Small and medium-sized businesses (SMBs) lack the resources of a large business, in both finances and personnel, making it more difficult to extract client value from a robust cybersecurity program. In fact, many SMBs probably do not have a “robust” cybersecurity program. Implementing one can be costly, and the related costs are not just one-time capital expenses, but also include recurring expenses. So, why should an SMB even consider implementing a cybersecurity program when there are plenty of other high-priority business needs that demand resources?
The bottom line is the protection of data. If data is not protected, business owners should be afraid. It’s only a matter of time before a hacker comes calling and walks away with an organization’s data. They might not actually take it; they may just copy it for their use or for sale to the highest bidder and leave the business with its own copy, perhaps not even aware the data had been copied. What if that data was the corporate payroll database with employee bank routing numbers and account numbers? How about the HR files with employee social security numbers? We’ve all heard plenty of stories about major database breaches in which employee data was compromised (meaning the culprits, at a minimum, copied the data for their own use).
So, there are some very basic reasons to implement cybersecurity best practices. Think of it as an insurance policy. We might not like paying our insurance premiums each month, but we do it to protect ourselves from the unexpected events that could be very costly. And when something does happen where you need that insurance policy, you are glad you have it. The same goes for cybersecurity programs.
Six Ways to Get Started
SMBs can start by protecting their data and their client’s data by implementing a few low-cost initiatives:
Data Identification – What data is most important to you (and your clients)? What data needs the most protection? That data is where you need to start focusing your protection efforts.
Action: Make an inventory of all your data (including client data) and prioritize it based on its importance (or sensitivity).
Policies and Procedures – Policies establish the corporate expectations for every member of the staff. Procedures explain how employees are to meet those expectations.
Action: Update (or create) policies and procedures that place an emphasis on data protection, both for the company as well as its clients.
Awareness Training – Training supports policies and procedures by providing awareness of areas of importance as well as by helping employees better understand how corporate procedures can be implemented. Training should be a recurring event and updated to reflect current corporate priorities.
Action: Improve employee awareness with recurring cybersecurity training, especially as it relates to data protection.
Minimize the Data Footprint – If there are multiple copies of a sensitive data file (call it “file A”) in several locations (e.g., local laptops, shared network drives, email inboxes, and other document libraries), then WHEN (not IF) your company is hacked, the perpetrator would need less time to find one of the versions of file A. However, if there is only one version of file A in one place, that greatly increases the difficulty and time for a perpetrator to find the single file A. Ideally, there would also be tools in place to alert the support team of a possible breach. If it takes the perpetrator enough time to find a single copy of file A, then the alerting system may detect the activity in time to stop (or minimize) damage.
Action: Keep only one copy of files, when possible.
Data Retention – This goes hand-in-hand with the data footprint. You should keep a file only as long as needed for business and legal purposes. The longer a file is sitting on the corporate network, the greater the number of opportunities for a perpetrator to find the file. Once a file is no longer needed, delete it. Remember to consider data backups as well.
Action: Only keep files for as long as they are needed, then delete them.
Monitoring – The best policies and procedures will be of no use if they are not being followed. Training can help ensure awareness of corporate priorities, but monitoring and conducting periodic spot checks are necessary to ensure policies and procedures are being followed. This monitoring also provides insight into where awareness training may need to be improved.
Action: Monitor and conduct periodic spot checks to ensure policies and procedures are being followed.
The bottom line is, treat the company’s data, as well as your client data, as if it is your own. Think of it as a game of “keep-away” from potential perpetrators. Implement these low-cost initiatives to get you well on your way to keeping your data and your client’s data protected. Corporate executives and your clients will be so glad you did.
About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.