Five Tips for Better Small-Business Cyber Security
We live our lives increasingly online, and businesses are reaping the benefits—some say that data is more valuable than oil. Technology’s rise has, unfortunately, also exposed businesses to more cyber threats. While big, well-known corporations seem like the primary targets, smaller ones are increasingly falling in the crosshairs and are, often, more vulnerable.
Nobody knows this better than Sean Gibson, PRL’s Cyber Practice Leader. With a background in complex commercial litigation, Sean is no stranger to the evaluation and mitigation of emerging risks.
“There is a misconception that small organizations are not on the radar. We must work to correct it, as this misconception is of considerable benefit to these criminals,” says Sean. “Perpetrators have, and will continue to, shift their focus to small and mid-size companies, concentrating on those that, though they may have healthy revenues, do not possess the IT security budgets of larger organizations or the cash reserves to manage the downtime and expenses arising from a cyber attack.” By doing so, “these opportunistic threat actors can yield large returns by casting a wide net for, relatively speaking, many smaller fish rather than trying to harpoon a whale.”
Small-business owners may feel overwhelmed by the work it takes to stay ahead of cyber threats, but it is better to start small and build up your defences incrementally rather than wait for disaster. Sean recommends these five first steps to getting on track:
1. Identify Your Assets
Take an inventory of all hardware and software on your network, and prioritize each item by its importance and the protection it needs. A current inventory gives you a baseline against which deviations or irregular activity stand out, increasing your chances of detecting an intruder quickly. “This step is often overlooked,” says Sean. “If you know every device and application that’s connected, you’ll see the big picture of what needs to be protected.”
2. Pinpoint Your Vulnerabilities
Hackers look for known, fixable issues – such as when a commonly used software provider announces a patch – and target users least likely to respond promptly. If you cannot afford dedicated on-site IT security staff to, for example, monitor for updates, there are other, scalable, options to help protect you, such as automated alerts and third-party outsourcing.
3. Limit Administrative Privileges
Which employees are currently system administrators – and do they really need to be? “Perpetrators are looking for the user who has the keys to the kingdom,” Sean warns. Restricting data access to the people who absolutely require it forces threat actors to work harder to ‘hit the data jackpot’. In doing so, they are either more likely to be detected or they will simply move on to an easier target. “This is a business for these threat actors! They wish to maximize their returns,” says Sean. “With an abundance of ripe low-hanging fruit there is little need for these criminals to focus their attention on the top of the tree.” Strong password management is essential. So is implementing logging and multi-factor authentication for accounts with elevated privileges.
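Steps 1 and 3 above come down to comparing what is actually on the network and who actually holds admin rights against what you have approved. The following is an added example (not from the article or PRL) of that review over a constructed inventory; every hostname and user name in it is hypothetical.

```python
"""Asset-inventory and privileged-account review.

Added example, not from the original article: given a constructed
inventory of devices and user accounts, report (a) devices absent from
the approved baseline, (b) accounts holding admin rights that are not on
the approved-administrator list, and (c) administrators lacking MFA.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    user: str
    is_admin: bool
    mfa_enabled: bool


@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)
    unapproved_admins: list = field(default_factory=list)
    admins_without_mfa: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.unknown_devices or self.unapproved_admins
                    or self.admins_without_mfa)


def review(devices, accounts, approved_devices, approved_admins) -> Findings:
    f = Findings()
    # Step 1: anything seen on the network but missing from the baseline
    # is a deviation that deserves a look.
    f.unknown_devices = sorted(set(devices) - set(approved_devices))
    # Step 3: every admin must be on the approved list and protected by MFA.
    for acct in accounts:
        if not acct.is_admin:
            continue
        if acct.user not in approved_admins:
            f.unapproved_admins.append(acct.user)
        if not acct.mfa_enabled:
            f.admins_without_mfa.append(acct.user)
    return f


# Constructed sample data (hypothetical hostnames and user names).
APPROVED_DEVICES = {"fileserver01", "laptop-alice", "laptop-bob", "printer-1"}
APPROVED_ADMINS = {"alice"}
SEEN_DEVICES = ["fileserver01", "laptop-alice", "laptop-bob", "printer-1",
                "unknown-raspberrypi"]
ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enabled=True),
    Account("bob", is_admin=True, mfa_enabled=False),   # rights left over from setup
    Account("carol", is_admin=False, mfa_enabled=False),
]

if __name__ == "__main__":
    result = review(SEEN_DEVICES, ACCOUNTS, APPROVED_DEVICES, APPROVED_ADMINS)
    for label, items in vars(result).items():
        print(f"{label}: {items or 'none'}")
```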
4. Get Everyone Involved
Cyber security discussions often emphasize the technical details, but effective security relies on people and processes just as much as it does on technology. The interaction between technology and users can completely change the effectiveness of a company’s security strategy, so the human context and its potential for exploitation is a necessary consideration for better cyber resiliency. A company can foster a culture of cyber safety throughout the whole organization by training staff on security awareness and current threats (e.g. phishing, ransomware) and by creating and exercising disaster recovery plans.
“The manipulation of employees continues to be one of the key drivers of cyber incidents. The creation and maintenance of a comprehensive security apparatus is simply not possible without the necessary education and training to ensure that it functions as designed.” Otherwise, Sean warns, “businesses will see that the best laid plans of mice and men will be led astray by an employee opening the front door and laying out the welcome mat by clicking a link in an email that they shouldn’t or using the same password for their work account as they use on a third-party social media site that is about to be hacked!”
5. Seek the Right Insurance Policy
Proper coverage protects your business both financially and legally. If a breach occurs, a cyber policy can respond to cover the costs of mitigating the effects of the breach and repairing or recovering your data, as well as protecting against third-party liability that may arise from the breach. In evaluating its risk, every company should be asking itself the following questions:
- What would a cyber incident cost, from both a resource and financial perspective?
- Can/should we shoulder those costs?
- Should we look to transfer the risk of these costs through insurance?
“Nobody is forecasting a Luddite revolution,” says Sean. “Business will increasingly rely on technology to operate. At the end of the day, cyber threats are here to stay. Doing nothing is no longer an option.”
Digital threats are constantly evolving, but businesses that consistently prioritize, plan and practice their cyber security strategy stand the best chance of resiliency, regardless of size.
Your company’s insurance broker is an excellent resource who can help your organization uncover where you’re likely to be exposed and build a customized, adaptable, end-to-end insurance and risk management strategy for your unique business needs.
To learn more about cyber coverage contact:
Sean Gibson, JD
Cyber & Transactional Risks Practice Leader, 647.695.3386, firstname.lastname@example.org