Fortify Your Business Against Cybersecurity Threats
A cyberattack doesn’t have to make national headlines to bring a company to its knees. Cybercrime can hurt your business badly whether it takes the form of a sophisticated data breach that compromises all of your clients’ sensitive information or a simple phishing scam that catches one employee off guard. You can be the target of financial or intellectual property theft, data breaches, ransomware attacks and more, which can put not only your assets, but also your reputation, at risk.
Cybercriminals don’t discriminate on the basis of size, either. According to Dr. Trebor Evans, Chief Information Security Officer and Senior Vice President at Dollar Bank, believing your business is too small to be a target can be a recipe for disaster. “Cybercriminals count on you to think this way,” he says. “They look for small and medium-sized businesses to be more vulnerable to their attacks, because smaller companies typically don’t have the kind of large cybersecurity budgets and sweeping protections larger corporations may have.”
Smaller businesses can also get caught up in a scam when they are not a direct target. Dr. Evans describes this type of scenario: “Sometimes scammers cast a wide net — sending a phishing email out to hundreds of thousands of email addresses, for example. Your business may not necessarily be the target, but if you or one of your employees clicks on an illegitimate link in the email and supplies credentials, you become a target.”
Similarly, bad actors may use bots, software applications programmed to perform repetitive tasks, to crawl the web looking for computers that may not be patched against a known vulnerability. (Patches are software and operating system updates that address security vulnerabilities and fix performance bugs.) These cybercriminals can then exploit that vulnerability to access email accounts, files or systems.
How to protect your business from cyberattacks
Keeping up with the latest cyber threats requires intentionality, action and ongoing vigilance. Scams are constantly evolving, so just as you get ahead of one of them, another could become a risk. That’s why large corporations tend to have not just an individual but an entire team dedicated to keeping their networks, systems and equipment safe from intruders. If you run a smaller business, though — one with fewer employees, fewer devices and a more limited budget — you can manage these risks by putting some basic protections into place. Dr. Evans recommends the following:
1. Establish and enforce protocols for updates and backups.
Updates patch vulnerabilities so that cybercriminals, who are always finding new and interesting flaws to exploit, can’t get access. You may get notifications from Microsoft, for example, that it’s time to update your operating system (OS). Microsoft issues monthly updates, as well as emergency patches when needed, to help users keep their systems safe. You can ensure your team never misses a critical security patch by setting all of your computers (Windows and Mac) to auto-update.
Equally critical to cybersecurity is backing up all of your important data to an external hard drive so that if a computer or system gets hacked, you will have a copy of any data that is stolen or otherwise compromised. You can use external hard drives that automatically back up your files, or put a protocol into place for each member of your team to periodically plug in and manually back up their files. If you opt to store your backups in the cloud, make sure you have security in place there as well: Use a separate login and multi-factor authentication (MFA). If you are unfortunate enough to get hit with ransomware, you don't want your backups to be unusable, too.
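A backup protocol is only as good as the last time someone confirmed the copies are intact. The script below is an added example (not from the article or from Dollar Bank) of the kind of check a small business can run on a schedule: it records a SHA-256 fingerprint of each file at backup time and later reports any backup file that is missing, altered (for instance, overwritten by ransomware) or older than a freshness window. It assumes backups are plain file copies in a directory; the sample files, the manifest and the "tampered" file are all constructed inside the script so it runs offline.

```python
"""Backup verification check.

Added example, not code from the article or from Dollar Bank.
Assumption: backups are plain file copies under one directory, and a
manifest (built here from constructed sample files) records each source
file's SHA-256 at backup time.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> Dict[str, str]:
    """Map each file's path (relative to source_dir) to its SHA-256."""
    return {
        str(p.relative_to(source_dir)): sha256_of(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: Dict[str, str],
                  max_age_seconds: int,
                  now: Optional[float] = None) -> Dict[str, List[str]]:
    """Compare a backup directory against the manifest.

    Returns problems grouped as:
      missing - recorded file is absent from the backup
      altered - backup copy's hash differs (corruption or encryption)
      stale   - backup copy is older than max_age_seconds
    """
    now = time.time() if now is None else now
    report: Dict[str, List[str]] = {"missing": [], "altered": [], "stale": []}
    for rel_path, expected_hash in manifest.items():
        copy = backup_dir / rel_path
        if not copy.is_file():
            report["missing"].append(rel_path)
            continue
        if sha256_of(copy) != expected_hash:
            report["altered"].append(rel_path)
        if now - copy.stat().st_mtime > max_age_seconds:
            report["stale"].append(rel_path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one good copy, one overwritten copy, one never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        source.mkdir()
        backup.mkdir()
        # Constructed sample business files.
        (source / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "clients.txt").write_text("Acme Corp\n")
        (source / "notes.txt").write_text("meeting notes\n")
        manifest = build_manifest(source)
        # Simulated backup run: ledger copied correctly, clients.txt later
        # overwritten with junk (standing in for a ransomware-encrypted copy),
        # notes.txt never copied at all.
        (backup / "ledger.csv").write_bytes((source / "ledger.csv").read_bytes())
        (backup / "clients.txt").write_bytes(b"ENCRYPTED-BLOB")
        return verify_backup(backup, manifest, max_age_seconds=7 * 24 * 3600)


if __name__ == "__main__":
    print(demo())
```

Run it against the real backup location on the same schedule as the backups themselves; an empty report is the evidence that the protocol is actually being followed. A drive that stays permanently plugged in can be encrypted together with the live files, which is exactly the condition the "altered" list surfaces, so rotate or disconnect the backup media between runs.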
2. Conduct regular employee training.
In addition to having open lines of communication in your business — having employees share phishing emails with the team so everyone can be on the lookout for similar scams, for example — ongoing employee awareness training is vital. Every member of your team should be aware and alert, so they don’t fall prey to social engineering ploys. You don’t want them responding to a request for information or payment because it looks like that text or email request came from a high-level executive in the company. They should be able to recognize the false sense of urgency in, or uncommon nature of, the request and reach out to the purported sender using a known contact number, rather than any numbers in the potential phishing email, to verify its authenticity.
Ongoing periodic training can help employees identify potential cyberattacks and know how to respond to them. It can also provide critical information regarding secure password practices, multi-factor authentication (MFA), update and backup policies, and more. As essential players in your network security plan, employees must have access to regular training that is as dynamic as the cyber threat environment we live in. The National Institute of Standards and Technology (NIST) offers free or low-cost employee awareness training tools that may help you develop a comprehensive cybersecurity training program.
3. Contract a cybersecurity consultant and/or appoint a cybersecurity champion.
If you have the resources, you might consider adding a cybersecurity consultant to your network of advisors. They can do an assessment to identify vulnerabilities and recommend actions you can take to strengthen the security of your processes, systems and equipment. Choose a reputable consultant who specializes in companies similar to yours, in both size and industry, so they understand your concerns, financial parameters and priorities.
Alternatively, or in addition, you can appoint a member of your team to champion your cybersecurity efforts. This individual would need to dedicate time from their normal schedule to stay on top of the latest cyber scams and put measures into place to avoid them. They should also hold responsibility for informing the entire team of what to watch for in terms of phishing (email), smishing (text) and other scams they may encounter in their day-to-day work, and for ensuring patches are up to date across the company.
Setting your cybersecurity champion up for success entails providing them with education and training opportunities that go beyond basic employee awareness training. The Federal Virtual Training Environment (FedVTE) of the Cybersecurity & Infrastructure Security Agency (CISA) may be a good place to start. This free online, on-demand cybersecurity training system offers courses from beginner to advanced levels, allowing your champion or others in your organization to build their cyber skills at their own pace, as their schedules allow.
Strengthening your company’s resistance to cyber threats doesn’t have to be costly or overwhelming, but it does take a commitment to continuing education and strategic action. A well-informed, vigilant team is your best defense against attacks on your assets and reputation.
This article is for general information purposes only and is not intended to provide legal, tax, accounting or financial advice. Any reliance on the information herein is solely and exclusively at your own risk and you are urged to do your own independent research. To the extent information herein references an outside resource or Internet site, Dollar Bank is not responsible for information, products or services obtained from outside sources and Dollar Bank will not be liable for any damages that may result from your access to outside resources. As always, please consult your own counsel, accountant, or other advisor regarding your specific situation.
Posted: October 18, 2023