Are you running a business? Small or large, we all have two things in common:
- Technology: It’s more accommodating than ever, and technology empowers us to get business done anytime, anywhere. Even “low-tech” businesses today have some interaction with technology.
- People: You and your team want access to information — right here, right now. It has to be fast, and it has to be easy.
Well, I’m going to shoot it straight: Easy for your team to access means easy for a hacker to breach.
And the ostrich approach to tech security doesn’t cut it, even for small businesses. Just because it hasn’t happened yet doesn’t mean it won’t. As of May 2015, 62 percent of the reported breaches were at small businesses—but that doesn’t mean a small impact. The average cost of a breach for a small-to-midsize business was $690,000.
Trust me, I know what you’re thinking:
- My company is not a regulated business like healthcare or finance.
- I’m a nonprofit, so who’d want my info?
- My business is too small to be a target.
- My tech person should have this under control, so I don’t have to deal with security.
Hackers got access to Target’s data through Target’s HVAC vendor. Just because you are not Target does not mean you will not be targeted. Assuming you’re not a target is worse than no protection at all.
Consider these reasons that a hacker may be interested in your business:
- You have sensitive employee data with your payroll and benefit information, such as Social Security numbers, driver’s license numbers, bank account numbers for direct deposit, addresses and other personally identifiable information (PII) for your employees.
- You have credit card information for customers.
- You have health and insurance related information (protected health information, or PHI).
- Many businesses also have their own intellectual property at risk. If you’ve spent a significant amount of time on research and development, or have created software or designs for a product, or have other intellectual property that would be disastrous for a competitor to see, then you’re at risk.
I bet that you checked off at least one, and if so, you need better security. Just making it harder for hackers to be able to access your network will move you down their list as a target.
You don’t need a degree in IT or a lot of money to get this done. You just need to thwart the hackers. Use this checklist as a guide.
- Have a qualified technology vendor assess your network’s potential vulnerability and make recommendations.
- Make sure you have a robust, up-to-date firewall.
- Segment your sensitive data into a different part of the network and restrict access to this data.
- Enforce regular network, cloud and email password changes. Best practice for passwords now is at least 13 characters, using a variety of character types and both upper- and lowercase letters.
- Actively apply security patches to your network and applications.
- If you use VPN or cloud technology, make sure multi-factor authentication is implemented.
- If you use Office 365, turn logging on to guard against hackers taking over administrative access to your email and SharePoint accounts. Logging does not block a takeover by itself, but it gives you the trail you need to detect one and work out what was accessed.
- Develop a response plan for a breach or a ransomware attack.
- Implement an HR policy that all personal activity is prohibited on work computers or devices. (If you have a bring-your-own-device policy, make sure it is included.)
- Get a cybersecurity insurance policy to protect yourself against breaches involving your employees’ and clients’ data. If you have business insurance at all, you need to add a cyber insurance policy.
- Have an attorney review any Business Associate Agreements or come up with one of your own to provide to your clients.
- Figure out which public relations firm you will call for crisis communication.
- Review the tips I shared recently on other computer security issues.
So, ask yourself “Do I want to learn the hard and expensive way, or do I want to reduce risk and stay out of trouble?” The ostrich approach may be convenient now, but don’t say I didn’t advise you to get your head out of the sand and do something, now.