Developing and implementing a cybersecurity plan has never been as important as it is today, given mounting threats putting small firms in jeopardy.
Forty-three percent of all breaches target small businesses. And there’s a reason, say experts.
Studies show hackers go after small businesses because they know most lack computer systems and data protection. Despite the risks, 83% of small business owners still have not implemented cybersecurity, according to Advisor Smith research.
When hacked, according to a Security Magazine report in May, some 60% of small businesses who become victims of a data breach permanently close their doors within six months after an attack.
“We hear business owners say it’s never going to happen to them because it has not happened yet,” said Soni Lampert, CEO of KLH Consulting in Santa Rosa.
“Some say, ‘Why would we be a target?’” Lampert said. “Our response is, what’s important is finding ways to avoid the high cost of doing nothing, which is greater than the cost of mitigating the risk – especially when it comes to ransomware and the value of lost, highly sensitive or proprietary information. At the same time, we inform them that no security system is 100% bulletproof.”
Backup is essential
“Business owners should assess their vulnerabilities and the potential liabilities they can face. Until a hacking incident occurs, most firms don’t see the need for change. While attacks can cost a lot of money, the true cost is harm to customers and business relationships,” said Sausalito-based security consultant Craig Hancock.
Most of the people he works with have experienced a financial intrusion. “The first question I ask is ‘have you established a backup system – and did you use it.”
A typical hacker is on a random hunting (or “phishing”) expedition to see what perimeter weaknesses can be exploited. The question is what can be done to identify, address and prevent risks to reduce business costs?
“We talk in terms of developing a security strategy involving policies and procedures, providing user education and adopting both basic and advanced security technology that can be implemented now and expanded in layers or tiers over time within the scope of the available budget,” Lampert added.
Special intrusion protection
Intrusion prevention tools often include anti-spam filters, email fraud detection, antivirus software, firewalls, virtual private networks (VPNs), encryption, network intrusion alerts and security monitoring.
Some advanced solutions utilize system behavior engines, penetration testing, packet analyzer scanning, employee monitoring software and offsite managed services. Workers would be watched to determine key computer behavior such as application use, websites visited and log-on activity.
“When presenting to owners, we focus initially on the human factor and benefits of cybersecurity showing why each action is important backed up by evidence and statistics,” said David Mercer, founder of David Mercer Consulting in Napa.
Limit data access
A lot of “attacks” start with company personnel involvement when someone does something accidentally or on purpose, Mercer said.
“Employees at small companies can be a weak link by having access to software, files and vital data that are usually locked down in the corporate world,” Mercer said. Vital data include credit card and Social Security numbers, financial reports, personnel records and supplier contacts.
“Sensitive data must be controlled and limited with a strict distinction made between which employees have access to what data. This can be spelled out through formal training sessions,” Mercer said.
Emphasis should also be placed on showing staff members how to detect possible scams, why they should not click on, or reply to suspicious emails, as well as the need to record each attempt, and report it to management. Employee education can also lead to a reduction in cyber liability insurance costs.
“We suggest spreading cybersecurity costs across the entire employee base on a spreadsheet to see how much such a plan would be per person, per month,” Mercer said. “Working with clients is not a one-time shot. We support small businesses on ongoing cycles, through periodic audits and reports to gauge progress, effectiveness and fine-tune the process.”
Begin with risk assessment
Company-wide risk assessment is often the first step when developing a plan.
“Audits are necessary to identify possible vector access points and to determine weak points,” Hancock said. Having zero-trust security requires early detection, verification, pinpoint identification of threats and the ability to respond quickly using heuristic tools that scan for anomalies on the network included on a company’s cyber assessment profile.”
He added computer updates and patches are important to make. Simple safeguards also include automatic log out, auto clearing histories, ensuring that VPN is used, DNS (domain name server) addresses are changed, encryption is enabled and backups are done regularly.
“All of the above is affordable,” Hancock said.
How to pitch a boss about improving a company’s cyber defenses
- Explain the current environment(risk factors, examples from firms in the industry).
- Quantify the risk(through an assessment of the infrastructure and by monitoring activity to determine areas of concern and see if the firm is meeting compliance and regulatory requirements).
- Develop relationships with program advocates in the firm and external security vendors who can provide the firm with various information security services.
- Consider a third party (a consultant or managed services firm) to broaden the scope of what needs to be done, initially and over time.
- Simulate an attack. Outside vendors can provide penetration services that can simulate an attack.
- Conduct a table-top exercise for the owner and executive team to validate elements of the proposed company business continuity plan (BCP) and a related plan for accessing required technology and infrastructure for disaster recovery (DR).
Clients lost without a plan
Information security consultant Hugh Duera in Petaluma said smaller businesses may be cutting back because of economic pressures, or believe they are too small to have a person to manage IT issue.
But the cost of that, he added, is that small businesses often cannot engage with large companies, hospitals (Health Insurance Portability and Accountability Act rules), government entities, regulatory entities or defense contractors without cybersecurity measures and cyber insurance.
Duera said this is where an outside security consultant can help.
“The goal is to begin the process, develop a strategy and add necessary protections a step at a time, down the road.”
Having a plan is often required for obtaining cyber insurance. Not putting plan into action can also affect the cost of coverage. Non-compliance also impacts a firm’s viability in the marketplace.
How to convince your board to improve cybersecurity
- Do more prep work. Phrase conversations in a way that resonates with the directors after reviewing their business priorities, big picture initiatives.
- Offer an assessment. Show cybersecurity programs already in place, how to eliminate threats to better serve customers.
- Be honest and transparent. Understand the board’s interests and business objectives: litigation risks, impact of major incidents, rationale for cyber liability insurance, what needs to be done and what tools are involved.
- Prepare to answer difficult questions. How good is existing security? How prepared are we to tackle future attacks? How can we mitigate risks to an acceptable level at a threshold approved by the board. Showcase a solution or possible approach.
- Avoid scare tactics. Provide factual, documented information the board can use to make an informed decision, provide recent updates, address new issues and opportunities.
Criteria for cyber liability insurance
According to AdvisorSmith, a Wall Street-based business insurance and financial services broker also providing research to help business owners succeed and avoid disaster, cyber insurance companies typically ask a series of questions to assess and qualify a firm for coverage based on its existing cybersecurity readiness:
- Who handles cybersecurity at the company?
- What valuable data is at risk?
- What technologies are being used to protect systems and data?
- What policies/processes are in place to address risks?
- What is the company’s history of cyberattacks?
- Does the company comply with industry regulations and standards?
Key industry guidelines include California Consumer Protection Act (CCPA); the National Institute of Standards and Technology (NIST) small business security standard; industry frameworks such as Control Objectives for Information and Technology (COBIT); or privacy groups such as the Information Integration Analysis Center (IIAC); the International Association of Privacy Professionals (IAPP), and the Information System Audit and Control Association (ISACA).