4 tips for managing cybersecurity for small business

18 Jul 2017

Data breaches can seriously damage an SMB, both in IT cost and loss of business. Prevent disaster by creating, updating, and refining cybersecurity policies.

The impact of a data breach on a small business can be catastrophic.

Top cybersecurity threats to small businesses (SMBs) are very similar to the risks all enterprises face. The stakes are much higher for SMBs because they often lack the resources to fight back and prevent data loss. Large firms have teams of security experts and can afford extensive audits. SMBs can be more vulnerable to security risks and struggle to quickly react to vulnerabilities.

So how can SMBs fight cybersecurity risks? Prevent IT vulnerabilities and educate employees about data security best practices.

Your business is small, but risks are enterprise-size

The 2016 Ponemon Cost of Data Breach Study notes the average total cost of a data breach increased from $3.79 to $4 million since last year. Data breaches are more than stolen records, considering the cost of lost business, increased customer acquisition activities, reputation loss, and diminished goodwill. Ponemon also found that the average organizational cost of a data breach in the US is more than $7.01 million.

The best way for small businesses (SMBs) to deal with cybersecurity risks and data breaches is to prevent them. Of course, it’s easier said than done. With limited resources, SMBs need to get creative to spot vulnerabilities. SMBs can be more vulnerable to cybersecurity risks than large companies and struggle to quickly react to vulnerabilities. The first step is to evaluate current security policies: everything from the office Wi-Fi network password to how customer payment information is stored.

See the InformationIsBeautiful interactive for the root causes of the most recent data breaches and their impact.

Tip 1: keep pace with both risks and compliance by self-evaluating

Frequently self-evaluating the company’s cybersecurity practices is the best way to detect and prevent cybersecurity threats. SMBs can use the NIST Cybersecurity Framework (it’s free!) as a blueprint to evaluate current security policies, remodel data protection policies to focus on preventing vulnerabilities, and set goals to improve and maintain security.

SMBs should self-evaluate cybersecurity at least once a year, with participation from all business unit leaders and all of the IT team.

Traditional standards and protections – like the Payment Card Industry (PCI) DSS, Health Insurance Portability and Accountability Act (HIPAA), and others – all attempt to do the same thing: protect sensitive data. The NIST Cybersecurity Framework is unique because it combines the best practices of other security standards to focus on outcomes, rather than avoiding liability. The Framework has huge potential value for any organization looking to establish cybersecurity standards.

Tip 2: don’t become a victim of your own success

As your SMB grows and adds employees and partners, your IT systems and data security policies must also evolve. Your IT team must share access to vital business data and systems without leaving any vulnerabilities. For example, a small company can rely on a single IT person to manage access to data, a server, and the company network. As the organization grows and adds employees and technologies, that “single point of failure” becomes a risk for the company.

The best way to manage data security is to build it in from the beginning. Security for data and networks should grow with the business, with precautions built into business goals. Your business should use the regular self-evaluations in Tip 1 to check up on the reality of your security policies as the business grows.

In the last two years we have seen a shift from passing compliance audits toward actionable cybersecurity policies to prevent costly data loss. SMBs can prevent costly data loss by acting now to evaluate and boost security policies, then regularly checking in on policies as the company grows.

Tip 3: Involve everyone in security and prevention

SMBs should involve everyone – including IT, HR, sales, and legal teams – in the cybersecurity self-evaluation process. First, company-wide involvement encourages bigger-picture thinking and input about how data protection can be both practical and effective. For example, if a policy requires employees to change their passwords every month and use 12 non-repeating characters, employees will likely cope by writing down passwords and reusing old logins, which will defeat the purpose. Likewise, the IT team should be involved if the procurement team requires new vendors to pass certain security standards.

Another perk of company-wide involvement in regular security evaluations is the opportunity to update employees about data privacy. SMBs can educate employees on how to keep both personal and corporate data private to prevent data breaches. Cybersecurity training, at least once a year, can help both the business and individuals prevent cybersecurity breaches.

Tip 4: Add security in layers – defense in depth

Traditional security policies and vendors focus too much on exterior defenses. Policies for employee screening, physical security, and website cookie blockers are all important, but don’t overlook internal network security. In the famous Target and Sony data breaches, the hackers broke in and then exploited weak internal network security to plunder the critical data that was freely connected inside the corporate network.

Add encryption and monitoring within your network to strengthen existing security.

“Defense in depth” is a term borrowed from the military, where several varied layers of security offer better protection than a single, reinforced perimeter. Your data security policies shouldn’t stop with preventing bad actors from entering; they should also extend inside your network to monitor and limit access between IT systems.

How can Cohesive Networks help?

At Cohesive, we’ve combined our connectivity technology with dataflow and compliance tools to create secure, redundant networks for each set of critical data. VNS3:turret is our application segmentation product designed to surround and encrypt your data wherever it goes.

Those additional layers of security build ‘defense in depth’ into each application, or group of business data. VNS3:turret lets you encrypt and manage network traffic, and protect against both external exploits and unauthorized interior network access. VNS3:turret guards your network by routing traffic through encrypted switches.

VNS3:turret allows you to:

  • Create a cryptographically unique micro-perimeter around each application.
  • Segregate applications to eliminate east-west vulnerability and monitor interior traffic.
  • Isolate and monitor all traffic to flow through the secure edge.
  • Automate compliance reporting with dataflow and monitoring tool integration.
  • Provide the most comprehensive application security model available today.

Availability:

VNS3:turret is available for private cloud customers, as well as public cloud users. Contact Cohesive Networks to get started today: sales@cohesive.net