This article first appeared on Forbes.com on June 2, 2022. Dylan Natter is the CEO and founder of centrexIT, a San Diego-based Managed Service Provider devoted to industry-leading standards of professionalism and care.
We all know cybersecurity is a serious threat, so I won’t bore you with statistics you’ve heard a thousand times. But consider this: Studies indicate the cybercrime industry is more profitable than the worldwide illegal drug trade. Cyberattacks will continue and are only going to increase, especially with global conflict and political unrest on the rise. Bad actors leverage technology to automate attacks. They don’t care who you are, so small to midsize businesses (SMBs) are not immune.
From my perspective as CEO of centrexIT, a San Diego-based IT provider, every SMB today needs to understand how to prioritize data security and mitigate risks. It is 100% the responsibility of business leaders to ensure the success of their companies—and data is the keystone to business success. It’s dangerous to assume that IT alone is doing everything that needs to be done. Proactive action must be taken by company leadership to avoid a cybersecurity disaster.
My team has worked with clients in many industries to analyze risk and develop secure systems. The fact that data security is complicated, which it is, is no excuse for it not to be an executive’s top priority. Every leader can follow these three tangible steps to protect their business.
1. Identify and document your most important systems.
What kind of data does your business have and where is it stored? Make a list of your top systems—the ones that, if compromised, would put you out of business.
When a system is compromised, the effect can be roughly categorized in one of two ways: business-critical or inconvenient. Don’t worry about the “inconvenient” category for now. Identify all of the business-critical data and document the following details:
- Where is it stored?
- What kind of data is it?
- What is the value in the data?
- Who has access to it?
- Do you need it to run daily aspects of your business?
- Does it have explicit security impacts, like financial records and account information, Social Security numbers or other customer or employee personal data?
- What would happen if your competitor gained access to your intellectual property?
2. Do a business impact analysis.
How long can your business operate without your critical data? Planning for the worst will inform how comprehensive your IT security posture should be. There are many security issues to consider, some of which include the deletion or manipulation of data, ransomware, socially engineered attacks, email hijackings and dormancy attacks.
First, consider the risk or impact to your business if a data system failed and some—or all—of that data was gone. How would your business recover if vital data was lost through an accident or technical failure?
Next, imagine a system being compromised and in the hands of cybercriminals. If bad actors got access to your data, how bad would it be? In this case, not only is the data potentially gone but it could be used against you, your employees or customers. It could also be held for ransom or used to steal directly from your company. What’s even scarier is that this can all happen without you even knowing it.
3. Secure and back up your systems appropriately, based on your analysis.
Once you’ve assessed your most critical areas, focus on these three things for business continuity:
- Data backups to prevent data loss in case of an accident or breach.
- Securing data access.
- Having a plan when things go wrong.
First, your critical data must be recoverable for the business to continue. Period. The end. We use the “trust but verify” method. We trust our backups are working, but periodically perform a restore to verify the integrity of our data.
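One way to carry out the restore test described above, as an added example that is not centrexIT's code or tooling: it backs up a constructed sample folder together with a SHA-256 manifest, restores the archive into a scratch directory and reports any file that is missing or does not match its recorded hash, which is the check that turns "we trust our backups" into "we verified them". The folder layout, file names and file contents are constructed for the example.

```python
import hashlib
import os
import tempfile
import zipfile

def sha256_of(path):
    h = hashlib.sha256()  # stream the file so large backups do not load into memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Zip src_dir and return a manifest {relative path: sha256} taken at backup time."""
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_of(full)
                zf.write(full, arcname=rel)
    return manifest

def verify_restore(archive_path, manifest):
    """Restore into a scratch directory (never over live data); return a list of problems."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with zipfile.ZipFile(archive_path) as zf:
            zf.extractall(restore_dir)
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems  # empty list means every critical file came back intact

def demo():
    """Back up constructed sample data, then verify it against a good and a bad manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "critical")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "customers.txt"), "w") as f:
            f.write("constructed sample customer list\n")
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2022-06-01,1200.00\n")
        archive = os.path.join(work, "backup.zip")
        manifest = make_backup(src, archive)
        # a wrong recorded hash and a file the archive never held: both must be reported
        tampered = {**manifest, "customers.txt": "0" * 64, "finance/payroll.csv": "0" * 64}
        return verify_restore(archive, manifest), verify_restore(archive, tampered)
```

Run `demo()` on a schedule against the real archive and manifest and treat any non-empty result as an incident, not a log line.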
Second, you have to protect your data from bad actors on the internet who could steal and use it for any number of purposes. What safeguards are in place to ensure that the people who are accessing the data are the right ones?
And finally, you need to have a tested plan to follow when something happens because getting hacked is not a matter of if, it’s a matter of when. You need to ask the right questions, such as:
- What are the steps we take when a disaster is declared?
- How will we communicate if our primary communication methods are compromised?
- What are the key roles or personnel required to identify, manage and remediate the disaster?
- Do we have all the information necessary to safely progress to the recovery stage?
Keep it simple and prioritize insurance requirements.
Follow the security requirements specified by your insurance provider. The last few years have been extremely expensive for insurance providers, and if you don’t follow the parameters defined within your insurance policy, they won’t pay your claim. Here are a few common things an insurance carrier will ask for:
- Make sure all software and operating systems are up to date with the latest versions to address vulnerabilities.
- Requiring employees to use a multistep process for logging in to systems can significantly reduce unauthorized access. Multifactor authentication (MFA) is one of the top recommendations from the Cybersecurity & Infrastructure Security Agency for any critical system.
- EDR, or endpoint detection and response, is like antivirus software on steroids. Protection is achieved by continuously monitoring endpoints, analyzing the data and sending out rule-based automated responses when anomalies occur.
In my experience, when a business is resistant to adding security, they’re often concerned about the inconveniences to their team. But leaders shouldn’t let minor inconveniences stand in the way of business continuity. While something like MFA can add a few moments to the login process, it’s a small sacrifice compared to the alternative: going out of business. Know your systems. Before deciding your security is sufficient for your future, make sure you always ask, “How bad could it be?”