Picture this: It's tax season, and your HR director receives an email from someone who's pretending to be you--the CEO. The HR director thinks that the email is legit and complies with the request to send over copies of all of your employees' W2s. Days later, the email sender--who's actually a skilled hacker--uses those W2s to file a batch of fake tax returns.
Cyberattacks like this happen every day. And if you're running a small or midsize company, you're a direct target for an attack. Small and midsize firms fall victim to the vast majority of data breaches because they tend to:
- Lack sufficient security measures and trained personnel
- Hold data that's valuable to hackers (e.g., credit card numbers, protected health information)
- Neglect to use an offsite source or third-party service to back up their files or data, making them vulnerable to ransomware
- Connect to the supply chain of a larger company, and can be leveraged to break in
Our most recent report - a research collaboration with Cisco and the National Center for the Middle Market - is based on data from 1,377 CEOs of small and midsize businesses that tell a similar story. Sixty-two percent of our respondents said that their firms don't have an up-to-date or active cybersecurity strategy--or any strategy at all. And that's a major problem, given that the cost of a cyberattack can be high enough to put a company out of business; according to the National Cyber Security Alliance 60 percent of small and midsized businesses that are hacked go out of business within six months.
If you're among these CEOs, it's time to make a change. Follow these four steps to start building a cybersecurity strategy that keeps hackers out of your business.
1. Determine your company's current cybersecurity status.
Bring together members of your senior leadership team, board of directors and investors to conduct an informal audit of the business. Get a sense for the level of security you have today.
Questions to ask: Is anyone in charge of our cybersecurity? What defenses do we already have in place? Is our strategy comprehensive and coordinated? If not can we pinpoint our weak spots?
2. Identify the key person accountable for your cybersecurity.
Engage leaders from across the organization--not just those within IT. Include people from different functional areas, such as human relations, marketing, operations and finance. Other players essential to this conversation are your lawyer and your accountant/auditor.
Questions to ask: Who should be responsible for our cybersecurity? What process can we implement to ensure accountability? How can we communicate and increase awareness about cybersecurity in our different departments and teams?
3. Take an inventory of your assets, determine their value and prioritize your most critical assets.
Identify the "crown jewels" in your company, whether those are employee records, intellectual property or customer data. Recognize that you will never be 100% safe from an attack, so prioritizing areas of defense is important.
Questions to ask: What are the most important assets we need to protect? Customer data? Intellectual property? Employee records? Can we measure the degree of confidentiality, integrity, availability and safety of our most critical assets?
4. Decide what business capabilities and cybersecurity measures you want to manage yourself versus outsourcing.
Consider whether it makes sense to outsource certain aspects of your business to a cloud-based system to increase your security. At the same time, consider whether it makes sense to engage a cybersecurity expert or provider. Decide whether you want to work with a consultant to figure out your cybersecurity plan or if you want to outsource your cybersecurity entirely.
Questions to ask: What aspects of our business--such as order fulfillment--should we handle internally versus outsourcing to a third party (e.g., Amazon, Cisco, Google)? Should we outsource our cybersecurity to a third-party service? Should we use a fractional CIO model and seek out cybersecurity consulting? Or should we handle the entire process ourselves?
The best defense is a good offense. Make it a priority to protect your data for the benefit of your employees, your customers and the long-term health of your business.