Each year, 71% of all cyberattacks target small to mid-sized businesses. Why, you ask? A simple underinvestment in cyber protection.
With the advent of the Internet of Things (IoT), all business owners need to remember that every access point into a device has become a potential vulnerability point. Furthermore, by 2020, there will be more than 20 billion connected devices ranging from our smartphones to industrial machinery. While many business owners list cybersecurity as a growing burden, their companies still struggle to maintain proper cybersecurity measures.
With cybersecurity concerns only continuing to rise, alliantgroup held a Technology, Economic, Legislative and Policy Summit at its Houston headquarters this fall. Tom Ridge, the first U.S. Secretary of Homeland Security, led an insightful keynote panel on cybersecurity with other technology experts. As the discussion went on, many business owners, CPAs and financial advisers were shocked to learn about the deficiencies of conventional security measures and how vulnerable their data and systems may be.
Our experts agreed that while no single solution would solve every potential threat, there are best practices for what we call good cyber hygiene. Chuck Wilson, the executive director of the National Systems Contractors Association and a special guest at the event, provided the checklist below to help businesses take the necessary steps to protect themselves.
All this begs the question: is your business doing everything in its power to ward off cyberattacks?
1. Perform a cybersecurity technology audit. Ensure this audit checks spam filters, malware protection, etc.
2. Conduct internal process reviews every six months and bring in an outside security consultant at least once a year.
3. Conduct internal risk audits and then have a third party assessment done of this audit. Make sure your third-party assessor is following the standards set by the National Institute of Standards and Technology (NIST).
4. Have an up-to-date anti-virus software and use it to scan your systems regularly.
5. Bring in an “ethical hacker” or computer security expert for an assessment of potentially vulnerable points (i.e. internal and external penetration testing).
6. Include a detailed Cybersecurity Awareness Training in your employee on-boarding that covers topics such as data integrity, proper use of email, what looks suspicious, etc.
7. Have monthly or annual “digital refreshers” to remind employees of cybersecurity protocols. These ongoing awareness training sessions should be required for all employees and include on-site training, cybersecurity videos, phishing simulations or webinars.
8. Have proper device audits of what each employee has been given, and take regular inventory of all devices given out. When employees use company devices outside of the office, ensure there are multiple security checkpoints on it or the drive.
9. Have zero tolerance for BYOD (Bring Your Own Device) or COPE (Company-Issued Personal Enabled) policies for any web-enabled device coming in or out of your building.
10. Have at least one IT professional on staff educated in and adhering to NIST standards or UL 2900 standards practices.
11. Add first-party and third-party cyber risk insurance to your business practice coverage.
12. Read and evaluate all client contracts for liability stemming from breaches and possible business interruption damages caused by your engagement.
13. Use outside expertise to verify your internal security practices. Don’t place enough trust in any single employee to the point where that employee knows everything that can go wrong. Keep some segregation of duties to protect the organization.
14. Limit your network vulnerabilities by patching and updating your systems regularly as needed. These updates include your computers, servers and IoT devices such as security cameras, A/V devices, etc.
15. Find a source for any threat notifications. An example: if DocuSign or Google Docs is breached, you need to be aware of where that breach came from.
16. Have an incident response plan! If you do have a breach or are hit with ransomware, it is crucial to have a plan and know next steps to keep your business disruption limited.
17. Cybersecurity has a physical side to it as well! Control visitor access, and keep physical access to networks limited and controlled to protect against physical attacks.
Chuck Wilson is executive director of the National Systems Contractors Association. Dhaval Jadav is CEO of alliantgroup.