The last few years have shown a steady rise in cybercrime and malware, and industry experts predict the trend will continue. Unfortunate as it is, cybercrime pays. Established cybercriminals are broadening their operations and new players are entering the market looking for a share of the profits. The threat landscape is broad, and it is difficult to keep up with every threat and vulnerability in existence. As a result, all businesses, and smaller companies in particular, should expect to become targets more often.
Below are four key areas where smaller businesses need to be diligent in their cyber security measures:
Policies & Practices
Many smaller companies do not have the luxury of dedicated IT staff or budget, much less a team focused on information security. Consequently, basic security practices are often overlooked or performed sporadically at best. Routine measures such as running anti-virus software, scheduling automatic updates, minimizing administrative access and enforcing secure password policies are prime examples. These controls are common practice in larger enterprises, but businesses of every size need to define and document them in order to protect their data, assets and people.
Planning & Preparedness
The industry is seeing ever-rising use of malware and ransomware. Ensuring that a business can maintain its operations during an attack, or in its aftermath, is crucial. According to Nationwide's 2015 Small Business Owner Study, 79% of smaller companies do not have a response plan in place.
An incident response plan should, at the very least, define the following:
- Overall goal of the plan
- Definition of an incident
- Lifecycle of an incident (Prepare, Detect, Analyze, Contain, Eradicate, Recover and Refine)
- Actions or steps that need to occur in each lifecycle phase
Businesses should also invest in an appropriate data backup solution so they can recover from ransomware, accidental deletion or other loss of data; backups should be tested regularly, and at least one copy should be kept offline or otherwise out of reach of an attacker who has compromised the network. Attention should be given to protecting employee and customer data through encryption and two-factor authentication for access to sensitive information.
Compliance & Regulation
Not every company is subject to regulation, but some must comply with one or more standards such as HIPAA, PCI DSS or Sarbanes-Oxley. Many owners believe compliance is not worth the cost and effort, or do not understand how to achieve it, and in the case of PCI non-compliance simply treat the monthly fee as a "cost of doing business." However, the costs are not limited to a monthly charge once customer credit card data is breached. Even a business that handles only a small number of card transactions faces additional fines, the expense of investigating how the breach happened and the loss of customer trust, so the cost/benefit calculation shifts drastically the moment a breach occurs.
Compliance solutions should not be overly complicated or burdensome. They should be proportionate to the volume and risk of the transactions that require compliance.
Awareness & Training
People are one of the most important components in securing a business from threats. No matter how good the security policies are, if staff are unaware of them or feel that security "is not their job," there will be a huge gap in any security plan.
All employees should be trained on company policies and should have a basic understanding of common avenues of attack and how cybercriminals infiltrate a system or network. They should be taught to recognize the signs of an attack and how to stay safe while using the company's assets and network. At a minimum, every employee should be able to explain the acceptable use of company assets and their own responsibility in helping to secure the company.
Cybercriminals have targeted small businesses and will continue to take aim at weak security controls. Small businesses therefore need to understand that they are most certainly a target and must remain diligent in securing themselves against cyber threats.