When many businesses think about information security or cybersecurity, a couple of things come to mind: Our company is too small. There’s nothing we have that’s worth hacking us over. We don’t know where to start. It’s too hard. We don’t have to worry because we have an IT function to take care of that.
None of this could be further from the truth.
As a small or even midsize business, you are still a target. And you’re not alone. According to the U.S. Small Business Administration (SBA), there were 30.2 million businesses registered in 2018.
Malicious actors (we don’t call them hackers anymore) are opportunists and like to go after easy targets, much like how burglars target houses without security monitoring stickers in the windows. They realize that most of those 30.2 million businesses aren’t practicing basic security safeguards, thereby making them easy targets. Oftentimes, without proper security measures in place, businesses won’t even realize they’ve been hacked.
By the same rules
Small businesses are also required to comply with the same laws and regulations as larger companies when it comes to personal data. This includes “consumer data,” which is all data supplied by a customer. This is the most easily understood sensitive information, such as credit card data and health information.
In other words, businesses can no longer claim ignorance. All businesses are required to apply safeguards around the sensitive data (including consumer data) and computing environment.
So what are you, as the owner of a small or midsize business, supposed to do? You may not have the resources available to invest in a large-scale security operation.
The good news is you don’t have to. You just need to invest the appropriate amount in a security initiative that protects the data and environment according to the size of your company and the amount of data you collect, process, and store.
So how do you do that? Apply security safeguards appropriate to the size of your business and scope of potential security risk. There are many resources available for businesses, ranging from free self-help models to comprehensive security service models.
The SBA has a wealth of resources presented in an easy-to-understand way, including explanations of common threats, how to assess your business risk, cybersecurity best practices, and even training.
If your business opts to rely on a service provider, such as those offered as part of your IT services, ensure they are applying sound basic safeguards, such as those you’ve learned about from the SBA resources.
You may also consider engaging with a smaller-sized, local security consulting company to perform a high-level assessment of the safeguards in place, which will result in a report that details what you need to do to improve your protection. You would be surprised how reasonably priced their services are.
For those whose businesses already have an IT department, be sure to ask the same questions using the knowledge gained from the SBA resources. It will impress them that you care enough to ask.
One last piece of advice offered to all businesses is to stay educated on the topic of cyber and information security. With new laws, regulations, and attacks announced frequently, it is important to stay informed. Find a good business news source, and watch for cybersecurity- and privacy-related news stories.