Trending financial topics
Secure your small business with the same care it took to build it.
While it’s the major breaches that make the headlines, there has been a persistent level of cybercrime targeting smaller organizations over recent years. The good news is that according to the 2020 Verizon Data Breach Report, the numbers for 2019 look considerably brighter than for 2018, with 28% of data breaches targeting small businesses, down from 43% the year before. The Report speculates that with the rise of platform-as-a-service and software-as-a-service, the security behavior of smaller organizations is much more similar to larger ones than in years past. As their behavior becomes more similar though, so too do the threats leveled against them. Small businesses must increasingly be on the lookout for phishing and data theft targeting credentials, personal data, and other sensitive information like payment and medical data.
Although the trend toward small business as the low “hanging fruit” is now beginning to shift in a more positive direction, the fact remains that the sector, at close to one-third of all 2019 data breaches, can still be an easier target for cyber threat actors than large businesses. There are a number of reasons for this: First, due to their smaller size, they may lack the resources, the team and the infrastructure to better protect their data and systems. Second, they tend to more frequently outsource integral business functions (such as administrative tasks) than large businesses. In doing so, they open themselves to risks introduced by third-party entities, including cyber risk. Compounding the hazards of exposure to third-party entities is another: small businesses also tend to be more willing to adopt up-and-coming technologies, often developed and sold by third-party technology vendors. And in many cases, these vendors are small businesses themselves, subject to the same vulnerabilities.
Finally, although some cyber threat actors may be insiders trying to obtain competitive intelligence, ultimately most are opportunistic cybercriminals looking to turn a quick profit out of data theft. Since small businesses may have laxer security measures than large businesses, they are viewed by these cyber criminals as an easier and faster way to obtain confidential information.
If you are a small- or medium-sized business, cybersecurity needs be a top priority at every level of the company—from C-suite to mailroom. Below we’ve provided a list of tips that we believe are most essential to the security of your business.
1. Include cybersecurity as part of your general business plan and strategy. Treat it as you would any other business area, like bookkeeping, that requires a solid strategy. Set and enforce cybersecurity-related policies.
2. Consider cyber risk as a subset of financial and legal risk. The aftermath of a cyber-attack or data breach can be devastating—the costs of recovering can be high, and often include lost revenue and damaged reputation. If leveraging a third party, include cybersecurity assurances and liability as part of contractual arrangements.
3. Gain an understanding of your online use and your digital assets to better secure them. Create an inventory of devices (e.g., laptops, tablets, mobile phones); applications/software (email, spreadsheets, word processors etc.); and the type of data that you handle, store or transfer (e.g., business financials, payment data from customers).
4. Follow the regulations to protect data per your industry and jurisdictions. If you are a doctor’s office, for example, you need to follow the provisions of the Heath Insurance Portability and Accountability Act (HIPAA). Enforce local, national and even international data laws, such as the California Privacy Law of 2020 and the European Union’s General Data Privacy Regulation (GDPR).
5. Set processes to keep data, particularly consumer and payment data, secure. Use secure and reputable point-of-sale systems and actively monitor issues. (There has been a recent spike in malware targeting these systems).
6. Assess and manage third-party risk. Use reputable third-party services for any type of business (e.g., banking, tax advisory, facility management), and be careful with the access you provide them to your facilities, devices or information. Be very cautious when using technology vendors and services (e.g., Internet and cell phone providers, point-of-sale systems). Inquire about their own cybersecurity procedures.
7. Set firewalls in your networks and change their default passwords to unique, hard-to-guess passwords. Invest in an IT expert—especially if you have set up a website that processes payments or other sensitive information. That website needs to be encrypted (e.g., following TLS, the Transport Layer Security protocol).
8. Make employees aware of threats, including ones recently surfacing, and provide training on technology use and best practices for online behavior and data handling.
9. Cybersecurity and physical security are connected: keep devices locked and docked, protect access to facilities, and secure paper records. Always shred documents when disposing them.
10. Don’t forget about mobile security or employees’ use of their own devices (something that preferably should be avoided; it is better to provide a company mobile phone/laptop). Make sure that employees understand the importance of exercising caution and are using only the approved email service or application for work-related communications.
It comes down to basics
It is always important to practice proper cyber hygiene; but it is particularly important for small businesses where the weight of the individual (whether an employee or a machine) is perhaps felt more greatly. As a small business owner, it pays to keep a few basics in mind:
Enforce strong password policies:
Backup your data and systems:
Protect your systems:
Be extremely careful with email:
The foregoing article is intended to provide general educational information about cyber security.
Some information provided herein was obtained from third party sources deemed to be reliable; the Bank and its affiliates make no representations or warranties with respect to the timeliness, accuracy, or completeness of the information provided. Any information provided is subject to change without notice.
Get in touch with The Private Bank
Build a financial partnership to last a lifetime.