Part 2: The How
In this series on cybersecurity, we’re exploring why Colorado businesses should take cybersecurity seriously and offering some helpful tips to shore up your data security. In Part One, we looked at the “why”: why your business should care about cybersecurity, with a particular focus on providing updates on Colorado’s new consumer data protection law. In Part Two, we’ll look at the “how” by diving into the practical and providing tips on best practices for keeping your systems safe.
Cybersecurity threats are a dangerous reality, with threats constantly changing and evolving. But there’s hope: according to Verizon, creators of the 2018 Data Breach Investigations Report (DBIR), “that same catalog of unscrupulous activities offers security pros a first-hand view into current cybercrime trends, and a map towards developing a prosperous and mature security program.”1
Developing a mature security program that you can implement in your own business, in part by teaming up with organizations that keep tabs on attacker trends, is a good organizational goal. These "best practices" can help you along that road.
Best Practices to Developing Your Business’s Security Program:
1. Stay Current.
New cybersecurity threats appear almost every day, so make sure your team (or one dedicated member of it) periodically researches the best methods of safeguarding your organization against the most recent threats out there (we recommend monthly, and no less often than quarterly; annually is the bare minimum). Even if you don't have an IT team, you can still pick employees who are especially computer-savvy.
2. Cast a Wide Net.
Don't stop at just one area of potential threat. Be thorough when investigating all risks and how to stop them, from password hygiene to keeping your malware-detecting software up to date. (On passwords, current guidance favors long, unique passwords, ideally in a password manager, and changing them when compromise is suspected, over forced calendar-based rotation, which tends to produce weak, predictable variations.)
3. Get Everyone in On It.
Employees are your biggest source of risk: according to Verizon's DBIR, an average of 50% of users opened phishing emails, and clicked the questionable links inside, within an hour. To combat this, keep all employees informed and trained on a regular basis, ideally using a combination of teaching techniques to suit everyone's individual learning style (written, verbal, through example, etc.) to reduce the rate of ill-advised click-throughs. Give employees an easy, blame-free way to report a suspicious message or a click they regret; the sooner you hear about it, the less damage it can do.
4. Manage Ex-Employees.
Sometimes the threat is a betrayal by a past employee whose access was never fully revoked (see our related article on how to protect yourself when someone leaves the company). Other times, a disgruntled employee who remains can abuse the access they still hold to cause problems. An offboarding checklist that disables accounts, changes any shared passwords, and collects devices on the employee's last day closes the first gap; limiting each employee's access to what their job actually requires narrows the second.
5. Keep the Money Separate.
If you can, use a different system for payment processing than you do for other, less-secure programs. For example, we at Telios Law use Lawpay.com for any credit card payments by clients, which has been a great way to keep it separate and secure from other databases, because we literally never get that personal information.
6. Arm Yourself.
Keep all company computers equipped with up-to-date software that can identify, block, and remove malware. The best way to do this is to ensure that all software updates and scans automatically and regularly; there's a handy list of current major threats, with corresponding software suggestions to combat each one, at Business News Daily that we recommend. Ensuring all vital programs have two-factor authentication is a must as well, starting with email and any remote or administrative access, since those accounts are what a phished password unlocks.
7. If Necessary, Outsource.
Small businesses that can't afford much IT staff may do well to adopt cloud-based systems, so that the provider's security teams help protect your information for you. Many large cloud-based providers, such as Box, publish audits against international security standards and document their compliance with privacy regulations like GDPR. Keep in mind that the provider secures its platform, but your user accounts, passwords, sharing settings, and two-factor authentication remain your responsibility.
8. Have a Plan.
What will your company do if there is a breach? Having secure backups of all your data in a secondary location is a good way to recover anything that was ransomed or lost; keep at least one copy offline or otherwise out of reach of the systems it protects, so ransomware that encrypts your network can't encrypt the backup too, and test restoring from it periodically. Cyber insurance is another option, which can help cover costs ranging from handling publicity to stolen funds. Find a plan of action that suits your company's needs. Unfortunately, since risks can be hard to quantify up front, a policy's coverage limits may fall short of making up any real losses.
9. Know Your Legal Obligations.
As part of your plan, be sure you are aware of your legal obligations in the event of a breach. Complying with data breach notification laws when data is compromised (see Part One of this series) is very important. Don't add insult to injury by failing to give consumers notice where required.
10. Be Vigilant!
Never get complacent or assume that your company will escape notice. Small businesses are an especially vulnerable target: many assume the large corporations are drawing all the fire, invest little in defenses as a result, and so become a surprisingly popular target. As one researcher put it: "Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers' cybersecurity sweet spot: They have more digital assets to target than an individual consumer has but less security than a larger enterprise."2
The good news is that by keeping current and following the basic safety procedures above, most attacks can be rebuffed with relative ease. It just takes consistency, thought, and remembering to lock the back door.
• A free exercise being hosted by FS-ISAC (Financial Services Information Sharing and Analysis Center) in the Fall on cybersecurity safety: https://www.fsisac.com/Exercises-CAPS
• A training exercise for your IT official where they simulate cyber-attacks from the hackers’ side: https://www.cbtnuggets.com/it-training/white-hat-hacking
1 What went wrong? An exploration in trends and data, available at: https://info.verizonenterprise.com/VBM-2018-DBIR-ulp.html.
2 Rivera, Andreas, (2018, April 11), Cybersecurity: A Small Business Guide, Business News Daily, available at: https://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html
Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations.