By Reg Harnish
It’s that time of year when many of us start evaluating the past year and what goals we want to aspire to in the next. And although cybersecurity might not have as much allure as a six-pack (depending on who you ask), it’s crucial for your business’s well-being.
With cybercrime losses estimated at $3.1B and rising, whether from financial fraud, ransomware, or data breaches, it’s important to understand the sheer scope of the challenge. Although small businesses are increasingly adopting and investing in cybersecurity, 62% of small businesses are affected by cybercrime, because the reality is that the bad guys are getting better faster than we are.
Embarking on a cybersecurity strategy can seem daunting, but at its core, we believe that cybersecurity success comes from doing the absolute minimum necessary to achieve your business mission. At a high level that means understanding how cybersecurity affects and contributes to your mission, and proactively and methodically thinking about how to apply controls, whether driven by HIPAA, PCI DSS, or other industry requirements, to:
Protect your intellectual property
Combat cybercrime
Minimize disruption and loss
Protect against reputational issues
To understand how cybersecurity can best contribute to your mission, follow these 8 recommendations:
1. Understand Your Goals Establishing the right goals is about understanding your business:
a. What is the mission? (Protecting intellectual property? Patient data, etc.?)
b. What does your risk tolerance look like, including your business culture?
c. Regulatory mandates (HIPAA, NIST SP 800-171, PCI DSS, etc.) are important, but what is the right, defensible goal for your business?
2. Do a Risk Assessment When considering risk in cybersecurity, it’s all about the risks to your data. Do you have a remote or hybrid workforce, or process a lot of financial transactions? Do you send and receive sensitive data? Identify the areas of greatest data risk in your business.
3. Build an Incident Response Plan Even with a strong cybersecurity strategy in place, breaches can and will happen. Prepare for them with a strategic plan for detection, response, and recovery. When an incident occurs you want to be in a position of defensibility (did you put reasonable protections in place and respond effectively?) and resilience (how much did the breach disrupt your business?). We recommend yearly incident response tabletop exercises. Incidents can be chaotic and emotional, and drills that simulate financial fraud, a breach of regulated data, or the loss or theft of a device in a safe environment can prepare your team like few other things can.
4. Conduct Employee Awareness Training Empowering your team to recognize and prevent cyber threats, like phishing attacks, is the single biggest way to minimize your chance of experiencing cyber incidents. Cybersecurity awareness programs should be frequent. That’s because we know that short continuous drips of training, testing, and skills assessment are much more effective than a single annual training. Training every month combined with the expectation that it’s part of an employee’s job description is a powerful and effective combination.
5. Get a Cyber Insurance Policy For the same reasons we need an incident response plan, and for the same reasons we buy fire insurance, cyber insurance is crucial to mitigating potential financial losses and to funding incident response. The cyber insurance industry is changing quickly as cybercrime changes, and it’s important to work with an insurance company that specializes in cyber insurance.
6. Reinforce Your Financial Processes When you evaluate the resilience of your financial processes, review both the technology you use, such as multi-factor authentication and alerts on mailbox rule changes (an attacker who gets into an email account commonly adds rules that forward or hide messages about invoices and payments), and your people processes. Strong employee training and testing, a Culture of Security focused on protecting your data, and procedural measures that inherently reduce risk, like segregation of duties, are critical to preventing breaches. For example, a vendor calls or emails and wants to update their ACH routing number. What process will you use to confirm the request is legitimate, such as calling the vendor back at a phone number already on file rather than one supplied in the request, and requiring a second person to approve the change?
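The “alerts on mailbox rule changes” control above is worth making concrete. The following is an added example, not code from the original post or from the author’s firm: it scores mailbox-rule audit events the way a small business (or its partner) might before paging someone. It assumes events shaped roughly like Microsoft 365 unified audit log records for New-InboxRule and Set-InboxRule (an Operation, a UserId, and Parameters as a list of Name/Value pairs); the sample events, the internal domain example.com, the folder list, and the scoring weights are all constructed for illustration.

```python
"""Flag mailbox inbox-rule changes that look like business email compromise.

Added example; this is not code from the original post. It assumes audit
events shaped roughly like Microsoft 365 unified audit log records for
New-InboxRule / Set-InboxRule (an Operation, a UserId, and Parameters as a
list of Name/Value pairs). The sample events, the internal domain and the
scoring weights are constructed for illustration.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed: the business's own mail domain(s)

# Rule parameters that send copies of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers commonly use to hide mail the victim would otherwise notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}
FINANCE_WORDS = re.compile(r"\b(invoice|wire|payment|ach|bank|remit(tance)?)\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _params(event):
    """Collapse the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [m.group(0) for m in EMAIL_RE.finditer(value)
            if m.group(1).lower() not in INTERNAL_DOMAINS]


def score_rule_event(event):
    """Return (score, reasons) for one audit event; (0, []) for non-rule events."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return 0, []
    p = _params(event)
    score, reasons = 0, []
    for name in sorted(FORWARDING_PARAMS & set(p)):
        external = _external_addresses(p[name])
        if external:
            score += 3
            reasons.append(f"{name} to external address {external}")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("DeleteMessage=True")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("MarkAsRead=True")
    terms = " ".join(p.get(k, "") for k in
                     ("SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords"))
    if FINANCE_WORDS.search(terms):
        score += 2
        reasons.append("filters on finance keywords")
    name = p.get("Name", "").strip()
    if len(name) <= 2 or not re.search(r"[A-Za-z]", name):
        score += 1  # attackers often name rules "." or ".." so they are easy to miss
        reasons.append(f"suspicious rule name {name!r}")
    return score, reasons


def alerts(events, threshold=3):
    """(event, score, reasons) for events at or above threshold, highest first."""
    found = []
    for ev in events:
        score, reasons = score_rule_event(ev)
        if score >= threshold:
            found.append((ev, score, reasons))
    return sorted(found, key=lambda t: t[1], reverse=True)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "pat@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "ForwardTo", "Value": "finance.helper@mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "password reset"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "pat@example.com", "Parameters": []},
]

if __name__ == "__main__":
    for ev, score, reasons in alerts(SAMPLE_EVENTS):
        print(f"{ev['UserId']}: score {score}; " + "; ".join(reasons))
```

The benign newsletter rule scores zero and stays quiet; the rule on the CFO’s mailbox that forwards invoice mail to an outside address and deletes the original scores highest, and the “Cleanup” rule that hides password-reset mail in RSS Feeds clears the threshold on its own. The weights are deliberately simple; the point is that each finding carries its reasons, so whoever receives the alert knows what to check before calling the user.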
7. Use Grit Cybersecurity isn’t about going toe to toe with bad actors from a technological standpoint, it comes down to building a ‘Culture of Security’ in your organization that fosters a collective commitment to cybersecurity, making it a fundamental part of every role.
8. Find a Good Cybersecurity Partner There are thousands of cybersecurity tools out there to buy, and just as many IT and cybersecurity services companies saying they can help you. Find a cybersecurity partner that works specifically with small businesses, understands cybersecurity is only 1/3 technology, and focuses on what I started with – what is the absolute minimum necessary to achieve your business mission. Anything else is overkill.
Ensuring a more secure organization is all about the fundamentals. It’s also important to ask for guidance and help where you need it. When writing your 2024 resolutions, I hope you consider the cyber resilience of your business an important goal worth creating a plan for.