What Should Be In Your Small Business Cybersecurity Toolkit?


By Shawn Dobbins, Tony Mendoza

Hoping to fly below the radar of cybercriminals is not an effective cybersecurity defense strategy. The value of digital assets and information can, and does, exist independent of a business’s size or revenue. From company or customer credit card data, banking or other financial information, to personal health-related records, company trade secrets or work product: if there is a business imperative – or legal or compliance requirement – to keep information confidential and secure, it holds value and your business should protect it.

But many businesses do not understand the threats they face, the data they possess, how their employees, customers, and vendors interact with that data, or the tools needed to defend against cyber threats. Large companies may have greater resources to defend against and respond to a data breach when it occurs, but are small and mid-sized businesses adequately prepared? Small and medium sized businesses need a set of tools they can use to defend against cyber threats – a cybersecurity tool kit.

Cybersecurity Company Policy Development

Whether they know it or not, and whether they want to or not, every employee guards virtual doors through which cybercriminals are waiting to be let in. Your employees must understand your company’s cybersecurity policy. Your company can achieve that by creating policies that are clear, not too dense or long, and regularly updated. Good policies also strike the right balance between security and employee creativity and productivity, rather than being unnecessarily restrictive.

What Should Be in the Cybersecurity Tool Kit?

A Privacy Policy. If your company collects electronic information from customers, a company privacy policy is a pledge to your customers about how you will use their data and how you will protect it. Customers need to know your company understands its legal obligations to them with respect to data privacy. If your company operates in a regulated industry, such as health care, telecommunications, or financial services, there are specific laws that govern how your business handles customer data (e.g., the Health Insurance Portability and Accountability Act (HIPAA) for health care, or the Gramm-Leach-Bliley Act (GLBA) for financial services). If your business does not operate in a regulated industry, your business still needs to assure its customers that you understand their expectations about handling their data and that you have made their privacy a priority.

Assign Roles and Responsibilities. Cybersecurity is not just something you delegate to your IT professional. Everyone in your company has a role to play in protecting company data. Your IT professional should of course have a thorough understanding of cybersecurity threats and must be able to advise on and implement technological tools to protect your business (e.g., data backup, firewalls, etc.). But there are cybersecurity responsibilities that likely fall outside the bailiwick of your IT professional. Cybersecurity professionals speak of “layered security”: no single control, whether a firewall, a password, or a locked door, should be the only thing standing between an attacker and your data. A related axiom of cybersecurity planning is least privilege: the more sensitive the data, the more restricted access to it should be. It makes sense for most businesses to take an inventory of the kinds of data they collect and store. Once this is done, assign responsibility for, and access rights to, each type of data based on its sensitivity.

Acceptable Use Policies (AUP). “Acceptable use policies” set your company’s expectations with employees on how they handle certain workplace technology, interface with the internet, and control physical access to entry points into your company’s network. Instead of one long AUP, consider drafting several “bite-sized” AUPs. Your company should have AUPs for: email usage, mobile devices, web browsing, social media, remote access to the company’s network, use of removable media, and telephone usage. The currency of most cybercriminals is trust. The successful cybercriminal engages in “social engineering” to try and win your trust – by, for example, making that phishing e-mail appear to have come from a trustworthy source. Your company needs to train its employees on how to recognize and avoid these threats, and it can do so, in part, through a comprehensive set of AUPs.

Physical Workplace Security Policy. Because cybercrimes occur via the internet, physical workplace security is often overlooked as a point of vulnerability. Your company should have a policy that sets expectations about physically securing laptops and mobile devices, positioning desktop screens away from public spaces, document retention, organizing and securing printed materials containing sensitive information, trash removal and shredding, and the need for security cameras, door locks, and alarm systems.

Passwords and Encryption Policy. One of the drudgeries that accompanies the cybersecurity era is the need for encryption and passwords. Who hasn’t cursed the forgotten user name or password? Sadly, password management is now just something that has to be done, like doing the laundry. But a thoughtful password and encryption policy can systematize password and encryption management for your business: a password manager removes most of the drudgery of keeping passwords unique, and multi-factor authentication protects the accounts that matter most even when a password is phished. And by applying the sensitivity/security axiom explained above, different levels of password security and encryption can be employed so that access to less sensitive data is less of a hassle.

Insurance. No matter how robust your cybersecurity toolkit is, no company is impermeable. And where there is risk, there is insurance. Your company should understand whether and to what extent its insurance policies cover cyber attack incidents and the damages they cause. Many insurance companies and professional firms will provide cybersecurity risk assessments. Some insurance companies are also now offering cyber insurance policies. Cyber insurance is still in an incipient stage of development. Many questions remain about premium amounts, underwriting risk, coverage, government regulation of cyber insurance products, liability limits, and overlapping coverage, all of which point to a larger question for small and medium sized businesses: whether purchasing a cyber insurance policy is worth the money spent on premiums. Small and medium sized businesses should understand what their existing insurance policy covers, ask their carrier whether it offers cybersecurity risk assessments, and then evaluate the cost-benefit of cybersecurity insurance.

Incident Response Plan. If and when your company is the victim of an attack, your company should have a plan in place for how to respond. Seth Northrop, attorney at Robins Kaplan, wrote a great article on this topic in the April 2016 issue of Attorney at Law Magazine, and we refer you to it for a primer on developing an incident response plan.

Training. Last and definitely not least – the best laid plans are worthless if employees are not trained to follow them. Every company should invest in cybersecurity training for its employees. According to IBM’s 2014 Cyber Security Intelligence Index, human error was a component of 95 percent of all security incidents. Employee training should be comprehensive and thoroughly address all of the subjects discussed in this article. Training should occur annually, and training materials updated regularly.

The threat posed by cyberattack is very real for today’s businesses, and it is proliferating and constantly mutating. Small and mid-sized businesses are not immune from hacking, data loss, or security breaches. By taking proactive steps to develop and implement cybersecurity policies, plans, and practices, small and medium sized businesses can develop a toolkit to manage and mitigate their risk.


Tony Mendoza is the founder and owner of Mendoza Law LLC and leads his firm’s communications law practice. Shawn Dobbins is an attorney with Mendoza Law LLC and has advised domestic and multinational clients at the intersection of law, technology, and business for a decade. For more information, visit mendozalawoffice.com.