An article over at The Guardian, "Cybercrime and hacking are even bigger worries for small business owners", gives good advice on how a small business can protect itself from cyber-crime.
A lot of small businesses do not properly protect company and customer information.
A report from McAfee found that almost 90% of small- and medium-sized businesses in the US do not use data protection for company and customer information, and that fewer than half secure company email to prevent phishing scams.
Steps to take to protect a small business
Monitor employee activity
First, make sure employees aren't accessing the wrong kind of websites.
Cyrus Walker, CEO of Chicago-based Data Defenders, says research shows approximately 80% of security-related incidents occur as a result of employee behavior.
Implement a SIEM
Log-aggregation software known as Security Information and Event Management (SIEM) collects logs from many systems into one place and gives a clear picture of the transactions occurring inside the company's network and at its boundary with the outside world.
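To make "aggregation gives a clear picture" concrete, here is an added example (not from the Guardian article or this post) of the three things a SIEM does: normalize logs from different sources into one event schema, aggregate them, and alert on a pattern that no single log line shows. The log lines, hostnames and IP addresses are constructed for the example; the correlation rule (several failed logins from one address followed by a success within a few minutes) is a common starting rule, and the threshold and window are assumptions you would tune.

```python
"""Toy SIEM: normalize two log sources, aggregate, and alert on a correlated pattern.

Added example; not code from the article or any vendor product. Log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. 203.0.113.0/24 is a documentation range, not a real host.
AUTH_LOG = """\
2024-03-04T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-04T09:00:04 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-04T09:00:09 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-04T09:00:15 sshd[101]: Accepted password for admin from 203.0.113.7
2024-03-04T09:30:00 sshd[102]: Failed password for alice from 192.168.1.20
2024-03-04T09:31:00 sshd[102]: Accepted password for alice from 192.168.1.20
"""

PROXY_LOG = """\
2024-03-04T09:05:00 proxy: 192.168.1.31 GET http://files.example/report.pdf 200
2024-03-04T09:05:30 proxy: 192.168.1.31 GET http://updates.example/patch 200
2024-03-04T09:06:00 proxy: 192.168.1.45 GET http://cdn.example/lib.js 200
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) proxy: (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def normalize(auth_text, proxy_text):
    """Parse both sources into one time-ordered list of events with a shared schema."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                "ip": m["ip"], "user": m["user"],
                "outcome": "success" if m["result"] == "Accepted" else "failure",
            })
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]), "source": "proxy",
                "ip": m["ip"], "url": m["url"], "outcome": "request",
            })
    events.sort(key=lambda e: e["ts"])
    return events


def bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when an address fails to log in `threshold` times within `window` and then succeeds.

    Each failure alone looks like a typo; the sequence is what matters, which is why a
    single log source viewed line by line would not show it.
    """
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in events:
        if e["source"] != "auth":
            continue
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["outcome"] == "failure":
            failures[e["ip"]].append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ip": e["ip"], "user": e["user"],
                           "failures": len(recent), "at": e["ts"]})
    return alerts


def requests_per_host(events):
    """Aggregate the proxy source: how many outbound web requests each internal host made."""
    return dict(Counter(e["ip"] for e in events if e["source"] == "proxy"))


if __name__ == "__main__":
    evs = normalize(AUTH_LOG, PROXY_LOG)
    for a in bruteforce_then_success(evs):
        print(f"ALERT {a['at']}: {a['failures']} failures then success for "
              f"{a['user']} from {a['ip']}")
    print("outbound requests per host:", requests_per_host(evs))
```

The point for a small business is that the rule only fires because the failures and the success were collected in one place and in time order; the same logic is what a commercial SIEM expresses as a correlation rule.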
Small-business owners should also scrutinize their vendors, explains John Fodera, a partner at EisnerAmper.
“You have to start by doing a cyber-risk assessment and analyze the data from your employees and customers, and how you’re protecting that information”, Fodera advises. “Some breaches, such as Target, came in through a third party. So analyze your vendors to make sure they are complying with your privacy and security policies.”
Get cyber insurance
Scott V Lockman, director of commercial insurance for insurance provider Clements Worldwide said: “Cyber-liability protection has been around for about a decade, but insurance companies have become better at identifying risks and are able to underwrite against those risks.”
In smaller firms, it is usually the chief financial officer who is responsible for the insurance.
Lockman said that person should ask the following questions: How much does the firm use the internet? How much information is being stored on it? How are they communicating with their clients? What does that risk mean to them in terms of potential loss? Companies can purchase insurance or train staff internally.
Some steps not mentioned in the article include the following:
Train employees
Employees should receive training on protecting valuable information. Training should include being able to identify phishing emails and websites.
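Good phishing training teaches staff a handful of concrete checks rather than a vague "be careful". As an added example (not from the article or this post), the script below applies three of those checks to a constructed email: does the display name claim to be the company while the actual sender address is on another domain; does Reply-To send answers somewhere other than the sender; and does a link's visible text show one site while the href points to another. The company domain `acme.example`, the addresses and the HTML are all made up for the example.

```python
"""Three phishing indicators a trained employee looks for, applied to a constructed email.

Added example; not the article's or any product's code. Domains and addresses are made up.
"""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "acme.example"  # assumed company domain for the example

# Constructed suspicious message: company-looking display name, foreign sender domain,
# Reply-To on a third domain, and link text that does not match the real target.
SUSPICIOUS = {
    "from": '"Acme Payroll" <payroll@acme-secure-login.example>',
    "reply_to": "collect@mailbox.example",
    "html": '<p>Your pay slip is ready.</p>'
            '<a href="http://portal-acme.example/login">https://portal.acme.example/payslip</a>',
}

# Constructed legitimate message for comparison.
LEGITIMATE = {
    "from": '"Acme Payroll" <payroll@acme.example>',
    "html": '<a href="https://portal.acme.example/payslip">https://portal.acme.example/payslip</a>',
}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels. Adequate for the .example names here."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(msg, org_domain=ORG_DOMAIN):
    """Return a list of human-readable warnings; an empty list means none of the checks fired."""
    hints = []
    name, addr = parseaddr(msg["from"])
    from_dom = registrable(addr.rsplit("@", 1)[-1])

    # 1. Display name invokes the company but the sending domain is not the company's.
    if org_domain.split(".")[0] in name.lower() and from_dom != org_domain:
        hints.append(f"display name '{name}' suggests {org_domain} but sender domain is {from_dom}")

    # 2. Replies would go to a different domain than the apparent sender.
    if msg.get("reply_to"):
        reply_dom = registrable(parseaddr(msg["reply_to"])[1].rsplit("@", 1)[-1])
        if reply_dom != from_dom:
            hints.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # 3. Link text looks like a URL for one site while the href leads to another.
    collector = _AnchorCollector()
    collector.feed(msg.get("html", ""))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registrable(text_host) != registrable(href_host):
            hints.append(f"link text shows {text_host} but points to {href_host}")
    return hints


if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(msg) or ["no indicators"])
```

None of the three checks proves a message is phishing, and a real message can trip one of them (a marketing platform often sets Reply-To). The training value is that each check is something an employee can verify in seconds by hovering over a link or expanding the sender, which is exactly what the McAfee figure on unsecured email suggests most small businesses are not teaching.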
Perform a security risk assessment
You can’t protect information if you don’t know where it is stored or accessed, and you can’t protect it if you don’t understand the risk to it. A security risk assessment is one of the best tools for finding out where information lives and understanding the risk to it.
Not all breaches are preventable, but taking a few basic steps can go a long way toward reducing the likelihood of a data breach.