[BreachExchange] The Biggest Risk to Your Business: Inadequate Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 9 19:22:20 EDT 2018


https://www.nav.com/blog/cybersecurity-biggest-risk-to-your-business-30447/


Most consumers today have been a victim of theft. While not everyone has
had the harrowing experience of a home burglary or stolen car, a
compromised email password or Social Security number has affected almost
everyone. The FCC reports the theft of digital information has surpassed
that of physical theft in the U.S. to become the most rampant type of fraud
today.

As a small business owner, your risk is even greater. Any commercial task
you conduct through the internet is especially prone to exposing your
customers to this often-devastating criminal activity. How then, should a
responsible company approach cybersecurity? Here are some of the best
practices that wise entrepreneurs are implementing today.

Understand the Value of Data

While no single piece of stolen information can be damaging on its own,
fraudsters are experts at aggregating data to create whole online
“personas” that can then be used to make purchases, wire money, or even
claim benefits. An email here and a password there can result in a major
headache for customers if it lands in the wrong hands. While it usually takes a
couple of pieces of info to do major damage, even credit card numbers
without the accompanying security code (the 3-digit number on the back of
VISA/Mastercard and the 4 digits on the front of AMEX) can be used in “card
not present” transactions. Because of the potential for harm to your
customers, it’s wise to treat every single bit of data as sensitive. Don’t
allow customer info to be shared, stored, or used in anything but a secured
environment.

Train your Employees

You are only as secure as your most careless worker. Shared passwords,
log-in info, or even desktops should be discouraged. Keep each employee
accountable for their own tasks and data trails. Know where and when info
is being accessed. Also, all employees should understand the importance
of properly securing data, even if they don’t deal with it during the
course of their workday. Have an easy process for reporting suspected data
breaches, and regularly update workers on best practices – as well as new
security concerns that could affect the company.

Don’t Skimp on Security

Even the small company with just a few computers needs to invest in
solutions that are secure. Consider hiring a professional to implement a
security protocol and ensure networks and devices are properly secured and
maintained. Set up reminders to update tools regularly, and avoid using
“freeware” or unproven software products for your firewall, antivirus, and
browser protection. Recognize the difference between the types of risks,
such as malware, spyware, viruses, and ransomware.

Take Security on the Road

If you have road warriors working for your company, ensure they know the
drill for connecting to public wi-fi and using computers at hotel business
centers. Know the difference between working on a secured “intranet” and
standard “internet.” Regularly check work laptops and phones for malicious
programs and apps, as part of a work device maintenance program. Have
conversations with your team about what’s acceptable to discuss in public
(on a cell phone call, for example) and what should remain in the boardroom.

Backup, Backup & Backup Again

If you have a qualified and dedicated IT team, they should be performing
weekly (if not daily) backups of your data. Ask about what options are
available for backing up information to both physical drives and the cloud.
For smaller companies with just a few computers, it’s still necessary to
create a means for retrieving data in a computer crash, power loss, or
service outage. Look at creating a plan that keeps data both secure and
accessible for when the worst happens.

Get Serious About Social

Have you heard of social media cyber-vandalism? It’s a new but scary
occurrence of a hacker getting control of a business’ social media account
and using it in an unauthorized manner. Not only can this type of
cyber-hijacking cause damage to your brand’s reputation and messaging, but
it can also put customer and fan information at risk. The SBA has created a
comprehensive guide for how to prevent cyber-vandalism on platforms such as
Twitter, Facebook, Instagram, and more. The basic standards for securing
your accounts include:

- Create a team to develop, execute, and respond to social media
communications and issues
- Understand each platform and the limitations
- Implement and communicate best-practices for each platform
- Utilize two-step authentication, when available
- Use templates and pre-approved messages, when possible
- Regularly monitor accounts for suspicious activity
- Recover compromised accounts promptly by working with social media teams,
platform customer service, and your own internal security stakeholders

While a compromised social media account can be embarrassing, and sometimes
damaging to your company’s sales or reputation, a quick and efficient
recovery plan can make all the difference.

Consider Insurance

What if, despite your best efforts, you do experience a security threat?
Fortunately, you are not alone, and there have been developments made in
the ability for small businesses to get on track. One of these
opportunities is through insurance coverages. While most companies have
insurance plans that cover liability and some types of damages, standard
plans often don’t protect against cyber-attacks. Specialized cyber
insurance is the only way to recoup damages from cyber-attacks. Despite
this fact, however, only 21% of small US companies (fewer than 250
employees) have invested in cyber insurance, compared to 58% of larger
companies. Ask your insurance agent if this type of coverage is appropriate
for your business.

What to Do If You’re Targeted

The cost associated with cybercrimes is high, and both the FCC and the SBA
have dedicated significant resources to ensuring that today’s businesses
are prepared for the newest cybersecurity crimes (whatever form they may
evolve into). If you find yourself the victim of a crime, inform local
police, as well as your state attorney general right away. Stolen finances
or identities should also be reported to the IC3 unit, and fraud should be
brought to the attention of the FTC. Hopefully, your report can help others
avoid a similar incident.