As a small business owner, you may think that the chances of your company being targeted in a cyberattack are low. But with research by Ipsos MORI revealing that 52% of small businesses experienced a cyber security breach or attack in 2017, it’s clear that it’s not only big organisations that are vulnerable. Cybercriminals often see small businesses as easier targets, or as gateways into accessing larger companies’ data.
However, there are steps you can take which can effectively safeguard your business’ systems and data. Many of the small businesses we have relationships with at the Development Bank of Wales are working to improve their cyber resilience. Here are a few of the measures they have taken:
Creating an IT security policy
A formal, documented IT security policy should be the first step in protecting your business against cyberattacks. Setting out procedures and assigning clear roles and responsibilities will bring clarity to your security practices and ensure that your team knows how to reduce the risks. When it comes to cyber security, knowing how to respond to an incident is as important as knowing how to prevent one, so having written guidelines for this process (who to contact, what to isolate, what to record and who to notify) will limit the impact of a cyberattack.
Creating an IT security policy and reviewing it on a regular basis will also help to ensure your business’ continued compliance with legislation such as the General Data Protection Regulation (GDPR). While the GDPR does not stipulate a specific set of cyber security measures to follow, businesses are expected to take ‘appropriate’ action to manage security risk and protect personal data against cyberattacks. A policy is an important way of demonstrating that you know your legal requirements and have processes in place to meet them, and will also assure your customers and stakeholders that their data is being kept secure.
Training your employees and developing a culture of awareness
A good IT security policy is not effective, however, unless it is shared with your employees and internal training is provided. Cyber security training should be part of an employee’s onboarding process and then refreshed regularly. You could also consider appointing cyber security advocates in each department and carrying out regular assessments to identify any security weaknesses and see where your business can improve.
Taking measures like these to educate your employees and develop a culture of cyber awareness will go a long way towards making your business more secure. This is especially the case given that cyberattacks very often succeed as a result of simple human error and a lack of vigilance. Teaching employees how to create strong, unique passwords and how to recognise common cybercrime tactics such as phishing emails, for example, will help to reduce the risks.
Putting the essential technical security measures in place
In order to safeguard your business’ networks and systems against cyberattacks, there are some basic security measures that you should implement. These include deploying properly configured firewalls, running security software such as anti-virus and anti-spyware programs, applying security patches promptly and keeping software and systems up to date and within vendor support, and managing user privileges so that each person has access only to the data and services they need. An increasing number of employees are also working remotely, so businesses need to take the risks associated with this into account and put appropriate measures in place, such as encrypting devices and data.
Ensuring that your IT team understands the importance of maintaining core cyber hygiene, and that all of your employees are aware of the cyber security guidelines for things like remote and mobile working, will help to keep your business’ data well protected.