There are all kinds of statistics related to cybersecurity. One of the most alarming to me is a recent study by global cybersecurity company BlackFog: 61% of small businesses in the U.S. and U.K. were victims of a successful cyberattack over the last year. Unbelievable.
By comparison, according to statistics compiled by the National Fire Protection Association and the U.S. Census Bureau, a business has a 0.05% chance of a fire in an occupied building. Those numbers show it doesn’t take a brain surgeon to figure out where to spend time and resources to best protect your business. Ironically, most business owners and executives struggle with where to spend their energy on this problem. If cyber insurance didn’t exist, and you still had to figure out the best ways to protect your company, where would you start? From that premise, here are seven things you can do to move the needle in the right direction.
- Figure out what is most important to you. Depending on your industry and business, there are four main things you could lose in a cyber event: money, data, reputation and ability to operate. Most businesses could experience more than one of these, if not all, but not prioritizing could be your biggest mistake. If you are a retailer focused on online sales, you probably need to focus on credit card data and money rather than health data. Some of this seems so simple, but many people just do the generic things and don’t take the time to fully identify which of these are the real business killers for them.
- Implement multifactor authentication. After identifying your specific priorities, this is the No. 1 thing you can do to protect your business from a cyberattack. Multifactor authentication is nothing more than a second layer of verifying you have authorized access to get to specific spots in your system. In other words, you need more than just a password. According to Microsoft, implementation can make you 99% less likely to get hacked. However, to be most effective, it should be implemented in multiple parts of your network, including backups, administrative access, virtual private networks and network infrastructure. Don’t just stop with your email.
- Back up your data and frequently test. Backing up your data is extremely important, but you have to test it to make sure the data is accurate. There are all kinds of ways that systems can unintentionally compromise your backup data, and testing it frequently will ensure you can best recover from a shutdown.
- Keep systems and software up to date. Most third-party information technology providers will perform “patch management” as part of their services for you. Take advantage of it. Those patches typically account for security updates and defend against the latest malware. If you are operating on outdated software or systems, seriously consider upgrading.
- Train your employees. Think about the analogy of the TSA at the airport. You could have the most advanced screening equipment in the world, but it doesn’t matter if someone simply lets the criminal on the plane. Your employees are your first line of defense. Training them to avoid clicking on bad links or going to fraudulent websites is an effective way to prevent a security event.
- Use strong passwords. A survey by privacy and security informational website All About Cookies found that 52% of computer users had five or fewer passwords for all their login sites. A friend of mine has more than 200 different logins. We highly recommend getting a password manager that generates random passwords or using passphrases that are long and difficult to hack.
- Develop a cyber-response plan. If you have an event but nobody knows what to do or who to call, you lose precious time, and that delay compounds as you work to get your systems back up and running. Many cyber insurance companies have resources to help you develop a plan, which will pay huge dividends if you have a cyber event.
Nothing is perfect in preventing cybercrime, but starting with these will help protect the future of your business.
Jeff Eiserman is a risk adviser at Ollis/Akers/Arney. He can be reached at firstname.lastname@example.org.