Adobe. Target. EBay. P.F. Chang’s. Not only do they represent some of the most popular brands in their respective industries, they have also been the targets of some of the most crippling data breaches in the past five years. More recently, UPS became the latest victim of a breach, losing data at stores in 24 states across the country, reported The Washington Post.
So what can small businesses learn from the mistakes of these large companies?
Plenty.
For starters, they reveal that millions of dollars invested in security cannot protect against every threat, as the dangers are both complex and ever-changing. Question is, if these massive organizations can’t stop a cyberattack, how can the average small business, with limited resources and little expertise, effectively protect its data?
While there’s no silver bullet, there are some steps you can take to shore up your lines of defense, and better yet, they don’t require a big financial investment by your company.
1.Take action
Cyber risk is the new normal. Small-business owners do themselves no favors by ignoring this fact, and when it comes to cyberattacks, size doesn’t matter. Symantec’s 2014 Internet Threat Report revealed that 30 percent of cyberattacks last year targeted small companies.
Small employers need to act now to establish proactive cybersecurity strategies that cover the entire organization in order to defend against this pervasive threat, or at the very least reduce the impact of a breach.
2.Create a data classification policy
To know what to protect, you need to know what is most important. A strong data classification policy begins with the simple act of defining and categorizing data based on its degree of sensitivity, and understanding the value it represents to current and future earnings.
This is an important first step in creating an effective cybersecurity strategy, yet it is inexpensive to implement. In fact, this can be accomplished with nothing more than a whiteboard and a couple of hours from key stakeholders during which a consensus should be reached on what represents the company’s most critical data.
3.Assess risk
Once you’ve identified the crown jewels, the process of building a layered security plan from the inside out can begin to take shape. By performing a simple risk assessment, you should be able to identify the most serious threats to your data, as well as the limitations of any existing policies and controls you may have.
For example, if your company requires constant overseas travel, particularly to destinations known for seeking U.S. innovation, a good place to start is to develop a robust travel security policy that incorporates both technical and behavioral protocols in defense of your data. An exercise like this can help small companies with limited resources align their budgets with the critical aspects of their operation where corporate secrets are most vulnerable.
4.Think bigger than regular cyber defence
Many business owners make the mistake of limiting security investments to those areas focusing strictly on traditional cyber defense, such firewalls, anti-virus software and intrusion detection. While necessary, such bulwarks do not guard against an often-overlooked reality in today’s world: Upwards of 70 percent of all organizational data theft is the result of deliberate or unintentional behavior of privileged insiders.
It is therefore critical that small businesses think beyond popular data security sensors and address other vulnerabilities that might directly impact your company, such as the sub-standard hiring practices of an essential supplier or vendor, or employees who seek access to proprietary matters outside of their job functions.
In both cases, education through customized training and awareness programs can provide an effective, low-cost solution in the defense of your business that is just as important as the traditional (and more expensive) cyber-centric control.
5.Create a tailored security culture
Cybersecurity is not solely a technology or IT issue, and it shouldn’t be left to a select few to manage. Every employee should bear some responsibility for the security of the organization. This requires frequent training on policy and procedure and instilling an atmosphere of accountability that balances security without disrupting corporate culture.
Because the vast majority of insider threats aren’t always malicious, but rather the result of inadvertent actions, encouraging a sense of awareness and vigilance throughout the company can help reduce high-threat behaviors and serve as a compliment to existing technical solutions already in place.
