You’ve probably heard the warnings and the statistics over and over and over—but Hala Furst still believes these facts about cybersecurity attacks bear repeating:
- One in five small and mid-sized businesses were hit between 2014 and 2016.
- On average, $32,000 is stolen or lost in an attack.
- There are 430 million types of malware online—up 40 percent from just three years ago.
But this last statistic is where Furst, cybersecurity liaison for the U.S. Department of Homeland Security (DHS), hopes small businesses will realize the importance of cybersecurity: Roughly 54 percent of security breaches are caused by human error.
“A lot of people think they’re too small to matter,” said Furst as she kicked off the 2017 Cyber Security Summit in Minneapolis this past October. “But small business partners are carrying more of the risks for breaches when working with larger companies.”
If human error is the main cause of data breaches, then Yan Kravchenko says you should have no reason to need his IT services company, Atomic Data. As chief information security officer for Atomic, Kravchenko observes business owner after business owner failing to take simple, incremental steps toward securing their companies’ networks.
Protecting your data, your customers’ information, and your business partners’ data is no joke, and at the Cyber Security Summit, both Furst and Kravchenko laid out some tips for ensuring top-notch cybersecurity at small businesses.
Your Resources
Furst dedicated her hour-long presentation to the three main cybersecurity resources available to each and every small business in the country:
National Vulnerability Database
First, you’ll want to understand and address common vulnerabilities. The National Vulnerability Database provides several guiding documents and processes for assessing your network’s security.
In particular, SAMATE (Software Assurance Metrics and Tool Evaluation) provides a process for ensuring your network is free from vulnerabilities, which can be either intentionally designed into software or accidentally inserted at any time.
Information Sharing and Analysis Organization
Furst also believes it is in your business’s best interest to join an Information Sharing and Analysis Organization (ISAO), in which businesses share and respond to cyber risks in real time.
“Organizations that share information about cybersecurity incidents play an invaluable role in the collective cybersecurity of small businesses,” she says.
Through public, open engagements, the ISAO Standards Organization develops best practices to align with the needs of any industry group.
U.S. Department of Homeland Security
Of course, Furst would like to highlight the DHS, which provides myriad programs and resources for small businesses. She says several documents available online provide great starting points for assessing a business’s cybersecurity.
In particular, the Critical Infrastructure Cyber Community (aka C³) Voluntary Program supports efforts to enhance critical infrastructure cybersecurity. Members of the community are provided a “C³ toolkit” that outlines the cyber threat landscape, the C³ Voluntary Program Outreach and Messaging Kit, and a hands-on resources guide for ensuring daily cyber protection.
Through these resources, Furst says, your business can develop a plan your employees will buy into and by which they feel protected.
“Cybersecurity is another hat you have to wear on top of everything,” she says. “You need simple steps that are digestible by staff. It needs to be consumable so it doesn’t overwhelm them.”
In fact, Kravchenko dedicated his speech to ensuring small business owners can pull that off.
The DIY Cybersecurity Assessment
Kravchenko wasn’t kidding when he said you have absolutely no reason to use his IT services company, Atomic Data, especially when you consider that an assessment from a third party totals $30,000 on average.
“It’s much cheaper to use common sense and look inward,” he says. “You should [enhance your business’s cybersecurity] yourself with some straightforward steps.”
To encourage just that, Kravchenko developed the Atomic Data DIY Toolkit, which includes additional step-by-step information for the tips listed below. To provide a glimpse into all the offerings of that toolkit, Kravchenko broke down a DIY cybersecurity assessment into three easy steps.
Talk About Security
Cybersecurity is not just an administrative issue—everybody on staff should understand the importance and who’s at risk when cybersecurity is weak.
“Talk about security with employees,” Kravchenko says. “It should be out in the open and discussed at meetings. Employees know how much you care by how much you tell them.”
And one of the easiest ways to ensure cybersecurity is top of mind is developing a security policy that contains concrete guidelines and rules the company must follow.
Form Security Policies
Kravchenko encourages establishing regularly scheduled meetings with IT companies to understand what vulnerabilities are making the news. Then perform ongoing risk management and be aware of potential security breaches.
While the policy should be comprehensive and cover your bases, it should also be brief and to the point so it’s easily consumed by employees. For a sample of a security policy item, see the sidebar provided by Kravchenko.
Sample Security Policy
Policy Item: Email usage.
Description: This policy describes the appropriate usage of email.
Applies to: All employees.
Rationale: Email has become ubiquitous. We require it to conduct our day-to-day business. The company provides email facilities to the employee with the primary intention of conducting company affairs. Although using it for personal purpose is not prohibited, the company will not be held responsible for any repercussions caused by the personal usage of email. Any data maintained on the company's email server remains company property and can be viewed by any authorized company government officiant.
Implementation guideline:
- You must sign the email data confidentiality agreement
- You must not attach any executable file with the email
- The attachments must not be encrypted
Escalation point of contact: In case you need any clarification, or if you feel you’ve violated the email policy, contact the immediate supervisor.
Violation repercussions: Any violation of this policy may result in liabilities, including employment termination, fine, or criminal litigation.
Improve IT
Nine times out of 10, security breaches can be traced back to poorly kept IT.
“Without IT hygiene, there’s little you can do about security,” Kravchenko says.
He says companies (especially small businesses) will rarely spend large amounts of money on IT security—fortunately, you don’t have to. Here are a few basic steps to clean up your business’s IT:
- Document your network. Documentation is key for a solid backup and disaster recovery plan. From private wikis to Excel spreadsheets, it’s important to develop an organized system of recovery.
- Improve password management. This is a habit Kravchenko believes everyone should adopt in their personal lives as well as for their small businesses. Be sure to regularly update your passwords and increase the length and complexity of the passwords. He even recommends considering a password manager that locks and stores passwords.
- Identify where sensitive data lives. You should always identify where sensitive data is stored, from your customer database to banking information to business partner data. Document where all of this information is stored and develop a “data flow map” that will depict sensitive information in all of its forms, origins, paths and exit points.