The 3 Most Critical Elements of a Small Business Cybersecurity Plan
Originally posted on FederalSmallBizsSavvy.com:
In a previous post, we looked at the disturbing prevalence of cyber-attacks, and how small businesses are especially at risk.
As of December 31, 2017, any company wishing to work with the government is required to have a documented cybersecurity plan. This is an excellent opportunity to make sure your business is prepared for this inevitable threat.
The three critical elements of a cybersecurity plan
• Require executive leadership commitment to security
• Train and educate employees about cyber threats and hold them accountable
• Require employees to use strong passwords and to change them often
The bottom line is that employees should participate in identifying and protecting your business from security incidents. Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business.
• Create a cybersecurity policy for your business
• Develop procedures for safeguarding employee, vendor, and customer information
• Establish security practices and policies to protect sensitive information
• Include protocols/processes that employees must follow in case of a breach
Although all three are critical, technology is the most critical element of a cybersecurity plan.
• Update computers and software
  • Regularly update your computers, including desktops, laptops, and mobile devices
  • Ensure operating systems, software applications, and web browsers are up to date
• Encrypt data and create backups
  • Regularly back up your information so that if it is stolen, you will have another copy somewhere else
• Limit and control access
  • Unauthorized personnel should not have access to company computers and accounts
• Secure your infrastructure (physical location, network, etc.)
  • A business’s Wi-Fi can be an easy way to access data; secure your Wi-Fi so only authorized personnel can access it.
If you become a victim of a breach, take the following steps:
• Contact your IT team, legal counsel and cyber liability insurance agent
Contain the breach
• Take affected systems offline, but don’t turn them off – that way your IT team can examine the source of the breach
Document every step
• Authorities will need to know these details
• Ensure affected groups are made aware of the issue and the steps being taken
A great cybersecurity resource is the United States Computer Emergency Readiness Team (US-CERT), which distributes bulletins and alerts. It provides information for both technical and non-technical users, shares cybersecurity tips, and responds to incident, phishing, and vulnerability reports.
It is imperative that businesses exercise breach preparedness and readiness in order to remain competitive in today’s marketplace. Cybersecurity strategies are not optional; they need to be regarded as a core activity in your business.