The cyberattacks and data breaches that make the news are usually the ones that happen at big corporations like TJX or Home Depot. But every organization, large or small, needs to be concerned about cybersecurity.
According to Security Magazine, the average cost of a data breach for a small business is between $36,000 and $50,000. And while the proportion of small businesses becoming data breach victims has shrunk from 43 percent in 2019 to 28 percent in 2020, it's still concerning that nearly one-third of all attacks are directed at these businesses that tend to lack cybersecurity defense plans. Yes, that's right: more than two in five small businesses surveyed admit to not having defensive plans in place.
While they're still focusing on bigger players with more money and data to lose, hackers might be starting to understand that even though small and mid-sized businesses may not have as much valuable information available to steal, they are also less likely than their large counterparts to have strong security measures in place.
An attack is usually devastating to a small company. Costs can include fines, footing the bill for an investigation and patches, and payments to impacted customers. If you don’t want your organization to suffer financially, or even be put out of business by a hacker, it’s time to improve your security posture.
The first thing to do is develop something that most of the big companies already have: a cybersecurity policy. Here’s how:
Step One: Secure Senior Management Buy-in
If you’re in IT, you could probably tell most of your fellow employees a thing or two about security best practices. But in order to have the resources to design the policy and the authority to enforce it, you need management on your side.
It may help to point out that if you don’t have a cybersecurity policy, it could open you up to legal liability. For example, if you don’t want your employees connecting to your network with their own devices but you haven’t told them not to, what happens when an employee’s device with corporate data stored on it is lost? Your first reaction may be to remotely wipe the device—but can you legally do that without a written and user-acknowledged policy?
Related Reading: How to Revamp Your Organization’s Cybersecurity Policy
Step Two: Determine Your Security Guidelines
A key reason you need a policy in the first place is that modern cybersecurity has gotten very complex. There are a lot of details to keep track of, even for a small organization, and the landscape is constantly changing as both cybersecurity technology and cyber criminals become more advanced. Only you know your organization’s unique needs, but some things you might want to keep in mind include:
- Which industry regulations do you need to comply with?
- What data do you need to protect and how should it be stored and transferred?
- What business software needs to be maintained and updated to stay secure?
- What do you expect of all employees in terms of choosing passwords, appropriate internet use, remote network access, email guidelines, etc.?
- Who will manage and maintain the cybersecurity policy?
- How will you enforce the guidelines (what is the penalty for willful non-compliance)?
Once you have these questions answered, you should be able to draft your company’s policy. Depending on your current situation, understanding your security needs could be easy or could require extensive auditing of your current assets and tools.
We’ve compiled a few resources that provide templates and examples of cybersecurity policies below.
- Computer & Internet, Physical Security, Privacy, Planning & Procedure Templates (CSO)
- Data Breach Response Guide (Experian)
- Data Breach Response: A Guide for Business (Federal Trade Commission (FTC))
- Defending Against Data Breach: Developing the Right Strategy for Data Encryption (GoAnywhere by Fortra)
- 30 Downloadable Security Policies (PurpleSec)
- General, Network, Server and Application Security Policy Templates (SANS.org)
- Global Security Alliance and MasterCard Small Business Cybersecurity Toolkit
- Guide for Cybersecurity Event Recovery (NIST)
- Responding to a Data Breach: A How-To Guide for Incident Management (PCI Security Standards)
Step Three: Educate Your Employees
Did you know that internal actors are responsible for 43 percent of data loss? Half of this is intentional—disgruntled or opportunistic employees, contractors, or suppliers performing deliberate acts of data theft. But half of it is simply negligence. Employees don’t want to change their password every month if they can stick with “password123” forever. Some of them probably don’t see the problem downloading the attachment from that suspicious “urgent” email.
Communicate your new cybersecurity policy to employees, and make sure they understand the relevant details: what they are expected to do, how to do it, and what could happen if they don’t. Remember that things that seem obvious to you—like how to change that password—might not be known to everyone in the company.
Related Reading: 6 Users to Put on Your Security Watch List
Some organizations regularly test their employees on their cybersecurity knowledge. Make it fun and rewarding—there should be some kind of incentive for mastering security best practices.
Step Four: Monitor and Update Your Policy
Now your cybersecurity policy is up and running! But that doesn’t mean the work is over. A cybersecurity policy is a living document that needs to be updated regularly to include changes in your business, in technology, and in compliance regulations. Set a timeline for when you will re-evaluate the policy.
You’ll also need to determine how you will self-audit along the way. How will you know if the latest updates to your security software have been installed or that no one changed the server settings a month ago? Ideally, maintaining compliance with your policy will not be a fully manual process.
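As an added example that is not part of the original article, the script below shows one way to automate the "did anyone change the server settings?" question: it takes a hashed baseline of a set of configuration files, stores it as JSON, and on a later run reports any files that were added, removed or modified. The watched directory, file names and contents are constructed sample data written to a temporary directory; in practice the baseline would be kept somewhere the monitored host cannot rewrite it.

```python
"""Configuration-drift check (added example, not the article's own code).

Records SHA-256 hashes of every file under a directory as a baseline, then
compares a later snapshot against it. The file tree below is constructed
sample data in a temporary directory, not a real server.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents (read in chunks)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Hash every regular file under root, keyed by its POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and list files added, removed or modified since the baseline."""
    known = set(baseline)
    seen = set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline two settings files, then change one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "app.conf").write_text("debug = false\n")

        # Persist the baseline as JSON, the format a scheduled check would reload.
        baseline_json = json.dumps(take_snapshot(root), indent=2)

        # Later: a setting is weakened and an unexpected scheduled job appears.
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backup").write_text("0 2 * * * root /opt/backup.sh\n")

        baseline = json.loads(baseline_json)
        return detect_drift(baseline, take_snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, a non-empty "added", "removed" or "modified" list is the signal to raise a ticket; the baseline should be refreshed only after an approved change, so that the policy's change-control step is what updates the record rather than the change itself.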
Bonus Step: Choose Solutions that Complement Your Cybersecurity Policy
Maintaining security and compliance across your entire business and all your employees can be daunting. Fortunately, dealing with all those moving parts doesn’t have to be so complicated. Implementing the right software solutions can mean that your security policy practically enforces itself.
For example, you may be checking systems manually that could be monitored automatically. And if you expect employees to update their passwords regularly, what’s easier—checking if they have done it on their own or using software that requires it? Software with role-based security and audit logging will ensure that you always know who accessed or changed what, and when they did it.
Ideally, any solution you choose to implement should come from a vendor that you trust to keep the software updated to match current security threats. Needing to replace your security tools or update custom scripts makes it much more difficult to keep compliant with your own policy.
Related Reading: Why MFT Should Be Part of Your Cybersecurity Strategy
Sometimes despite your best efforts, your data is breached. Check out these resources to help you create a data breach response plan.