"The growing number and sophistication of cyber threats poses a critical risk to US businesses, and the impact of a successful attack can be devastating to small businesses in particular."
Howard S. Marshall, Deputy Assistant Director, FBI Cyber Division
According to Small Biz Trends, while more than half of small businesses are worried about cyber attacks, 51% aren't allocating any of their budget toward mitigating the risk of an attack, and 16% of businesses admitted that they only reviewed their cybersecurity plan after they experienced an attack. Considering that experts are estimating the cost of a data breach to grow to $150 million in 2020, this is a serious concern. Most small to medium-sized businesses simply would not be able to absorb recovery costs on that scale and stay in business. This is why having a cybersecurity plan, keeping it updated, and owning it is such a vital part of your day-to-day and long-term operations.
What is a Cybersecurity Plan?
A cybersecurity plan is a document outlining all aspects of your organization's cybersecurity, including hardware and software inventories, current security protocols, and any disaster recovery plans. This plan helps leadership and employees understand:
- What risks the business may face
- What security policies and procedures are currently in place
- What potential impacts these risks could have on the business
- How to mitigate these risks and impacts
- How to respond to and recover from the various risk scenarios
Your final cybersecurity plan should be developed with assistance from every department, and clearly communicated to each employee.
How to Own Your Plan
Train Your Employees
Considering that a majority of security incidents are rooted in human error, it's important to be sure that your employees are trained not only on the overall cybersecurity plan, but also on the specific risk-mitigating policies that they can put into practice every day. This includes things like password policies and how to spot phishing attempts. These two areas are especially important because in 2016 the Verizon Data Breach Report team found that 63% of data breaches occurred because of lost, weak, or stolen passwords, and that 64% of all organizations had experienced a phishing attack in the last year. While employees don't necessarily need to understand the more intricate technical framework behind the scenes, they do need to know that they are an important line of defense and that you are counting on them to be vigilant. Keep them aware of this by routinely reviewing security policies and providing continual cybersecurity training, so that they stay up to date on the latest threats and on ways to keep your company data protected.
It's important to remember a few things regarding your cybersecurity plan:
- It should be fully documented. All your organization's policies and procedures should be written down and made accessible to all employees. Everyone needs to be able to reference the plan itself and any supporting materials whenever they have a question.
- The plan is a living document. As your business grows and changes, your plan will need to as well. The addition of employees, upgraded hardware, new software, or any other major organizational changes should be reflected in the plan.
There's no point in having a plan if it's 10 years out of date, with a layer of dust on it. If you're operating without up-to-date policies and without making sure your employees are informed and prepared, you're putting your business at an increased risk of attack.
Take Every Precaution Available
As cybercriminals get smarter, the number of precautions you need to take increases. This includes implementing things like:
- Mobile Device Management
- Multi-Factor Authentication
- 24/7 Monitoring and Routine Backups
- Regular Updates and Security Patching
Stay Up to Date on Security Threats
Part of owning your cybersecurity landscape is understanding the outside threats your business faces. Take a look at any threats you've recently faced, or that others in your industry have faced, and communicate them to your organization to keep your employees aware and vigilant. Sign up for services like the CERT Coordination Center Vulnerability Notes or the CISA Cyber Infrastructure alerts to receive information on what the overall threat landscape looks like. The more aware you are of new and emerging threats, the better you can prepare for them and be on the lookout for them.
Start from the Top Down
In order to have a company of cyber-aware employees who operate with the latest cybersecurity best practices in mind, you need to create a culture that values cybersecurity as a whole, and the only way to do this is from the top down.
As the CEO or a member of the management team, you should know and be able to explain things like:
- How various threats can affect the different business functions
- What type of information is being stored within the company that could theoretically be breached
- What the company can do to minimize risk and create long-term resiliency
- How the company will respond in the event of a breach
If leadership understands and can communicate this information to employees, your business is well on its way to owning its cybersecurity plan.
Creating a culture of cybersecurity, and making sure every member of your organization understands the possible cybersecurity risks your business faces and how to mitigate and respond to those risks, is no easy task. But it's 100% necessary in a world where 60% of businesses that have been breached never fully recover, if they recover at all. It's never been more important for your business to not only develop a cybersecurity plan, but to live it, breathe it, and own it.
For more information on how you can "Own IT," check out the National Cybersecurity Alliance resources for National Cybersecurity Awareness Month. And if you're looking for help getting your overall cybersecurity processes in place, give us a call!