There’s a new and booming market for cyber protection and cyber insurance services for small businesses. The market started to grow in the wake of some high-profile hacks that involved or targeted small and medium-sized companies. The numbers of actual attacks appear to be small, as Elizabeth MacBride reported recently.
But still, a word to the wise is to consider how to invest in low-cost measures to protect your company. Most small businesses in the United States are sole proprietors, who may find it easiest to contract with an IT company to provide a relatively low-cost assessment – probably for a few hundred dollars or less — of your web site, software and hardware.
Regularly backing up your site and the contents of your drives is one easy step to take. If you use cloud-based storage and email services (Google and Microsoft are the big providers), you may already be paying for that service.
A framework from the National Institute of Standards and Technology offers some guidance so that you can consider your operations carefully and have an informed conversation with an IT company (they’re also called Managed Service Providers).
These are the steps underneath the first two parts of NIST’s framework. If your company is larger, you might want to look deeper into the framework. You’ll find it here.
IDENTIFY
• Identify critical enterprise processes and assets – What are your enterprise’s activities that absolutely must continue in order to be viable? For example, this could be maintaining a website to retrieve payments, protecting customer/patient information securely, or ensuring that the information your enterprise collects remains accessible and accurate.
• Document information flows – It’s important to not only understand what type of information your enterprise collects and uses, but also to understand where the data is located and flows, especially where contracts and external partners are engaged.
• Maintain hardware and software inventory – It’s important to have an understanding of the computers and software in your enterprise because these are frequently the entry points of malicious actors. This inventory could be as simple as a spreadsheet.
• Establish policies for cybersecurity that include roles and responsibilities – These policies and procedures should clearly describe your expectations for how cybersecurity activities will protect your information and systems, and how they support critical enterprise processes. Cybersecurity policies should be integrated with other enterprise risk considerations (e.g., financial, reputational).
• Identify threats, vulnerabilities, and risk to assets – Ensure risk management processes are established and managed to ensure internal and external threats are identified, assessed, and documented in risk registers. Ensure risk responses are identified and prioritized, executed, and results monitored.
PROTECT
• Manage access to assets and information – Create unique accounts for each employee and ensure that users only have access to information, computers, and applications that are needed for their jobs. Authenticate users (e.g., passwords, multi-factor techniques) before they are granted access to information, computers, and applications. Tightly manage and track physical access to devices.
• Protect sensitive data – If your enterprise stores or transmits sensitive data, make sure that this data is protected by encryption both while it’s stored on computers as well as when it’s transmitted to other parties. Consider utilizing integrity checking to ensure only approved changes to the data have been made. Securely delete and/or destroy data when it’s no longer needed or required for compliance purposes.
• Conduct regular backups – Many operating systems have built-in backup capabilities; software and cloud solutions are also available that can automate the backup process. A good practice is to keep one frequently backed up set of data offline to protect it against ransomware.
• Securely protect your devices – Consider installing host-based firewalls and other protections such as endpoint security products. Apply uniform configurations to devices and control changes to device configurations. Disable device services or features that are not necessary to support mission functions. Ensure that there is a policy and that devices are disposed of.
• Manage device vulnerabilities – Regularly update both the operating system and applications that are installed on your computers and other devices to protect them from attack. If possible, enable automatic updates. Consider using software tools to scan devices for additional vulnerabilities; remediate vulnerabilities with high likelihood and/or impact.
• Train users – Regularly train and retrain all users to be sure that they are aware of enterprise cybersecurity policies and procedures and their specific roles and responsibilities as a condition of employment.
