The headlines feel almost commonplace at this point: “Data Security Breach at Company X.”
We see it happen all the time, but what's really at stake?
Valuable data, both personal and corporate. Value associated with the integrity and trustworthiness of a brand. Disrupted operations. Legal woes. And money, lots of money.
As a smaller business, you may think your company isn’t as much of a target. But cyber criminals are increasingly breaking into small and medium-size enterprises (SMEs). For one thing, their defenses are seen to be weaker. For another, cyber criminals often exploit smaller companies to gain access to their bigger business partners.
The upshot is that half of SMEs experienced a significant cyber incident in the past 12 months, according to a 2023 survey of 500 U.S. SME leaders by the Cowbell cyber insurance company. The vast majority of those attacked saw a fall in revenue (81%), a widespread drop in customer trust (81%), and a significant degradation of their business operations (91%). And it took nearly a month for most of them to fully recover.
Let's examine several sound data security strategies to ensure that your company is as safe as you can make it.
Use and Maintain Good Antivirus Software and Spyware Protection
This strategy’s as simple as can be, though there are companies that still drop the ball. It goes like this: Buy the product. Install it. Keep it updated.
There are many good options on the market for antivirus software and spyware protection. What’s more, the cloud-based office suites commonly in use today incorporate some antivirus and spyware protection. SMEs still need to stay on top of the security settings in these bundles of email, collaboration, and other applications, though. And many companies incorporate additional protection across these and other parts of their IT systems.
Make Data Security Part of Your Company’s Culture
Regardless of applications, devices, or security tools, real business security depends more on intangible factors, starting with leadership. Top management needs to make security a priority and get buy-in from the entire staff.
It’s one thing to establish security policies and procedures, such as routine software updates, strong passwords, or even using biometrics. But unless management sells the importance of data security to its staff, they’re just going through the motions. Try to connect the dots between data security and the health and security of your business. Try to make it clear why data security is vital for every member of the organization.
Instilling a culture of cybersecurity can also require cyber awareness training for all executives and employees. Try to remember that hackers rely on so-called “human error” – expecting, for example, that they can get away with emailing an invoice for goods or services that you never ordered. The entire company needs to be trained to look out for these and other scams – and know where to report them immediately.
Back Up Your Information
If your company’s computers or mobile devices are hacked, it’s not just the financial and personal data that's at risk. You also risk losing all your files and history.
Just take a moment to imagine everything you’d have to reconstruct if you walked in tomorrow to find files wiped clean. Try to think of the labor. Instead of kicking yourself for not backing up your information ... Back. It. Up.
A simple example could involve setting files to automatically back up to the cloud, fortified by regular, system-wide physical backups. In the best-case scenario, you would never need that backup. If you do, though, you’ll be glad you took business security seriously.
Establish Role-Based Access
Even if your company is small, you should think about which employees need and should have access to what information. (Your personnel files, for example, shouldn't be accessible to everyone, and access to bank accounts must be limited.)
Consider asking yourself: who can log into IT systems? Who can access what client information? Cyber criminals are always looking to steal passwords and other credentials that they can then use to break into companies’ databases. One way is by conning unsuspecting email recipients into clicking on a link and filling out a bogus form online with their name, address – and, you guessed it, a password. Employees’ habit of using the same password for everything from shopping online to accessing business systems only helps the bad guys succeed.
So try to make sure information and access are available only to the roles that require them. And one more thing related to access: be sure to change passwords and revoke access for employees who leave the company.
Focus on Physical Devices and Remote Access
So you’ve got amazing antivirus software. You’ve emphasized just how important data security is, and you’ve got your employees on board. Try not to forget to manage security on the devices employees use to access information when working from home or on the go. With the prevalence of remote work today, this step has become a high priority.
Laptops, tablets, mobile phones – even if they're not company property, if they can get into your system, you need them to be secured. Consider taking the extra step of purchasing antivirus software for your staff to help ensure that your data security is intact.
Perform a Data Risk Assessment
Maybe you think you've got it all locked down, but you want to be sure. Or maybe you're looking to get buy-in from investors or partners to spend money on data security. A data risk assessment can identify vulnerabilities that need to be managed and mitigated, making it a valuable tool.
One of the biggest reasons it can be harder for some SMEs to protect their data is insufficient funds to hire in-house security professionals, who can often get better pay from bigger companies with deeper pockets. There may be a cost-effective alternative. Consider conducting a cost/benefit analysis of whether to hire in-house or to outsource part of your cybersecurity needs to the growing number of managed security service providers (MSSPs). MSSPs monitor and manage security devices and systems 24/7, reducing the need to hire, train, and retain in-house security personnel.
Establish a Cyber Risk Management Strategy
Consider rolling everything mentioned in this article up into a cyber risk management strategy that is communicated across the company and routinely updated to keep pace with fast-changing technologies and the latest types of hacks.
Try to make sure the strategy also keeps up with ever-changing privacy regulations, including the Payment Card Industry Data Security Standard (PCI DSS) for credit card information. Try to keep in mind that reports of stolen personal data reached a new high in the first half of 2023, according to the Identity Theft Resource Center.
Visit the cybersecurity section of the Small Business Association’s website to find additional best practices, and peruse the free cybersecurity services and tools on the U.S. Cybersecurity and Infrastructure Security Agency’s site.
Finally, try to be sure that your strategy includes plans for responding to successful attacks. Despite diligent preparation, all it takes is one human error or software vulnerability to give hackers a way into your business. In other words, there is no guaranteed protection against cybercrime, but you can help minimize attacks, mitigate the damage – and respond effectively. In the Cowbell survey, SMEs with a data security strategy said they felt far more confident that they can respond to a cyberattack.
The Bottom Line
SMEs have become a more attractive target for cyber criminals. Try not to be lulled into a false sense of security, thinking hackers only go after bigger companies. Consider protecting your data, brand, and bottom line by following a sensible data protection strategy that relies on good antivirus protection, secure role-based access, data backups, and proactive measures to spot and detect issues. Above all, making these defense mechanisms – and data security in general – a part of your company culture can help ensure every employee action contributes to a safer business environment, making all the difference.
A version of this article was originally published on March 22, 2019.