What 2020 will bring directly depends on you… and your perception of cyber security.
We won’t be wrong if we say that large companies with enormous budgets and innovation opportunities have always been a desirable target for cyber criminals.
At the same time, their developed security systems designed to protect against an unauthorized entry strengthen their position in the cyber space (although not 100% of time – that’s a different story).
However, the latest trend is that SMBs are in hackers’ sights nowadays just as often as (if not more often than) large corporations.
The reason, simply stated: a lack of cyber security means and management controls.
And here’s the bad news: in the case of SMBs, a data breach can often mean the cruel end of the whole organization.
Don’t sweat, we’ve got some good news: there are ways to protect your business against today’s cyber threats, and it is essential for organizations to consider cyber hygiene.
We’ve rounded up 3 cyber security tips for SMBs in 2020. Let’s have a closer look!
Know Your Cyber Security Risks
“Think your business is too small to be targeted by a hacker? Think again. If your business handles any financial information or valuable data about your customers, then guess what? You’re a target for cyberattacks.” – Chris Stoneff
Here is the deal: companies tend to underestimate cyber threats and the terrifying consequences coming from those.
In our experience, lack of cyber awareness and, more importantly, resources may put the company’s confidential data (and in most cases reputation) into jeopardy. This adds more headache to SMB owners who tend to have quite a few items on their list daily (trust us, many of our key clients are in the SMB space).
But how do you know where a cyber threat may come from?
We recommend conducting a cyber security risk assessment first to identify the weakest areas within the organization and determine the appropriate controls to be implemented. This is what we at Genieall did as part of the ISO 27001 certification requirements.
Many SMBs think of cyber security risk assessment as a confusing and long activity. The reality is that you don’t have to reinvent the wheel and rather understand the context of YOUR organization. In other words, define the internal and external issues that are relevant to the objectives of YOUR organization, as well as list the interested parties (suppliers, partners, clients, etc.) with the applicable requirements for each of those (e.g. business, legal, regulatory, etc.).
Based on the context of the organization (internal/external issues and interested parties), you can determine cyber security risks for your organization. This can be done (as an option) in the form of a list of scenarios that may put the business into jeopardy. For instance, the file server gets compromised, or there is a service outage (internet, email, etc.).
Next, based on the assessment results, the organization should classify and prioritize each risk (e.g. based on impact and probability, although there are other ways). That will help to focus on the most sensitive areas that may require immediate attention or a solution.
Suffice it to say, risk assessment is not a one-time activity, but rather a process of continuous improvement and reevaluation of cyber security risks (also one of the ISO 27001 requirements). What seems a non-critical item today can easily become a real risk next year, quarter or even month.
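To make the classify-and-prioritize step concrete, here is a small risk register in Python. It is an added example, not Genieall’s own tooling or any part of ISO 27001: the scenarios, the 1–5 impact and likelihood scales, and the rating thresholds are all constructed assumptions, and the `interested_parties` field simply links each scenario back to the organizational context described above.

```python
"""Minimal risk register for an SMB cyber security risk assessment.

Each scenario is scored by impact and likelihood (1..5 each); the product
is mapped onto a qualitative rating and the register is sorted into a
treatment order. All scenarios, scores and thresholds are constructed
sample data for illustration (assumptions, not values from the post).
"""
from dataclasses import dataclass, field

# Rating bands on the impact x likelihood product (assumed thresholds).
RATING_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]


@dataclass
class Risk:
    scenario: str                 # what could go wrong, in business terms
    impact: int                   # 1 (negligible) .. 5 (business-ending)
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    interested_parties: list[str] = field(default_factory=list)  # who is affected
    controls: list[str] = field(default_factory=list)            # mitigations in place

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def rate(score: int) -> str:
    """Map a numeric score onto the first rating band whose floor it reaches."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Low"


def prioritize(risks):
    """Most urgent first; ties broken by impact, then by scenario name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.scenario))


def register_report(risks):
    """(scenario, score, rating) tuples in treatment order."""
    return [(r.scenario, r.score, rate(r.score)) for r in prioritize(risks)]


# Constructed scenarios in the spirit of the examples given in the post.
SAMPLE_RISKS = [
    Risk("File server compromised (ransomware)", impact=5, likelihood=3,
         interested_parties=["clients", "regulator"], controls=["offline backups"]),
    Risk("Internet service outage", impact=3, likelihood=4,
         interested_parties=["staff", "clients"], controls=["4G failover"]),
    Risk("Email service outage", impact=3, likelihood=2,
         interested_parties=["staff", "suppliers"]),
    Risk("Phishing leads to credential theft", impact=4, likelihood=4,
         interested_parties=["clients"], controls=["awareness training", "MFA"]),
]

if __name__ == "__main__":
    for scenario, score, label in register_report(SAMPLE_RISKS):
        print(f"{label:<8} {score:>2}  {scenario}")
```

Because the post stresses that assessment is continuous, the natural way to use this is to re-score the same register at each review and compare the ordering, rather than to produce it once.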
Incorporate Cyber Awareness into the Organizational Culture
“Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.” – Jeh Johnson
Unfortunately, even the most protected systems have vulnerabilities. Believe it or not, the technology is not always the weakest link – in many cases, the human factor plays a significant role in keeping cyber systems secure.
Making mistakes is what makes us human beings after all. What is important here is that every organization, regardless of size, must be aware of cyber security risks and of the solutions to mitigate them. Cyber security awareness is one of the most effective yet often overlooked tools any organization can and should utilize.
Suffice it to say, 52% of businesses admit that personnel is their biggest weakness in IT security: staff underestimate the importance of cyber security, with dramatic results for the organizations they work for. According to Kaspersky, the threat comes from sharing data via mobile (47%), physical loss of a device (46%) and careless use of IT resources (44%).
Social engineering attacks (e.g. phishing) in particular are the most popular threats targeted at the human factor.
You might now think: “How possible is it to develop cyber awareness among employees?”
Believe it or not, everything starts from the right approach to cyber security within the organization. The secure approach should be “baked” into all parts of the system.
We have prepared some tips for you:
- Establish a cyber awareness framework that incorporates the common types of threats (their impact and ways to recognize them) with real-life examples, as well as best practices to mitigate the risks of those.
- Conduct regular cyber awareness sessions internally followed by a small assessment (e.g. quiz) to evaluate the level of understanding among the attendees.
- Make cyber awareness a part of the onboarding process.
- Lead by example: take cyber security seriously and do more than what you ask your personnel to do.
Implement Cyber Security Incident Response Plan
“The best preparation for tomorrow is doing your best today!” – H. Jackson Brown Jr.
Let’s be honest: nobody likes surprises. Especially SMBs.
Unfortunately, everything going well today doesn’t mean that tomorrow will be the same in our interconnected world. Thus, an organization needs a cyber security incident response plan in place to be prepared for “surprises”.
We won’t be wrong if we say that a cyber security strategy is incomplete without such a plan.
What you include in your plan will depend on your risks, your internal organization and any applicable industry or regulatory standards (e.g. the breach notification threshold). Believe it or not, an organization can now be subject to fines for failure to notify the applicable parties within the set time frame (not to mention the impact of the incident itself).
From our experience, the typical cyber incident response plan includes the following components:
- Classification of security events (can be as simple as minor vs. major with the defined examples);
- Roles and responsibilities of the response team members (everyone involved must clearly know what to do);
- Containment (e.g. isolating the compromised network or system);
- Investigation, answering questions such as:
  - What caused the incident?
  - When did it take place?
  - How sensitive was the information compromised?
  - What was the extent of the unauthorized activity?
  - Were there any unauthorized alterations to user data or software?
- Reporting (during the investigation);
- Recovery (having backups is important at this stage);
- Prevention (including the review of the plan and lessons learned from past incidents).
No doubt, these are just the high-level items which may seem ambiguous at a first glance. For that reason, we will be releasing a whole blog post to talk about cyber security incident response plan in detail. Stay tuned!
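As an added illustration of how the components above fit together (this is example code, not part of the post and not a template from any regulator), the Python below classifies a security event as minor or major from the investigation questions, assigns the responsible role, and tracks the notification time frame mentioned earlier. The classification rules, the role names and the 72-hour window are constructed placeholders to be replaced by whatever your own plan and applicable standards define.

```python
"""Triage helper for a cyber incident response plan (illustrative example).

Classifies an event as minor or major, names the owner, tracks the
breach-notification deadline and lists the next steps in the order the
plan prescribes. Thresholds, roles and the notification window are
assumed placeholders, not values from the post or from any regulation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder window; substitute the threshold your regulator or contracts impose.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Who owns the response at each severity (assumed role names).
ROLE_BY_SEVERITY = {"minor": "IT administrator", "major": "Incident response lead"}


@dataclass
class SecurityEvent:
    title: str
    detected_at: datetime            # when the event was noticed (tz-aware)
    systems_affected: int            # extent of the unauthorized activity
    sensitive_data_involved: bool    # customer, financial or other confidential data
    data_altered: bool               # unauthorized changes to user data or software
    contained: bool = False          # has isolation already been done?


def classify(event: SecurityEvent) -> str:
    """Minor vs. major, using simple rules that stand in for the plan's defined examples."""
    if event.sensitive_data_involved or event.data_altered or event.systems_affected > 1:
        return "major"
    return "minor"


def notification_deadline(event: SecurityEvent):
    """Deadline to notify affected parties, or None when no notification duty arises."""
    if classify(event) == "major" and event.sensitive_data_involved:
        return event.detected_at + NOTIFICATION_WINDOW
    return None


def triage(event: SecurityEvent, now: datetime) -> dict:
    """Severity, owner, deadline and the ordered list of next actions."""
    severity = classify(event)
    actions = []
    if not event.contained:
        actions.append("Containment: isolate the compromised system(s) from the network")
    actions.append("Investigation: establish cause, timing, data sensitivity, extent and alterations")
    deadline = notification_deadline(event)
    if deadline is not None:
        hours_left = (deadline - now).total_seconds() / 3600
        if hours_left > 0:
            actions.append(f"Reporting: notify affected parties within {hours_left:.0f} h")
        else:
            actions.append("Reporting: notification deadline MISSED; escalate immediately")
    actions.append("Recovery: restore from verified backups")
    actions.append("Prevention: record lessons learned and review the plan")
    return {"severity": severity, "owner": ROLE_BY_SEVERITY[severity],
            "notify_by": deadline, "actions": actions}


# Constructed sample event: the file server scenario from the post, detected 09:00 UTC.
SAMPLE_EVENT = SecurityEvent(
    title="File server compromised",
    detected_at=datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc),
    systems_affected=1,
    sensitive_data_involved=True,
    data_altered=True,
)

if __name__ == "__main__":
    result = triage(SAMPLE_EVENT, now=datetime(2020, 3, 3, 9, 0, tzinfo=timezone.utc))
    print(result["severity"], "->", result["owner"], "| notify by", result["notify_by"])
    for step in result["actions"]:
        print(" -", step)
```

The point of encoding the rules is that whoever is on duty gets the same answer regardless of experience, and the hours remaining until the notification deadline are visible from the moment of detection rather than discovered after the fact.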
There is nothing surprising: it is time for small and medium organizations to change their cyber perception. It is no longer possible to keep data security on the back burner.
There have been many talks on the importance of technology (and don’t get us wrong – it is essential) in the constant battle with cyber criminals, but in our experience it all comes down to how an organization manages all this technology.
Without knowing their cyber security risks, training personnel and being prepared for cyber adversity, SMBs are often left on their own and are only able to deal with cyber challenges in a reactive manner.
The 3 cyber security tips presented in this post are aimed at helping SMBs to be proactive on the cyber frontier and to gain growth and sustainability in 2020.