Generally thought of as having up to 500 employees, small businesses constitute the vast majority of companies in the United States, making them a critical part of the economy. Their customers naturally expect personal and financial data to be kept secure, and a data breach is a painful and expensive ordeal. Like the larger enterprises, small businesses that accept payment cards have to follow Payment Card Industry rules. It can be daunting for a small business that may not even have an IT department to think about how to tackle network security.
But here are 10 top tips to get started:
1. Business managers need to gain the basic knowledge of where the most important data is held, whether it's on site in traditional desktops and servers, or in cloud services and mobile devices (including possibly those in "Bring Your Own Device' arrangements). Whether this knowledge is presented by the in-house IT manager or an outside technology provider, the data storage, access permissions and data processing should be documented, including whatever security controls are in place. There needs to be a conscious decision by business and technology managers, preferably with legal advice, that these security controls are adequate relative to risk. That lays the foundation for what is also needed: a back-up and disaster recovery plan.
2. Bad things happen to good businesses. Floods, fires, earthquakes, the outside thief and the insider threat, and of course malware are all factors that can impact the safety of stored data. Automate the back-up process. Since virtually every business now depends on some form of computer processing, ask the question how employees could proceed if your physical site is suddenly not available. Plan for disruptions that could last weeks if not months — and test it to make sure it's viable.
3. Train employees about the nature of today's cyber-attacks. SMBs tend to think that cyber-criminals are going after the really big guys, not them, but that's simply not true. Cyber-criminals in particular target SMBs to compromise the PCs they use for online banking and payments in order to commit fraud in a big way by emptying out business accounts. Unfortunately, there's actually less protection for recovery of stolen funds under the law for businesses than for consumers. Banks may even give the small business a hard time, questioning the security it has in place. How does cybercrime often begin? In many cases, the victim opens a "phishing" e-mail message with an attachment laden with malware that will let the attacker begin infiltrating the network. To tamp this down, spam filters should be in place to try and catch phishing e-mails and other junk. But some of it, especially highly targeted, will get through and employees should be trained not to open anything that seems even remotely unusual. Because web-based malware is also commonplace, applying Web-surfing controls on employees' Internet use is also a good idea. The big companies are starting to use advanced malware protection systems that can track targeted attacks in various ways, and small businesses should too — if it's affordable. There is also a strong argument to consider setting up a dedicated computing resource strictly for online funds transfer. There are many phone-based social-engineering scams out there now as well and employees need to be wary.
Sign up for CIO Asia eNewsletters.