Article first appeared in ET Rise on 4 November, 2017.
The India Risk Survey 2017 report ranks 'Information & Cyber Insecurity' as the biggest risk facing Indian companies this year. Indian organizations, both public and private, have witnessed over 27,000 security threat incidents, from January 2017 till June 2017 alone. Phishing, scanning/probing, website intrusions and defacements, virus/malicious code, ransomware, Denial of Service attacks, and data breaches are some ways in which hackers attack business websites, which can cause operational disruptions and potentially steal sensitive information.
Small and medium businesses (SMBs) , unfortunately, have been seeing rising incidences of cybercrime.
Growing digitization of business assets and access to sensitive customer information, while driving rapid improvements in business, are also making them more vulnerable. Shops, clinics, community centers, and small manufacturers have all been attacked in the recent past. In fact, 70 percent of cyberattacks occur at organizations with lesser than 100 employees. Reports also say that half of the attacked small businesses close down within six months as a result of the loss of customer loyalty and reputation.
Forewarned is forearmed
In the words of Arne Josefsberg, Chief Information Officer of GoDaddy:
"Perhaps the most important thing is to treat security threats seriously and to proactively assess your security measures. Many companies do not take security seriously enough until something bad happens. It is generally a lot more expensive to clean up after a security breach, than addressing it proactively."
Cyber security is more than just about running additional antivirus software and building firewalls — it needs to become a state of mind for the business and be made a part of all business processes. Let's look at some must-have cyber security measures for SMBs:
Cyber hygiene
Basics still matter and are some of the best defenses against viruses, malware, and other online threats. Assess the assets that are most at risk data, servers, network and ensure that the systems are updated with the latest security software, web browser, and operating system. Implement firewall security and run antivirus software after each update.
Cyber security culture
Human vulnerabilities play as important a role as software loopholes. Mandate basic security practices and policies for all employees, such as 2factor authentication, internet use guidelines and create and enforce rules on handling and protecting sensitive data. Conduct frequent training to sensitize employees about opening suspicious emails, encrypting their data, using strong passwords on their devices, installing security apps, and limiting activity over public WiFi. Implement and enforce incident reporting to help ensure that even the smallest breach is reported to management as well as IT teams.
Business continuity plans
Ensure regular backup of all critical data whether stored inhouse or on the cloud. Run scheduled attack drills and stress tests to identify vulnerabilities and ensure that data restoration and business continuity are executed as planned.
Cyber insurance
After the recent WannaCry ransomware incidents, small businesses have learnt the potential harm and legal ramifications of an attack. Consider investing in cyber liability insurance to help cover liabilities arising from theft, loss of data, breach of security and privacy.
Vendor management
With many of a businesses' assets either being hosted or managed by external service providers be it your web hosting services or cloud hosting service working closely with your vendors on a comprehensive plan for risk mitigation is critical. Take the time to understand the vendors' security certifications, encryption measures, business continuity plans, emergency contact information, etc., to know exactly the level of risk your business is exposed to and how they protect your business assets.
Constant vigilance
Even as the boundaries of business assets blur with anytime, anywhere digital access, constant vigilance has to become the mantra of all entrepreneurs and small business owners. Cyber security needs to be brought out of the domain of 'IT' to make it a strategic focus area, right up there with the growth and development of the core business, to help ensure a long term stability of the business and its reputation.