Small and midsized businesses may understand their data is at risk, but managers often lack the time and resources to secure information systems and processes amid the pressure of daily operations.
The fact is that small and midsized businesses are hit by 60 percent of all cyberattacks, and for good reason. (1) Companies without the deep pockets of major corporations more often have vulnerabilities that cybercriminals can easily detect, along with a lack of security measures or training.
It is possible for companies to begin protecting themselves without a major capital investment. This starts by creating and enforcing data security policies for accessing and sharing information. Other policies to consider may include:
- Mobile devices: Can employees use personal devices for company purposes?
- Network access: Unsecured Wi-Fi, personal email addresses and virtual private networks all pose potential risks.
- Cloud-based file storage: Convenient, especially when using mobile devices, but how secure is the off-site server?
Cybercriminals are increasingly sophisticated
Forget the hacker stereotype of a tech-savvy loner looking to make a quick buck by stealing credit card numbers. Cybercrime organizations have taken on corporate structures and now include asset-recovery departments, call centers, marketing departments, and quality assurance staff; many are even sponsored by foreign governments.
For cybercriminals, it’s a numbers game. They know that every incident requires its own investigation and legal process, which is very slow and dilutes law enforcement resources. Yet in most email phishing scams, it takes less than two minutes before a user clicks on a malicious link. (2) So the more attacks cybercriminals launch, the harder they are to track down and catch before the next attempt. However, a few simple, low-cost measures can keep your business from becoming a stepping-stone for these criminals.
Four simple steps to help protect your data
Complying with your industry’s data security regulations is important, but you’ll also want to conduct a thorough risk assessment to identify vulnerabilities.
- Review existing security policies, procedures and technology. At the very least, begin developing these policies and procedures and put them on paper. You can’t enforce a policy if it’s not documented. This may include implementing and enforcing new password policies because password-cracking software is becoming increasingly sophisticated.
- Activate existing data security software. This technology, too, may need to be updated.
- Implement a disaster recovery plan. Your business needs a detailed plan for how it will respond to a cyberattack or a data breach due to employee negligence. Considerations include the key stakeholders who need to be involved in the assessment and recovery plan, how to escalate resources depending on the severity, and a list of whom to notify and when, just to name a few.
- Review vendors. Even the heating and air-conditioning vendor for your building may have access to your confidential data. What data security measures do your vendors have in place? What is the vendor’s plan for a breach or cyberattack?
Start today for a secure tomorrow
This article only scratches the surface of what may need to be done to protect your business’s data. However, it should motivate you to investigate the security of your company’s most precious resource (behind your employees, of course): your data.
Getting started today by assessing your vulnerabilities and existing security measures is a good first step. Only by understanding where you stand can you begin to take a step toward safeguarding your data and your company.