As the owner of a private business, what’s your immediate reaction when the subject of cyber security comes up?
Recent research indicates you may well feel a sense of unease: in PwC’s Global CEO Survey, almost half – 47% – of respondents from privately-owned businesses rated cyberattacks as the top threat to their organisation’s growth. But are private businesses right to be worried? And if so, what should they do about it?
The reality is that the cyber threats facing private businesses are no different from any other type of organisation. Cyber criminals are essentially opportunistic and will look to attack wherever they see vulnerabilities.
However, private businesses have some distinctive characteristics that create specific cyber security risks and which need to be addressed.
Today, digital and physical security are becoming indivisible and everything we do online has consequences in the real world. From critical business systems to social events, virtually every aspect of work and life is exposed to the all-seeing gaze of the internet – and thereby to cybercriminals. And when they come knocking, private businesses need to be ready.
These are the 5 areas that we believe private businesses should address now to make themselves more cyber secure.
1. Educate family members on the importance of online security
Your teenagers will roll their eyes, but it’s important to remember that in a family business, all of the family are the faces of the company. Beyond reputational damage and risks to personal safety, unguarded use of social media can expose the business in many ways. If you’re the principal in the family business, you’re probably fairly careful with your own online activities.
But what about the rest of the family? For example, do you know what photos your children are posting on social media? What locations, properties or people are visible in the background? Are location services enabled that reveal exactly where the photo was taken?
Educating family members about acceptable use of social media may help mitigate some of these risks.
2. Make cyber security an embedded part of the business culture
Private business owners often feel (erroneously) that they’re not big enough to be attractive targets. This mindset can lead to an unwillingness to spend money on cyber security until a threat actually materialises. However, cyber attackers don’t generally chase specific targets; they focus on any opportunity to gain entry.
Rather than being an afterthought, cyber security needs to be baked in at all levels of the business – owners, executives, employees – through regular awareness training and practical guidance. Security is everyone’s responsibility, and everyone has to be alert to the risks. This applies to members of the owner’s family too.
3. Implement a mobile device management tool
According to Statista, over 6 billion people globally have a mobile phone. The problem is that many people use the same handset and apps for their personal and work activities. So if a device is compromised or lost, it can expose the business’s data and systems and possibly offer attackers an access point.
The solution is to implement a Mobile Device Management (MDM) tool on everyone’s handset that segregates the work and personal data, ensuring it’s properly managed, protected and backed up.
4. Control access to all company data: both virtual and physical
Data is the lifeblood of any business and the main target for cyber attacks. As a minimum, make sure that your company is applying tools like multi-factor authentication, strong passwords that are updated regularly and the latest security patches.
In smaller companies it can be common practice for people to share passwords and accounts, because it makes things easier. Don’t do this: if an incident occurs, it makes it much harder to tell who was involved or responsible.
It’s not just a company’s front-line data that is at risk, but also any backups that are reachable from the internet. So you should not only back up your important or sensitive data, but also ensure the backup is segregated from internet access so attackers can’t reach it.
Finally, don’t forget the physical aspects too: many cybercriminals still rely on getting someone into the office to breach systems, so it’s vital to have proper physical access controls and logs. It’s equally important to perform due diligence on anyone who has remote access to the systems, such as suppliers or contractors.
5. Have a plan – and know who you’re going to call
If a cyber incident does occur, it’s imperative to have a plan already in place for what to do. While most private businesses have IT support, they often lack the forensic information security skills they’ll need once a breach occurs.
You should determine in advance what steps you’ll take and which cyber security expert you’ll call to investigate and help. One option to consider is taking out cyber insurance: as well as potentially covering costs like systems remediation and business interruption, insurers will often have lists of approved experts.
The board had not connected the dots between the two agenda items because its view of cybersecurity, as well as the CEO’s, was more focused on risk dashboards and surveillance than on the security implications of business decisions.
It’s an issue we’ve seen variations on for years. Simply put, far too many boards and CEOs see cybersecurity as a set of technical initiatives and edicts that are the domain of the CIO, chief security officer and other technical practitioners. In doing so, they overlook the perils of corporate complexity—and the power of simplicity—when it comes to cyber risk. We’d propose, in fact, that leaders who are serious about cybersecurity need to translate simplicity and complexity reduction into business priorities that enter into the strategic dialogue of the board, CEO and the rest of the C-suite.