10 Tips for Improving Small Business Cyber Resilience
Introduction
This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.
There is a companion video series available on the Surviving Cyber YouTube Channel and an eBook available for download at: https://pages.survivingcyber.com/ebook
The cyber threat to small businesses has never been at a higher level than it is right now in the post-COVID era. Small business owners are in a uniquely exposed situation because of the close link between their financial livelihood and the fortunes of their businesses. Both could be severely impacted by a cyber-attack.
As the owner or manager of a small business, you may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.
I understand the small company perspective. Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In this short series of articles, I hope to show you how.
In today's article, I list 10 tips that will help small businesses improve their cyber resilience, ensure their data is safe and retain the trust of their stakeholders.
1. Prepare for the inevitable
Breaches in cybersecurity happen every day, all around the world. These can lead to disastrous consequences if they're not detected quickly. Small businesses are frequently targeted by professional hackers and for these small companies, a cyber-attack can cause mayhem. It could cause the business to fail, resulting in financial ruin for shareholders, creditors and employees.
Even if a business continues operating after a cyber-attack, serious damage can be inflicted on customer trust. The company's reputation, in which so much time and effort have been invested can be irreparably damaged. The best defence is to develop a cyber-resilient business, one that can survive a cyber-attack.
It's widely accepted now that a cyber-attack is inevitable for most businesses. It is simply a matter of when, and not if, you will be attacked. If you're a small organization, you should ensure that you're prepared for a cyber-attack because the impact could be disastrous. No cybersecurity is perfect, and the threat environment changes all the time, so you need to ensure that your entire team is prepared. This includes conducting regular cyber training and awareness exercises for all staff and having a tested incident response plan that sets out the steps that will be taken in the event of a cyber-attack. The arrival of the COVID-19 pandemic, and the overnight radical transformation that it brought to the business models and cyber risk profiles of small businesses all over the world, show just how important it is to be prepared.
2. Protect Personally Identifiable Information (PII)
The General Data Protection Regulation (GDPR) came into effect in 2018 and it transformed the data protection responsibilities of all businesses concerning the PII that they process. Severe fines and penalties are now possible for breaches of GDPR. In fact, Article 32 of GDPR requires that businesses implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This places the onus on the business to decide what level of security is appropriate to any potential risk - not an easy task for any business owner.
In addition to the financial and legal penalties, a cyber breach can lead to brand damage and reputational damage for the impacted company. GDPR regulators were previously focused on data breach fines, but more recently, civil liability actions are coming to the fore throughout Europe, alleging a failure to ensure "appropriate technical and organizational measures". The trend toward greater demands for data protection is a global one: according to UN figures from December 2020, 128 countries now have data protection and privacy legislation and 154 countries have cybercrime legislation. So, there is no avoiding the risk of maintaining personally identifiable information.
3. Control physical access to devices
Physical access to computers and devices is still a very popular way for cyber attackers to compromise your business. This can easily happen through the theft or loss of a computer device. Perhaps surprisingly, the Verizon Data Breach Investigations Report found that an asset is lost over 100 times more frequently than it is stolen, so negligence can play a part here. Other research found that 39% of incidents involve devices that were stolen from the victim's workplace.
The ability to control physical access to devices has become more difficult with the widespread remote working brought about by the COVID-19 pandemic. When devices are removed from the office, they can be easily stolen from employees’ cars or homes. If your employees need access to sensitive company information when they are working remotely, you should consider investing in professional business laptops, which offer a wide range of security features. Full drive encryption on all devices such as computers, laptops, tablets, flash drives, and memory cards is worth considering. The encryption will prevent malicious access to information even if cyber criminals gain access to the lost or stolen device.
4. Control Information Access
You should control the level of access granted to business information on a need-to-know basis. Negligence continues to play a big role in data breaches and hackers are increasingly gaining access to huge volumes of personal information through employees. Remote working practices can increase this risk. One of the best ways to control this risk is to control access to sensitive information. Create unique accounts for every employee and ensure that appropriate access privileges are set for everybody. Restrict administrator access to those employees who really need this privilege and control the powers of administrators. These measures will reduce the chances of unauthorized employees or third parties accessing sensitive information. You should also encourage a strong password policy and enforce it throughout the business.
5. Work remotely with care
Remote working practices, which became commonplace during the COVID-19 pandemic and have stayed with us, created a golden opportunity for cybercriminals. The switch to remote working took place without adequate consideration of the cybersecurity implications of the new business model. For example, many small businesses allowed employees to use their personal devices for company work without considering the implications of that. Most companies now offer working-from-home flexibility or remote working opportunities as part of a new hybrid working business model. While this flexibility is more convenient for employees, it does create cyber risks for the company that have to be assessed and mitigated.
Businesses need to ensure that the devices used by employees are secure, that the data being processed is securely stored and that the apps and programs being used on these devices are secure. Remote working can take place from any location. When employees are in a public place like an airport or a restaurant, they may be offered free internet in exchange for sharing some personal information. Keeping your information safe can be a challenge when accessing the internet using public Wi-Fi, where sensitive data such as passwords might be exposed. Staff should be warned about the risks and should consider very carefully whether to connect to the internet using public Wi-Fi unless they can use a virtual private network to do so. Every business needs to review its new business model following the pandemic-induced changes and ensure that its cybersecurity has kept pace with its business model.
6. Educate your employees
Cybersecurity resilience can't be achieved if your staff are not educated on the risks and threats that they could face in their day-to-day activities. Your staff are your first line of defence against many forms of cyber-attack, such as phishing or malware. Train your staff to identify and recognize the threats and encourage them to report incidents every time by establishing a "no blame" culture. Educating staff to spot common signs of phishing, such as misspelt email addresses, poorly written emails and text messages, and documents with unexpected attachments, can be highly effective. Malware is often hidden in documents created using popular software programs such as Microsoft Word or Excel. With the benefit of training, your staff will know never to click on a suspicious link or download something suspicious onto your systems.
7. Test your cyber resilience
It's important that you test your company's cyber resilience regularly. Testing your cybersecurity as if you were a malicious attacker will help give confidence in the company's ability to survive a real attack. Penetration testing can be arranged with specialist firms who take on the role of a professional hacker and try to penetrate your defences. This will give you a point-in-time picture of your resilience. For more regular visibility, a continuous intrusion detection and prevention system is needed. Even if sophisticated tools are beyond your modest cybersecurity budget, a focused effort to review your cybersecurity and consider cyber resilience with your IT service provider or in-house IT team can achieve a lot.
8. Investigate new technologies
The cyber environment is continually changing, both on the attack side and the defence side. Important new technologies such as artificial intelligence, big data analytics, and machine learning are used by cyber criminals to attack, and they're also being used by the biggest companies as defence mechanisms. Before long, these tools may be within the reach of the budget of smaller businesses. And in the future, it's hoped that automated systems may orchestrate the protection of networks as soon as a cyber threat is detected, and advanced behavioural analytics could ensure new levels of protection are put in place automatically. As soon as these tools become viable for small businesses to use, they'll be offered by IT and managed service providers, but until then, keep a watchful eye on these developments.
9. Consider cyber insurance
Given the fact that cyber-attacks are becoming increasingly common, you should consider cyber insurance sooner rather than later. In fact, this insurance is increasingly difficult to arrange as cyber insurers have been hit by large insurance losses and have adapted their underwriting requirements accordingly. Prospective insureds are increasingly required to prove the state of their cybersecurity prior to arranging insurance. This need to provide evidence of your insurability is expected to continue in the future.
Cyber insurance transfers the risk that your business does not wish to retain to an insurance company. If your company suffers a cyber-attack, you will have access to a panel of expert responders and you will have the financial protection to ensure that your business does not incur significant financial losses. Your commercial insurance broker may be able to advise you on this important risk management issue.
10. Keep up to date on current threats
The pandemic showed us just how quickly the cyber risk environment can change. Most businesses had to change their business model very quickly to survive. They were unprepared for this dramatic change, and they had to scramble to continue trading online. Staying up to date with an ever-changing threat environment is a challenge for small businesses. Lots of information is available, but help is often needed to focus on what's really important. Your adversary, the cybercriminal, is highly motivated and well prepared, so a "head-in-the-sand" approach to cyber risk will likely lead to disaster for your small business.
Peace of mind from cyber risk
Small businesses are "big business" for cybercriminals. If you lead a small business, you may struggle to make sense of this complex environment. You could be concerned that you may not be doing enough to prepare your business and your people for a cyber incident.
If this is your situation, I hope that this article has been useful in providing these ten tips on steps that you could implement in your small business. I also hope it has convinced you that cyber risk is a business-critical risk that can be, and needs to be, managed like any other business risk.
In the final article in this short series, I will explain "5 Common Cyber Threats to Small Businesses".
Don’t forget to have a look at the series videos on the Surviving Cyber YouTube Channel and download the eBook that accompanies the video series at: https://pages.survivingcyber.com/ebook