In recent blog posts, we’ve discussed specific cyber threats that can cripple a business if not guarded against, such as:
• Ransomware and Viruses
• Data Breaches
• Browser Hijacking
What can you do to protect your business from cybercriminals and their devious ways? That is the topic of this month’s discussion in which we consider three cybersecurity best practices to prevent losses and ensure business continuity.
Cybersecurity Risk Assessment
Have you ever listened to a child who is so excited to tell you about their field trip or new 4-H group that they randomly blurt out bits and pieces of the story? If so, you might have said to them, “Whoa now! Start at the beginning and proceed to the end.” That’s good advice, and not just for relating stories.
It is also applicable to securing a business’ cyber environment. The “beginning” in this scenario is identifying the risks of cyberattacks associated with your digital assets. From there you can craft a customized strategy for safeguarding against those risks. This is where a cybersecurity risk assessment becomes an essential part of your business continuity strategy.
Small Businesses Beware!
Cybersecurity risk assessment and mitigation planning are just as important for small businesses as they are for large companies. In fact, cyberattacks on small businesses are increasing because cybercriminals know that many small firms do not have an effective (or sometimes any) security strategy. They are just as happy to steal data and money from a small business as they are from a large business!
The basic steps in a cybersecurity risk assessment are:
• Identify and document all digital assets and systems.
• Identify vulnerabilities and threats associated with them.
• Consider the likelihood of each threat becoming an attack.
• Assess the impact and consequences of each type of attack on your business.
• Prioritize mitigation targets based on threat likelihood and impact.
• Develop a risk mitigation strategy that addresses the risks as prioritized.
Of course, what good is a risk assessment and mitigation strategy if it is not implemented? Not much!
That’s why the mitigation strategy needs to include a schedule for implementation and identify the persons responsible for specific parts of the strategy. It should also include plans and schedules for (a) monitoring and updating the strategy and (b) keeping employees informed and security-conscious.
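As an added example (not part of the original post), here is a minimal risk register that carries the six steps above through to a prioritized list with owners and due dates, and flags any risk that still has no one assigned to it. The assets, threats, scores, rating thresholds, names and dates are all constructed for illustration; the 1-5 scales and the 15/8 rating cut-offs are assumptions, since the post does not prescribe a scoring method.

```python
# Added example (not from the original post): a minimal risk register that
# carries the six assessment steps through to a prioritized, owned list.
# All assets, threats, scores, thresholds, names and dates below are
# constructed for illustration; replace them with your own inventory.
from dataclasses import dataclass
from typing import List

# Assumed 1-5 qualitative scales; the post does not prescribe a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed rating thresholds on the likelihood x impact product (max 25).
HIGH, MEDIUM = 15, 8


@dataclass
class Risk:
    asset: str            # step 1: digital asset or system
    threat: str           # step 2: threat or vulnerability tied to the asset
    likelihood: str       # step 3: chance the threat becomes an attack
    impact: str           # step 4: business consequence if it does
    mitigation: str = ""  # step 6: planned control
    owner: str = ""       # who implements it (the implementation schedule)
    due: str = ""         # when it is due (ISO date)

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales so a typo cannot silently
        # drop a risk to the bottom of the list.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r} for {self.asset}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact {self.impact!r} for {self.asset}")

    @property
    def score(self) -> int:
        """Step 5 input: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        if self.score >= HIGH:
            return "high"
        if self.score >= MEDIUM:
            return "medium"
        return "low"

    @property
    def assigned(self) -> bool:
        """True only when a mitigation, an owner and a due date all exist."""
        return bool(self.mitigation and self.owner and self.due)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 5: highest score first; ties broken by impact so the costlier
    outcome is handled first."""
    return sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def unassigned(risks: List[Risk]) -> List[Risk]:
    """Risks with no complete mitigation entry: the 'not implemented' gap."""
    return [r for r in risks if not r.assigned]


def render(risks: List[Risk]) -> str:
    """Plain-text register, highest priority first."""
    lines = [f"{'Score':>5} {'Rating':<6} {'Asset':<26} {'Threat':<36} {'Owner':<8} Due"]
    for r in prioritize(risks):
        lines.append(f"{r.score:>5} {r.rating:<6} {r.asset:<26} {r.threat:<36} "
                     f"{r.owner or '-':<8} {r.due or '-'}")
    return "\n".join(lines)


# Constructed sample inventory for a small office (not real data).
SAMPLE_RISKS = [
    Risk("Public website", "Defacement of unpatched CMS", "unlikely", "minor",
         "Enable automatic updates", "Web host", "2024-07-01"),
    Risk("Customer database (CRM)", "Ransomware via phishing email", "likely", "severe",
         "Offline backups + phishing training", "IT lead", "2024-06-15"),
    Risk("Office Wi-Fi", "Guest access with shared password", "possible", "moderate"),
    Risk("Email accounts", "Credential theft, no MFA enforced", "likely", "major",
         "Enforce MFA for all users", "IT lead", "2024-06-01"),
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    for r in unassigned(SAMPLE_RISKS):
        print(f"UNASSIGNED: {r.asset} / {r.threat}")
```

Run it and the ransomware-on-CRM entry (score 20) lands at the top, the email MFA gap (16) second, and the Wi-Fi entry is reported as unassigned because nobody owns it yet. That last check is the point of the script: a register that scores risks but never names an owner and a date is exactly the assessment that does not get implemented.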
Employee Training
Each of your employees plays a crucial role in guarding the digital security of your business. Consider this: according to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved the human element, whether through social engineering, errors, or misuse. The more your employees know about the types of cyber risks and how to spot them, the more empowered they will be to conduct their work safely.
Let’s look at some key training topics, training format options, and recommended training schedules.
Training Topics
Key training topics your employees need to understand are:
• The most common types of cyber threats, e.g., ransomware, viruses, phishing emails, and so forth
• Creating strong, unique passwords (a password manager makes this practical)
• Using multi-factor authentication (MFA), and never approving a sign-in prompt they did not initiate
• Best practices for internet use
• Avoiding suspicious downloads
• Protecting sensitive vendor and customer information
Your industry may have other specific topics that should be included in your employee training.
Training Formats
There are several format options when it comes to employee cybersecurity training.
Training can be handled by your in-house cybersecurity specialist or you can retain a reputable vendor to conduct the training. If you choose the latter, associations within your industry may have vetted options you can explore, and your area’s chamber of commerce may be able to recommend vendors.
Training can be conducted at your business in person, virtually, or through a video-based program. Whichever option you choose, hands-on activities and comprehension checks are invaluable for optimizing employee understanding and retention.
Training Schedules
Staying on top of evolving cyber threats requires annual training, at a minimum. Throughout the year, periodic checkups and reminders can be conducted via quiz questions and tips delivered to employees via email. This helps employees to keep cybersecurity top-of-mind.
We recommend you include cybersecurity training in your onboarding process for new employees. Don’t rely on training they may have recently had elsewhere – your business is unique and requires training customized to your assets and processes. It is also good practice to train employees when new software or technology is adopted.
New Technology Training
To gain insights on training employees on new technology, check out this article from EdgePoint Learning:
How To Train Employees On a New System Or Technology: 5 Tips
Cybersecurity Management
These days, every business needs a management plan for its cybersecurity and digital infrastructure. Going without one presents risks to business data, finances, reputation, and continuity – not to mention employees and customers. Key roles in the management plan include the CEO and the IT Security Lead.
The CEO may not be a cybersecurity expert, but they do have the ability to establish and foster a culture of security throughout the company. A few of the top responsibilities of the CEO are:
• Selecting and supporting the company IT Security Lead
• Reviewing and approving IT security plans, mitigation plans, and other digital strategies for their business
• Participating in employee cybersecurity training in order to foster a culture of security and keep themselves up-to-date on cyber risks and safety best practices
Appointing the IT Security Lead is not the time to pinch pennies or “make do.” It is a crucial role for the safety of your business, employees, and customers, so it deserves careful consideration and a commitment to professionalism.
Your company’s IT Security Lead needs to have the training and experience to fully develop, implement, and maintain a cybersecurity plan that fits the needs of your business. The IT Security Lead could be a dedicated full-time position, a dedicated part-time position, a portion of a full-time employee’s responsibilities, or an IT support and security provider.
Again, it is the CEO’s responsibility to determine what option is best based on company size, operations, and needs. The key is to make sure your company makes this an ongoing priority, not just something that gets squeezed in when time allows.
Resources
This discussion has touched on three best practices for cybersecurity in businesses of all types and sizes. If you would like to learn more, two trusted resources are:
• The National Cybersecurity Alliance’s CyberSecure My Business™ program
• CISA’s Cybersecurity Awareness Program Small Business Resources
And remember, you are always invited to reach out to us at Magnify247 for IT and cybersecurity support and service.