Three Simple, Effective and Inescapable Security Steps Every Business Must Take
Technology security is very much mainstream. Even 2 years ago, many companies we met with were still vaguely confident that the issue was more relevant to Enterprises than them. If you are still of this mind, please trust us when we tell you that a breach or IT security event WILL happen to your business! The only thing you can control is how well you fortify against it and how you react to it. And the costs of a breach are not necessarily correlated to an organizations size. In other words, the effect on a small business is likely much more significant long term than on an Enterprise. A recent survey found that roughly 60% of small businesses will close within six months of a security breach.
Small businesses also have more significant constraints with time and money than Enterprises, so how does one take common sense steps to decrease the likelihood and improve the outcomes of a breach?
Write your policy down
We are amazed at how few businesses have any IT policy to speak of, let alone a sophisticated one! What good are some words written on a piece of paper that get comingled with 50 other HR docs? More than you might think.
In the event of a breach, it is imperative that you can sift through the noise. Who, what, where, when, why and how. In order to begin sifting you have to have a common understanding of what is and isn’t acceptable for your organization. Where is you data supposed to be stored and where is it not supposed to be stored (can people store company data on their personal DropBox account or only the company server, who has access to what and why, what are you allowed to do with the data (edit, publish, share with external parties, etc.) and who has the authority to make decisions about it when questions come up?
Additionally, what happens when there is an event. Who reports it, who writes it down and tracks it, who communicates with your clients, your board, your internal stakeholders. New research suggests that because our lives are rapidly becoming more digitized, the cost of data breaches will increase to $2.1 trillion by 2019 and the majority of these breaches will come from existing IT. Coming back to the question, “What good are some words written on a piece of paper and comingled….”
The real question is what happens when you have an IT security event and there is nothing written down. A client or your board asks you “how did this happen, what policies or systems did you have in place to prevent this?” Having a clear policy in writing becomes VERY important.
Talk about it
Simple advice: Discuss IT security with your team once a quarter, even if just for 10 minutes to review a paragraph of your policy. Make it clear it is important and make it clear that there will not be any retaliation if a staff member makes a security mistake. The worst thing is to have your staff fearful or raising their hand, and consequently leave a security concern unreported.
As an example, one of the most common security threats in this day and age is spear phishing. More than half of our clients have had a spear phishing attempt show up in their inbox. For more information on what spear phishing is click here. Spear phishing is a social engineering attack, whereby the perpetrators trick the client into wiring them money.
The only accounts we are aware of inside or outside our guise who have had issues or close calls with spear phishing are those that have failed to discuss the threat with their employees and remind them to be on high alert. One or two simple mentions of this threat could save your business thousands of dollars.
The larger your organization, the more likely it is that people won’t pay attention when you talk about IT security, so make repetition your strategy. By ingraining it into your meetings, even just 3-4 times a year, you will significantly increase the likelihood that your employees will have the awareness they need to make good common sense decisions.
If you have any concerns about security at your company, or do not feel confident enough with your knowledge of security to discuss it with your team, please reach out to us at Upward Technology.