Monday, January 4, 2016

4 Steps the SMB can take to improve Cyber Security


So what exactly can SMBs do to minimize the chances of becoming a victim of cyber crime?

My recommendations are incredibly simple, but highly effective.  This is the beauty of this message.  It boils down to awareness, education, cyber monitoring and damage control.  

Awareness - small organizations are focused on building their business, not fighting invisible threats.  A range of actions can be taken by business owners to stay informed about the current threat landscape and relevant risks to their industry.  Cyber risk assessments, self-served or partner-led, are available and affordable for the SMB now.  This is one of the first steps the SMB can take to begin the process of understanding what is at risk.  The important point to take away from this is to stay plugged in to the basics and remain diligent.

Education - as a small organization becomes successful, it adds employees.  It is critical to educate all staff on the full range of physical and cyber security risks on a continual basis.  This is not a discussion held on the first day of employment and never thought of again.  The blurred lines between personal and business use of technology assets (e.g., smartphones, tablets, laptops) place the organization at significant risk, ranging from malware to targeted phishing exploits.  A regular education process is critical to help employees understand the proper actions and behaviors.

Cyber Monitoring - monitoring for active and real-time threats in a smaller organization isn't likely one of the first things that an entrepreneur or business owner thinks about in the morning.  The good news is that they don't have to, because there are credible cybersecurity firms that do this for them at an incredibly affordable price.  Having visibility at the network layer for malicious activity is the first step to long-term success in a smaller organization.  Think of this as the safety net when employees are lured into malicious attacks, or as a means to reveal the activities happening inside the network that no one can see.  There is plenty of verifiable data to confirm the inability of a smaller organization to recover from a serious cyber incident.  Monitoring for malicious activity on a continual basis is something that a small organization could never effectively do on its own.

Damage Control - small organizations should have a cyber breach recovery plan. Even if it is as simple as having identified the proper authorities to contact and a local firm to provide guidance through the process, it is important to plan ahead.  

Questions, comments, thoughts? Email me at jncsousa@outlook.com
