There are thousands of reasons why your business might fail. Small businesses face an even greater risk, due mostly to a lack of capitalization that leaves them unable to withstand a sustained business interruption or a completely unexpected large expense. In today’s interconnected cyber world, businesses of all sizes and scope need every employee in every department on the defense to prevent those fatal blows to their bottom line. Hoping employees simply “do the right thing” based on sporadic and loose cybersecurity training is no longer worth the risk, if it ever was.
Organizations like the Women’s Health Care Group of Pennsylvania could be facing the closing of their doors after 300,000 medical records were breached via ransomware, discovered in May 2017. Avoiding such an attack may seem a tall order, particularly for organizations with fewer technology and training investment resources than larger enterprises. The good news is that it’s all about maintained attention to the risk, taking things seriously, and cultivating a culture of cyber consciousness. A good place to start? Business owners should be guarding against simple phishing attacks.
A recent Duke University CFO Magazine study found that 80% of U.S.-based companies have been successfully hacked. Hasn’t yet happened to you? It will. Other studies show that in most cases, even the biggest corporations don’t learn of a compromise for months after the initial break-in. And if you’re not paying attention yet, in 2016, an IBM study found 60% of small companies were unable to sustain their business after a cyber attack.
Sure, the odds are stacked against you, and you may be thinking your staff should treat the Internet like a dark, syringe-filled alley off a busy street in a large city. But here’s the thing: security is everyone’s business. It’s not something you pass off to a contractor, or your geeky relative – it’s now a Business Imperative.
Here are five timely strategies to improve your chances when protecting your company’s digital assets.
Don’t, don’t, don’t
You may not realize it, but one of the greatest threats to your business is phishing. There are a good number of variations on this attack, but put simply, it’s an effort to fool someone into doing something they shouldn’t. If successful, the attacker gets the keys to the building. So, just like you show everyone how to lock and unlock the front door to the office, teach, re-teach, and audit how staff uses email. Don’t click on links in email – ever. Don’t open attachments directly from email. In fact, don’t use email for much of anything if you can avoid it. It is the open window on the back porch into your business.
Migrate to the cloud
If your business is more than five years old, you likely have files stored on an in-house file server. Stop reading this article now and find someone to help you migrate those files to the cloud, using a service like Google Drive, Box, Dropbox, or Microsoft. You can’t afford someone good enough to protect your perimeter network and manage credentials better than someone like Google or Box, so don’t try. The best part is, once the files are in the cloud, backup is simplified and productivity increases since everyone has access to everything from anywhere and from most any device. The one caveat is to be aware of your cloud provider’s security settings. There may be boxes to check that help keep these cloud-hosted files secure from third parties, and it’ll be your responsibility to have the right settings and controls in place.
Collaborate in new ways
Not every business is the same, but you should explore the new crop of team collaboration tools from companies like Microsoft, Atlassian, and Slack that make internal messaging more productive and can protect your team from phishing attacks. Some teams can perform their entire work effort in a cloud-based tool customized for their work function. Think Workday or Xero for finance and accounting, Salesforce for sales and marketing teams, and tools like Zendesk for customer service. Many of these tools can be a real replacement for internal email, and I’ve seen companies nearly eliminate email use when the company makes a commitment to a modern collaboration tool, meaning their exposure to possible phishing attacks is minimized. To boot, all of these tools have industry-leading security and live in the cloud.
Know your teams’ technology acumen
It’s pretty easy for staff to claim compliance with your technology security policies. And let’s be frank, too many people see security as something that gets in the way of their work. From an infrastructure and asset security perspective, policy compliance is just too important to ignore and cast aside. There are service providers that will perform security audits, and you should invest in an annual phishing audit. Just like your building will test the fire alarm yearly, you should use audits as a way to test preparedness and compliance with corporate policy. Provide training and, where possible, better tools to make it easy for staff to be good stewards of your corporate security policies. Track these metrics year over year, just like you do revenue and profits.
Enjoy the free coffee
You should build a security strategy that assumes even your own internal office network is as insecure as the local coffee shop. This starts with physical security by training staff to always shut down or lock their computers when they leave their desk. It can extend to making printers your only network-accessible devices, with all other services placed in the cloud. Using this strategy, even if a hacker could penetrate your perimeter defenses, there’s nothing worth stealing from any other device, server, or database on the network, because all of these services are locked down in the cloud. Unlike the coffee shop down the street, at your office, the coffee is free.
Technology is never static; it keeps advancing and moving forward. If you still are doing business the same way today as you were five years ago, you are desperately at risk. Everyone needs to evolve and that takes work. Thieves and hackers have learned how to exploit the tools and how we work. Their attacks are both simple and sophisticated, so be prepared. Expect to get hacked, and have a plan to protect your staff, coworkers, and consumers when it happens to you. Security is everyone’s business. Remember, the only thing riding on you doing it right is the livelihood of your business.