The digital revolution is roaring at breakneck speed with technologies touching nearly every part of nearly every business. Software and systems are shaping not only the way we interact with others, but how we share, collaborate and explore innovation. With the increasing shift to cloud services, the digital threats organizations face grow more ominous, leading to the question — is technology moving more quickly than it can be protected?
In a recent study by the Ponemon Institute, the resounding answer was "YES." More than 60% of business leaders responded that despite technological advancements, their organizations remain unprepared for the cyber threats they face. The same survey revealed that just more than half (52%) of all small businesses have a clearly defined cybersecurity strategy, and 65% of small businesses reported that they failed to act following a cybersecurity incident. Less than a quarter (21%) of small businesses reported having a standalone cybersecurity insurance policy, compared to 58% of large companies. In an era in which a single cyberattack can create wide-ranging chaos, business uncertainty, and revenue losses in the millions, small businesses own the responsibility to protect their people and assets from the clear and present danger of cyberattacks, yet many remain at high risk.
Here are a few simple strategies to help SMBs shore up their cyber defenses:
1) Identify critical business systems, processes and personnel
Before buying expensive products or services, it is critically important for business owners to perform a detailed assessment to understand critical business processes, systems and personnel so that priority actions can be quickly determined. In alignment with best practice, priority actions should be mapped to short, medium and longer-term items to ease the burden of allocating precious business resources. The most exposed and potentially most costly vulnerabilities need to be addressed first and foremost, followed by those that are less likely to be exploited over the near term. Taking a prioritized approach to securing your systems, processes and personnel will provide a fundamentally strong foundation for a more robust cybersecurity program.
2) Implement multi-factor authentication
Phishing attacks continue to plague all organizations, despite expensive security tools. Because more than 80% of cyber breaches happen due to weak or stolen passwords, it behooves every business — small, medium, and large — to adopt multi-factor authentication (MFA) to provide an additional layer of identity authentication throughout the organization.
3) Draft an incident response plan and exercise your plan
This is oftentimes the biggest hurdle for many small- and medium-sized businesses. Drafting an incident response plan is a collaborative exercise and can be intense and extremely time-consuming. The plan should consist of a series of business-relevant scenarios with incident types along one axis and the level of severity along the other. The leadership team, in conjunction with business operations, information technology specialists and cybersecurity experts (either in-house or outside consultants) must brainstorm the most likely scenarios and determine the most likely effective responses. The plan must also define the roles and responsibilities of each member of the leadership team in the event of a serious cyberattack because an all-hands-on-deck approach is often needed. The plan will be most effective if practiced in regular tabletop exercises. Each exercise should be different to truly test the capabilities of the plan and the people who are carrying it out. The more small business leaders exercise the plan, the more ready their team will be when an attack occurs.
4) Obtain cyber insurance coverage
As mentioned earlier, small businesses are far less likely than larger organizations to have standalone cybersecurity insurance coverage. And while that may have been okay a decade or so ago, it is not okay anymore as cybercriminals are savvy enough to understand that smaller companies are often an easier target to attack. There are a lot of cybersecurity insurance plans on the market, many of which are designed for SMBs and their specific needs. Costs vary, so small business leaders are advised to shop around and find the deal that works best for them.
In an era of heightened cyber risks with potentially devastating impacts, it is no longer enough to wait for an attack before acting. Small- and medium-sized companies need to be proactive in the development of their cybersecurity plans and protective measures. Specifically, they must accurately identify their most critical business systems, processes and personnel to understand their vulnerabilities. Then, they must act by implementing multi-factor authentication and developing and testing an incident response plan. Finally, all SMBs need to analyze and obtain the appropriate cyber insurance coverage they need to ensure that they will be protected in case of attack. As often learned in childhood — it’s better safe than sorry and there is no better time than the present.