It is no secret that cyberattacks are a serious and significant risk to businesses and organizations of all sizes. As more companies and organizations migrate their data and IT operations to the cloud and adopt the remote working environments necessitated by the COVID-19 pandemic, the importance of cybersecurity has never been greater.
There has been a 67% increase in security breaches over the past five years and the cost of cybercrime has increased 72% during the same period, according to a recent study by Accenture. A successful cyberattack can cause considerable harm and result in loss of valuable data, money and customer confidence.
No company is immune from a cyberattack; in fact, smaller organizations are often more susceptible to the tactics of cyber criminals because they have fewer IT resources and lack a comprehensive plan addressing cybersecurity.
So is your company or organization prepared for a cyberattack? Below are several questions that every small business or nonprofit organization should ask in order to assess its preparedness for a cyberattack.
Do you know where your sensitive data is stored and who has access to it?
Organizations are often in possession of a large amount of important information. In addition to sensitive internal information such as financial results, management communications, and trade secrets and other intellectual property, companies also often hold valuable data regarding customers, employees and vendors.
Where is this information stored, and is that a secure location for it? If so, what steps are being taken to ensure that the location remains secure? Not only is it vital to protect the data’s location, but it is also critical to monitor access to this information.
Are the individuals with access clearly defined, and are their access privileges regularly reviewed? Companies need to know who can view the data and review this list to confirm that unauthorized individuals (such as former employees) are no longer included.
Is there a system in place to back up and protect data?
In the event of a cyberattack, it is likely that part or all of an organization’s network and data will be unavailable for a period of time (or permanently, in the worst-case scenario). Such downtime can have a significant negative impact on operations and result in substantial financial loss.
What process is in place to make sure that critical data is backed up on a regular basis? It is critical to have an offline backup strategy so that a copy of the data is safe from infection during an attack and so that systems can be restored quickly and completely once the attack has been detected and removed.
Does your organization have a formal policy regarding passwords?
Passwords often serve as a simple and effective first line of defense against a security breach. However, passwords need to be sufficiently complex and updated regularly in order to remain effective against a cyberattack.
Is there a mandatory policy in place governing the use of passwords? Best practice dictates that passwords should be updated at a minimum every 90 days, should include numeric and special characters, and should not be reused across different sites or access points. In addition, mandating the use of two-factor authentication (requiring a code sent via email or text message to be entered when logging in) can provide another layer of protection in the event a password becomes compromised.
Do employees receive regular training on cybersecurity procedures?
Users are often the weakest point in a cyberattack defense, and this vulnerability is not lost on cyber criminals. Scams such as phishing attacks are typically targeted at individuals and seek to exploit the human element to steal data or install malware.
Does your organization educate employees about the threat from cyberattacks and the ways they can be avoided or thwarted? Along with being aware of the cybersecurity policies in place, employees should also learn how to spot a potential phishing attack and know the protocol to follow when a suspicious message or request is received.
Are there controls in place to protect mobile devices?
IT devices are no longer based solely in the office or warehouse; today almost all employees have a smartphone or other mobile device that allows them to access company networks from anywhere with an internet connection. The COVID-19 pandemic has accelerated this trend as more employees work remotely and take laptops and other devices out of the office and into their homes.
Have safeguards been put in place to protect these assets from cyberattacks? Devices should be set up so that their data can be erased remotely if they are lost or stolen, and they should carry anti-virus software and similar protections. Employees should also be reminded to keep operating systems and firmware updated and to use a passcode, fingerprint or facial recognition to further prevent unauthorized access to the device.
Is cybersecurity strategy discussed at the management or board of directors level?
Having the proper controls in place and security software installed can help fend off a cyberattack. However, a complete cybersecurity plan requires involvement from the key decision makers in the organization. A broad framework should be established that incorporates cybersecurity into all areas of the company.
Has management or the board assessed the risks that a cyberattack could pose to operations and the ways to address those risks, such as a disaster recovery plan? Has a strategy been developed for how the organization will respond to a cyberattack? It is prudent for management to take a proactive approach to cybersecurity and develop a plan that addresses the risks and action steps unique to its operations.
It is vital that small businesses and organizations assess the threat from cyberattacks and take steps to better prepare for such an event. By developing a comprehensive plan and implementing the proper safeguards, a well-prepared organization will be in a strong position to protect itself and defend against the inevitable cyberattack.
Management and board members should recognize the important role that cybersecurity now plays in overall business strategy and work to develop a framework that addresses the serious threats posed by cyberattacks.