Article written by Dave Hansen of ACES, published in the March 2018 issue of Cedar Valley Business Monthly
There is a lot of buzz today around cyber-security in small to medium businesses. If you work for a large corporation, a major medical group or a national non-profit organization, these issues have likely already been addressed at a high level within your organization. I probably cannot bring many new ideas to the table for these organizations.
My focus is assisting small to medium businesses and organizations, those with maybe 10 to 100 employees or so, which make up a large portion of our economy here in Eastern Iowa. These are the organizations that historically have often not dedicated many resources to cyber-security and, because of this, are likely to be at the greatest risk in this era of rapidly growing cybercrime.
There is a misconception that these smaller businesses are not targets for cybercriminals. The truth is that, because smaller businesses are often less prepared for a cyber-attack, they are often easier to victimize. Criminals do not typically discriminate as to whom they attack. They usually look for easy targets with some promise of pay-out and a high likelihood of getting away without being caught.
The internet has opened channels for stealing from a small business on the other side of the world with almost no fear of being caught or punished. Small businesses that choose to ignore this fact will be victimized at some point; it is just a matter of when and how much damage is done.
How do you combat this threat?
First, you must make a commitment to take steps to determine where your organization stands in terms of cyber-security. What do you have already in place that is working to your advantage? If you don’t know, talk with someone in the industry. Engage with a company that provides these services and have them help you determine where you stand in terms of network security.
I recently talked with a small internet service provider in a small town in rural Iowa. He was very proud to tell me about the multiple firewalls that he uses to “protect” his customers’ internet connections. The problem with this mindset is that it reflects a belief that if you buy a good firewall and run your internet service through it, you are secure. Nothing could be further from the truth, and thinking that this “box” alone makes you secure provides a false sense of security.
Having a truly secure network requires implementing and actively managing multiple layers of network security. A managed firewall is just one layer of security. Greater security requires more layers. Anti-virus that is regularly updated, patching tools that update applications on your network as new threats are uncovered, email filtering designed to block most spam emails and emails with potentially malicious links or attachments, web filtering tools designed to block users from accessing websites that spread malicious code, and other security technologies all add layers to your cyber-security.
The value of a robust data back-up system also cannot be overstated when it comes to combatting a cyber-attack. While everyone seems to understand the importance of keeping data backed up, few seem to understand what may be required to recover data and restore your systems to a full operating state. You should consider how long your business can survive without having access to your data: accounts payable, accounts receivable, product pricing and data, client records, email, calendars and other critical business information.
If restoring this data within minutes rather than in days or even weeks would be crucial in keeping your business moving forward, you should evaluate your back-up system. There are many reputable back-up systems that are automated and include a cloud storage component. However, very few of these systems have the capability to recover quickly. Talk with an expert about what it takes to have a system that includes a service that verifies the success of your regular data back-ups AND, when the need arises, can quickly restore your systems to a point where you can continue operating your business.
These issues only touch on the technical side of security. You must also consider that humans are the weakest link in securing your data, whether it is a matter of trust or of not having the proper training to recognize when someone is attempting to trick them into giving up vital security information. You must develop network security policies that people are accountable to, provide training to staff to help them understand and avoid cyber-attacks, and actively promote security in your organization.
You might even consider cyber-liability insurance. Policies are designed to protect you from damage done by a cyber-attack. They cover things like paying ransoms to recover data encrypted in a ransomware attack, cyber-forensics expenses to help determine the cause of a data breach, lost business, lost customers and other financial damage that can occur in a cyber-attack. Talk with an insurance professional who specializes in business insurance. They will have options for you to protect your business against losses due to cybercrime.
I understand that all of this can be overwhelming when you have so many other things to consider in your business. The best way to deal with this is to talk with an expert in this industry. Get an analysis done so you know where you currently stand with security on your network. Then determine how important it is to you to be protected against this growing threat and work with a professional to develop an appropriate plan of action.