected, and what has to be protected under regulatory requirements, helps you judge which steps you have taken (or still need to take) to secure your organization.
3. Have a plan in place to guard your business from a breach.
Having a plan makes good business sense to guide you as you constantly guard your systems and processes from being breached.
Always harden your environment. This part of your plan covers ongoing management and review of user accounts, routers and other network devices, the IP addresses that reach your systems, and data usage trends. Set up monitoring alerts that are easy to put in place and are neither intrusive nor burdensome, and keep the list short enough that somebody actually reads them.
Better still, alerts may warn you of an attacker who has already started "casing your business" (repeated failed logins, scans of your public services) and show how the attack began. They may also point to areas where further hardening justifies additional investment.
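The kind of low-effort alerting described above, as an added example that is not part of the original article: a small script that reads SSH-style authentication log lines and raises an alert for a burst of failed logins from one address (an attacker "casing" the server), a successful login from an address not on your known list, and the creation of a new local account. The log lines, the threshold of five failures in five minutes, and the known-address list (assumed to be your office or VPN egress address) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an sshd/auth log; not real data.
SAMPLE_LOG = """\
Oct 03 09:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Oct 03 09:12:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Oct 03 09:12:06 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51024 ssh2
Oct 03 09:12:08 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51025 ssh2
Oct 03 09:12:11 web1 sshd[2101]: Failed password for root from 203.0.113.45 port 51026 ssh2
Oct 03 09:14:30 web1 sshd[2140]: Accepted publickey for deploy from 198.51.100.10 port 40212 ssh2
Oct 03 09:40:02 web1 sshd[2190]: Accepted password for deploy from 203.0.113.45 port 51100 ssh2
Oct 03 09:41:15 web1 useradd[2203]: new user: name=backdoor, UID=1003, GID=1003, home=/home/backdoor, shell=/bin/bash
Oct 03 11:00:00 web1 sshd[2300]: Failed password for deploy from 198.51.100.10 port 40300 ssh2
"""

# Assumption: the only address that should log in is the office/VPN egress address.
KNOWN_IPS = {"198.51.100.10"}

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\w+)")


def parse_ts(line):
    """Syslog timestamps carry no year; relative comparison is all we need here."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def analyze(log_text, known_ips, fail_threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts, in the order the triggering lines appear."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    total_failures = defaultdict(int)     # ip -> all failures seen so far
    flagged = set()                       # ips already reported for brute force
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        m = FAIL_RE.search(line)
        if m:
            _user, ip = m.groups()
            total_failures[ip] += 1
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "count": len(q), "at": ts})
            continue
        m = ACCEPT_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if ip not in known_ips:
                # A success from an address that was just failing repeatedly is the worst case.
                alerts.append({"type": "login_from_unknown_ip", "ip": ip, "user": user,
                               "method": method, "prior_failures": total_failures[ip], "at": ts})
            continue
        m = USERADD_RE.search(line)
        if m:
            alerts.append({"type": "new_account", "user": m.group(1), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

On the sample log this reports three alerts: five failed passwords from 203.0.113.45 within ten seconds, a later successful password login for `deploy` from that same address (with the five prior failures noted), and a new account `backdoor` created a minute afterwards. Fed from your real auth log, that sequence is exactly what the "casing, then break-in" pattern looks like, and it needs nothing beyond a cron job and an email.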
What to do when you have been hacked. This part of your plan sets out your steps if your data were compromised. Having thought it through upfront means you already know who will help you identify the scope of the breach, how to shut down the entry point, and who you need to contact (stakeholders, partners, customers, regulators, etc.) and when; many data protection regulations set notification deadlines, so find out which apply to you before you need them.
If tip one holds, you will use some part of this plan at some point. Being prepared helps you not only recover business operations but also keep the trust of your customers despite the breach.
4. Limit your digital footprint. Limit your exposure.
With the number of business applications, SaaS providers and mobile apps that help us manage our businesses (and personal lives), the trade-off is the number of accounts each person and business entity accumulates.
These accounts range from email to social media to the financial and operational side of our businesses and personal lives. Keeping up with that many credentials encourages shortcuts, most commonly reusing one password across several applications, which means a password leaked from one provider unlocks every other account that shares it.
Think twice about whether you need a particular application to run your business and, if you do, whether it is wise to sign up with that particular SaaS provider. What steps have they taken to protect your company or customer data? Look for multifactor authentication support, a published security or compliance page (for example an independent audit report), and clear breach notification terms in the contract.
Additional tips in this context are:
Do not share accounts; give each person their own login so activity can be traced to an individual.
Do not use the same password across multiple applications; a password manager makes unique passwords practical.
Close dormant accounts.
Carefully review, understand and implement service provider security controls.
If available, use multifactor authentication, preferring an authenticator app or hardware key over SMS codes.
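The tips above only work if you know what accounts exist, so the first step is an inventory. As an added example that is not part of the original article, the script below audits a constructed inventory of SaaS logins for the problems the list calls out: logins shared by several people, accounts still reachable by someone who has left, dormant accounts (no login for 90 days), and accounts without multifactor authentication. The services, owners, dates and the set of former staff are all assumptions made up for illustration.

```python
from datetime import date, timedelta

# Constructed account inventory; services, logins, owners and dates are assumptions.
ACCOUNTS = [
    {"service": "Payroll SaaS", "login": "finance@example.com", "owners": ["alice"],
     "last_login": date(2023, 10, 1), "mfa": True},
    {"service": "Marketing tool", "login": "marketing@example.com", "owners": ["bob", "carol"],
     "last_login": date(2023, 9, 28), "mfa": False},
    {"service": "Old CRM trial", "login": "bob@example.com", "owners": ["bob"],
     "last_login": date(2023, 2, 14), "mfa": False},
    {"service": "Cloud console", "login": "admin@example.com", "owners": ["alice"],
     "last_login": date(2023, 9, 30), "mfa": True},
]

# Assumption: people who have left, taken from HR offboarding records.
FORMER_STAFF = {"carol"}

# Higher number = deal with it first.
SEVERITY = {"former_staff_access": 3, "dormant": 2, "shared": 2, "no_mfa": 1}


def audit(accounts, today, former_staff=frozenset(), dormant_after=timedelta(days=90)):
    """Return findings as (severity, service, issue, detail), worst first."""
    findings = []
    for acct in accounts:
        leavers = sorted(set(acct["owners"]) & set(former_staff))
        if leavers:
            findings.append((SEVERITY["former_staff_access"], acct["service"],
                             "former_staff_access", "still accessible to " + ", ".join(leavers)))
        if len(acct["owners"]) > 1:
            findings.append((SEVERITY["shared"], acct["service"], "shared",
                             "one login used by " + ", ".join(acct["owners"])))
        idle = today - acct["last_login"]
        if idle > dormant_after:
            findings.append((SEVERITY["dormant"], acct["service"], "dormant",
                             f"no login for {idle.days} days; close it or confirm it is needed"))
        if not acct["mfa"]:
            findings.append((SEVERITY["no_mfa"], acct["service"], "no_mfa",
                             "enable multifactor authentication"))
    # Sort by descending severity, then by service name so the report is stable.
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


if __name__ == "__main__":
    for severity, service, issue, detail in audit(ACCOUNTS, date.today(), FORMER_STAFF):
        print(f"[{severity}] {service}: {issue} ({detail})")
```

Run against the sample inventory on 5 October 2023 it lists the marketing login that a former employee can still use at the top, then the shared marketing login and the CRM trial nobody has touched in 233 days, and finally the two accounts without multifactor authentication. Replacing the constructed list with an export from your password manager or SSO provider turns this into a quarterly check.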
5. Design business processes and systems with security and controls in mind from the start:
Many times in the startup and small business world, resources (both time and money) are focused on starting the business and getting it off the ground, on the belief that security and other compliance concerns can be addressed down the line. This is a costly mistake on two levels:
The cost of re-engineering a system or process after the fact far exceeds the cost of designing security in at the time of the original development.
There is a strong likelihood that the holes will never be completely fixed, leaving your organization exposed.
Bonus Tip: Be skeptical about what you receive.
If you are not expecting a link or attachment, do not open it, whether it arrives by email, text or social media. This really should not be the "bonus tip," but awareness training and actual breaches tell us over and over that people still click on files that deploy malware to their devices. The result can be immediate, in the form of a ransomware ("crypto locker") attack, or longer-term malware designed to extract user and company data. If in doubt, contact your IT department or vendor for help.
Looking for more targeted advice for your small business?
Send us some info about your needs at our MyPlan page and we will be in touch ASAP with free or low cost connections within our Resource Partner network. Accounting? Hiring? Marketing? Our network has it all.
Brian Howell is a business consultant with a background in business process, information security and data analytics. He is a Certified Information Systems Auditor (CISA) and is the owner of BAR Management Solutions. Find Brian on LinkedIn.