[HR] Protect Your Business From Security Risks
So why should small and medium businesses be concerned with cyber security? You’re probably thinking that your business is so small, nobody would ever want to hack it. It’s easy to think that a small and medium business would never have to deal with cyber security issues, because usually, when you hear about a company being hacked, it’s a major brand like Yahoo, Target, Citigroup or Sony. But these aren’t the only targets. It may sound hard to believe, but hackers target small businesses too. You just don’t hear about it because the media isn’t going to report on hacks involving small businesses.
Ransomware, DDoS, and other cyber-attacks on personal and corporate data are not new. These attacks are evolving and mutating in order to capitalize on weak spots in the systems we use every day to store and access our data. These are all things that your IT professionals know, and hopefully they are already implementing strategies to protect your system from hacks. Rather than relying solely on IT, there are a few ways for you and your team to do your part in keeping cyber criminals at bay.
Being a small/medium business doesn’t necessarily mean that you can’t get hacked. But if you’re smart — and I know you are — you’re probably wondering how you can protect your company’s information. You have worked way too hard to allow your company to be threatened by a hacker, and in this post, you will learn why it’s important to focus on cyber security. You will also learn how you can protect your business, and what you can do to minimize and manage the risks. Doing these things can not only protect your own system, but also keep a potential threat from spreading within and outside of your company.
There are several reasons why a hacker might go after a small business:
- Many small business owners don’t take cyber security seriously. They think that they’re too small to get a hacker’s attention. However, this is one of the main reasons why a small business might get hacked. Hackers know that most small business owners don’t invest in cyber security.
- You Have Information That Hackers Want – Your business may not be as big as Target or Starbucks … but it doesn’t matter. You do take payment for your products and services, right? That means you have something that hackers want. You have your customers’ payment information. You have your employees’ information.
- Small and medium business owners tend to think they have nothing worth stealing. This makes them an easy target.
Let’s discuss some best practices on how to protect your small/medium business.
- Develop A Password Strategy/Policy – You should make sure that your employees are required to create strong passwords that include a combination of uppercase and lowercase letters, along with numbers and symbols. It’s also a good idea to prohibit employees from sharing their passwords with anyone, including the IT department. Yes, it might be a bit of a pain, but it’s totally worth it.
- Beware Of Internal Threats – This may be a surprise, but most of the cyber security issues that happen are the result of someone inside the company. It’s true. Here’s a hard truth: 55 percent of all cyber attacks come from inside – 31.5% by malicious employees and 23.5% by employees who mistakenly leave the company vulnerable to an attack. Make sure that you are keeping an eye on your internal authorization requirements. Be careful when you’re deciding who gets access to sensitive data. This will help you prevent “internal hacks.” Don’t feel guilty for watching your employees’ activities; as the owner of your business, it’s your duty to ensure that you and your team are being protected. I get it. You don’t want to micromanage. The key is to find the balance between being safe and being Big Brother. It’s different for every company, but if you work at it, you will find that balance.
- Educate and remind your staff regularly – Cyber criminals are learning new ways every day to take advantage of weaknesses in software and operating systems. This means that you cannot rely solely on your IT team to take care of potential threats to your digital assets. Clicking on links in phishing emails, opening attachments from unknown senders, using weak passwords—these are just the most obvious examples of how individual team members’ actions can create vulnerabilities. Train employees, regardless of access rights, on information security as part of the onboarding process and provide periodic security awareness reminders. Provide additional training to all employees authorized to access sensitive information. All training should include information on what events constitute a security incident and how to report a security incident internally. Training should also include information on how to recognize and report phishing emails. Employees commonly are responsible for activating malicious software, such as ransomware, by clicking on a link or opening attachments in emails. Educating people and then regularly emphasizing their individual responsibility can go a long way towards reducing your company’s risk.
- Conduct Background Checks: Job applicants, temps, and contractors who will have access to sensitive information or administrative privileges for information systems should be subject to a thorough background check before they start working, and periodically thereafter, focused on evaluating trustworthiness.
- Confidentiality Agreements: Consider requiring all employees with access to sensitive information to sign a confidentiality agreement that not only requires non-disclosure of confidential information, but also describes steps employees must take to safeguard the employer’s confidential information.
- Update! – Don’t keep hitting the “Remind me later” button! Software updates are made available for a reason, and that reason is often to supply a patch to a weakness within the system that could open it up for attack, or to fix a bug that could potentially destroy important data. So the next time you get that notification, consider what is at stake, and take the few minutes to run the update and/or restart your computer.
- Back up! – Back up everything you don’t want to lose. Saving everything in two places is becoming a standard practice among most businesses. Most work should not only be saved on a local hard drive but also on the cloud in some form. This ensures that if any system is compromised, you can still access your data online. This best practice crosses over into your personal data as well. Back up everything that is important to you.
- Prepare For A Security Incident – Even companies with robust information security programs will experience a security incident. Incidents such as the disclosure of employee information in response to a phishing e-mail, or the misdirection or forwarding of an e-mail with an attachment containing sensitive business or employee personal information, should be reported to HR professionals or in-house employment counsel. HR professionals and in-house employment counsel should develop and put in place a plan for responding to these “non-IT” security incidents.
- Speak With An Expert – Your first inclination may be not to bother with this, but you should. Paying an IT security consultant might seem to be a little expensive. But it’s a great investment. If your house sprang a leak and water was building up in your kitchen, would you try to fix it yourself? Probably not. You would probably call a plumber, right? The same principle applies to IT security. If you’re concerned about cyber security, you should consider speaking with an IT security expert.
- Consider Cyber Security Insurance – Insurance is not just for your car, house or medical bills. You probably already have some sort of business insurance, but there is also cyber security insurance. If you’re a small or medium business, you may well need this. Cyber liability insurance is designed to protect your business from various cyber security threats. If there is a security breach, and your company is held liable, you may end up having to pay out tons of money in a lawsuit. This can cripple most small businesses. If you buy the right type of insurance, your legal costs will be covered.
You don’t want your business to suffer because you didn’t take the appropriate steps to protect it. You owe it to yourself, your employees and your customers to make sure that your business is secure. Preventing cyber attacks should be one of your top priorities. If you take the right steps, you won’t have to worry about endangering your business.