An employee of a small business with limited cyber attack awareness training receives an email from what looks like the accounting system. The email has the company logo and looks legit. It’s asking them to approve a purchase by clicking an approval link.
The employee clicks the link and unwittingly provides a malicious actor direct access to the company’s sensitive financial data.
Hazards to a company’s data are sometimes only a well-meaning employee’s error away. In fact, IBM reports that human error accounts for 95% of data breaches. But cybercrimes are only a problem for big businesses, right?
In fact, small businesses are three times more likely to be targeted by cybercriminals, according to a new report cited in Forbes. The reason? Bad actors are under the impression that small businesses don’t have the protections in place to defend against an attack.
With this in mind, the Federal Trade Commission has published a 24-page infographic that details small business cybersecurity best practices to reduce the risk of a cyber attack. We’ve compiled 3 key takeaways:
1. Mitigate Human Error
Scenario: An employee has clicked on a malicious link, and now their computer is frozen.
Ransomware criminals exploit people with innocent-seeming emails, which act as a gateway to freeze your network and hold your data hostage. If you’re attacked with ransomware, the FTC recommendations include:
- Disconnecting your computers
- Contacting the authorities
- Keeping your business running with a backup plan in place
- Not paying the ransom – there’s no guarantee you’ll get your data back
- Notifying your customers
2. Deploy Best Practices
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides standards for a variety of technical disciplines, including cybersecurity, that are designed to support the development of best practices to reduce cyber risks. According to the FTC, NIST CSF best practices to protect your business include the following:
√ Identify—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The FTC recommends making a list of the equipment, software, and data your business uses.
√ Protect—Your company should develop and implement appropriate safeguards to ensure delivery of critical infrastructure devices, such as controlling who logs onto your network, using security software to protect your data, and backing up data regularly. The FTC stresses the necessity of training your entire team about cybersecurity.
√ Detect—Your business can develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The FTC suggests monitoring computers for unauthorized access, checking for unauthorized users or connections, and investigating unusual activities on your network.
√ Respond—Develop and implement the appropriate actions to take when a cybersecurity event is detected. The FTC recommends notifying those whose data could be at risk, reporting the attack to law enforcement, updating your cybersecurity policy—and testing it regularly.
√ Recover—After a cybersecurity event has occurred, businesses should take the appropriate action to remedy the equipment and parts of the network that were affected, while keeping employees and customers informed of your response and recovery activities.
3. Proactively Prevent
NIST CSF helps businesses reduce their cybersecurity risk, according to the FTC. While the framework is voluntary, it offers your business an outline of best practices for your cybersecurity strategy. NIST CSF helps your business understand, manage, and reduce cybersecurity risks, including human error. It allows organizations to decide on their own risk-based implementations.
The implementation of a company’s cybersecurity policy should extend to anyone with access to sensitive data. Those employees should be authorized and trained before being given that responsibility, so that they can help prevent an attack and know how to mitigate the damage if one occurs.
How We Help
As an independent third-party cybersecurity and compliance firm, 360 Advanced helps you navigate your NIST CSF assessment from start to finish. We streamline the process for your entire team, allowing you to lower your overall cost of compliance and gain peace of mind. Our team’s unlimited support and guidance allows you to focus on what matters most—the health of your business.