The vast majority of small- and medium-sized businesses (SMBs) do not hold anywhere near the volume of data that Equifax maintains, and in the event of a data breach, an SMB will not be in a position of having lost control of the personal and financial records of more than 143 million people.
Even so, the recent Equifax data breach is a stark reminder to all SMBs that they need to have their cybersecurity houses in order because any loss of data can result in expenses and liabilities as well a substantial loss of customer faith and trust in the SMB.
One of the greater problems that SMB managers face is that the cybersecurity world is evolving rapidly, and those managers do not have the knowledge or experience to ask the right questions about the SMB’s cyberdefenses.
These five questions are a good starting point for SMB managers to begin an assessment of the SMB’s cybersecurity strategy.
1. What type of data does the SMB hold and maintain, and how valuable is that data?
SMBs that conduct sales on credit or with credit or debit payment processing services inevitably hold their customers’ payment information, including bank accounts and credit and debit card numbers.
Even if the SMB does not store detailed financial data, it likely maintains records of the names of individuals and their places of employment, including whether they have authority to place orders. Hackers can use that identifying information to dig deeper into the internal processes of an SMB’s customer.
The absence of financial data does not eliminate the value of that data to a hacker. Apart from customer data, the SMB’s own financial records can be a gold mine for a determined hacker.
2. How aware or involved are the SMB’s employees in its cybersecurity efforts?
Do the SMB’s employees assume that an IT department or a third-party technology consultant will handle all cybersecurity matters, or are they vested in the SMB’s cybersecurity strategy?
If the SMB has established cybersecurity policies and procedures, determine if its employees have copies or are aware of those procedures and whether they have received instruction to follow them.
If employees use weak passwords, routinely click on email attachments, or log into the SMB’s networks through free public wifi, the SMB should revisit its policies and procedures in order to make its employees more engaged in the SMB’s cybersecurity.
3. Does the SMB have a multi-layer cyberdefense technology strategy?
Does the SMB’s cyberdefense technology begin and end with a single firewall or does it have several layers of defenses, including multi-factor authentication (MFA) for logins, policies for regular software and operating system updates, and data storage segmentation to erect better protections around very sensitive data?
A single firewall is no longer effective in guarding an SMB’s information systems against hackers. Every SMB needs a coordinated cyberdefense technology strategy that embodies current tools and techniques to fend off cyberattacks.
4. Could the SMB afford to rebuild internal systems and to reimburse customers in the event that customer data were lost in a data breach?
Does the SMB have an incident response plan that will facilitate recovery of its operations and provide for payment of losses and liabilities associated with a breach? Will a data breach do permanent damage to the SMB’s reputation? In many cases, even a lesser data breach can cost tens or hundreds of thousands of dollars.
Some SMBs are even out of business within six months after a breach because they do not have the financial resources to remediate all the damages caused by the breach. Cyber insurance can cover data breach losses and liabilities and allow an SMB to get back on its feet more quickly and with a minimum of damage to its reputation after the SMB loses data to hackers.
5. What data backup procedures has the SMB implemented?
SMBs are particularly susceptible to ransomware attacks that freeze access to systems and data and that effectively shut down the SMB’s operations until a ransom is paid to hackers.
SMBs with robust backup systems that are maintained separate and apart from the SMB’s primary network will be better able to recover frozen data and to resume operations without paying any ransom.
The SMB should regularly test and practice backup recoveries to avoid confusion when the backup is actually needed.