Cybersecurity Basics for Small Business Owners
Cyberattacks are estimated to have cost the U.S. economy over $2.7 billion in damages in 2018. According to the U.S. Small Business Administration, smaller companies are especially vulnerable to cybercrimes since they tend to have fewer resources to secure their systems and to address risks. Over the last few years, every large enterprise has adopted security standards to avoid and be prepared for the inevitable security breaches. These enterprises expect their vendors and service providers, regardless of size, to also protect any data that they may share with them. Additionally, cybercrime can seriously damage a company’s bottom line by affecting their reputation in the market, increasing costs, and impacting revenue. All in all, protecting a company against a cyberattack is now essential.
In 2013, the National Institute of Standards and Technology (NIST) began developing a Cybersecurity Framework, which resulted in publication of a white paper. This framework, last updated in April 2018, outlines five functions that should be, “…performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk”: Identify, Protect, Detect, Respond, and Recover.
An organization should understand the scope of the cybersecurity risk to the company, and where it might be most vulnerable: what would a cybercrime mean to your business, what information is most at risk, who would be affected, and what would be needed to continue operations. Tools are available to help businesses identify and detect their vulnerabilities, including a Cyber Hygiene Assessment offered by the Department of Homeland Security.
Once risks have been identified, the next step is to develop and implement appropriate safeguards. These measures can be low-tech, such as training your employees to recognize a phishing email (the most common form of cybercrime against small businesses), avoiding questionable downloads, and creating strong passwords. Most companies have basic protections in place such as firewalls and antivirus software. However, IT professionals, whether in-house or external, should keep that software automatically updated and regularly maintained, applying patches and newer releases of all tools as they appear. All systems and data should be regularly backed up, and the backups should be kept separate from the main storage sites. Sensitive data, including any personally identifiable information, should be encrypted both at rest and in transit.
The next function is to develop and implement ways to identify the occurrence of a cybersecurity event. This involves systems and processes for identifying unusual activity and events, monitoring systems and data at identified intervals, and maintaining and testing the detection systems regularly. A cyberattack or crime should be detected in a timely manner so the response can be swift and hopefully limit the damage.
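As a concrete instance of "identifying unusual activity," the script below is an added illustration, not part of the original article. It scans a small set of constructed, syslog-style SSH login lines (the log format is assumed for the example) and raises an alert when one source address piles up failed logins inside a short window, and a second, higher-priority alert if that same source then logs in successfully, which is the pattern a small business most wants to catch quickly.

```python
"""Minimal log-monitoring example: flag bursts of failed logins.

Added illustration, not from the article. The log lines below are
constructed samples in a simplified syslog-like format assumed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: one address hammers the admin account, then gets in;
# a second address fails once and then logs in normally.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:15:00 sshd: Failed password for alice from 198.51.100.4
2024-03-01T09:30:00 sshd: Accepted password for alice from 198.51.100.4
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, source, detail) tuples.

    'burst_failures' fires once per source when at least `threshold` failed
    logins land inside `window`; 'success_after_burst' fires if a flagged
    source later authenticates successfully.
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()                 # sources already reported for a burst
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue                # ignore lines that are not login events
        src = ev["src"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ev["ts"])
            # drop failures older than the sliding window
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst_failures", src, len(q)))
        elif src in flagged:
            alerts.append(("success_after_burst", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in find_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} ({detail})")
```

Running it on the sample produces two alerts for 203.0.113.7 and none for 198.51.100.4, which shows the point of the threshold and window: a single typo-level failure stays quiet, a burst does not. In practice the same logic would run on a schedule against the real authentication log, and the "success after burst" alert is the one worth paging someone for.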
Once an event has been detected, the organization should already have a plan of action in place to respond. This should include a strategy to inform management, owners, customers, and, if needed, law enforcement. The company should have a system in place to analyze the breach, especially one involving sensitive data, so that affected parties can be informed as quickly as possible. The response plan should include ways to mitigate or stop the damage and a way to document how the plan can be improved if there is a repeat incident.
Finally, organizations should develop activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. These plans should include a way to restore systems and data that have been affected. Continuing communications with the internal and external parties affected by the cybersecurity event is also part of the recovery function, as a company needs to restore its credibility.
A cybersecurity incident is almost inevitable in our technically connected world. All companies, even the smallest, should have a framework for identifying, protecting against, detecting, responding to, and recovering from these occurrences.
Business Insights is hosted by the Law Firm of KPPB LAW (www.kppblaw.com).
Sonjui L. Kumar is a founding partner of KPPB LAW, practicing in the area of corporate law and governance.
Disclaimer: This article is for general information purposes only, and does not constitute legal, tax, or other professional advice.