By Harry J. Lew
The end of the year and the beginning of the next are busy times for small business owners. But don’t let this distract you from your cybersecurity best practices.
The end of one year and the beginning of the next can be a wonderful time for owners of small-to-medium-sized businesses (SMBs). It’s a time to savor what you accomplished over the past 12 months, but also to get ready for the year ahead.
The “between the years” period is a busy one for most small business owners. There are projects to wrap up, new business programs or products to launch, new employees to hire, business gifts to buy (or return), equipment to purchase, and accounting statements to close for the year.
Because there’s so much going on, you might feel overwhelmed and stressed out. Your concentration might suffer, leading to difficulty focusing on important tasks. Not surprisingly, at this time of the year, you might be tempted to give short shrift to cybersecurity best practices. You might click on malicious email links, fail to install software patches, or put off backing up your data. Mistakes like these can open your firm to data breaches and hacks, potentially leading to large financial losses. Your firm might even be forced to shut its doors.
Further complicating matters is the fact that stressed business owners must also deal with year-end/year-beginning issues at home. Put the two sets of challenges together and SMB owners become a perfect target for cybercriminals, who have an uncanny ability to exploit a firm’s computing vulnerabilities for personal gain.
And don’t forget that owner or employee errors are frequent causes of cyber incidents. According to Verizon’s 2019 Data Breach Incident Report (DBIR), of the 41,686 security events and 2,013 data breaches the company studied in 2019, 34 percent involved internal actors. These errors accounted for 21 percent of all data breaches in the study, Verizon said. Similarly, IBM’s 2018 X-Force Threat Intelligence Index found that so-called “inadvertent insiders” were responsible for more than 66 percent of breached data records.
Stay focused on cybersecurity
As you transition out of the old year and into a new one, how should you keep your business safe from breaches, hacks, and other attempts to exploit your firm’s technology weaknesses? Here are seven preventive measures to consider adopting.
- Avoid email misdeliveries. When you’re juggling too many balls and experience too much year-end/year-beginning stress, it’s easy to rush through the process of writing and addressing your emails. Professional writing is always crucial; you don’t want your messages to be poorly written or full of grammatical errors. Put out a shoddily prepared email and your reputation might suffer. But if you put the wrong address on an email, you may unwittingly give a bad actor access to your confidential business information, not to mention access to your own email address, which the person can use to perpetrate identity theft or other crimes. At this time of year, always address your emails carefully and give them a once-over before hitting “send.”
- Don’t fall for phishing attempts. Phishing, which Verizon says occurs in 96 percent of all cybercrime cases, involves hackers or scammers enticing you to click on a URL within an email that appears to be from a trusted entity or to download an attached document. The former ploy will take you to what appears to be a legitimate web form into which you input your credentials to get access to the site. If you fall for the scam, the criminals will then use your user name and password to enter the real site in order to download funds, steal your identity, or perpetrate other scams. The malicious attachment ploy will result in the opened file downloading malware onto your computer, where it can wreak havoc with your system and/or lock you out of your apps and data until you pay a ransom. As with avoiding email misdeliveries, taking your time and paying attention before clicking or downloading will help you to avoid devastating phishing attacks. Even though cybercriminals have raised their game in recent years, producing phishing emails that look similar to the real thing, they still often have grammatical and formatting errors that betray their underhanded aims. Watch for them.
- Don’t let family and friends access your business devices. During busy times, it’s not unusual for people to forget their devices, yet still need to accomplish some online task. Under this scenario, a family member or friend might ask to borrow your smartphone or other business device to access a website or complete a task online. According to Proofpoint, 37 percent of business owners and professionals allow people they know to use their work device to check or respond to email. Similarly, 26 percent allow them to view or post to social media, 23 percent permit streaming of media, and 20 percent allow online shopping, even if company policy forbids it. When this happens, your friend or relative might get access to your confidential work files. Worse, the person might inadvertently fall for a phishing scam and put malware onto your device. Solution? Don’t let other people use your business device under any circumstances. What’s more, it makes sense to avoid using your business device for your own personal tasks, as well.
- Don’t carelessly handle company data and documents. When you’re busy, the temptation to work quickly or to take short cuts can backfire. According to Ekran System, a provider of insider threat protection software, potential mistakes include:
  - Accidentally deleting business files that contain essential or sensitive data.
  - Revising documents that should not have been changed.
  - Sending sensitive data to colleagues over an unsecure messaging system.
  - Using unsecured attachments when emailing sensitive data.
  - Not backing up crucial business information and/or documents.
To avoid careless mistakes, simply slow down and think twice before doing anything consequential (or irrecoverable) with a business document. Spending an extra minute or two to consider the wisdom of your action and to double check your work will pay big dividends in assuring cybersecurity during transitional periods.
- Don’t ignore cybersecurity best practices. You may consider yourself knowledgeable about cybersecurity. But in the heat of the moment you might break protocol in order to speed workflow or make a task more convenient. Here are things well-intentioned business owners and professionals do that can result in data breaches or hacks:
  - Not installing software patches immediately after vendors release them.
  - Disabling application security features to make work go faster.
  - Downloading unauthorized applications.
  - Using personal devices for work purposes without security precautions.
  - Leaving a work device in a public space without keeping it safe and secure.
  - Doing work business over a public Wi-Fi system, leaving oneself vulnerable to identity theft, malware intrusions, or worse.
  - Plugging an unauthorized and unsafe USB storage disk into a work computer.
  - Not activating multi-factor authentication.
  - Sharing your work email password with colleagues or friends and family.
Complacency can be fatal to your business
- Don’t get complacent about your cybersecurity risks. The busier you get, the more likely you will begin focusing on completing your work rather than avoiding cyber threats. What’s more, you may start to minimize your risk because of your firm’s small size, thinking that cyber criminals won’t bother with micro or SMBs. Just the opposite is true. They know that the smaller the firm, the weaker the cyber defenses they’ll encounter. In either case, complacency can be devastating to your business because it makes your company more vulnerable to cyber incidents. Also, if you minimize your threats, you may stop encouraging your employees to maintain cyber hygiene. Bottom line: the between-years period can distract you from the essential task of protecting your firm against cyber breaches, but only if you let it. By maintaining your vigilance, you’ll make sure your security effectiveness doesn’t lapse when you have a lot of work to do at this time of year.
- Finally, as you begin gearing up for the year ahead, remind yourself to revisit your cybersecurity plans and tactics to make sure they’re current. Cox Communications, a major telecommunications firm, suggests the following eight practices:
  - Adopt a firewall: The Federal Communications Commission (FCC) advises all SMB owners to install external firewalls to protect company data from cyber criminals. Many companies are also adopting internal firewalls for extra protection, and those with remote employees are also providing protective firewalls for home networks.
  - Document cybersecurity policies: It’s important for SMB businesses to develop robust security frameworks, plans, and practices. Fortunately, many resources are currently available for SMB owners, including the Small Business Administration’s (SBA) Cybersecurity Portal and the Federal Communications Commission’s (FCC) Cyberplanner 2.0. Cox also recommends participation in the C3 Voluntary Program for SMB businesses, which provides a detailed toolkit for implementing a cybersecurity plan and best practices.
  - Consider mobile devices: With most companies now allowing employees to bring their own devices (BYOD) to work, it’s important to develop policies around safe computing, including requiring employees to follow the company’s password policies when using a personal device to access the company network. Cybersecurity policies must also apply to wearables such as smart watches and fitness trackers, which are becoming increasingly popular.
  - Enforce tried-and-true security practices: Even when pressed for time, SMB owners must continue to enforce cybersecurity practices that have demonstrated their effectiveness over time. These include:
    - Requiring employees (and themselves) to devise robust passwords (having upper- and lowercase letters, numbers, symbols, etc.) that change every 60 to 90 days. Using a password-management application can also be helpful.
    - Regularly backing up data, both those stored locally as well as in the cloud.
    - Installing anti-malware software and updating it frequently.
    - Using multifactor identification.
At the end of the day, the high-stress period between the years may provide a blessing in disguise for your business: providing an opportunity to revisit and strengthen your firm’s cybersecurity plan and best practices. Because at the end of the day, all it takes is one cyber incident to transform your excitement about the year ahead into disappointment and worry over the financial losses to come. It’s important to avoid this if you can.