Many people think that because their organisation is small, it is invisible in the digital world. Size is no protection. It is estimated that 71 per cent of small and medium businesses (SMBs) have been affected by a cyber security incident.
In a post-COVID world, small organisations are looking to backfill staff and reduce costs while facing a workplace under significant cost-of-living pressure. Staff are focused on getting the job done and can easily be targeted by scams or online threats. When the list you appear on has tens of thousands of email addresses, size doesn't figure in the equation: an attacker does not need to choose you, only to reach you.
Many organisations think that they have cyber security covered because they have a firewall on the internet service and antivirus on the endpoints. Advice from providers can focus on what they sell rather than on what is best for your organisation, so getting to the right outcome may not be a simple task.
Getting this wrong can be costly.
- Everyone is at risk, regardless of size
- Security needs to be weighed against cost, taking into account what you have already invested in
- Any approach needs to fit your environment and business processes
- Security needs to be part of a plan to manage risk and continuity that works for you
So how do you move forward?
There are practical steps that can help a business of any size to reduce its exposure and avoid costly investments. The first step is to map out what you have and what your risks are, and to assess how ready you would be should the worst happen.
We developed a checklist for any business to secure its data, users and business operations and reduce the likelihood of being compromised. The steps are as follows:
- Develop an appropriate security management plan for your data and infrastructure
- Implement balanced IT services and access management across all your services
- Right-size user and application access for all staff and third parties
- Implement user and system access controls to limit data exfiltration
- Develop business continuity that goes beyond data backups
This checklist was developed from the Essential Eight (E8) cyber security framework, designed for Australian Federal Government entities to protect citizen data from being stolen. We also incorporated other security methodologies such as NIST, CIS and the ISO 27000 series.
This alone is not enough. You should also consider some additional practical steps:
- Check your cyber insurance policy for coverage, caveats and applicability
- Confirm who has access to your data, within and outside the organisation, and how it is used
- Assess how you store, use and back up your data today, then understand how it can be recovered and test that recovery
- Update your understanding of your business obligations under any regulatory, government or industry standards
The ability to plan and implement the changes you require, based on your specific needs, is critical. We run various assessments for our customers and find that planning and preparation is never a lost investment.
Ultimately, cyber security is not a static thing; you need to bring your business and your people along on this journey to succeed. The so-called bad actors are focused on monetising their efforts.
Your data, intellectual property and financial information can be sold on the dark web or used to exploit others. Attackers single out softer targets, as these take less effort to breach.