As small business owners and entrepreneurs seek to grow their businesses, the list of challenges can seem insurmountable. Accounting, inventory, taxes, and hiring employees are often the highest priorities to address, yet cybersecurity is just as important.
In reality, many small businesses don’t think of themselves as a target for cybercrime. Criminals and bad actors are assumed to target large corporations and government agencies; however, small businesses are an easier mark for crimes such as ransomware and network takeovers. Many smaller companies suffer from an infrastructure that does not allow them to practice essential cybersecurity techniques or develop a security plan to ensure their equipment and networks are protected. In fact, according to the U.S. Government’s Ransomware Task Force, in 2021, businesses with fewer than 500 employees were hit by 70 percent of the attacks in that year. https://wamu.org/story/22/08/12/what-experts-think-companies-should-do-when-ransomware-strikes/
The Cybersecurity and Infrastructure Security Agency (CISA) recently released guidelines for small businesses with specific tasks for company owners, IT leads, and security program managers. We will explore these recommendations and their relevance to today’s small business owners.
The CEO’s Role in Cybersecurity
Cybersecurity starts at the top with the company’s owner or CEO. It’s up to each leader to offer clear directives to employees, IT, and the security team to mitigate cybersecurity risk.
Establishing a Culture of Security: Just as a strong company culture benefits everyone, so does a culture of security. It’s important to establish that everyone on staff, not just the IT team, must take responsibility. CEOs should communicate critical security updates whenever necessary and encourage open conversations about potential risks. CEOs should also set quarterly security goals with the leadership team and their respective departments. Finally, CEOs should keep on top of recent trends and potential threats and be prepared to enlist a seasoned IT consultant to assist.
Create a Security Program Manager Role: Designate someone on the team as a “Security Program Manager” to oversee the implementation and execution of cybersecurity initiatives and protocols. This individual does not necessarily need to be an IT professional, but should be competent to manage the process and give the CEO timely updates.
Support the IT Team: If a company is large enough to have an IT manager or even an IT team, the CEO needs to empower them by example. CEOs should not rely on IT alone to ensure all staff follow best practices. For example, suppose all employees must use Multi-Factor Authentication (MFA) to secure their accounts. In that case, the CEO should drive the communication on that requirement to ensure that all employees are aware of it. This keeps the CEO visibly driving the culture of security in the organization.
IT Lead and Security Program Manager Role in Cybersecurity
Depending on the size of the company, a small business might have a dedicated IT lead, a Security Program Manager, or someone on staff who oversees or shares the duties of these roles with others. Below are some critical tasks and responsibilities that they should be aware of.
Write and Manage the Incident Response Plan (IRP): The IRP documents all the necessary actions an organization needs to take before, during, and after a cyber incident. It outlines key roles and responsibilities and gives a detailed course of action should the company’s network or data be affected. CISA recently posted this guide on how to create a company IRP. https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf
Host Tabletop Exercises: These drills or scenarios are a great way to test a company’s cybersecurity response. A leader presents a scenario to the team, for example, someone’s laptop gets locked by ransomware, and asks how staff would respond. Lessons learned from the exercise should be used to update the Incident Response Plan.
Ensure Software Updates and Equipment Encryption: Double check that all equipment runs the latest software with security patches applied as needed. Also, remove administrator access from employees who don’t need it. Many software compromises occur when a bad actor gets someone to download malicious software without approval from the IT lead or Security Program Manager.
Staff and Employees’ Role in Cybersecurity
Finally, a company’s first line of cyber defense is often its staff engaged in the company’s daily activity. While security software might be running in the background, vigilant employees using common sense can be the best defense.
Secure Endpoints: With so many employees working from home or another location while using company equipment, the “attack surface” increases. An “attack surface” is the set of all possible vulnerable points of entry a malicious actor could use to gain access. Any unsecured desktop computer, laptop, phone, or USB device is a potential target. All staff must be able to secure their devices according to the company’s security protocols. https://www.techtarget.com/whatis/definition/attack-surface
Empower Employees to Speak Up: In creating a culture of security, it’s also essential to let employees know they are welcome to share their thoughts or even their experiences of phishing or other cyber attacks. Employees, as long as they are not acting with malicious intent themselves, should not be made to feel guilty if they are the recipient of a cyber attack that impacts the company. They should also be encouraged to be vigilant and report even the slightest hint of a bad actor to the appropriate team member.
Train Employees on Cybersecurity: Keeping staff updated on the latest cybersecurity practices and trends is often an excellent first line of defense. Consider bringing in an experienced IT consultant who can provide training and expertise in this area.
Cybersecurity can no longer be viewed as a problem faced only by large companies or organizations. No matter a company’s size, everyone must be vigilant and proactive by staying up to date on best practices and practicing proper cyber hygiene to keep everyone’s equipment and networks safe and secure.
Does your small business need guidance or additional support for cybersecurity? Reach out to J5 Consulting and connect with our team of IT experts.