Wednesday, April 12, 2017

Small Business Cybersecurity: The People Connection

Data from 2015 shows that 20% of U.S. businesses hacked are small with less than 250 employees. 60% of those fail after the attack. For small and medium-sized businesses, the average cost of a data breach is $21,000.

In 2016 an accountant was hacked and financial information and social security numbers from accounts were stolen. By the time the breach was discovered, a false return had been filed with the IRS in my family's name.

Cyber criminals or hackers use stolen information to obtain money. Sometimes they use the data, but often it is sold to other criminals. With names and social security numbers, criminals can file fraudulent claims for tax refunds.

Hackers also steal bank account information, credit and debit card numbers and authentication details, personal information, medical records, trademark information, trade secrets and others. A list of names, phone numbers, and addresses can be used by IRS scammers. Those criminals make threats and convince people to wire money or mail debit cards.

Preventing business cybercrime requires several levels of defense. Employee internet habits are one layer of cybercrime security that should be addressed. Since downloads of software are one of the primary causes of virus attacks, employee internet policies need to be solid and well communicated.

Steps to prevent cybercrime caused by employee behavior:

Company policies

Robust and clear company policies need to be written, distributed, and updated regularly.
These policies would cover the following areas:
  • email and internet use
  • protecting confidential information
  • policy communication and updates

Security training

Periodic meetings should be held to discuss security issues and concerns. Use recent news reports and videos to highlight different security concerns. Be clear about new threats from cyber crime and security changes to address those threats. Employees should be educated to be alert to phishing emails and suspicious attachments or links. A cybersecurity manager should be named who can respond to employee questions in a timely manner. This person should also insure policies are written, updated, and communicated.

Control Access

Limit administrative and password access. Regularly change passwords and establish limiting access to levels of data where possible. When employees are terminated, immediate changes in network access should be made.

Protecting organizations from cybercrime is a complex issue. Employee internet behavior is one area that should be managed to keep business information secure.

A cybersecurity tip sheet for small businesses by the Department of Homeland Security can be found here.

This article originally appeared on my Web Technology blog which can be found here.

Advertising on this blog supports my writing. By clicking an ad, you are under no obligation to buy. If you see an advertisement of interest, please click.