This guide will provide you with the advice and template you need to create a cybersecurity policy for your organization, helping to prevent attacks and protect your business.
Small businesses (SMBs) make up 99.7% of all US businesses, and they’re under increasing attacks from hackers and malicious software. As such it’s more important than ever to get the right protection by having a comprehensive security policy in place.
The purpose of creating a cyber protection policy for your small business is to outline the resources and actions necessary to ensure business continuity and to protect your data. As a result, your staff will be better informed and able to take appropriate action to prevent attacks. Not only this, but your customers or clients will be reassured by working with a company that takes data protection and online security threats seriously.
Prominent threats to small business range from phishing, ransomware, and social engineering attacks to leaks from connected IOT (Internet of Things) devices. In 2017, software and hardware attacks accounted for almost 70% of data breaches worldwide:
Avast was responsible for blocking over 122 million WannaCry ransomware attacks in 2017. Along with the Petya and Bad Rabbit ransomware attacks, the joint cost to consumers and businesses amounted to more than $5 billion.
Ponemon Institute’s 2017 Study recorded the average loss due to data breaches as $3.6 million globally, and $7.35 million in the US alone. However, attacks not only threaten income, but also cause disruption by having a massive impact on productivity - many working hours are lost trying to resolve issues. And this is all before considering the damage to a business’s reputation.
The good news is that adequate network protection from such costly cyberattacks doesn’t have to be expensive. What’s more, as most cyberattacks tend to exploit basic vulnerabilities in systems, they are easy to prevent with antivirus software, patch updating and staff awareness training.
A cyber protection policy means your staff will be better informed and able to take appropriate action to prevent attacks
The computers used in your business are also known as ‘endpoints’, and each of them pose a threat to the security of your whole network if they’re not properly protected - they are an open door to hackers and malicious code. As such, endpoint security is one of the best places to start when looking to protect your network, especially with the rise of flexible working meaning that more employees can access systems remotely from home or open Wi-Fi networks. It’s essential that all your endpoints are secure because your network is only as strong as your weakest link.
Endpoint security offers a safety net to stops attacks at their point of entry. If they do manage to get a foot in the doorway, the antivirus software will ensure other machines in the network are not also infected.
IT teams value the advanced threat detection these security solutions provide while the centralized system simultaneously reduces the complexity of protecting the business.
The rise in mobile threats comes on the heels of an increasingly mobile workforce. As such, the need for a comprehensive security policy is paramount.
Some businesses issue mobile devices, while others allow employees to bring their own devices (BYOD). While the latter is cheaper for businesses, it means SMBs have less control over the device: what software and apps are downloaded, what information is shared, and what potentially unsecure Wi-Fi is used.
All of these can put your business at risk. For example, if an employee is emailing sensitive data from their phone, and they use unsecured Wi-Fi, that data could be seen and/or stolen if there are cybercriminals looking to intercept unsecure communications. If they download an unsecure app or click a malicious link, you may be giving these cybercriminals access to everything the employee has access to, including the possibility of corporate data being transmitted and even stored on an individual's personal device.
The potential issues range from data loss via a leak or loss of the device itself, to the damage that compromised devices cause when introduced to a centralized system. When staff members bring in their own mobile devices, they in turn are introducing attack points which can lead to security concerns.
This doesn’t mean that you suddenly need to fork out for expensive company-supplied devices for all your employees. But there are some basic BYOD guidelines you and your staff should follow.
A vital preventative measure to protect your business from data breaches and cyberattacks is to ensure your team completes cybersecurity training. By understanding the types of attacks - such as phishing, malware and ransomware - they will be better equipped to spot any suspicious activity and report it immediately.
Training your employees to spot a malicious email, link or attachment, for instance, is crucial to avoid data breaches caused by human error or individuals falling into cybercriminals’ traps and putting the company at risk. Encouraging employees to keep their apps and programs up to date will further strengthen your defences as new patches continually improve software security and tackle weaknesses. Alternatively, consider investing in trusted patch management software that reduces the need to manually check for updates.
Many small businesses work in the cloud – storing their data through internet services rather than on a device or server in the office. Google Drive, for example, can be a much more attractive prospect to a cash-strapped SMB than paying for an expensive management system. However, being able to access your business files anywhere and at any time comes with its risks.
Cloud security adds an extra layer of protection as traffic is filtered before it reaches the central server. Routing traffic through the cloud allows it to be monitored, checking for threats outside your system which allows your antivirus software to decide whether traffic is trustworthy or not, before it has access to your systems and network. This means malicious traffic can be blocked so it doesn’t reach your server(s), and it’s run from a centrally managed console.
Although cloud security can detect and resolve issues, there are processes that should be in place to ensure it protects your business. Issues arise over accessibility when network access is granted too freely. A prime example of this is when staff members leave the company, yet maintain access to business systems. Taking precautions such as regularly updating strong passwords and limiting the number of people who have access to sensitive data can dramatically increase security.
Depending where your business operates and in what sector, there will be government-supported compliance schemes that you must follow. For example, in the US, health care and medical insurance companies must adhere to HIPAA, the Health Insurance Portability and Accountability Act. In Europe, information must now be stored and accessed according to the General Data Protection Regulation (GDPR.)
The assumption is that data compliance is about protecting personal information – reassuring your customers that their data is kept securely and not shared without consent. More than this though, data compliance is an opportunity for you to protect your business from cyberattacks as secure data is harder for cybercriminals to access.
With over 4,000 cyberattacks a day, it’s never been more important to keep your data, customers and employees safe with a security system that effectively protects your business. But as this article has shown, endpoint protection is not enough on its own – staff training and data management best practice must be part of the mix. By using our guide as the foundation for your policy, you can get off to a good start on ensuring the reputation and financial success of your small business.
Download your free cybersecurity policy template by clicking here.
The new Avast Cybersecurity Basics Training Quiz provides training on Data Security, Identity Management, and Social Media Security
How SMBs can effectively protect their networks from cyberthreats – without breaking their security budgets