In past articles, we’ve outlined tips for safe cloud storage, network firewalls, and curbing bad security habits. Each of those blogs touched on the dangers of a cyberattack, but let’s dive deeper into how to best protect your small business when a cyberattack happens.
Remember that this is a matter of when, not if. Etech Global reported that in 2017 cyberattacks cost companies, consumers, and governments around the world $600 billion. Last year, EMS Corporate reported on a CyberKeeper study that revealed that 67% of small to mid-size businesses experienced a cyberattack in 2018. They also estimated that $6 trillion would be spent globally on cybersecurity by 2021, which is just around the corner.
There is no better time than now to prepare for a cyberattack. Here are some actionable steps for you to take, broken down into two categories: technology and personnel.
Technology Preparation for a Cyberattack
1. Create a Security Response Plan
The best way to deal with a potential security risk is to consider all the possible outcomes of a cyberattack and create a response plan to mitigate those problems. You need to ask yourself tough, realistic questions.
Consider:
What signs or events should trigger your security response plan?
What person or team should be designated to own the response plan?
If just one person owns the plan, what is the chain of command if a cyberattack happens when that person is unavailable?
Who does that person or team notify first about the cyberattack?
What is the priority list for recovering business operations or systems?
Who is managing the communication channels and setting expectations for staff and clients?
How will the recovery process be carried out? (This will vary depending on the type of security breach.)
If you don’t have satisfactory answers to some or all of those questions, then your action plan needs to be focused on creating and documenting an appropriate security response for each scenario.
Just as a one-time security training won’t suffice for your staff, writing this plan once and forgetting about it until a breach happens won’t do. Updating and clarifying the security response plan should be part of your company’s annual review process.
2. Set up or reinforce your Firewall
Hopefully you already have a firewall in place. If not, getting that set up needs to be your top priority. If you have a firewall, do your research and see if you need updates, additions, or perhaps even a different system altogether. Using the best firewall you can afford is a worthy investment in your company’s cybersecurity.
3. Require multi-factor authentication for password-protected systems
Support your employees’ best practices by setting up multi-factor authentication. Yes, this gives them one more step when logging in, but that additional level of security makes it even more challenging for a hacker to access your systems. It is also a good visual reminder for your employees of the importance of cybersecurity. Multi-factor authentication is especially helpful for protecting your email security, but can be applied to other systems as well.
4. Perform regular data backups
If your small business operates on the cloud, then you are already benefiting from regular data backups. If not, consider switching to cloud-based applications, and at the very least ensure that your IT team is performing regular data backups.
5. Consider cyber insurance
Many small business owners assume that their business insurance covers cybersecurity breaches; however, many policies do not include this type of coverage. Check and see if yours does, and if not, consider purchasing cyber insurance for your company. This can protect your company from the negative financial consequences of cybercrime.
Prepping Your Personnel for a Cyberattack
You can implement the best security practices and pay for the most up to date firewalls and protections, but those efforts will unravel if you don’t put time and resources into providing regular security training for your staff. 80% of data breaches are a result of human error, so you can’t afford to skip these steps.
1. Good Onboarding
Create a simple cybersecurity training that you can use as part of your onboarding process for new employees. This doesn’t have to be overly complicated or time-consuming, but ensure that they know your expectations for cybersecurity best practices.
We recommend that this training includes at least: randomizing and regularly updating passwords, using a password manager, only connecting to secured wi-fi, immediately updating systems when notifications prompt them to do so, and logging out of each system after the tasks in that system are complete.
2. Ongoing training
Don’t expect your onboarding to be a one-and-done deal. Schedule regular updates or training sessions to inform your team of new steps and technologies that relate to cybersecurity. You can do this in a way that is informative, but not invasive or distracting from their daily roles. This can be as simple as linking a relevant article in your monthly staff newsletter, or as dedicated as a bi-annual all-staff training. Make cybersecurity training an expected part of your company culture.
3. Outgoing security measures
While many small businesses do have a good onboarding process as mentioned above, how many review the steps in place to ensure that security measures are maintained after an employee leaves their job? Having security measures in place for outgoing employees is even more important, in my opinion, than your onboarding process. (Though of course it is recommended that you have both!)
You all know I love story time, so here’s a good one. In a former role I managed a staff of students that worked for the fundraising division of a university. Within that staff was a smaller group of student supervisors who had access to a shared email account that I managed. After my first group of student supervisors graduated, one of them logged back into the supervisor email account and messaged the group something to the effect of “guess you haven’t changed the password yet, lol.”
Cheeky? Yes. But it brought the point home and reminded me that it was my responsibility to update all email and system passwords after students graduated. I got lucky in that my student only logged in out of curiosity and let the supervisor team know right away. But there are countless instances where an employee leaves a position with ill will and uses their security access to harm the organization.
Whether your employee is leaving on good or bad terms, you need to have steps in place to ensure that any systems they used are no longer accessible to them after their last day.
Preparing your employees and stepping up your cybersecurity against attacks can be challenging. Tech Masters can guide you through those processes with ease.