Each year that goes by, we hear of more and more cyber attacks. This problem is not going away, and it has the potential to affect businesses of every size. Many small businesses figure that they will not be targeted, but this is not true. The cost of a cyber attack can be significant and can lead to bankruptcy for a company.
Most people have heard about the “WannaCry” global ransomware attack. Ransomware attacks your business by getting into your system and encrypting all your data so that you cannot access it. The hacker then demands a “ransom” to allow you to decrypt your data and regain access. Businesses have been shut down for months because of ransomware, costing hundreds of thousands of dollars. All signs indicate that ransomware and other cyber attacks will increase, both in the number of companies targeted and in the frequency of the attacks.
You may feel that you do not want to spend the money to protect against potential cyber attacks. However, if you have not taken action to protect your business against cyber attacks, the cost to your business will far exceed the cost of prevention. You prepare for other catastrophes, and cyber attacks are no different.
Although unintended, many cyber incidents are the result of actions taken by employees of the business who are unaware of the potential threat. One example is an employee who receives an email from what appears to be someone they know and clicks on a link in the email. This simple action can expose the business’ confidential information, including information on customers and clients of the business, to unauthorized parties. The problem is even more serious if the hacker can gain access to credit card or other financial information, or health information, of the customer or client.
Cyber incidents can also occur because of the prevalence of BYOD (Bring Your Own Device) policies in the business. Personal devices, such as mobile devices, are often viewed as a way of increasing productivity in the workplace. However, employees who access and share company information on their personal devices unknowingly expose the business to a cyber threat.
All businesses should have a plan for dealing with cyber threats. They can be more complex for larger businesses, but at a minimum, you want a plan that addresses the actions the business will take to prevent an attack and also a plan for responding to an attack.
Prevention of cyber attacks involves both technical and training components, as well as organizational structuring.
Since a lot of cyber threats are a result of actions of employees, training is essential. It is also important that training is done on a regular basis. This is to be sure new employees are educated and also to reinforce best practices for employees who previously received training. Employees should be trained to be on the look-out for spear phishing. Spear phishing is the situation where an employee gets an email crafted to appear to be from someone the employee knows. The email contains a link. The employee clicks on the link and the fun begins.
Employees should also be trained to use strong passwords and to change their passwords frequently. The same password should not be used on different sites. The strength of a password grows exponentially with the number of characters in it. The use of capital and lowercase letters, numbers and special characters should be drilled into your employees’ heads. Pick a week in which every employee is required to change all of their passwords. This can be done every 60 or 90 days.
Part of the employee training should deal with the use of BYOD. A company should limit the use of BYOD as much as possible.
The business should ensure that all necessary patches are installed on its computers and kept up to date. Also, backup, backup, backup! Even if your information is in the Cloud, if you are not sure how well that information is protected, it is good practice to keep several internal backups. The frequency of backups will depend on the type of business, but the more often you perform a backup, the less disruption to the business you will have if you are subject to a cyber incident.
It is very important that your computer systems have up-to-date virus protection, as well as malware and spyware protection. Have a plan to make sure that these programs are kept up to date to deal with the newest cyber monster crawling out there.
In addition to relying on employee training regarding suspicious emails, you can automatically block email attachments that are frequently associated with viruses and malware.
Create an inventory of where your data is, as well as an inventory of all computers and their configurations. This will enable you to identify at-risk computer systems.
All new hard drives and USB drives should be required to be checked by your IT department, or whoever performs that function, before being plugged into the company’s computer system.
Every company should have a written plan that covers cyber threat prevention, as well as the response in the event of a cyber attack. At least once a year, there should be a practice drill for how the business will react in the event of a cyber attack. Consider how long it takes the business to get up and running again, who performs each function, who is responsible for any reporting obligations under the law, and how that is determined. Setting up and training a team of employees charged with both prevention of and response to cyber attacks is well worth the effort.