Think data breaches only happen to national banks, mega corporations, and large retailers? Several lighting manufacturers in the commercial sector (Acuity Brands, Cooledge Lighting) as well as the residential side (Quorum and Eglo) were hit last year with either data breaches or ransomware attacks.
In the cases of ransomware, the lighting companies I spoke with refused to pay the ransom and instead invested the time and money in rebuilding their operational systems from scratch — no small undertaking.
A white paper by New York City-based IT security company SecurityScorecard, Addressing the Trust Deficit in Critical Infrastructure, outlines the real dangers facing companies.
As the world transitions from paper transactions to digital, the risk of being hacked has gone up exponentially. According to SecurityScorecard’s research, 54% of confirmed breaches occur as a result of another organization’s cybersecurity gaps.
Beyond the obvious expense of solving ransomware or data breaches, there are other indirect costs, such as the disruption in business operations, possible remediation, damage to the company brand, plus exposure to regulatory and liability risks.
With so many functions of customer interactions becoming computerized, companies of all sizes can benefit from having their cybersecurity risks analyzed. Some businesses opt to do this internally; others hire security ratings companies that use a combination of data points (collected externally or purchased from public and private sources) and apply algorithms to determine a company’s security effectiveness as a quantifiable score. Security ratings are a means of monitoring the cybersecurity of organizations, gauging whether their security posture is improving or deteriorating over time, and creating a viable means to improve breach defenses.
The U.S. Small Business Administration (SBA) offers best practices for companies to adapt to limit the likelihood of cyberattacks.
Employees and their work-related communications are a leading cause of data breaches for small businesses because they are direct pathways into your systems. Training employees about basic internet usage best practices can go a long way in preventing cyberattacks.
Other training topics to cover include:
- Spotting phishing emails
- Using good internet browsing practices
- Avoiding suspicious downloads
- Enabling authentication tools (e.g., strong passwords, multi-factor authentication)
- Protecting sensitive vendor and customer information
Secure the Network
Safeguard your internet connection by encrypting information and using a firewall. Make sure your Wi-Fi network is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. And if you have employees working remotely, use a Virtual Private Network (VPN) to allow them to connect to your network securely from outside of the office.
Use Antivirus Software
Make sure all of your business computers are equipped with antivirus software and are updated regularly. It is recommended to configure all software to install updates automatically. In addition to updating antivirus software, also update software associated with operating systems, web browsers, and other applications to help secure your entire infrastructure.
Enable Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a method of verifying an individual’s identity by requiring more than just a username and password. MFA commonly requires users to provide two or more of the following: something the user knows (password, phrase, PIN), something the user has (physical token, phone), and/or something that physically represents the user (fingerprint, facial recognition). Check with your vendors to see if they offer MFA for your various types of accounts (e.g., financial, accounting, payroll).
Monitor & Manage Cloud Service Provider (CSP) Accounts
Consider using a CSP to host your company’s information, applications, and collaboration services, especially if you have a hybrid work structure. Software-as-a-Service (SaaS) providers for email and workplace productivity can help secure data being processed.
Secure, Protect, and Back Up Sensitive Data
Secure your payment processing: Work with your banks or card processors to ensure you are using the most trusted and validated tools and anti-fraud services. You may also have additional security obligations related to agreements with your bank or payment processor. Isolate payment systems from less-secure programs and do not use the same computer to process payments and casually browse the internet.
Control physical access: Prevent access or the use of business computers by unauthorized individuals. Laptops and mobile devices can be particularly easy targets for theft and can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee — and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. Conduct access audits on a regular basis to ensure that former employees have been removed from your systems and have returned all company-issued devices.
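The access audit described above can be run as a reconciliation between the HR roster and the accounts that actually exist on a system, flagging former employees who still have enabled logins, admin rights held outside IT staff, shared logins with no individual owner, and unreturned devices. The following is an added example written for this article, not SBA material; the roster and account records in it are constructed.

```python
"""Access-audit reconciliation: compare the HR roster with the accounts
present on a system. Example code written for this article (not SBA
material); all roster and account data below is constructed."""
from dataclasses import dataclass


@dataclass
class Employee:
    name: str
    active: bool                   # False once HR marks the person as departed
    it_staff: bool                 # only IT staff / key personnel may hold admin rights
    devices_returned: bool = True  # company laptops and phones handed back


@dataclass
class Account:
    username: str
    owner: str      # employee name; "shared" marks a login with no single owner
    enabled: bool
    admin: bool


def audit_access(roster, accounts):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    people = {e.name: e for e in roster}
    findings = []
    for a in accounts:
        emp = people.get(a.owner)
        if emp is None:
            # Every employee should have their own account; no shared or orphaned logins.
            findings.append(("high", f"{a.username}: no individual owner on the roster"))
            continue
        if a.enabled and not emp.active:
            findings.append(("high", f"{a.username}: still enabled for former employee {emp.name}"))
        if a.admin and not emp.it_staff:
            findings.append(("medium", f"{a.username}: admin rights held by non-IT staff {emp.name}"))
    for e in roster:
        if not e.active and not e.devices_returned:
            findings.append(("medium", f"{e.name}: departed but company device not returned"))
    return findings


# Constructed sample data: bob has left but keeps an enabled login and a laptop;
# carol is not IT staff yet holds admin; "frontdesk" is a shared login.
SAMPLE_ROSTER = [Employee("alice", True, True),
                 Employee("bob", False, False, devices_returned=False),
                 Employee("carol", True, False)]
SAMPLE_ACCOUNTS = [Account("alice", "alice", True, True),
                   Account("bob", "bob", True, False),
                   Account("carol", "carol", True, True),
                   Account("frontdesk", "shared", True, False)]

if __name__ == "__main__":
    for severity, finding in audit_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(f"[{severity}] {finding}")
```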
Back up your data: Regularly back up data on all of your computers. Forms of critical data include word processing documents, electronic spreadsheets, databases, financial files, HR information, and accounting files. If possible, institute data backups to cloud storage on a weekly basis.
Control data access: Frequently audit the data and information you are housing in cloud storage repositories such as Dropbox, Google Drive, Box, and Microsoft services. Appoint administrators for cloud storage drives and collaboration tools and instruct them to monitor user permissions, giving employees access to only the information they need.
Planning & Assessment Tools
There’s no substitute for dedicated IT support, whether it’s an employee or external consultant, but those resources can be expensive. Here are some measures that all businesses can take to improve their cybersecurity.
Create a cybersecurity plan: The Federal Communications Commission (FCC) offers a cybersecurity planning tool (The Small Biz Cyber Planner 2.0) to help you build a custom strategy and cybersecurity plan based on your unique business needs.
Conduct a Cyber Resilience Review: The Department of Homeland Security (DHS) has partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the Cyber Resilience Review (CRR). This is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either complete the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
Conduct vulnerability scans: DHS, through its sub-agency, the Cybersecurity & Infrastructure Security Agency (CISA), also offers free cyber hygiene vulnerability scanning for small businesses. CISA offers several scanning and testing services to help organizations assess their exposure to threats and, ultimately, to help secure systems by addressing known vulnerabilities and adjusting configurations.
Manage information communication technology (ICT) supply chain risk: Use the ICT Supply Chain Risk Management Toolkit to help shield your business information and communications technology from sophisticated supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos, and resources, and is designed to help you raise awareness and reduce the impact of supply chain risks.
Take advantage of free cybersecurity services and tools: CISA has also compiled a list of free cybersecurity resources including services provided by CISA, widely used open-source tools, and free services offered by private and public sector organizations across the cybersecurity community. Use this living repository of resources to further advance your security capabilities. CISA also provides guidance for small businesses.