How to Create an Effective Small Business Cybersecurity Policy
What’s the #1 reason to create (and enforce) a small business cybersecurity policy?
Getting hacked poses a serious risk for your business, if it hasn't already happened.
Hacking, viruses, phishing, malware, worms, Trojans—cyber attacks go by various names, but the common denominator is that everyone has the potential to be attacked. Seriously, everyone—from the well-publicized 2016 hacking of the Democratic National Committee to the daily cyber attacks of more than 25 million small businesses in the US, it happens to everyone.
So what’s a small business owner to do—throw up his hands (and his customers’ financial info) and give up? Far from it.
Just like any business operation, you need a plan. Creating, enforcing, and updating your cybersecurity policy isn’t a ‘nice to have’ asset of your company. Depending on your business, there are potential legal consequences for not doing so. It is imperative, it is essential, to commit time and resources to create a small business cybersecurity policy.
Not sure how much cybersecurity costs? We've got you covered.
Note: If you’re new to cybersecurity, you may want to start with 10 Simple Things to Improve Your Company's Cybersecurity Posture.
This is not the time for fear—this is the time for action.
In this blog post, we’re going to give you practical info that you can use to learn how to create a cybersecurity policy specifically designed for small business. We’ll cover how to get started, planning, accountability, technical regulations, and more.
But before we get started, take a look at these top cybersecurity issues that plagued small businesses in 2016—see anything familiar?
Mobile malware - The ubiquity of mobile devices gives hackers more opportunities to load malware into apps and mobile sites. With the amount of work conducted via mobile, companies must be extra careful with how they address the security of their employees’ devices.
Internet of Things (IoT) data theft - IoT has allowed for some remarkable innovation in smart homes and offices, but the rapid growth has also left some holes in the security of these ‘things’ we now use every day. Yes, hackers can access a Wi-Fi light bulb, but they can also hack an IoT-enabled smart lock.
Ransomware and extortion - The act of taking data hostage or taking control of an IoT device (like a smart lock or security camera) and demanding money to return access. It’s ugly, but it happens.
Corporate espionage - If you have something proprietary that’s stored digitally, don’t count on the scruples of a foreign competitor for its security.
OK, the stage is set—let’s dive into some practical info for developing a small business cybersecurity policy.
Getting Started—Begin With The End In Mind
There’s an unattributed saying in business:
“If you don’t know where you’re going, I guarantee you’ll get there.”
While it’s tongue and cheek, this speaks volumes about the importance of setting goals for business initiatives. Not sure what the goal of your cybersecurity policy should be? Here’s a great start:
Enable workers to work effectively in a secure environment.
The policy must serve both of those needs at the same time.
You’re probably thinking this sounds way too simple—What about PCI compliance, what about HIPAA?
Yes, you need to meet the security standards of your industry, but if you do so in a way that inhibits the productivity of your workers, you’ll have an entirely separate issue. For example, let’s say you install email encryption software, but your employees can’t figure out how to use it. Productivity will dip as desktop support tickets pile up, and if the issue isn’t resolved promptly, employees will likely use workarounds that fall outside of cybersecurity best practices.
To reiterate, a small business policy must include a goal of maintaining (or enhancing) productivity while providing a secure environment.
One last point for setting a goal—make sure that the CEO strongly supports the policy. Write a memo, chat about it in the hallways, make an announcement at the company holiday party, but make sure the CEO has active and visible support of the policy to ensure employees take it seriously.
If the cybersecurity policy is created in HR or IT in a vacuum, it will likely stay there and not gain the company-wide support it needs to be effective.
Plan for the Worst
Small Business Trends reports that cyber attacks among small business are up 18% from 2011 to 2015, with 43% of phishing scams targeting small business. We covered a few potential horrible outcomes above, but it’s important to think through the worst-case scenario so the plan can be made to combat it.
For example, imagine the feeling of dread as you’re composing an apology to 1,000 customers who’ve had their financial information stolen from your servers. And yes, this includes any cloud servers you outsource data storage to—the customer will still hold you accountable for choosing that vendor.
But if loss of customer credit card info truly is the worst outcome possible, as it is for many retail small businesses, your cybersecurity policy will have procedures in place to manage the attack and mitigate the negative feedback.
You’ll know exactly what to do and how to take action immediately.
In this way, you have a lower chance of constantly updating your cybersecurity policy with reactive measures after an attack occurs.
Cybersecurity attacks are always incredibly stressful, and usually require a team effort to solve. Once somebody recognizes a breach of information, for example, think about all the activity that needs to happen besides just fixing the breach:
- Who arranges the technical solution?
- Who contacts the customers?
- Who decides if the company will cover the loss?
As you’re planning for the worst, you’ll raise questions about who is responsible for what and when.
Assigning accountability for those actions is a crucial part of a strong cybersecurity policy.
Accountability measures should also include contingency planning—if one of the people who is responsible for an action item is on vacation, who is next in line? Is there an appropriate contact to reach out to, and if so, what’s the preferred method of contact?
There is such a wide range of cyber attacks, having a clearly defined policy for your processes for dealing with an attack is far more important than the technical execution, as it could change from one instance to the next.
Imagine replacing a company-wide email with “HELP!” as the subject line, and all the resulting email chains, with a single phone call placed to somebody with the means and authority to start fixing the problem. This efficiency is yet another purpose of a small business cybersecurity policy.
One last note on accountability—ensure that all employees are held accountable for cybersecurity, not just the people who respond to a cyber attack. Computer conduct for day-to-day activities needs to be explicitly named in a policy—things like what sites are appropriate for work, how to communicate sensitive information with customers, and what company info is OK to share publicly.
Oh, and please PLEASE PLEASE take a few minutes to educate your employees on phishing scams. Phishing is the #1 cause of cybersecurity issues in small business, and it’s on the rise. Phishing scams are nasty and becoming increasingly sophisticated.
Employee actions, no matter how benign in intent, have the potential to put the company at risk, and therefore need to be named and assigned accountability.
Know the Regulations of Your Industry
Depending on your industry, you may need to implement a slew of technical (and non-technical) safeguards in place to protect your business and customer data. There are far too many different regulations to fit into in this blog post, but here are a few examples for reference:
Payment Card Industry Data Security Standard (PCI) - If you accept credit cards, either as a brick and mortar storefront or ecommerce website, you must be PCI compliant. There are four different levels of merchants depending on the volume of transactions processed, and most small to medium sized businesses will fall under level 4. Level 4 has the most relaxed security standard, but there are still plenty of regulations you’ll want to read.
Health Insurance Portability and Accountability Act (HIPAA) - HIPAA has been around since 1996, but the proliferation of digital health records in the last 15 years has made this a huge issue for the healthcare industry. There is a litany of HIPAA requirements, both technical and non-technical, from secure email and texting for patient communications to the type of locks you use on your building. HIPAA violations can be absurdly expensive, so don’t get caught out of compliance. Interestingly, HIPAA even requires certain standards just for procedure documentation in your cybersecurity policy.
International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) - If you’re involved with government contracts, you’ve likely seen these acronyms before. For anything with direct defense-related applications, the US government has named stringent regulations to keep sensitive info out of the hands of cyber criminals. For items with civilian and military application, you’ll need to understand and comply with EAR regulations. There’s quite a bit more, but it gets more technical from here.
National Institute of Standards and Technology (NIST) 800-171 - Controlled Unclassified Information (CUI) is sensitive to the interests of the United States, but not fully regulated by the government. NIST 800-171 is a standard for storing and distributing CUI, and if you’re working with the government in any way, you probably need to know the details.
Working as a vendor? You’ll likely need to be, at a minimum, on the same level of security compliance as your customer. Many contracts will actually require certain levels of security compliance, but in general, it’s a best practice to match your partner’s security level.
Enterprise software providers are great examples of this. Microsoft Office 365 is one of the premier office productivity suites, clearly eager to be the go-to resource for large markets like healthcare, and look at the extensive documentation on their commitment to security compliance.
Whether your small business cybersecurity policy is non-existent or just in need of an update, we hope this post has sufficiently outlined the need for a comprehensive policy. If you’re ready to take the next step and start creating your policy, we suggest downloading the free ebook 10 Simple Things to Improve Your Company's Cybersecurity Posture.
This resource details the most important pieces of your cybersecurity posture and provides practical tips for improving your company's cybersecurity.