On a recent Small Business Edge podcast, I interviewed Paul Paray, an attorney who provides privacy and data breach counsel for firms after data incidents. We discussed the real threats to cybersecurity today, and the steps business owners can take to protect themselves. Paul gave several cringe-worthy examples of businesses that were hacked, as well as excellent advice on ways for business owners to protect themselves from such ordeals.
In addition to the podcast, Paul provides 11 more ways for business owners to protect themselves from external…and internal hackers.
- Business owners generally don’t have much time to spend thinking about possible cyberattacks. They are focused on revenue, satisfying clients, and on matters that give them the ability to survive and thrive. By nature, they are only looking at the issues in front of them. Given the risk of loss and potential marketing benefits, it is now important to place cybersecurity front and center for any business that maintains significant customer data or is completely reliant on its computer network to function. Given automated ransomware exploits, almost any company, no matter how small, is a target.
- Hackers today have access to so much low-hanging fruit. As a result, even basic security may cause threat actors to look elsewhere. For example, deploy basic safeguards such as an adequate firewall so that open ports are not available to roaming bots looking for openings into a network, a patch management protocol for every program on your network, and policies that would help prevent default passwords from remaining on a network. Retaining a reputable managed service provider will typically assist in ensuring these basic safeguards are in place.
- To better prepare for internal threats, businesses should apply protocols to boost security credentials by requiring strong passwords and not letting office workers reuse their network password on social media websites.
- Only collect customer data that is necessary for your business because you will need to protect all of it. That means searching for and organizing clusters of sensitive corporate (e.g., trade secret), financial, health or other personally identifiable information that is used, maintained or processed by your firm. Accordingly, limit the amount of sensitive information you maintain to what is required for a valid corporate reason and discard what is not required as per your Document Retention Policy.
- Secure legal counsel to review or create (1) Privacy, (2) Written Information Security, (3) Email Usage, (4) Social Media, and (5) Document Retention policies and plans and update them as necessary to comply with current laws.
- Provide training and support to ensure these policies and procedures are understood by employees and contractors.
- Secure sensitive data at rest (including data found on laptops and data drives) by using encryption sufficient to comply with the safe harbor provisions found in most state and federal breach notification laws.
- Develop an Incident Response Plan or evaluate your current one with an eye towards complying with any applicable fraud prevention requirements.
- No matter how small the business, organize an Incident Response Team with members from various constituencies (either internal or external).
- Conduct a live tabletop assessment of the Incident Response Plan using the Incident Response Team to confirm all parties understand their respective roles.
- Using an insurance professional, evaluate purchasing cyber insurance that includes coverage for post-breach expenses, including the costs to comply with notification laws, call center services, and credit monitoring. The insurance application process will be a great baseline for small businesses to use in evaluating their current safeguards, policies and procedures.
Make protecting your business a priority in 2020 by implementing the 11 tips provided by Paul Paray today!