How can small- and medium-sized businesses (SMBs) protect themselves against cyberthreats? A recent report from security firm Lookout, written for Californians, is useful for SMBs in any state.
The report, "Cybersecurity in the Golden State," was published by the California Attorney General's office. It points out that "relatively small investments in cybersecurity preparedness can yield significant risk reductions."
Simple and Effective?
Marc Rogers, principal security researcher for Lookout, told CMSWire much of the report "seems to be obvious stuff. But a lot of companies are moving into technologies they haven't dealt with before, and simple things, like understanding how data moves in your organization, can have a massive impact." New realms for companies include big data, the bring your own device (BYOD) trend and the growing Internet of Things.
He noted that firms should also gauge the value of their various kinds of data, so they can allocate the most resources to protecting the most valuable. If a company follows simple procedures, Rogers added, it can at least eliminate the "low-hanging fruits" that are easiest for attackers to penetrate.
Here are the report's ten key recommendations:
1. Assume You're a Target
Any company, of any size, is vulnerable. In 2012, half of all targeted attacks were directed at companies with fewer than 2,500 employees and about a third were aimed at firms with fewer than 250, the report notes.
2. Lead by Example
Company owners should take the lead in ensuring that best practices are followed and in understanding how data flows and is stored in the company.
3. Map Your Data
Understand what types of data the company holds and where that data is stored.
4. Encrypt Your Data
In addition to making sure that encryption is commonly used on your data, check that particularly sensitive data like payroll is separated from networks used for common communications like email.
5. Bank Securely
Online banking should only be conducted over a secure browser connection (https:// in the address bar and a lock icon showing in the browser window) and in private mode, and the cache and any other browser history should be erased immediately after an online transaction.
Other tips: use two-factor authentication if available and set limits on wire transfers so hackers can't wipe out an account quickly.
6. Defend Yourself
Use multiple layers of defense, including firewalls, antivirus protection, and the ability to remotely wipe company data from lost or stolen mobile devices.
7. Educate Employees
Make sure your workers know about how valuable your data is, what the risks are, and what steps are being taken.
8. Be Password Wise
Change any default passwords and set up strong passwords.
9. Operate Securely
Keep software up to date, uninstall any software not being used, and, of course, don't install software from unknown or untrusted sources.
10. Plan for the Worst
Even a small business needs a disaster recovery plan. This includes an incident response team with a leader from executive management and an established procedure for different kinds of incidents.
If there is a breach, the report also outlines best practices for responses. These include some obvious steps like contacting law enforcement if warranted and documenting how big the breach is, as well as less obvious ones like keeping your computer turned on if you can, in order to retain valuable evidence.
Additionally, even small businesses need to determine what the notification requirements are. In many cases, the cost of a breach is amplified by loss of trust from customers and partners because of a delay in notification.
The California Attorney General's office has performed a notable public service by commissioning and publishing this report, which is full of practical tips for businesses of any size. Do you think other states will republish this guide or issue their own version?
Title image from the report "Cybersecurity in the Golden State."