Security can be overwhelming for all business owners but if you’re not selling cyber, you still must maintain best practices for your own firm.
Research shows small businesses are the top target for cyber attacks. But doing something about it can be challenging if you don’t know where to start. The basic elements of a strategy that will create a security-first culture include defining risk, finding vulnerabilities and implementing policies to govern your security environment.
Define Risks for your Company
The main risk to a small business is loss of information. If you are unable to protect the information you manage, then you can suffer from financial as well as reputational loss.
Establishing yourself as a business protecting its client’s information can be a driver for growth. However, the risks are specific to scenarios in your business. Some examples are:
- Are all computers used for business protected by strong passwords? Is this enforced by all employees and contractors?
- Are you managing access to any applications that involve sharing data?
- Do you have any confidential or sensitive data stored? Anything that cannot become public needs to be protected.
- Do all your employees and contractors get security awareness and anti-phishing training?
- Do you have antivirus and anti-malware in the machines that your business is conducted on?
Identifying Vulnerabilities and Controls
Once you have determined where your risk lies, start defining some controls to protect yourself against the risks. Here are some steps you can take:
- Set your passwords to be strong, with a number and a character, and change them every 90 days at minimum — particularly on business-critical tools, like your CRM, etc.
- Define a process to grant and review access to all the applications that your employees and subcontractors use. Document all the reviews and approvals, and make sure you remove the access when employees or contractors terminate their arrangements with your business. Do these reviews at least once per quarter. Decide who internally is responsible for these reviews.
- Ensure that all employees and contractors have antivirus and anti-malware that is regularly updated. You can even request contractors divulge their security practices or carry cyber insurance themselves.
Once you have defined the controls, document them as part of the employment packet — and make it mandatory for all employees and contractors to follow this policy.
- Create an information security policy.
- Every employee and contractor should adhere to the policy at joining as well as annually.
- Revise the policy as you implement new controls and manage change.
Understanding what risks apply to your company and creating a mitigation strategy for them requires a security expert.
It’s often difficult for small businesses to have a budget to hire a chief information security officer (CISO), so seeking part-time help from experts and undergoing training to keep your security culture alive is the best approach for long-term success. Security experts can identify the areas of risk and create a mitigation strategy for controls to implement, and then provide training on how to implement them.
Very often, small businesses ignore their security needs until they are breached. After that, it becomes a reactive strategy. However, if you build a proactive strategy, you get ahead of the risks. And you can use it as a differentiator in the market against your competition.
Even though security isn’t something that your MSP sells, it can become a powerful tool to increase client confidence and grow your business.
Praj Prayag-Deb is owner and founder of Cyberpink Advisors. Her experience includes top-tier financial firms, Big 4, Fortune 50 companies and privately held companies. Learn more about her accomplishments on channelWise.
Have a question? Email our experts now!