Cybersecurity for Small Businesses
June 15, 2023
As a small business owner, you may not consider yourself likely to become the target of a cyber-attack. You might think your business is too small for cyber criminals to take notice, or that you don't have anything valuable enough to be worth the effort. However, small businesses, like any other business, have information that is valuable to criminals, including employee and customer records and bank account information. Moreover, small businesses often have fewer resources dedicated to cybersecurity, so criminals don't have to put as much effort into hacking them compared to larger corporations.
Cybersecurity doesn't require a large monetary investment from your business; what it does require is a company culture that embraces and proactively promotes cyber-secure practices both professionally and personally. Studies have shown that companies that engage employees in cybersecurity training both in the workplace and at home experience increased identification of potential threats, reduced incidents, and a greater ability to recover after a cyber-attack.
If you are the owner or CEO of a small business, cybersecurity starts with you. Here are things you should do to help promote cybersecurity in your organization.
Make Cybersecurity Part of Company Culture. Discuss cybersecurity in regular, direct communication with your staff and be sure to outline security initiatives with your leadership. You should stress to your employees that security should be an "all-the-time" consideration.
Select a Security Manager. Once you have goals in mind and your leadership team has set objectives, identify someone in your organization to manage your security initiatives. This person doesn't necessarily need to be a security expert or IT professional; you simply need someone responsible who can spearhead the program and ensure it is implemented as intended.
Create an Incident Response Plan. The Security Manager should draft a written IRP for your leadership team to review. This is your plan of action before, during, and following a security incident. Make sure to involve leaders from throughout your business, not just the security manager and IT team (if you have one). Customize parts of the IRP based on the needs of individual departments.
Keep Your Network Up to Date. Make sure any applications, web browsers, security software and operating systems in your business network are updated regularly. Set antivirus software to run a scan after each update. Make sure your network's systems are protected by a firewall and, if your employees work from home, ensure they follow these same practices with their home system(s).
Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and make strong passwords a requirement. Administrative privileges should only be given to trusted IT staff and key personnel.
Train Your Employees. Promote basic security policies for your staff, such as requiring strong passwords, and establish safe internet usage guidelines. Emphasize to your employees the importance of protecting not only customer data but their own sensitive information. Employees who are encouraged to practice cybersecurity in their personal lives are more likely to prevent cyber-attacks while on the job.
The best protection for any business is knowledge, both for the owner and the employees. Any cybersecurity initiatives should be tailored to your organization's needs, whether that's something more involved like formal training or as simple as a monthly email with tips and tricks. The key is to make cybersecurity a constant consideration for members of your organization.
Many low-cost and free resources are available for businesses looking to get started with cybersecurity training. You can find free training kits from the Cybersecurity Infrastructure & Security Agency, which provide an excellent jumping-off point for business owners who want to keep their employees engaged. Once you get started, you'll find it gets easier to keep security at the forefront of your employees' minds all year long and strengthen your business's defenses against cyber-attacks.
Stephanie Barton is a Senior Vice President and New Tripoli Bank's Chief Information Officer. She has been working for New Tripoli Bank for over thirty years and has overseen the maintenance and upgrading of the bank's digital infrastructure and security.