Small and medium-sized businesses often lack the budgets that larger companies have to protect against cyberattack. Coupled with the fallacy that it is primarily larger, higher-profile organizations that get hacked, this has left many smaller businesses widely exposed. But there are steps these companies can, and should, take to reduce their exposure, and the benefits far outweigh the modest costs.

To address this need, my team (Jesse Dunagan and Dan Armstrong) and I fleshed out some answers to basic questions on how small and medium-sized businesses can protect themselves.

Q: What general advice would you have for small and medium-sized businesses to protect themselves against cyberattack?

A: At a minimum, small and medium-sized businesses must deploy complementary firewalls and anti-malware software, with continuous monitoring of the network. With attacks on the rise, it is imperative that companies have a reliable DDoS mitigation platform in place and run vulnerability assessments, penetration tests and security audits on a regular basis.

It is important to keep in mind that most of the measures above are reactive rather than proactive: they detect or absorb attacks rather than anticipate them. To adequately defend your website and the privacy of your customers, network security administrators need actionable threat and risk intelligence that gives them insight into how to prioritize their limited resources. Having this intelligence allows small and medium-sized businesses to identify vulnerabilities and make informed, risk-based decisions about which mitigation strategies to employ first.

Q: What specific steps can they take?

A: To minimize the risk of data loss and cost per data breach, companies should:

  1. Appoint a C-level executive who is responsible for the management of the organization's data protection.
  2. Implement a strong security posture by creating a Defense in Depth approach to information security management.
  3. Develop, implement and practice a company Data Breach Incident Management Plan. This plan should include a process to notify victims within 30 days (or sooner, where applicable law or regulation requires it) and a process for dealing with lost or stolen devices.
  4. Review, on a routine basis, all third-party vendor, outsourcer and business partner access agreements, practices, and information security management plans and processes, to make sure they are aligned with the company's own.
  5. Invest in and use cyber threat intelligence analysis when creating the information security management plan. This analysis can assist with resource allocation and is critical in working through the data breach incident management plan.
  6. Use consultants to assist in developing and implementing information security strategies, employee awareness education, and breach remediation. Consultants provide an unbiased perspective regarding the enterprise security posture and can assist in planning, budgeting, policy and procedure reviews as well as performing third party assessments.

The aforementioned tips will create a holistic data security environment and culture that will minimize the risk of data breaches and protect the business brand.

Q: Which policies should they implement for their employees?

A: It is imperative that companies mandate acceptable usage policies for all employees, and this is especially true for small and medium-sized businesses. The Internet is most likely a direct pipeline between the company and its customers, so if an employee visits a malicious site or downloads a Trojan horse, the company could be in big trouble. All users must follow corporate principles and exercise good judgment when using the Internet.

A prudent policy might, for example, permit Internet use for:

  • Communication between employees and non-employees for business purposes
  • IT technical support downloading software upgrades and patches
  • Review of possible vendor web sites for product information
  • Reference to regulatory or technical information
  • Research

With social media being the mainstay that it is, companies should also adopt a personal usage policy, and this may be one of the most important policies a company has. All Internet users should be aware that the company network creates an audit log that records each request for service, both inbound and outbound, and that this audit log is periodically reviewed.

Employees who choose to store or transmit personal information such as passwords or credit card information do so at their own risk. The company should have a policy stating that, while it takes steps to ensure cyber safety, the company will not be responsible for loss of such information or for any consequential loss of personal property.

I therefore recommend a prohibited usage policy that should include:

  • The conduct of a separate business enterprise, political activity, engaging in any form of intelligence collection from company facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials
  • Accessing company information that is not within the scope of one’s work (this includes unauthorized reading of customer account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions)
  • Misusing, disclosing without proper authorization, or altering customer or personnel information (this includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel)
  • Deliberately pointing or hyperlinking company Web sites to external Web sites whose content may be inconsistent with or in violation of the aims or policies of the company
  • Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulation or local, state, national or international law, including without limitation US export control laws and regulations
  • Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization (assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise)
  • Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls
  • Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs
  • Any form of gambling
  • Unauthorized downloading of any shareware programs or files for use without authorization in advance from the IT Department and the user’s manager
  • Any ordering (shopping) of items or services on the Internet
  • Playing of any games
  • Forwarding of chain letters
  • Participation in any on-line contest or promotion
  • Acceptance of promotional gifts
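The personal usage policy above says the network audit log is periodically reviewed; the prohibited usage list says what a reviewer is looking for. The following Python is an added example, not code from the original article, of what such a review can look like in practice: it parses a constructed proxy-style audit log, matches each request against a constructed list of prohibited categories that mirrors several items in the list above, and flags users who accumulate repeated violations within a time window. The log format, field names, category labels, sample lines and thresholds are all assumptions made for illustration.

```python
"""Added example: review a web-proxy audit log against an acceptable-use policy.

The log format, the policy categories and the sample lines below are constructed
for illustration and are not drawn from any real product or the original article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed policy: log category -> the prohibited-usage rule it violates.
PROHIBITED_CATEGORIES = {
    "gambling": "Any form of gambling",
    "games": "Playing of any games",
    "shopping": "Ordering of items or services on the Internet",
    "filesharing": "Unauthorized downloading of shareware programs or files",
}

# Constructed sample log. Fields: ISO timestamp, user, direction, category, URL, bytes.
# The fourth-from-last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice outbound vendor https://vendor.example/pricing 5120
2024-03-04T09:15:44Z bob outbound gambling https://bets.example/live 88112
2024-03-04T09:20:10Z alice outbound filesharing https://files.example/tool.exe 4194304
2024-03-04T09:21:03Z carol inbound mail https://mail.example/inbox 2048
2024-03-04T09:22:00Z dave outbound
2024-03-04T09:25:59Z bob outbound games https://arcade.example/play 12000
2024-03-04T10:02:00Z bob outbound gambling https://bets.example/cashout 3000
"""


def parse_log(text):
    """Parse the constructed space-separated log into records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # a truncated or malformed line must not abort the whole review
        ts, user, direction, category, url, nbytes = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "direction": direction,
            "category": category,
            "url": url,
            "bytes": int(nbytes),
        })
    return records


def find_violations(records, policy=PROHIBITED_CATEGORIES):
    """Return the records whose category is prohibited, annotated with the policy reason."""
    return [dict(r, reason=policy[r["category"]]) for r in records if r["category"] in policy]


def repeat_offenders(violations, threshold=2, window=timedelta(hours=1)):
    """Map user -> largest number of violations that fall inside any single `window`.

    Only users reaching `threshold` are returned; a single slip is left to the
    reviewer's judgment, a cluster of violations is escalated.
    """
    by_user = defaultdict(list)
    for v in violations:
        by_user[v["user"]].append(v["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1  # extend the window forward while events stay within it
            count = j - i + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def review(text):
    """Produce a human-readable review report for one log extract."""
    violations = find_violations(parse_log(text))
    lines = [f"{v['time']:%Y-%m-%d %H:%M} {v['user']:<6} {v['direction']:<8} "
             f"{v['url']}  <- {v['reason']}" for v in violations]
    for user, count in sorted(repeat_offenders(violations).items()):
        lines.append(f"ESCALATE: {user} has {count} violations within one hour")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

In a real deployment the category would come from the proxy's URL-classification feed rather than a hand-written field, and the reviewer's thresholds should be agreed with HR and stated in the policy itself, so that the periodic review the policy announces is also the one actually performed.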

Q: What hardware or software do these businesses need to protect themselves?

A: It depends. Hardware and software recommendations for small and medium-sized businesses should always be scoped and scaled to the client's specific needs and configuration. If a client has a website that sits on a hosted server, its cybersecurity needs are different from those of a company that runs its own internal hosts and network.

Also, these decisions should be based on risk management. Some businesses, given the nature of their products, processes or information, may not need a full-blown suite of security enhancements because their risk profile is low. As they grow or evolve, however, their risk profile may change, and the company then needs to decide the level of risk with which it is comfortable.

Then there is the budgetary side of the equation. If a small business needs to keep putting cash back into bringing its product to market, advertising and so on, it may not have the capacity to spend on cybersecurity, or it may need to take a stricter, more programmatic and pragmatic approach to its security posture. In cybersecurity, one size does not fit all, but planning and prevention go a long way.