We hear a lot about cyber security today. The recent breach of Target’s “Point of Sale” system for credit and debit card transactions is one big example that comes to mind. The fact is that cyber security is something that should concern everyone, from businesses, to government entities, to individual citizens. Small businesses, not just big companies, are at risk of being targeted. At iConstituent, we have learned important lessons about cyber security and how small companies can manage their cyber security risk. We have hired some of the best security experts we could find and made substantial upgrades in our security infrastructure to protect our company’s assets and our customers’ information. Most importantly, we have learned that nobody can guarantee they are absolutely secure, and even small companies need to invest in being as secure as possible.
What can I impart to others who run small companies? A lot. Here is some advice:
First, recognize that cyber security is not just an IT issue. For one thing, the consequences of a cyber attack can be so severe that they demand management’s attention: when the company’s finances, customers, or reputation might be on the line, management must own the problem and the risk.
Management must also lead because the solution to cyber risk is not just an IT solution: managing risk requires the whole company to work together. Management must make decisions about how to allocate resources and must set policies for the company. Human Resources needs to train employees, and employees need to act in a secure way on the company’s network. Legal has to make sure the company has the right insurance and protections in place. Communications supports sending important information to customers and other third parties. The company’s cyber security efforts are only as good as the weakest link, and the solution requires a team effort, so management has to lead and make sure the whole company is committed to cyber security. As CEO of iConstituent, I am ultimately the person accountable for our cyber security and for making strategic decisions about how we manage our risk. It’s the only way this works. So, where to begin?
The second piece of advice is to set priorities. Cyber security can become a big, tangled, never-ending problem if you let it. If you try to protect everything, you will protect everything inadequately, and you may soak up endless budget doing it. This is especially challenging for small companies. Instead, decide what matters most: what information and assets are most critical to protect, and how are we going to protect them? Convene your management team to talk about this, and solicit input from employees across the company, too; these questions may seem like they have obvious answers, but you will be surprised by the different answers you might get, many of which may be different and more accurate than you first thought.
Third, to keep focused on those priorities, it is important to have a plan. For a small company, a 12-month plan helps you plan your budget and set goals that are achievable in a reasonable timeframe. While planning is important, flexibility is, too: cyber security is dynamic, is never “finished,” and requires constant change and effort; so, as you measure progress against the plan each month, be prepared to adjust course as circumstances demand.
As a small company, a helping hand can be important, which brings me to my fourth suggestion: smart outsourcing can be an effective way to cover the basics of technology and staff support to monitor and protect your networks, without the expense of building your own complete, in-house security program. One useful element is a Managed Security Service Provider (MSSP), which can help prevent or mitigate a breach. Other third parties can help you limit your risk if an incident happens. Cyber risk insurance is one example. Of course, the devil is in the details, and you have to be careful about the specifics when outsourcing to reduce risk, for example checking the insurance policy for the right coverage and reasonable premiums. Outsourcing has many benefits for small companies that do not have the size or budget to build their own, in-house cyber security program. But, it is critical to keep in mind that while you can outsource many functions, you cannot outsource ultimate responsibility for your company’s cyber security: the management team needs to oversee the whole program and tie the various pieces together.
Fifth and finally, it is essential to prepare for the worst-case scenario: a successful breach that puts your company’s customers, finances, or reputation on the line. Even the best laid security plans can succumb to an attack, so make sure you have an incident response plan, and practice it together as a management team: do a drill to test the key elements of the plan and make sure each person knows their responsibilities and what to do in a crisis.
Cyber security is a dynamic, challenging problem. Staying secure is especially hard for small companies that have fewer resources and less time to prevent and prepare for attacks. But, it is essential to do your best to keep your company’s network and customers’ information secure. I hope these tips, learned through our small company’s own experiences with cyber security, are helpful to you and help you start down the road of improving your company’s cyber security. Remember: just like running a small business, cyber security is a never-finished job, and the journey is as important as the destination. Good luck!