Cybersecurity is something you, as a smart business owner, undoubtedly care about, but perhaps you’re not quite sure where to start. Fortunately, we’re here to help. There’s almost nothing more important than making sure you have a plan in place to keep your business safe from cyberthreats. If you don’t take precautions ahead of time, you’ll regret it when your employees’ information is hacked and leaked, your company’s private records are stolen, or you lose data due to a virus or malware attack.
“At the most basic level, cybersecurity is the art and science of protecting your proprietary or sensitive information from inadvertent disclosure,” explains Jim Kilmer, co-founder and division director of the Technology Services division of the Opal Group. “It really doesn’t matter whether you’re selling widgets or doing background checks — there is no such thing as acceptably bad security these days.” We spoke to Kilmer to find out what steps you can take to ensure your business is cyber safe.
1) Train your employees
This is probably the most important thing for small businesses. “Train, train, train; repeat, repeat, repeat,” Kilmer implores. He recommends doing security awareness training, at least once a month, on how to prevent phishing — a form of online identity theft in which the person being “phished” is tricked into sharing personal data or information. Ever hear those horror stories in which a friend receives an email from “their boss” asking to borrow their credit card for a last-minute emergency? Trainings help ensure your team is less susceptible to these kinds of scams. Kilmer also suggests providing online cybersecurity awareness training courses, which offer information about tactics that hackers are using — and how to spot and prevent them. “That is invaluable because you don’t want the first and only training your employees receive to be from the bad guys.”
2) Invest in an endpoint protection product
“For small businesses, there are certain things I would consider table stakes,” Kilmer says. One of those things: Investing in a good, strong endpoint protection product — software that protects your network against cyberattacks — on all of your computers and services. Kilmer cautions that this is not an area where you want to skimp. “In many ways, you absolutely get what you pay for, which doesn’t mean you’ve got to go out there and buy the most expensive thing — price doesn’t always correlate to quality — but if you’re getting ultra-discounted endpoint protection software, there’s probably a reason why and you might want to consider ponying up a little bit more.”
3) Have an incident response plan in place
An incident response plan is your lifeline for when things go wrong. It’s essentially just what it sounds like: a set of protocols for what to do if and when a cybersecurity breach occurs. “The time to think about how you’re going to respond to these threats is when you are level-headed and you have time to mull it over, look for the appropriate vendors or contractors and think about your communications plan and who you have to disclose it to and when,” Kilmer says. Without an incident response plan, it’s possible to get hit with ransomware and lose all of your data. If you don’t have good backups or a plan to recover from something like that, it can be hard to rebuild and continue to pay your employees, often resulting in a quick downward spiral.
4) Engage a professional
The middle of a crisis is the worst time to try to find a good IT contractor. Instead, Kilmer suggests having an IT-support firm on call, specifically one with cybersecurity experience. It’s worth the investment to pay somebody $500 or $1,000 a month “to know your network, do some preventative maintenance and be on call for when bad things occur.” And if they never occur? “It doesn’t mean you cancel them — just look at it like an insurance policy, that you have a professional on tap ready to help you should this ever happen.”
5) Don’t collect information you don’t need
When the internet first came along, the ability to collect and store information about your customers just in case you happened to need it was seen as an asset. “That is now being looked at, from a cybersecurity perspective, not as an asset but as a liability,” Kilmer says. He suggests taking an inventory of what data you’re collecting and why, and if you have a backlog of information about your customers, like bank account and credit card numbers that you’re not using anymore, you should get rid of them. If it is not directly adding value to your organization, then it is simply a liability waiting to happen if someone ever breaches your network and gets access to that information. “The days of just siphoning in all of this data and hoping for the best are well behind us.”
If you’re not sure whether to make this a priority right now, “think about doing this because you’re protecting your employees,” Kilmer advises. “Think about doing this because you are taking steps to ensure that you’re going to be the survivor if something like this occurs.”