Do you assume that getting hacked is only a big-company problem?
A new survey by Nationwide reveals that almost eight in 10 small business owners (79 percent) do not have a cyber attack response plan, even though a majority of them (63 percent) have been victims of at least one type of cyber attack.
And while many big companies may survive the hit, 60% of small businesses that suffer one go out of business within 6 months, according to the National Small Business Association.
“The holiday shopping season kicks into high gear this month, with Thanksgiving, Black Friday and Small Business Saturday,” said Mark Berven, president and chief operating officer of Nationwide Property & Casualty. “But unfortunately, this is also the time of year when many cyber criminals target shoppers and businesses. Our goal is to help companies and their insurance agents protect customers year round.”
We asked for tips on small-business cybersecurity from Jack Bienko, director of the U.S. Small Business Administration’s Office of Entrepreneurship Education, and Dr. Jane LeClair, COO of the National Cybersecurity Institute. With their input, we’ve created this checklist to help you batten down your cyber-hatches:
- Get to class. The U.S. Small Business Administration offers a free 30-minute online class in cybersecurity and 3- to 4-hour walk-in workshops in conjunction with the FBI and the National Institute of Standards and Technology.
- Make a plan. The Federal Communications Commission’s Small Business Cyber Planner lets you customize a guide for your company based on whether you have a physical plant, accept electronic payments, have a website, etc.
- Consult a cybersecurity consultant. Marketing intelligence firm Cybersecurity Ventures keeps a list of the top 500 firms. The U.S. Department of Homeland Security also has educational resources.
Set the ground rules
- Inform the troops. An uninformed employee is a hacker’s best friend, so make sure your employees know security is serious business and what part they play. Include cybersecurity policies in training materials and your on-boarding process.
- Protect the jewels. Secure what the National Cybersecurity Institute’s LeClair calls the “crown jewels” of your business: the critical documents, whether financial details or customer information, that would cause the most damage if compromised by hackers. They should be stored on a dedicated PC accessible only to the chief financial officer or chief accountant, minimizing exposure to malware that tracks keystrokes or leaves breadcrumbs that enable hacking.
Secure your staff
- Perform background checks. “The people piece of cybersecurity is a priority,” said LeClair. Thoroughly vet anyone who works with sensitive data or money, and pay attention to anyone who is acting strangely or going through a rough time.
- Keep employees educated. Hold regular staff meetings to discuss cybersecurity, including how to avoid phishing and other scams, and inform employees of security and protocol updates. Have employees set social media updates to “private.” (Additional tips from Nationwide.)
- Check out your vendors and bankers. Don’t assume the companies you do business with are as diligent as you are. Discuss cybersecurity with all of them, particularly banks, which are frequent targets.
Secure your network
- Enforce quarterly password updates. Employees should use the “12-4 rule”: Create passwords with at least 12 characters and 4 types of characters (at least one lower case letter, one upper case letter, one number and one special character).
- Save your screens. Have password-secured screen savers to secure computers if they’re inactive for a period or their users step away.
- Watch WiFi and mobile. Secure your WiFi networks with a regularly refreshed password, and prohibit use of public WiFi on company computers and phones. And no transferring of sensitive material while logged on from the airport or coffee shop.
Secure your systems and data
- Shore up your firewall. Even an active firewall has weaknesses, so make anti-virus software a requirement for all network computers. And since malware can be brought in via an external drive, consider a “no flash drives” policy.
- Build thicker walls, if you need them. Dealing with overseas suppliers, holding a lot of data, or running e-commerce? You may want to increase your protection with a next-generation firewall (NGFW) or unified threat management (UTM) device.
Insure yourself against the worst-case scenario, including:
- Restoring data and damaged tech. Depending on your backup system, replacing lost data can be expensive, and viruses can make your technology obsolete overnight.
- Litigation liability. If you’re hacked as the weak link in a supply chain, any partners or customers whose information you unwittingly exposed can sue.
- Reputation restoration. Restoring the confidence of customers is never easy, but insurance coverage can help defray those expenses.
For small businesses, insurance is a must, and it’s important to have a policy that covers the latest technological risks as well as conventional ones. Nationwide offers Cyber Liability Insurance as an available component of its small business packages—visit Nationwide’s small business insurance page for details.
“When it comes to hackers, every small business owner needs a game plan,” Berven said. “That’s why we created a site filled with solutions that can help companies protect their customers this holiday shopping season — and year round.”
For more facts, tips and resources on creating a cyber security plan, small business owners and their insurance agents can visit Nationwide’s cyber security website.