I have limited time and budget; how do I get started?
By Tim Marlin
The Internet has been a huge boon for business in recent years, helping companies of all kinds reach unprecedented levels of productivity, profitability and visibility. Yet, along with the Internet’s many benefits comes the real and growing threat of cyber attacks that can put a business’s revenue, reputation and customers in peril.
Cyber security is a concern for businesses of all sizes, but small and midsize businesses (SMBs) are particularly vulnerable. SMBs were the victims of 60 percent of all cyber attacks in 2014, according to Symantec’s 2015 Internet Security Threat Report, and that trend is expected to continue.1
This may surprise SMBs who believe hackers wouldn’t waste their time on a business their size, but cyber criminals can now launch automated attacks upon thousands of businesses at once and profit from economies of scale. SMBs make easy targets because they often lack the robust security that can keep hackers at bay. This not only puts the SMB’s information assets at risk, it can provide an electronic gateway into the networks of larger companies with which the SMB does business.
SMBs may not fully appreciate their Internet risk exposure, nor have the time, money or expertise to invest in the sophisticated technologies and internal programs that their big business counterparts are able to afford. But there are steps SMBs can take to improve security and mitigate their potential financial loss even with a limited budget. These three controls are a good place to start.
1. Build a Security-aware Organization
Cyber security isn’t just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures that are sanctioned by the business owner or a team of senior managers, conveys to employees the importance of information security and the need for their collective effort to protect the company’s assets.
Security-aware organizations have the following key components in place:
A written information security plan that identifies the organization’s security policies, goals and priorities. At a minimum, set forth policies for network security; use of company email, social media, instant messaging and the Internet in general; the handling of proprietary company information; and activities that are prohibited on company-owned devices, networks and other resources.
Many state regulators request written information security plans when investigating organizations that have experienced a security breach. Having a plan in place not only establishes internal policy for employees, it can also demonstrate to regulators and customers that security is a priority for the organization.
An inventory of the business’s core assets and sensitive data, where it is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.
Access control. Limit access to computers, company networks and confidential data based on an employee’s need to know.
Employee training programs. Workplace security depends upon a workforce that is trained in company protocol, alert to the signs of a potential breach and knows how to respond. Training on basic security practices and policies is essential. Phishing awareness exercises can further help employees recognize and avoid email, websites and phone calls that are designed to infiltrate company systems or steal personal information.
2. Establish Security Safeguards
The following baseline measures are recommended to help safeguard SMBs’ sensitive data from unauthorized access and use:
A security breach is a near certainty for businesses today – more a matter of when, not if, one will occur. For SMBs, preparedness is key to surviving the fallout.
An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. All SMBs should prepare an IRP that includes the following components:
Identification of an incident response team that includes, at minimum, security staff who are system-savvy and a manager authorized to make decisions on behalf of the business
Clear delineation of possible incidents (such as unauthorized access or malicious code) and how to identify and contain them based on the business impact (confidential customer data vs. intellectual property)
Procedures for eradicating the root cause of the attack and all traces of malicious code, restoring data and software, and monitoring systems for any remaining signs of weakness
Always work with your insurance carrier to ensure that any procedural requirements for coverage are integrated into your final plan.
Find an Insurance Carrier that Provides More than Just Coverage
Having appropriate cyber insurance coverage is just as important as having best practice-based policies and procedures in place. Partnering with the right insurance carrier can help SMBs proactively improve their cyber security posture and reduce financial losses. Experienced carriers like The Hartford provide full breach risk management solutions to help SMBs prevail in the face of an inevitable security event.
Publicly Available Resources
These resources provide in-depth information that can help SMBs develop cyber security policies, plans and procedures to keep their business safe:
About the Author
Tim Marlin is head of cyber underwriting for The Hartford. He has over 15 years of experience in cyber, technology errors and omissions, professional, and management liability insurance. Tim can be reached at firstname.lastname@example.org
1 2015 Internet Security Threat Report, Volume 20, http://www.symantec.com/security_response/publications/threatreport.jsp
Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds.
The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries. ©2016 The Hartford Financial Services Group, Inc. All rights reserved.