As recruiters, our client records are full of sensitive information. This makes us sit up and listen every time we hear about another phishing scam or cyber attack.
That led us to talk with Ted Ipsen of Positroniq LLC, a cybersecurity expert with more than 20 years of experience.
As a small business, we asked him how much we need to worry. Isn’t cybersecurity mainly a concern for mega companies? Ipsen says businesses of all sizes need to pay attention to data protection.
Small and mid-sized companies are especially at risk because they usually don’t have full-time security professionals on staff.
A small company may not think of itself as an ideal target for cyber criminals. But hackers aren’t breaking into huge companies one at a time.
“Many times, attackers use automated tools to scan huge swaths of the Internet for vulnerable machines and network services, and then exploit them automatically.”
And cybercrimes are growing more and more sophisticated every year.
The underground system has undergone “a sort of industrial revolution,” he says. “Attackers specialize in one particular phase of the attack chain and sell their services for a piece of the action.”
One attacker identifies a system vulnerability. Another writes the code to exploit it. Yet another acts as a distributor.
This makes cybercrime even tougher to combat. As a result, security requirements are tightening everywhere for small vendors and collaborators. Big companies now have detailed security requirements for potential vendors.
New government regulations create even more pressure. Want to construct buildings for the Department of Defense? Your company now has to meet a specific security standard to ensure you’re protecting unclassified data and may be subject to a security audit.
How can you navigate all of this?
“Be proactive and implement at least basic security practices and programs,” says Ipsen.
Security professionals help companies develop protocols and put customized systems in place that will minimize risk and help them recover in case of an attack.
All companies can start developing a data protection plan and demonstrate “security maturity” by following the National Institute of Standards and Technology (NIST) cybersecurity framework:
What information do you need to protect, including information connected with your supply chains, vendors, and potential vendors? Where is data stored and what are the potential risks within those systems? Are you sure you know where all your data is?
Ipsen points out that it’s common for employees to copy sensitive data into spreadsheets or other files that are stored in insecure locations, such as a workstation or network share. Over time, these unofficial copies of data get scattered across the network or travel to unsecured networks on laptops. When you’re taking stock of your data, make sure you know all of its locations, not just the official systems of record.
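One practical way to find those stray copies is a simple content scan of a file share. The script below is an added example, not from the original article or from Positroniq; it builds a small constructed "share" with one stray payroll export and one harmless note, then walks it looking for SSN-shaped values and Luhn-valid card numbers. The file extensions and patterns are assumptions to be tuned to your own data classification.

```python
import os
import re
import tempfile

# Patterns for values that tend to leak into ad hoc spreadsheets.
# Constructed for this example; extend to match your own classification scheme.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
SCAN_EXTS = {".csv", ".tsv", ".txt"}  # plain-text exports; assumed for this example


def luhn_ok(digits):
    """Luhn checksum: filters out 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_tree(root):
    """Walk root and return {path: {pattern_name: hit_count}} for files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip, but a real job would log it
            hits = {"ssn": len(PATTERNS["ssn"].findall(text))}
            cards = PATTERNS["card"].findall(text)
            hits["card"] = sum(1 for c in cards if luhn_ok(re.sub(r"\D", "", c)))
            hits = {k: v for k, v in hits.items() if v}
            if hits:
                findings[path] = hits
    return findings


def build_sample_share():
    """Constructed 'network share': one stray export with sample values, one clean file."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance", "old"))
    with open(os.path.join(root, "finance", "old", "payroll_copy.csv"), "w") as fh:
        fh.write("name,ssn,card\nA. Example,123-45-6789,4111 1111 1111 1111\n")
        fh.write("B. Example,987-65-4321,\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting agenda, nothing sensitive here\n")
    return root
```

Run `scan_tree(build_sample_share())` to see the stray export reported; the real value comes from pointing `scan_tree` at the shares and laptop home directories you believe hold no sensitive data.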
Restrict access to data by classifying data and limiting employee access. Good password practices are essential. Help combat password fatigue—using the same password for everything—by setting up limited-life passwords, or management-only password access, or using password management software.
Classify data into “public,” “sensitive,” and “restricted” categories and set up protocols for each. Ask, for each data category, who needs access and why and only give access to those who need it to perform their jobs. Limit, for instance, employee access to sensitive financial records.
Use encryption technologies to protect in-transit data—information that’s being transmitted or received across networks—and to secure at-rest data—information that’s in a file or database.
Finally, and perhaps most importantly, invest in security awareness training for staff so they can spot techniques used by hackers to trick employees into sharing information.
Sometimes organizations don’t realize they’ve suffered a data breach because they’re relying solely on technology to detect problems, or because they don’t have the expertise to spot the ways that data may have been compromised. Make sure that an information security expert, whether a contractor or an in-house employee, is periodically reviewing your systems to confirm they’re up to date and functioning properly and to identify potential problems.
Be prepared with a plan you can deploy effectively and rapidly, in case you experience an attack or data breach. Create a playbook that includes a detailed communications plan. Decide ahead of time how you’ll contain the incident and mitigate vulnerabilities so it doesn’t happen again.
A business continuity plan will help make your company more resilient by allowing you to continue operations even as you’re in disaster recovery mode. If you store data in an off-site temporary location and have a trustworthy backup plan, you can continue working off yesterday’s backups, even if a third party is holding your data hostage.
Managing your company’s cybersecurity is a huge job. But being aware of the risk and investing time in developing a proactive plan will help keep your data safe and minimize damage. It will also assure partner companies that their sensitive information will be protected if they work with you. And if other companies know their data is safe with you, it will make you more attractive as a vendor.
“The internet is just a world passing notes around a classroom.”
― Jon Stewart