Cybersecurity Basics for Small Business Owners
Cyberattacks are estimated to have cost the U.S. economy over $2.7 billion in 2018. According to the U.S. Small Business Administration, smaller companies are especially vulnerable to cybercrime because they tend to have fewer resources to secure their systems and address risks. Over the last few years, most large enterprises have adopted security standards to prevent breaches and to be prepared for the ones that still occur, and they expect their vendors and service providers, regardless of size, to protect any data shared with them. Cybercrime can also seriously damage a company's bottom line by harming its reputation in the market, increasing costs, and reducing revenue. All in all, protecting a company against a cyberattack is now essential.
In 2013, the National Institute of Standards and Technology (NIST) began developing its Cybersecurity Framework, which was first published as version 1.0 in February 2014 and updated to version 1.1 in April 2018. The Framework outlines five functions that should be, "…performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk": Identify, Protect, Detect, Respond, and Recover.
Identify
An organization should understand the scope of the cybersecurity risk to the company, and where it might be most vulnerable: what would a cybercrime mean to your business, what information is most at risk, who would be affected, and what would be needed to continue operations. Tools are available to help businesses identify their vulnerabilities, including the Cyber Hygiene assessment offered by the Department of Homeland Security.
Protect
Once risks have been identified, the next step is to develop and implement appropriate safeguards. Some measures are low-tech: training employees to recognize a phishing email (the most common form of cybercrime against small businesses), avoiding questionable downloads, and using strong, unique passwords. Most companies have basic protections in place such as firewalls and antivirus software, but IT professionals, whether in-house or external, should enable automatic updates and regularly maintain the software, keeping up with patches and newer releases of all tools. All systems and data should be backed up regularly, and the backups should be kept separate from the main storage sites so that an attacker who reaches the primary systems cannot also destroy the copies. Sensitive data, including any personally identifiable information, should be encrypted both at rest and in transit.
Detect
The next function is to develop and implement ways to identify the occurrence of a cybersecurity event. This involves systems and processes for spotting unusual activity and events, monitoring systems and data continuously or at defined intervals, and maintaining and testing the detection systems regularly. A cyberattack should be detected in a timely manner so the response can be swift and the damage limited.
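As an added illustration of what "spotting unusual activity" can mean in practice, the following Python script is example code written for this article; it is not a NIST tool and is not part of the Framework. It scans OpenSSH-style authentication log lines for a burst of failed logins from one address and for a successful login that follows such a burst. The log lines, host name and IP addresses are constructed for the example, and the thresholds (five failures within 60 seconds) are assumptions that would be tuned for a real environment.

```python
"""Added example: a minimal log-based detector for brute-force logins.

Illustrative code written for this article, not a NIST or vendor tool. It
assumes OpenSSH-style auth log lines (the sample below is constructed, not
captured from a real system) and flags two conditions:
  - an IP with FAIL_THRESHOLD or more failed logins inside WINDOW seconds
  - a successful login from an IP that is currently in such a failure burst
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5   # assumed: failures inside the window before we alert
WINDOW = 60          # assumed: window length in seconds

# Constructed sample log (host "shop" and all addresses are made up).
SAMPLE_LOG = """\
Mar  3 09:12:01 shop sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:03 shop sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 09:12:04 shop sshd[2105]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 09:12:06 shop sshd[2107]: Failed password for root from 203.0.113.7 port 51151 ssh2
Mar  3 09:12:09 shop sshd[2109]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar  3 09:12:15 shop sshd[2111]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar  3 09:30:00 shop sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 09:30:20 shop sshd[2201]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:00 shop sshd[2300]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Mar  3 10:07:00 shop sshd[2301]: Failed password for bob from 192.0.2.9 port 42001 ssh2
Mar  3 10:09:00 shop sshd[2302]: Failed password for bob from 192.0.2.9 port 42002 ssh2
Mar  3 10:11:00 shop sshd[2303]: Failed password for bob from 192.0.2.9 port 42003 ssh2
Mar  3 10:13:00 shop sshd[2304]: Failed password for bob from 192.0.2.9 port 42004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return (epoch_seconds, result, user, ip), or None for lines we don't understand.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["result"], m["user"], m["ip"]


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window detector. Returns a list of (severity, ip, detail) alerts."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    in_burst = set()                # ips that have already tripped the threshold
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                # lines we cannot parse are skipped, not counted
        t, result, user, ip = parsed
        q = failures[ip]
        while q and t - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if result == "Failed":
            q.append(t)
            if len(q) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append(("medium", ip, f"{len(q)} failed logins in {window}s"))
        else:  # Accepted
            if ip in in_burst:
                # The classic brute-force-then-success pattern: treat as a likely compromise.
                alerts.append(("high", ip, f"successful login as {user} after failure burst"))
            q.clear()               # a success ends the episode either way
            in_burst.discard(ip)
    return alerts


if __name__ == "__main__":
    for sev, ip, detail in detect(SAMPLE_LOG):
        print(f"[{sev.upper()}] {ip}: {detail}")
```

On a real host the input would be /var/log/auth.log or the journal rather than the embedded string. Note the third address in the sample: its failed logins are spaced two minutes apart, so with a 60-second window they never accumulate and no alert fires, while a 600-second window catches them. That is the tuning trade-off the "maintaining and testing the detection systems" point is about.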
Respond
Once an event has been detected, the organization should already have a plan of action in place. This should include a strategy to inform management, owners, customers, and, if needed, law enforcement. The company should have a way to analyze the breach, especially one involving sensitive data, so that affected parties can be informed as quickly as possible. The response plan should include ways to contain or stop the damage and a way to document lessons learned so that the plan is improved before the next incident.
Recover
Finally, organizations should develop activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident. These plans should include a way to restore systems and data that have been affected. Continuing communications with the internal and external parties affected by the event is also part of the recovery function, as a company needs to restore its credibility.
A cybersecurity incident is almost inevitable in our connected world. All companies, even the smallest, should have a framework for identifying risks and for protecting against, detecting, responding to, and recovering from these occurrences.
Business Insights is hosted by the Law Firm of KPPB LAW (www.kppblaw.com).
Sonjui L. Kumar is a founding partner of KPPB LAW, practicing in the area of corporate law and governance.
Disclaimer: This article is for general information purposes only, and does not constitute legal, tax, or other professional advice.