Small Business Security Starts with The Business Owner

The number of cyber attacks against small businesses rapidly grew in 2015. This matters because research would suggest that sixty percent of small businesses struck by a cyber attack close within six months. As the World Economic Forum identified cyber crime as a global economic risk, we're expecting even worse numbers in 2016.

Hackers like small businesses because their digital assets are more lucrative than those of a normal consumer, and because a small business likely has fewer IT staff and IT safeguards than a larger corporation. As this infographic would suggest, small business managers often underestimate the value of their digital assets (believing that they don't have anything worth stealing), and they don't understand the exposure they face if those assets are lost.

There are a number of Technical Controls that we can implement to help address the problem:

  • Access Controls
  • Vulnerability assessments
  • System patching
  • Encryption
  • Data backups
  • Mobile Device Management
  • 2-Factor Authentication

Still, all of those Technical Controls are meaningless unless they're actually used and deployed by a business. Small business owners have a couple of avenues of recourse:

  1. Owner/managers must take an interest in managing the problem. That means learning more about the risks and the challenges facing the business, rather than ignoring the risk and hoping something bad doesn't happen to them.
     
  2. Create formal policies and procedures regarding computer activities. Administrative Controls like policies, procedures, and work instructions clearly communicate management's intention to staff and stakeholders.
     
  3. Train employees and staff on those policies and procedures. Educate everyone - every stakeholder - about your commitment to managing information according to the best practices available.
     
  4. Update your software and hardware regularly. Observe when devices, personal computers, or software leave mainstream OEM support and will no longer receive security updates. Replace obsolete equipment that places your firm at risk.
     
  5. Prepare an incident response plan. Unless you have one - actually written down, something you communicate and practice against - you don't have one.

But you notice that it starts with the business owner. It starts with them because - without their commitment - none of these steps could possibly be approached.

If you run a small business, don't become a target by neglecting your responsibility to protect your digital assets. Don't expose yourself by taking no action; don't put yourself at risk because you're the lowest-hanging fruit in an orchard of choices for digital pharmers. 

Take ownership and responsibility for the problem.

R