
Last week I referenced the Verizon breach report and some of the key observations among the data.
Small businesses are a favorite target for cyberattacks.
I offered two “stacks” of suggestions: the easy-to-do stack and the more-difficult stack. Each stack represents best practices for improving your cybersecurity posture and reducing data breach risk.
The “easy” stack included suggestions for raising employee awareness, managing backup routines, enabling automatic updates, upgrading password hygiene, and strengthening physical security.
The “difficult” stack is heavy with policy and planning.
Verizon’s report revealed that an incredible sixty percent of small businesses that suffered a data breach were closed within six months of the cybersecurity event.
Why?
Obviously, cost and damage to reputation account for many of the closures. However, given that small businesses often operate on razor-thin margins and that owners are also operators, time is a precious resource.
As a result, spending time on building technology usage plans and incident response plans is not a front-burner priority. Making payroll and improving revenue are vital to the business’ success, not a plan that may never be used. At least, that’s a common thought.
However, let’s suppose you operate a business that is dependent upon mechanical devices. Your ability to produce depends upon machines and, more specifically, upon the efficient operation of those devices.
If a device breaks, many small-business owners have the expertise to repair their equipment themselves. In fact, their knowledge of the functional side of the business is often the value they depend upon for success. Manuals and a network of knowledgeable resources complement what the owner may lack.
What happens when a data breach occurs?
Choose your own adventure – a hacker breaks into your business software and steals customer data. Or, a ransomware attack is successfully deployed via an email and all of your computers and cash registers are broken. Or, perhaps, a thief smashes a window and walks away with your server.
What do you do?
If a piece of vital equipment broke, you’d employ your knowledge, or your knowledge network, to repair the device.
In other words, you would launch a repair plan.
The same must exist for your IT operations. A plan is needed, especially if IT isn’t your core business function.
Enter the IT plans.
A written security policy is necessary for modern businesses. In some instances, a security policy is a regulatory requirement.
In Alabama, the new data breach notification law requires that businesses evaluate and implement reasonable security measures – a security policy/plan will assist in those efforts.
While there’s no penalty for not being proactive, if a breach results, your situation will not be improved by the absence of a written security policy.
A good security policy outlines how you manage customer data, how you protect it, and what you do to respond if an incident occurs.
I suggest considering the plan as a blueprint for you and your employees: if something goes wrong, it’s a basic manual for controlling the situation.
A good starting place for policies is the set of templates designed by security experts. Free templates are available at https://www.sans.org/security-resources/policies.
Review the policy templates and tailor them to your specific needs. Share them with your employees and review them at least annually.
Encryption is another must.
Encryption of your data reduces the likelihood of the data being read by an unintended recipient. Most modern operating systems provide a mechanism by which you can encrypt your local data. By enabling local encryption on your office devices, you reduce data loss through physical theft: if someone breaks into your office and steals a computer, an encrypted device presents a formidable challenge to the thief. Similarly, using encrypted connections when accessing email and other sensitive systems is important. If you employ a commercial email product, encryption is always included in the solution; simply verify that it is enabled.
Backups, part two.
I mentioned the importance of backups last week. However, in addition to establishing a backup routine and testing the quality of your backups, there are a few additional items to consider.
The purpose of a backup is to restore lost data.
If your backup solution doesn’t encrypt your data, you should enable backup encryption. If a data thief gains access to unencrypted backups, you’ve provided a nice package that enables easy theft of large volumes of data from one location.
Also, consider your backup strategy.
Are you depending on a local device for backup, such as an external hard drive or tape? Do you depend on a cloud backup, such as Microsoft OneDrive?
Redundancy is important. If you back up data to a local external hard drive, that’s great: make sure it’s encrypted and stored safely. But what do you do if the hard drive fails? What do you do if your cloud provider is down when you need to restore lost data, or if your internet service provider is experiencing problems?
Redundancy provides extra protection and can be accomplished very simply. In fact, for small businesses, the tools are often available with current software subscriptions; the features simply need to be activated.
And, lastly, data destruction and life cycle should be reviewed.
Don’t hoard electronic data. If you have no regulatory requirement or business need to maintain copies of unused data, get rid of it. Dispose of the data properly, using verified tools for deletion. By doing so, you reduce the amount of data that a would-be bad actor can access and make your systems run more efficiently.
Last week’s small, easy tasks will enhance your security posture quickly.
This week’s suggestions require more planning and thought. However, there are many free sources for technology and security plans, and most modern software provides the enhanced features that I mentioned.
Be safe and protect your business and your customers’ data.
