Protect Against Cyber Attacks: A New Guide to Help Small Businesses

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are beginning to target smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals. It provides a simple and actionable framework to help minimize security risks.

The NIST guide is divided into five basic categories (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  2. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack to identify any system vulnerabilities.

  3. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  4. Detect

While some security events are easily detectable, many are not. Businesses should consider implementing anti-virus software that is designed to detect intrusions. Additionally, it may be worthwhile to use a program that keeps a log of the daily activity that occurs on the network. These logs may show trends that indicate an intrusion has occurred. An outside consultant can be a valuable resource for interpreting these trends, as there may be a more serious problem that is not readily apparent.

  5. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. The plan should appoint a person responsible for implementing it, include the contact information of all internal personnel who should be notified, and give directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  6. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. If possible, restore backed-up data, or implement a backup procedure for business data. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.

About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

Posted in Cyberattack, Data Breach, Data Security, Privacy, Standards
