Cybersecurity is one of the fastest growing areas of concern for any small business owner today in our highly connected world. There are now more risks than ever and more people trying to access our systems than ever before. No longer is this just something to be aware of, it has now become a strategic initiative for companies.
Small businesses are not immune from the threats posed by cybercriminals. It doesn’t just happen to the big companies, it hits every company, especially small businesses. Almost half of all cyberattacks in the U.S. are directed at small businesses. Most small businesses either think they are too small to be attacked or they believe they don’t have enough information that someone would spend time to attack. Both of these are false statements…small businesses are under attack every day.
Oftentimes cybercriminals will target smaller businesses because they know these businesses generally don’t think they will be attacked and usually don’t invest sufficiently to ward off these attacks. In recognition of this serious problem, in August 2018, President Trump signed into law the NIST Small Business Cybersecurity Act, requiring the federal government to provide resources to assist small businesses in reducing their vulnerability to cyberattacks.
How Can You Reduce Your Risk of Attack
It is critically important to take the necessary steps to protect your business’s data, reputation, customer, and employee information. While there are many aspects to protecting your company, here are a few of the most important ones every small business should consider putting in place to improve your odds against a cyberattack…
- Establish cybersecurity policies for your company…The best place to start is to create some very specific and easy to understand cybersecurity policies and guidelines for your organization. These should be included with your employee handbook and policy manual. In addition to being included in the employee material, there should be regular training on the specific actions each employee should take and be responsible for.
- Employees should protect customer and business data…Every employee should be required to take the necessary steps needed to protect customer and business data. Some specific common practices should include, but not be limited to…
  - Separate user accounts for each employee
  - Strong passwords for all laptops, tablets, and smartphones with a requirement to change them every three months
  - Prohibiting the installation of any software on company computers, tablets, or phones without permission from their manager
  - Limiting administrative privileges to IT staff and to only those key employees who have a need to know this level of information
- Restrict employee access…It is important to restrict (or limit) each employee’s access to only the business information and systems that are needed to do their specific job. And when an employee leaves the organization, make sure he or she no longer has any access to this information and all privileges are revoked.
- Keep software and systems updated…Make sure your software, web browsers, and operating systems are updated regularly to defend against viruses, malware, and other online threats. It is equally important to install hardware and software firewalls on all of your computers and networks even if you use a cloud service provider or VPN (virtual private network).
- Backup, Backup, Backup…I can’t emphasize enough the importance of having your data backed up in case of attack. Frequently back up all of your business’s important information and store copies in a separate location or in the cloud. If you incurred an attack and had to do a restore of the data, this would be a much simpler process if your data was backed up regularly.
- Have special rules for mobile devices…If employees use mobile devices that can access the business’s network or confidential information, they should be required to password-protect them, encrypt their data, and install security apps to safeguard information when the phone is on a public network. Specific procedures should be put in place for instances in which mobile devices are lost or stolen.
Understanding Your Liabilities with Security Breaches
As mentioned above, it is critically important to take proactive steps to guard against cyberattacks. However, while these are critically important to protect your business’s financial welfare, they are also necessary to avoid liability under data privacy laws. If your customers’ or employees’ personal information is obtained by unauthorized parties, you may be vulnerable to civil liability if your business did not take the steps required by state law or steps reasonable under the circumstances to protect their information.
To add even more risk to your organization, if a data breach occurs you could also be liable for civil penalties or claims brought by the affected individuals if you don’t act to mitigate the harm or remedy the situation. For example, you should be providing notice to those whose personal information was affected, even if your business initially took the proper steps to avoid such a breach. The key is to put the proper plans in place to avoid any potential liability suits or litigation stemming from a cybersecurity attack.
What to do next…
Since our primary goal is to help business owners/leaders lower their business risk, this is a key area in helping you accomplish this goal. Do an assessment of your own business and see if you are vulnerable to cyberattack and the liability that may arise if your business is affected by one. Every business is different, and your cybersecurity strategy should take the nature of your business into account.
If you ever have any questions about cybersecurity or any other aspect of your business, just ask and we’ll be happy to answer them. Or if you want to better understand how you can minimize and lower your risks (which every business owner wants) then please read some more about risk management and how you can help determine your own risk. I’d also be happy to meet with you (complimentary of course) to discuss your own personal situation further and give you some insights about how you might want to proceed.
I hope you have found this helpful and that it has given you a different way to look at your business. If it has, please share this with others inside your company and your colleagues who are running or leading other businesses. Our primary mission at Generations Law Group, LLP is to help everyone find productive ways to lower their business AND personal risk. This is just one way you can start to do this…but it will tell you a lot about you and what has happened over the past few years with regard to your business risk. Let’s make sure your risk is as low as it can be while you continue to grow.