How to Create a Small Business Cyber Security Plan

November 25, 2020 •

An amazing entrepreneurial spirit is what drives small businesses. Small business is all about agility, innovation, service, and continuous improvement while managing risks efficiently. But do you or any of your employees have experience in cybersecurity risk?

Your business likely connects to the internet for one reason or another, and even if you don’t store customer data you probably take credit card payments. This makes your business vulnerable to cyber attacks.

A few statistics from Fundera:

The stats are alarming. You can help keep your business and your customers safe with cybersecurity plan. If you pair it with cyber liability insurance your company receives an A+ in cybersecurity protection.

Are you concerned that you are not technology-savvy? Don’t worry, if you know how to browse the internet and check your email, that’s enough to put a basic cybersecurity plan in place for your business! So what threats should you actually be worried about?

Common Cyber Threats to Small and Medium-Sized Businesses

Common types of cyber-attacks include phishing, malware, social engineering, ransomware and web-based attacks.

Malware: The term malware stands for malicious software. These can be different types of viruses intentionally created to damage computers and software applications so that data can be stolen and misused. Data stolen can be your financial data or passwords and other sensitive data.

Phishing (a form of social engineering): In a phishing cyber attack, an email with a link or attachment may be used. The specialty of phishing emails is they appear to be sent from legitimate organizations and will tempt the user to act. Once you download and click the attachment or click the link, malware may infect your computer network and systems.

Ransomware: In this scenario, the malware will infect your systems and prevent access until a specified ransom amount is paid. The route for infecting systems with ransomware is phishing emails and software vulnerabilities.

How are Cyber-attacks facilitated?

We unknowingly risk cyber security in so many ways throughout the workday. Here are just a few ways you may be vulnerable.

  • Unsecured devices like laptops, mobile, or access from personal devices: Many devices may not have secure access credentials, or as is common in the current environment with so many working remotely, your staff may access official files from their personal laptops at home. These devices may not have secure access and can get compromised.
  • Weak and stolen credentials: Stolen passwords are one of the most common causes of data breaches. Either passwords have been easily guessable or they may have been simple and common that got cracked by hackers using a program.
  • Application vulnerabilities: The software applications you use may not be updated with the latest security patches or have some vulnerabilities which can be used by hackers to infect your systems with malware.
  • Malicious internal staff: Internal staff in an organization may leak information for financial gain, may be disgruntled at work or left the organization on poor terms, taking with them valuable data and company information.
  • An error by an employee or vendor: We all make mistakes. Employees may be careless by sending an email to the wrong address or leaving access credentials out in the open around. They might also fall prey to a social engineering scheme.

Creating a Small Business Cybersecurity plan

Follow these simple steps to implement a comprehensive plan for protection.

Specify the Objectives of Your Cybersecurity Plan

Some objectives may include:

  1. Protecting sensitive business data and intellectual property.
  2. Meeting regulatory obligations.
  3. Following HIPAA regulations if you are a covered entity.
  4. Ensuring clients and partners that you treat the security of their data with the utmost importance.

Identify a Team for Security

Who is responsible for executing the plan and ensuring it is up to date? It’s a good idea to allocate security responsibility tasks to a few organization members. It might make most sense for the majority of these duties to belong to IT, but you may want to put together a security team with a few people from various departments for diverse perspectives. And for many businesses that don’t have an IT department, a diverse team will help spread the responsibilities and awareness throughout the company.

Assessing Your Business Risk

Once you understand your risk of a cyber-attack you can identify areas where improvement can be made. We have a free cyber risk assessment tool for small businesses to help with this audit step. It can quantify, benchmark, and mitigate the financial impact of a cyber-attack on your business.

A cybersecurity risk assessment can identify vulnerable points and help you to create a plan of action. This includes training your users, securing email platforms, and advice on protecting your organization’s information assets.

Identify Digital Assets

You’ll want to list all digital assets that need protection. These may include financial records, emails, client data, marketing documents, staff information, project plans, contracts, and any other important information.

Map Assets to Risk

Once you have identified your digital assets, map them against risks. Examples include:

  • Physical Risks – natural disasters that can effect your location or server; crime – such as vandalism or a break-in; accidental damage to phones or laptops by dropping and breaking or liquid damage
  • Employee negligence or employee misconduct
  • Technical failure of software or systems
  • Loopholes or weaknesses in company procedures that open the door to misconduct or negligence

Now that you have identified the risks facing each type of data we can address each risk with an airtight security plan.

Establish Security Policies

Security policies will ensure that your organization staff is aware of policies related to using and storing business data.

  • Data Security Policy: This should specify usage, storage of sensitive information safely and providing access only to authorized individuals.
  • Password Policy: Password policy should ensure a complex password is set with minimum length and a combination of uppercase, lowercase, special characters, and numeric- with a policy to change all passwords every 3 or 6 months.
  • Data Classification Policy: Data assets should be classified according to their access level, encryption requirements, sensitivity level, or other security-oriented categories.

Educate and Train Your Employees

There should be security training organized for your employees so they are aware of the latest cybersecurity threats and official security policies. A refresher course should be held every 6 months as well. Instruct employees to send all questionable emails to IT or company leaders for inspection. This helps create awareness of how often they come along. Software is available to test your employees with social engineering and phishing scams.

Monitor Official User Activities

Tracking events and system access logs help to identify suspicious activity and proactively prevent intrusions.

Secure Your Infrastructure with the Right Tools

Implementing the following tools will give your network and systems adequate protection:

  • Firewalls: These can be used as an initial line of defense on the network and applications.
  • Anti-malware software: These solutions will scan, identify, and eliminate malware.
  • Encryption solutions: These help to encrypt devices, email, and data.
  • Backup and recovery software: Keeping a backup ensures business continuity and you can be assured of your data availability.
  • IT audit solutions: These help in identifying threats, patterns, and access activities. It helps in understanding the current status of your infrastructure and risks.

These basic measures help in reducing the possibility of a cyber-attack on your business. However, cybercrimes are still possible, and hackers get better every year. We recommend pairing your security plan with a tailored cyber liability insurance policy for additional peace of mind.

Learn more about our cyber liability insurance coverage.

Get an instant quote using our quick and simple online cyber liability application.

Don’t forget to gauge your company’s risk by taking our free cyber risk assessment.