Date: 2024-02-26

No matter what industry you're starting up in, cybersecurity shouldn't be an afterthought. Ransomware attacks garner most of the headlines: Just last week, UnitedHealth subsidiary Change Healthcare was the latest major victim, experiencing a cyber attack that disrupted pharmacies nationwide. But even smaller-scale digital-security events, such as a former employee making off with a client database, can cause havoc for a small business.

There are upsides to putting in the work it can take to ensure your digital security. Being able to demonstrate you have strong cybersecurity protocols in place can be a competitive advantage, says Daniel Eliot, the head of small business engagement in the applied cybersecurity division of the National Institute of Standards and Technology (NIST).

Today NIST released an updated version of its Cybersecurity Framework, a set of guidelines for preventing, detecting, and mitigating cyber threats. It includes a new quick-start guide for small and medium businesses with "modest to no" cybersecurity plans in place. Eliot describes the guide as a "conversation starter" for companies to think through cybersecurity. It includes questions to ask, starter checklists, and additional resources.

Eliot describes a few straightforward things any business can do to get started on its cybersecurity strategy.

List Your Security Priorities and Responsibilities

"Protecting your most sensitive assets that you rely on to run your business is a good starting point," says Eliot. "Running a small business with limited resources is all about prioritization: Where can we best spend our time and our money? Cybersecurity should be approached in that same way."

Think through what's most critical to your business, whether it's protecting your intellectual property, making sure your ecommerce site doesn't go down, or being available to customers 24/7. Also take note of what you are required to do legally and contractually to secure systems and information.

Lock Down Important Systems

Make a list of important company accounts, and check that multi-factor authentication is on for each of them. For devices such as Wi-Fi routers, change the default manufacturer password--"everyone has access to that password," Eliot says--as soon as you set them up.

Limit access to sensitive data or systems to people who need that access to do their jobs, and restrict access for employees who no longer need it. "A lot of small businesses think if everyone has access to everything, it'll help us be more productive," says Eliot. But keeping access open can increase your threat level; if one account is compromised, it could be used to access all of your information.

Have an Offboarding System in Place

A "common mistake" small businesses make is not deactivating employees' accounts when they leave a company, says Eliot. Former employees can then potentially take trade secrets or customer lists to competitors--or their credentials could be compromised, which could allow hackers access to your systems.

Take Care With Cell Phones and Laptops

If you're donating or recycling old devices, be sure to delete all files and reset the device to factory defaults first. Keep account of all company devices, and if one goes missing, wipe it, too. "People just lose devices all the time," adds Eliot. Apple and Android phones have remote-reset options, as do many laptops and types of remote IT administrator software.

Get the Right Help

If you can't handle the priorities and contractual or regulatory requirements you've already identified, consider engaging outside help. Eliot suggests talking to others in your industry about what cybersecurity services they've found helpful.