In a 2019 poll that I conducted, 94% of all business leaders were “extremely concerned” about security breaches causing data loss for their company. If recent reports are any indication, then clearly these leaders are right to be concerned. Interestingly, though, this same group of leaders responded very differently when asked what their plans were to keep company data secure — 76% of leaders said their plan was to “hope it doesn’t happen to us.”
In the words of author Steve William Laible, “Hope is not a strategy.”
Businesses of all sizes are targets, but small businesses (500 employees or fewer) are an especially rich target. Obviously, smaller businesses typically can’t employ the same security measures as larger enterprises, and hackers know that smaller businesses often have customers that are larger businesses. Cybercriminals will always take the path of least resistance, and small businesses often become the open gate to enterprise data. Remember the Target breach that exposed the credit card information of 70 million customers? The bad guys got in through one of their suppliers — a small HVAC service company.
Here’s the good news: Businesses of all sizes don’t have to pay tons of money for security measures or dedicated cybersecurity staff. Given how most businesses are not proactive when it comes to data security, if you have basic security measures in place, most hackers will move on to bigger and better targets. The downside — if someone wants to breach a network badly enough, they’re most likely going to find a way in.
How can business owners improve their data security protection without breaking the bank? Follow these seven simple steps:
1. Realize there’s no going back from a security emergency. Too often, companies try to fix a vulnerability only after a breach occurs. I’ve seen tight corporate budgets literally fly open after a security incident takes place where customer data is exposed. In most cases, had 10-20% of that budget been spent prior to the attack, an incident may have been avoided.
2. Get team members engaged and keep them engaged. This has been said countless times by business consultants — so most people “get” this mindset. Some companies even have basic annual security training. Unfortunately, that’s where the awareness stops. Leaders must make security a part of their daily, weekly and monthly rhythms with their teams. I recommend training, testing and reinforcing security training at least once a month. There are some great tools available on the open market from ESET and other organizations that make this an easy task.
3. Check the dark web for exposed passwords. There are tons of services that can report what personal credentials are available for sale on the internet. The most popular is haveibeenpwned.com. Have administrative staff members run company email accounts through this tool. The results are often surprising — and not in a good way.
4. Keep your IT systems up to date and fully patched. This goes without saying, but any business still running outdated operating systems is asking for trouble.
5. Use multifactor authentication (MFA) for cloud-based accounts (like G Suite, Dropbox, etc.). MFA provides an extra layer of protection and helps keep the bad guys from guessing passwords.
6. Consider hiring a third party to monitor systems for strange behavior. This sounds expensive (and in some cases, it can be), but for smaller businesses with basic systems, it can be a very cost-effective solution. If filenames are changing at a rapid pace, that may be a warning of an imminent ransomware infection. A monitoring company would recognize that behavior and take action to mitigate the risk. Alternatively, many cloud-based companies now use artificial intelligence to perform constant monitoring. For example, artificial intelligence (AI) can catch a user logging on to company systems at 3 a.m. from Eastern Europe, which may trigger a flag as an abnormal event for that user, locking the account for safety.
7. Ask vendors for security guidance. Most vendors appreciate knowing that the companies they deal with have secure systems. Ask your credit card processor if they have any guidance when it comes to data security.
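To make the warning sign in step 6 concrete, here is an added example (not code from any monitoring vendor) that flags a user whose file renames exceed a rate threshold. The log format, the sample events and the threshold of 5 renames in 60 seconds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-rename events: "timestamp user old_name new_name"
SAMPLE_EVENTS = """\
2024-03-04T09:00:05 alice report.docx report_v2.docx
2024-03-04T09:14:40 alice budget.xlsx budget_final.xlsx
2024-03-04T11:30:00 bob q1.xlsx q1.xlsx.enc
2024-03-04T11:30:02 bob q2.xlsx q2.xlsx.enc
2024-03-04T11:30:03 bob notes.txt notes.txt.enc
2024-03-04T11:30:05 bob plan.docx plan.docx.enc
2024-03-04T11:30:06 bob logo.png logo.png.enc
2024-03-04T11:30:08 bob team.csv team.csv.enc
"""

def parse_events(text):
    """Yield (timestamp, user) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue

def find_rename_bursts(text, max_renames=5, window_seconds=60):
    """Return {user: time the rename threshold was first crossed}.

    Thresholds are assumed values; tune them to your own file shares.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> rename timestamps inside the window
    alerts = {}
    for ts, user in sorted(parse_events(text)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop events older than the window
            q.popleft()
        if len(q) >= max_renames and user not in alerts:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    for user, ts in find_rename_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ts.isoformat()} {user}: rapid file renames")
```

On the sample data, only the burst of six renames in eight seconds raises an alert; the two renames spread across a quarter of an hour do not.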
Putting just a few of these measures in place could place a company head and shoulders above most in the marketplace. Once these initial steps are acted on, a company shouldn’t just sit back and rest. Bad guys are constantly shifting tactics, which means business owners always need to stay up-to-date on the latest protection mechanisms. I can’t stress enough how important it is to empower your staff members to take an active role in protecting the data of the company that employs them. Almost every high-profile and costly security breach started with a user who opened a malicious email or clicked a link that contained malware.
The time to make security a priority is before a breach occurs.