You don’t have to look far to see the repercussions of a business’s failure to protect sensitive information. Equifax, Adobe and Target, among many others, have been victims of significant data breaches that hurt their reputations and bottom lines.
Indeed, failures in cybersecurity countermeasures have significant costs for businesses. In the U.S., cyberattacks cost small businesses more than $8,000 annually, on average, according to Hiscox. That’s enough to dent a large hole in any small business’s cash flow.
We’ll share 17 ways to protect your sensitive information from a cyberattack. Rather than focusing on the technical aspects, we’ll look at how to educate your staff and create a culture of cybersecurity across your business. Then, we’ll explore three primary attack vectors used by cybercriminals and explain the merits of cybersecurity insurance.
Cybersecurity starts at the top of the business. Your staff will be compelled to make cybersecurity a priority only if it’s important for the organization as a whole.
To create an effective cybersecurity plan for your business, first you need to carry out a cyber risk assessment that lists what is valuable and may be vulnerable to theft. Then, you must understand how your current IT infrastructure and your co-workers could help enable such an attack.
Once you understand the specific cyber risks, implement plans and procedures to protect against these vulnerabilities. If you don’t have an IT department at your business, it’s wise to hire an outside expert to help you create and implement a plan. It might cost money now, but it could save your business in the long run. A consultant may recommend that you establish an annual cybersecurity budget for equipment, software and training.
Here are 17 important cybersecurity best practices to follow.
Any cybersecurity expert will tell you that, no matter how stringent your firewalls are or how much your IT equipment costs, the biggest vulnerability to your business is not the technology itself. Instead, 88 percent of all data breaches result from mistakes by employees, according to Tessian.
That’s because your staff is either unsure what to do when confronted with a particular circumstance or they don’t perceive it as a threat. For example, a request to click a link in an email to reset an account experiencing “unusual activity” is likely an attempt at cyber extortion, as is an allegedly internal call from IT asking for a user’s password.
In your training, emphasize that the most significant risk comes from criminals trying to trick your employees into doing something, rather than from people hacking into the company’s Wi-Fi. The key is to teach them the signs to look for and, when something seems wrong, what they need to do about it.
Monitor how your staff does post-training, and encourage managers to give feedback. When someone does spot and prevent an attack, celebrate it among your team and reward them.
Regardless of how much you trust your employees, it’s wise to use internal controls to limit your risk of employee fraud. Otherwise, employees could misuse company funds or steal customer information.
Limit each employee’s access to the information they need for their job. Make sure your systems log the information each employee accesses. Segregate duties so that no single employee holds too much responsibility. For example, instead of having one employee both make purchases and review expense reports, split those tasks between two employees.
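The three controls above (least-privilege access, logging every access decision, and segregation of duties) can be checked mechanically. The following is an added example, not code from the article: it assumes a small role-to-permission model and a list of duty pairs that one person must never hold together, then reports which users violate that rule and records each authorization decision in an audit log.

```python
"""Least privilege and segregation-of-duties check (added example).

ROLE_PERMISSIONS and CONFLICTING_DUTIES are constructed for illustration;
a real deployment would load them from its access-control system.
"""

# Assumed role model: each role grants a small set of permissions.
ROLE_PERMISSIONS = {
    "purchaser": {"create_purchase_order"},
    "approver": {"approve_expense_report"},
    "payroll": {"view_salaries", "run_payroll"},
    "support": {"view_customer_contact"},
}

# Assumed conflicting duties: holding both sides lets one person both
# spend company money and sign off on that spending.
CONFLICTING_DUTIES = [
    ("create_purchase_order", "approve_expense_report"),
    ("run_payroll", "approve_expense_report"),
]


def effective_permissions(roles):
    """Union of the permissions granted by a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def segregation_violations(assignments):
    """assignments: {user: [roles]} -> list of (user, duty_a, duty_b) conflicts."""
    violations = []
    for user, roles in sorted(assignments.items()):
        perms = effective_permissions(roles)
        for duty_a, duty_b in CONFLICTING_DUTIES:
            if duty_a in perms and duty_b in perms:
                violations.append((user, duty_a, duty_b))
    return violations


def authorize(user, roles, permission, audit_log):
    """Default-deny check that records every decision (allowed or not)."""
    allowed = permission in effective_permissions(roles)
    audit_log.append(f"{user} {'ALLOW' if allowed else 'DENY'} {permission}")
    return allowed


# Constructed sample assignments: dana wrongly holds both purchasing and approval.
SAMPLE_ASSIGNMENTS = {
    "dana": ["purchaser", "approver"],
    "eli": ["purchaser"],
    "fay": ["approver", "support"],
}

if __name__ == "__main__":
    for v in segregation_violations(SAMPLE_ASSIGNMENTS):
        print("segregation-of-duties violation:", v)
    log = []
    authorize("eli", SAMPLE_ASSIGNMENTS["eli"], "view_salaries", log)
    print("\n".join(log))
```

Running the check on each change to role assignments (for example in a nightly job) turns the policy in the paragraph above into something that is enforced rather than merely written down.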
Cybercriminals are a curious mix of devious and ingenious. The rewards of a successful hack can be so great that they will work for weeks or months to find “zero-day vulnerabilities,” previously unknown flaws that let them sidestep the internal security workings of a popular program and infiltrate companies’ computer networks.
No app or software is 100 percent secure at the time of launch. Loopholes and exploits are found all the time, and in response, vendors release patches and updates to protect their clients. As part of your new cybersecurity policy, ensure that every time a vendor releases a patch, you update your version of the software the same day.
If your vendor no longer supports a product, this represents an escalating probability of disaster. In this case, switch to an alternative that is supported.
Computer security experts have advised consumers and businesses for decades to choose secure passwords for logging in to computer networks, online accounts and business apps. This is still superb advice.
To take more control of this, consider instituting centralized password management across your business. In addition, use multifactor authentication (for example, a fingerprint or other biometric factor) as a second line of defense.
Business Wi-Fi is not as safe as you might think. Although it’s getting faster, especially since the release of the 802.11ax standard, it’s only as secure as the protocols you put in place.
Here are some tips for protecting your wireless networks:
Encryption transforms data into something called ciphertext, which is indecipherable to anyone without the encryption key. Data exists in three states: in transit (data that’s moving from one place to another), in use (data that’s being processed by a device) and at rest (data that’s stored and not currently being used).
All three types of data are at risk, so it’s better to use encryption across your entire network, including cloud connections, so that if a breach were to occur, a hacker would not be able to make sense of the data.
In a ransomware attack, a hacker will hold your computer network, data or both hostage until you pay them. If your data exists only on your internal network, you are vulnerable to a ransomware attack. Even if you do pay up, there is no guarantee that they will release your data; they may still destroy it or distribute it for all to download online.
If you back up your data every day and a ransomware attack occurs, it is still serious. However, your IT team or contractor can work to regain control of the PCs without worrying that doing so will destroy the only copy of the data. When the problem has been solved, your IT team or contractor can safely load the software and data back onto your network.
Cyberattacks can be very costly for businesses. In addition to losing valuable information, companies must pay up to remedy the problem and often lose revenue as a result of reputation damage. According to IBM Security, the global average cost of a data breach was $4.45 million in 2023.
Many companies want to keep their data on physical hardware on company premises, but more businesses are switching to storing data exclusively in the cloud or using a hybrid approach. Cloud services automatically back up your data online every time you or a colleague takes an action.
Cloud encryption is often far superior and harder to crack than any internal solution you have to protect your on-premises networks, thus affording your data an even greater degree of security.
Cyberattacks may be a more common threat, but lost or stolen documents can be just as bad. Whenever documents contain sensitive information, it’s important to keep them safe from prying eyes. Store documents in a locked file cabinet or room that only your most trusted employees can access. Dispose of documents by running them through a shredder.
Consider allowing only authorized devices to log on to your network, cloud and software. That way, staff can still store and transfer information via laptops, smartphones, tablets and flash drives, and if you operate a bring-your-own-device policy, colleagues still have the access they need.
But if a device is lost or stolen or a member of your team who regularly uses a device to log in to your system moves to a new employer, you can remove that device from your inventory permanently.
The more information you collect about your customers and employees, the more you need to protect them. Companies often save more information than is necessary, and their customers are the ones who suffer if a data breach occurs.
To limit what hackers could steal, save only the information you absolutely need to run your business. This is called data minimization. If you need information only temporarily, get rid of it properly after you’ve used it.
For business expenses, the best and most secure payment method is a business credit card. Most will have zero-liability fraud protection, and if you need to dispute a transaction, you won’t lose any money during that process. You can set spending limits on employee cards and receive immediate notifications of transactions via text alerts.
Any payment method has its risks, but credit cards have the most safeguards and security features. Security isn’t the only benefit of business credit cards; they also provide detailed expense reports and the opportunity to maximize your travel rewards.
Any employee account is a potential portal for a hacker to your most valuable information. To protect your business from employee account compromise, analyze account logs and login behavior and set rule-based alerts. In doing so, you can identify unusual login attempts, which often indicate a hacker inside the account.
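What “rule-based alerts” over login logs look like in practice, as an added example that is not part of the article: the script below parses a handful of constructed authentication log lines (the format, thresholds, business hours and per-user “known countries” are all assumptions for the example) and raises an alert for a burst of failed logins, a success that follows such a burst, an off-hours login, and a login from a country the user has never used before.

```python
"""Rule-based login anomaly detection over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <user> <SUCCESS|FAIL> <source-ip> <country>"
SAMPLE_LOG = """\
2024-03-04T08:58:12 alice SUCCESS 203.0.113.10 US
2024-03-04T09:02:41 bob SUCCESS 203.0.113.11 US
2024-03-04T23:14:05 alice SUCCESS 198.51.100.7 RO
2024-03-04T23:14:20 carol FAIL 198.51.100.9 US
2024-03-04T23:14:25 carol FAIL 198.51.100.9 US
2024-03-04T23:14:31 carol FAIL 198.51.100.9 US
2024-03-04T23:14:37 carol FAIL 198.51.100.9 US
2024-03-04T23:14:44 carol FAIL 198.51.100.9 US
2024-03-04T23:15:02 carol SUCCESS 198.51.100.9 US
"""

# Assumed tuning values; real ones come from your own baseline.
FAIL_THRESHOLD = 5                    # failures per user inside the window
FAIL_WINDOW = timedelta(minutes=10)   # sliding window for counting failures
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 treated as normal

# Assumed baseline: countries each user has logged in from before.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "country": country})
    return events


def detect_anomalies(events, known_countries):
    """Apply the four rules in time order; returns (rule, user, ip) tuples."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures in the window
    burst_flagged = set()              # users already alerted for a burst
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        # Drop failures that have aged out of the sliding window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
        if e["result"] == "FAIL":
            recent_fails[user].append(ts)
            if len(recent_fails[user]) >= FAIL_THRESHOLD and user not in burst_flagged:
                alerts.append(("BRUTE_FORCE", user, e["ip"]))
                burst_flagged.add(user)
            continue
        # Successful login: a success right after a failure burst is the
        # strongest signal of all, so check it before the weaker rules.
        if recent_fails[user]:
            alerts.append(("SUCCESS_AFTER_FAILURES", user, e["ip"]))
            recent_fails[user] = []
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_LOGIN", user, e["ip"]))
        if e["country"] not in known_countries.get(user, set()):
            alerts.append(("NEW_COUNTRY", user, e["ip"]))
    return alerts


def run_sample():
    """Run the rules over the constructed log."""
    return detect_anomalies(parse_log(SAMPLE_LOG), KNOWN_COUNTRIES)


if __name__ == "__main__":
    for rule, user, ip in run_sample():
        print(f"ALERT {rule}: user={user} ip={ip}")
```

Each rule is deliberately simple and explainable, so an alert can be investigated quickly; the value is in combining them (a password-guessing burst followed by a success from a new country at 11 p.m. is worth a phone call to the employee), not in any single threshold.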
In all your job contracts, include text that forbids your employees from sharing certain types of information. Every time an employee shares information, they transmit data through a channel that, even if highly secure, could theoretically be breached. If this information isn’t shared in the first place, it can’t be accessed.
You always need to be prepared for a worst-case scenario. How you respond to security incidents can be the difference between a minor data loss and a costly breach. Your plan should include the following steps:
A cybersecurity program can protect your business from malware and other threats. Look for a paid program that can secure your network and every device on it. The money you spend is well worth it, as a breach could cost you much more. Once you have your cybersecurity program in place, install all updates immediately.
For example, in recent years, machine learning tools have been successfully used to stop spear phishing attacks. The money you spend to protect your staff from exposure to phishing and other extortion attempts will be a good investment.
The 2017 Equifax breach, which affected 143 million people, occurred because the company failed to update Apache Struts, according to sources who spoke to Bloomberg.
The nature of cybersecurity threats changes constantly as new attack vectors are identified and exploited. Run a cybersecurity risk assessment at least once a year to check that your previous assumptions are still true. Ask yourself whether the ways you currently deal with them are effective.
For newly identified threats, use the same approach to identify what’s valuable and vulnerable to those threats and the best way to defend it with your technological and human firewalls.
Businesses face many types of threats, including ransomware, phishing, data leaks, hacking and insider threats. Here’s more about some of the threats businesses face:
Phishing is an attempt to trick users into revealing sensitive data. It usually involves an email designed to look like an official communication from a legitimate, reputable company, but the email asks the recipient to log in to an account or share information to supposedly prevent something drastic from happening. This information then goes not to the reputable company but to the bad actor. You’re best off not responding, no matter how legitimate the email looks.
To determine whether an email is a phishing attempt or a legitimate communication, check the address it was actually sent from, not just the display name. It’s easy to skip this when you receive an alarming email, but the one second it takes can strongly protect your business. And if you’re still not sure whether the email is legitimate, call the company that allegedly sent it, using a phone number you already have rather than one in the email.
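The sender check described above can be automated at the mail gateway or in a helpdesk tool. The following is an added example, not code from the article: it uses the Python standard library to pull the real address out of a From header, compares its domain against a list of domains the business trusts (the `examplebank.com` entry and the sample headers are constructed), and flags the common tricks: a lookalike domain, a display name that claims a trusted brand while the address does not match, and a Reply-To that diverts replies elsewhere.

```python
"""Sender-address checks for suspected phishing (added example)."""
from email.utils import parseaddr

# Assumed for the example: domains the business knows its vendor really sends from.
TRUSTED_DOMAINS = {"examplebank.com"}


def parse_sender(header):
    """Split a From:/Reply-To: header into (display name, address, domain)."""
    name, addr = parseaddr(header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain


def is_trusted(domain, trusted):
    """Exact trusted domain or a subdomain of one (mail.examplebank.com)."""
    return domain in trusted or any(domain.endswith("." + t) for t in trusted)


def check_sender(from_header, reply_to=None, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    name, addr, domain = parse_sender(from_header)
    if not domain:
        return ["no parseable sender address in From header"]
    if not is_trusted(domain, trusted):
        findings.append(f"sender domain '{domain}' is not a trusted domain")
        for t in trusted:
            brand = t.split(".")[0]
            # Lookalike: trusted brand embedded in an unrelated domain,
            # e.g. examplebank-verify.com or examplebank.com.attacker-example.net
            if brand in domain:
                findings.append(f"domain '{domain}' imitates trusted domain '{t}'")
            # Display name says "Example Bank" but the address is somewhere else.
            if brand in name.lower().replace(" ", ""):
                findings.append(f"display name '{name}' claims '{t}' but address is '{addr}'")
    if reply_to:
        _, r_addr, r_domain = parse_sender(reply_to)
        if r_domain and not is_trusted(r_domain, trusted):
            findings.append(f"Reply-To '{r_addr}' goes to untrusted domain '{r_domain}'")
    return findings


# Constructed sample headers for a quick demonstration.
SAMPLES = [
    ("Example Bank Support <alerts@examplebank.com>", None),
    ("Example Bank <security@examplebank-verify.com>", None),
    ("Example Bank <no-reply@mail-service.net>",
     "help@examplebank.com.attacker-example.net"),
]

if __name__ == "__main__":
    for from_header, reply_to in SAMPLES:
        result = check_sender(from_header, reply_to)
        print(from_header, "->", result or "looks legitimate")
```

The check answers only the question the paragraph poses (does the address match who the email claims to be?); it does not prove an email is safe, since a trusted domain can itself be compromised, which is why the fallback of phoning the company still applies.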
Research from the University of Pittsburgh found that about 1 in 10 laptops will be stolen, and 98 percent of those will never be recovered. A stolen laptop, if not password-protected, gives anyone who uses it full access to your information.
This security threat is easy to avoid: Always keep your password-protected laptop with you or within sight.
When you password-protect your Wi-Fi network, you make it far harder for hackers to steal your information. Without that protection, computer-savvy unauthorized network users can intercept any information, including credit card numbers and passwords, that you transmit via your Wi-Fi network.
Use a combination of strong passwords, multifactor authentication and endpoint security to help prevent security breaches.
Many small and midsize businesses now include insurance in their cybersecurity budget. There are many options, and most business owners choose either cyber liability insurance or data breach insurance. Note that these are different from general cyber insurance policies.
Here’s a quick guide to what each type of policy covers:
| Coverage | Cyber liability insurance | Data breach insurance | General cyber insurance |
|---|---|---|---|
| Electronic data breach | Varies | Yes | Yes |
| Data theft or loss not from computers, like printed documents | No | Yes | Varies |
| Business interruption due to a cyber event | Varies | No | Yes |
| Cyber extortion, like ransomware | Varies | No | Yes |
| Cost of notifying affected parties | Yes | Yes | Varies |
| Reputation damage mitigation (PR) | Yes | Yes | Varies |
| Legal advice costs | Yes | Yes | Varies |
| Data recovery costs | Varies | Varies | Varies |
| Legal defense costs | Yes | No | Varies |
| Settlements or judgments | Yes | No | Varies |
| Regulatory fines for noncompliance | Yes | No | Varies |
| Liabilities from network security breaches | Yes | No | Varies |
To choose the policy that’s most suitable for your business, you need to run your own internal cyber insurance risk assessment. You’ll be able to reuse much of the information from the risk assessment you carried out prior to implementing your company procedures.
In your initial risk assessment, you already identified your key assets and major threats. Also keep these considerations in mind:
Preventable security issues have brought down many small businesses. Although you can’t eliminate the possibility of data breaches or fraud, with the right security practices, you can reduce their likelihood and minimize the damage if one does occur.
Max Freedman contributed to this article.