By Dr. Kevin Harris
Program Director, Cybersecurity, Information Systems Security and Information Technology, American Military University
Cybersecurity breaches impacting multinational corporations have become increasingly common in today’s digital age. These breaches can have significant consequences for large corporations, such as fines, lawsuits and devastating damages to brands.
Unfortunately for small businesses, the reality is that one cybersecurity breach could be insurmountable, leading to closure with an impact far greater than that of a large corporation. Entrepreneurs and small businesses alike must take steps to protect their digital assets if they wish to remain in business.
Cybersecurity Awareness Training Should Be Mandatory
The heavy demands of running a business make it easy to neglect skills that are not directly related to the organization's products or services, cybersecurity among them. Regardless of the size of a business, participation in cybersecurity awareness training should be mandated multiple times a year.
It is critical that organizations with limited on-site technical personnel stay current on rapidly emerging cyber threats. Various forms of cybersecurity awareness programs, both online and in person, exist and allow organizations to deploy a solution appropriate for their needs and environment. Regardless of the number of employees or the resources available to an organization, cybersecurity awareness training must be incorporated.
Implementing Cybersecurity in an Organization
Large organizations employ a wide range of hardware and software solutions to mitigate the impacts of cyberattacks. But small to mid-size organizations would be remiss in not implementing a baseline of strategies, even if there is only one employee in the company.
Virtual Private Networks (VPNs) are a must for individuals who access the internet from multiple locations. While the prevalence of Wi-Fi enables individuals to work from almost anywhere, data transmitted over Wi-Fi has a high likelihood of being intercepted by threat actors unless a VPN encrypts the traffic before it is transmitted.
The utilization of devices is another area of concern for smaller businesses for multiple reasons. For example, the lines are often blurred when employees work remotely, which in turn creates the temptation to use one computer for both personal and business needs.
In reality, using one computer for both purposes should be avoided for many practical and security reasons. A machine should be dedicated specifically to business needs, and efforts should be made to avoid accessing client information on a personal device.
Additionally, family members should not be allowed to access a business computer for personal tasks such as watching movies, checking email or accessing the internet. This practice will reduce the chances of introducing malware to a business computer.
Mobile phones are other devices that store sensitive information and should be managed accordingly. Good security practices include ensuring antivirus software is up to date and utilizing screen locks.
Confirming that software, including operating systems and security suites, is updated regularly is often the responsibility of the device user when IT support is limited. The device's user should thoroughly understand the significance of this role.
Creating Robust Security Policies
To ensure best practices are not overlooked and to assign priorities, robust cybersecurity policies should be implemented throughout the organization to reflect the need for effective cyber hygiene. Password policies should guide users on best practices for password creation and state when documents with sensitive information are required to have password protections enabled.
Similarly, policies that direct users to utilize multi-factor authentication when available greatly reduce the likelihood of an authentication breach. External cybersecurity reviews or audits provide organizations with an outside analysis of risks and recommendations for mitigation. Cybersecurity review policies should also indicate the type of analysis required and the frequency of when external audits should occur.
Recovery after a Security Breach
In the event an organization experiences a breach, it is important that proper processes were implemented to limit negative consequences. Purchasing cybersecurity insurance is one prudent step organizations should take to limit losses. Ensuring that data is appropriately backed up at regular intervals also allows data to be recovered in the event of ransomware or other breaches.
In addition, organizations must decide how often to back up their systems in order to minimize disruption when a restore is needed. Data destruction practices should be implemented to define the process for securely deleting digital information that is outdated or no longer needed. Failing to adhere to comprehensive data destruction practices provides hackers with additional attack vectors.
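The two backup decisions above, how often to take a backup and whether a backup can actually be restored, can be checked mechanically. The following is an added example, not code from the article or from American Military University; it assumes a hypothetical maximum backup age (24 hours) as the policy and uses constructed in-memory records in place of real archive files. It shows why age alone is not enough: a backup whose contents no longer match the hash recorded when it was taken is excluded, so the effective recovery point moves back to the newest backup that is still intact.

```python
"""Backup freshness and integrity check (constructed example, not the article's code)."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like what a backup job might log after each run.
# "payload" stands in for the archive contents; a real check would read the file
# from the backup location and hash it the same way.
SAMPLE_BACKUPS = [
    {"name": "clients-2024-05-01.tar", "taken_at": "2024-05-01T02:00:00+00:00",
     "payload": b"client records v1",
     "sha256": hashlib.sha256(b"client records v1").hexdigest()},
    {"name": "clients-2024-05-02.tar", "taken_at": "2024-05-02T02:00:00+00:00",
     "payload": b"client records v2",
     "sha256": hashlib.sha256(b"client records v2").hexdigest()},
    # Newest record, but its payload no longer matches the hash recorded at backup
    # time (constructed to stand in for a damaged or tampered archive).
    {"name": "clients-2024-05-03.tar", "taken_at": "2024-05-03T02:00:00+00:00",
     "payload": b"client records v3 (damaged)",
     "sha256": hashlib.sha256(b"client records v3").hexdigest()},
]


def verify_integrity(record):
    """Return True when a fresh hash of the payload matches the stored hash."""
    return hashlib.sha256(record["payload"]).hexdigest() == record["sha256"]


def check_backup_policy(records, now, max_age_hours):
    """Evaluate backups against a maximum-age policy (hypothetical recovery point).

    Only backups that pass the integrity check count. Returns the newest intact
    backup, its age in hours, whether that age is within policy, and the names
    of records that failed the integrity check.
    """
    intact = [r for r in records if verify_integrity(r)]
    corrupted = [r["name"] for r in records if not verify_integrity(r)]
    if not intact:
        return {"newest_intact": None, "age_hours": None,
                "within_policy": False, "corrupted": corrupted}
    newest = max(intact, key=lambda r: datetime.fromisoformat(r["taken_at"]))
    age = now - datetime.fromisoformat(newest["taken_at"])
    return {"newest_intact": newest["name"],
            "age_hours": age.total_seconds() / 3600,
            "within_policy": age <= timedelta(hours=max_age_hours),
            "corrupted": corrupted}


def example_report(max_age_hours=24):
    """Run the check over the constructed records at a fixed point in time."""
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    return check_backup_policy(SAMPLE_BACKUPS, now, max_age_hours)


if __name__ == "__main__":
    report = example_report()
    print("Newest intact backup:", report["newest_intact"])
    print("Age in hours:", report["age_hours"])
    print("Within policy:", report["within_policy"])
    print("Failed integrity check:", report["corrupted"])
```

With the constructed data the newest backup is rejected, the newest intact backup is 34 hours old, and a 24-hour policy is therefore violated even though a backup ran this morning. Running the same check on a schedule and alerting when `within_policy` is false turns the article's "appropriately backed up at regular intervals" into something that is actually measured.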
Overall, ensuring a robust cybersecurity infrastructure is in place is imperative in today's digital world. Without appropriate protection, small to medium-sized businesses remain potentially one breach away from closure.
Naturally, cybersecurity may not be an internal skillset that employees possess. However, there are multiple support options available: awareness programs, security reviews and technical implementations.
Also, don’t forget to reach out to your insurance carrier for cybersecurity policies. Take the steps to avoid becoming a statistic; it’s not a matter of if you were prepared but how well you were prepared when a cybersecurity breach occurs.
About the Author
Dr. Kevin Harris is the Program Director for Cybersecurity, Information Systems Security and Information Technology at American Military University. With over 25 years of industry experience, Dr. Harris protected a variety of organizational infrastructure and data in positions ranging from systems analyst to chief information officer. His career encompasses diverse experiences both in information technology and academia. His research and passion are in the areas of cybersecurity, bridging the digital divide, and increasing diversity in the tech community. As an academic leader, he instructed students at various types of institutions including community colleges, HBCUs, public, private, graduate, and undergraduate, as well as online. Dr. Harris trained faculty from multiple institutions in the area of cybersecurity as part of an NSF multistate CSEC grant.