It seems like every few months we hear about a major hack or data breach affecting millions of people. This summer, it was Capital One and some 100 million Americans whose personal data was harvested. Increasingly, it’s small and midsize businesses that are the target of cyberattacks, and because these attacks are growing in number and sophistication, many businesses face an existential threat in light of the consequences.
Each October, the U.S. Department of Homeland Security marks National Cybersecurity Awareness Month. It’s a time for government and public-private partnerships to encourage data security in business and at home, with cyberattack defenses that begin by recognizing you have digital assets.
Data breaches, denial-of-service attacks, ransomware, phishing, and other digital dangers may not feel urgent to anyone who is as yet unhurt, but cyberattacks are far more numerous in the United States than in any other country. And almost two-thirds of the victims aren’t the Wall Street credit card companies we hear about, but the Main Street businesses we drive past.
When counseling businesses on data security, the discussion often begins with misconceptions around vulnerability, the nature of cybercrime agents, and the liability businesses may face in the event of a cyberattack.
Misconception #1: My data (or the data I can access) isn’t that valuable.
Begin with the premise that all data is valuable. Do an assessment of the data on hand — routinely collected, filed, accessed, and transmitted — and inventory it, giving weight to its sensitivity. Most companies have client and customer business data assets that, if compromised, would impact trust and future business.
Misconception #2: Cyberattacks arrive without anyone’s permission or knowledge.
A cyberattack can occur over any internet connection, but increasingly, it begins with a correspondence. Phishing, along with “vishing” and “smishing,” is a request for access that requires an initial response from the target. (Smishing is phishing over SMS; vishing is the illegal access of data over VoIP.) Spear phishing, in which a communication arrives ostensibly from a customer, friend, or contact, is particularly insidious. A first-line cyberattack defense is a manager’s choice to train staff to recognize these introductions.
Misconception #3: Cybersecurity is an advanced technology game.
True, the average IT specialist can’t write effective antivirus software tailored to a small or midsize business any more than the average motorist can build her own car. What is also true is that security is best approached as a mix of business solutions and employee training, along with clear policies and protocols guiding company culture.
Training should emphasize small security thresholds employees can meet at any time:
- Use strong passphrases and multi-step authentication to protect access.
- Limit access to data or systems to staff who need it to perform core duties.
- Keep a clean machine: clearly state which internet downloads, if any, are acceptable.
- Communicate with supervisors, with colleagues, with professional associates. Not talking about security is a security risk.
Employees should be shown what phishing scams and other opening gambits look like. Be suspicious of unexpected requests, especially when they include attachments. When in doubt, throw it out or delete it!
Misconception #4: Digital and physical security are altogether separate matters.
Develop policies and talk about unauthorized physical access to hardware or sensitive assets. Is a staff member where he shouldn’t be, acting suspiciously? Discuss that openly. Just as crimes often happen among friends and family members, business data security may be breached internally just as it would externally. Cybersecurity for small businesses on a budget begins with employees having a stake in it.
Misconception #5: Outsourcing to a vendor washes a company’s hands of liability.
While it’s true a vendor may be liable, any business or corporation itself has a legal, not to mention an ethical, responsibility to demonstrate cybersecurity awareness and protect clients’ and customers’ data. Put data-sharing agreements in place with vendors and have a trusted lawyer review them.
Additionally, many standard commercial liability policies do not cover cyberattacks and data breaches. Speak with an insurance expert to adequately cover your investment in the event of an attack.
Finally, don’t rest on compliance with “industry standards” when it comes to business data security. This Cybersecurity Awareness Month, aim for dedicated cybersecurity planning and recovery. The National Institute of Standards and Technology’s Cybersecurity Framework is robust.
Misconception #6: Cybersecurity is a big investment.
Along with employee empowerment, one of the penny-wise ways offices small and big can build their cyberattack defenses is to keep all systems and apps current and automate updates. Having the latest software, web browser, and operating system is free, effortless, and the best defense against viruses, malware, and other online threats.
Tony Spurlin is a vice president at Windstream and chief information security officer.