“Danny, where do I start to identify and address the cybersecurity risks to my small or mid-sized business?”
Unscrupulous individuals are always looking for the easy way to slip through your defences. Here’s where to start to defend yourself.
Step One
Consider what are the crown jewels of your business from a digital perspective that need to be protected.
For an insurance brokerage or other service provider, it may be a client list and the personal information of those clients. For a tech startup, it’s usually intellectual property. For an e-commerce retailer, it may be a reliable and secure Internet application and connection.
Step Two
Consider how mature your organization is in terms of being able to assess and mitigate the specific risks that threaten your crown jewels.
Do you have the right controls?
Start with the basics – firewalls, email safeguards, and policies and procedures that govern how this digital resource is used and by whom.
Do you have the access controls to prevent an employee with malicious intent from simply walking out the door with a flash drive in their pocket?
Can you prevent a hacker from gaining access?
And then there is the public Wi-Fi found in the local coffee shop. In this scenario, phishers set up a clone of the venue's Wi-Fi network and trick users into connecting to it. This allows them to intercept any information sent over that connection, or to log keystrokes to capture passwords.
Step Three
Consider more than just the cyber threats to your digital assets. Anyone outside your team with physical access to your premises can pose a risk, from cleaners to repair people and even customers. Don’t leave things like passwords written down and lying around.
Step Four
Do you have a disaster recovery plan?
Treat this like a fire drill exercise and practice it. Triage what steps must be taken and in what order. How will you respond in a given scenario? Who is responsible for what?
This extends beyond just the recovery and restoration of data and regular business operations. You may also have to create a crisis communications strategy. This will govern how and when you will communicate with impacted stakeholders such as investors and customers, or even the broader public.
Don’t try to do all this alone
It sounds like a lot, but if you start by first understanding which digital asset is the most critical one you need to protect, the task becomes much more manageable. It may also save you time and frustration to engage the counsel of qualified cybersecurity professionals.