With large corporations focused on hardening their security infrastructure, cybercriminals are increasingly targeting small to mid-sized businesses. Cybercrime complaints increased by 7% from 2020, according to the FBI’s 2021 Internet Crime Report. And “the majority of those victims were small businesses,” FBI Supervisory Special Agent Michael Sohn told CNBC. Therefore, a proactive approach is the best way to protect your business from being hacked.
The National Institute of Standards and Technology (NIST) provides a cybersecurity framework to prevent attacks, and the Cybersecurity and Infrastructure Security Agency (CISA) offers guidance for small businesses. Using this information, we developed the following recommendations for reducing cyber risks.
Assess your cybersecurity posture and critical processes
Awareness is key to preventing, detecting, responding to, and recovering from a cyberattack. An assessment helps you learn which activities and hardware are vital to operations, identify potential threats, and evaluate vulnerabilities. Managed service providers (MSPs) offer cybersecurity audits and assessments, or your information security team can handle them in-house.
NIST suggested that small businesses start with its internal report, Small Business Information Security: The Fundamentals. It provides templates and details ways your company can systematically and proactively reduce risks.
On a basic level, your assessment should include:
- A list of mission-critical business processes and assets, like protecting customer data or keeping payment software functioning.
- An inventory of your hardware and software, including on-site, remote, and cloud-based applications and devices.
- A data-flow diagram of how collected information enters your business, where it is stored, and where it goes (e.g., to public cloud or software as a service (SaaS) cloud storage).
- A cybersecurity risk assessment that identifies and documents threats, consequences, and risk levels. TechTarget’s five-step process is easy to follow.
Develop a cybersecurity program
All businesses, regardless of size, should designate a security program manager, establish a zero-trust security culture, and outline cybersecurity policies and procedures. Additionally, your program should include regular training for all employees and leaders. However, according to NIST, “organizations have unique risks—different threats, different vulnerabilities, different risk tolerances—and how they implement the practices in the Framework to achieve positive outcomes will vary.”
In short, there isn’t a one-size-fits-all cybersecurity solution. But taking no action isn’t an option. The FTC’s Cyberplanner helps you build a custom cybersecurity plan, and SANS offers security policy templates. Also, check out the Cyber Basics for Small Businesses Training and free cyber awareness videos.
Secure your IT infrastructure
CISA provides an expansive list of free cybersecurity tools and resources to protect your business from being hacked, assess threats, and respond to incidents. Take a multilayer approach using various tools and services to detect malicious activity and secure your organization.
Here are suggestions from NIST’s small business report for securing and hardening your infrastructure:
- Use multifactor authentication, privileged access management tools, and password managers; these complement rather than replace one another, and multifactor authentication is the one to deploy first.
- Regularly update and patch software and firmware for all assets listed on your inventory sheet.
- Apply the principle of least privilege to control access to systems, applications, and hardware.
- Set up firewalls on all business networks, including those of remote employees.
- Use an intrusion detection/prevention system (IDPS) to monitor network traffic for malicious activity.
- Follow best practices for configuring your wireless access point and networks.
- Consider requiring remote employees to use an encrypted virtual private network (VPN).
- Install email and web filters to reduce spam and block known-malicious or untrusted websites.
- Back up your systems and applications regularly, test that the backups actually restore, and keep at least one copy offline or otherwise isolated from the network so that ransomware cannot encrypt it along with the originals.
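Two of the items above, the hardware and software inventory from the assessment and the rule to patch every asset on that inventory sheet, are easier to act on when the inventory is machine-readable. The script below is an added example, not code from CO—, NIST, or CISA: it reads a constructed inventory in the shape the assessment list describes (asset, location, software, version, criticality, owner), compares each recorded version against a hypothetical table of minimum fixed versions, and ranks the gaps by business criticality so the mission-critical assets are patched first. The inventory rows and version baselines are made-up sample data; in practice the baselines come from vendor advisories.

```python
"""Inventory-driven patch check (added example, constructed data)."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory; the hostnames and products are not real.
INVENTORY_CSV = """asset,location,software,version,criticality,owner
pos-01,on-site,paymentsvc,2.3.1,high,ops
fw-edge,on-site,routeros,6.49.8,high,ops
laptop-jdoe,remote,officesuite,16.0.2,medium,jdoe
crm,cloud,crmsaas,2024.05,medium,sales
nas-backup,on-site,nasfw,4.2.0,high,
"""

# Hypothetical minimum fixed versions; a real table is built from vendor advisories.
MIN_VERSION = {
    "paymentsvc": "2.4.0",
    "routeros": "6.49.10",
    "officesuite": "16.0.2",
    "nasfw": "4.1.5",
}

# Weight from the criticality column of the inventory (mission-critical first).
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# A missing patch outranks a bookkeeping gap on an asset of the same criticality.
ISSUE_PRIORITY = {
    "below minimum fixed version": 2,
    "no patch baseline tracked": 1,
    "no owner assigned": 1,
}


@dataclass
class Finding:
    asset: str
    software: str
    installed: str
    required: str
    score: int
    issue: str


def parse_version(version: str) -> tuple:
    """Turn '6.49.10' into a comparable tuple so 6.49.8 < 6.49.10 (not a string compare).

    Numeric components compare as integers; non-numeric components (e.g. 'rc1')
    sort below any number. A shorter prefix sorts below a longer one.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def load_inventory(text: str) -> list:
    """Parse the CSV inventory into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_inventory(rows, min_version=MIN_VERSION) -> list:
    """Return findings sorted by score (criticality * issue priority), highest first."""
    findings = []
    for row in rows:
        weight = CRITICALITY_WEIGHT.get(row["criticality"].strip().lower(), 1)
        software, installed = row["software"], row["version"]
        required = min_version.get(software)

        if required is None:
            issue = "no patch baseline tracked"
            findings.append(Finding(row["asset"], software, installed, "",
                                    weight * ISSUE_PRIORITY[issue], issue))
        elif parse_version(installed) < parse_version(required):
            issue = "below minimum fixed version"
            findings.append(Finding(row["asset"], software, installed, required,
                                    weight * ISSUE_PRIORITY[issue], issue))

        # An asset nobody owns will not get patched, so flag it as well.
        if not row["owner"].strip():
            issue = "no owner assigned"
            findings.append(Finding(row["asset"], software, installed, "",
                                    weight * ISSUE_PRIORITY[issue], issue))

    findings.sort(key=lambda f: (-f.score, f.asset))
    return findings


if __name__ == "__main__":
    for f in check_inventory(load_inventory(INVENTORY_CSV)):
        print(f"[{f.score}] {f.asset:<12} {f.software:<12} "
              f"{f.installed:<10} {f.required or '-':<10} {f.issue}")
```

Two design choices matter here. Versions are compared component by component rather than as strings, because a string comparison would rank 6.49.8 above 6.49.10 and hide the gap. And an asset that has no baseline at all, or no owner, is reported rather than silently skipped, since an inventory row nobody is responsible for is exactly the one that goes unpatched.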
Craft incident response and recovery plans
Time is critical when your business is under attack. Everyone should follow role-based steps when responding to and recovering from a cyber incident. Your incident response and disaster recovery plans are part of your larger business continuity plan. Together, these living documents help your business remain operational.
NIST’s Incident Response Plan (IRP) Basics offers these recommendations for being prepared to respond when your company is attacked:
- Have an attorney review your plan.
- Conduct attack simulation exercises regularly.
- Review the plan and its contact lists quarterly.
- Keep printed copies of your incident response plan and contact list.
- Have a press response ready.
- Decide in advance which outside incident response firm you will call if you are attacked, and keep its contact details with the plan.
- Print cyber insurance policy information.
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.