In 2015, the world's first "international cybermafia" stole up to $1 billion from more than 100 global financial institutions. The gang's "spear-phishing" emails opened the bank's digital doors and released trojans into each entity, which then directed ATMs to transfer huge sums of money into dozens of hacker accounts. Although your business might not have billions in the bank, data breaches like these could happen to any entity -- regardless of size -- and implementing a cyber security checklist is the first step to securing your digital walls.
Small Business Risks Are Higher Than Ever
As a small business owner, you may think your enterprise isn't big enough to be a target for this kind of theft. On the contrary: 2014 marked the first year that SME's were the largest population of cyber victims. In 2013 and 2014, Britain's Government Security Breaches Survey indicated that 74 percent of small organizations reported some form of cyber attack. Symantec reports that spear phishing attacks on small businesses reached their highest peak ever in February 2016. These statistics indicate that your small company is probably the target of at least one type of potentially fatal digital threat.
Your Cyber Security Checklist
America's financial systems have noted the rise in attacks on small firms and the threats those pose to the country's economy. FINRA, the Financial Industry Regulatory Authority, has created an exhaustive "Small Firm Cybersecurity Checklist" that breaks down the elements of computer system vulnerabilities and provides guidance on how to avoid losses to the digital thugs that exploit them.
The checklist defines "cybersecurity" as the "protection of investor and firm information from compromise through the use of information technology." Its elements are derived from the framework provided by the National Institute of Standards and Technology (NIST) and FINRA's own Report on Cybersecurity Practices.
There are five categories that encompass 12 sections. By following the cyber security checklist, you can put in place practices that will provide barriers between you and the cyber crooks:
The first step is to identify the vulnerabilities in your digital structure:
- Inventory all assets and their related risks.
- Clarify users and access points because each poses an individual risk.
- Ensure encryption practices are current and enforced.
- Scan for intrusions. Detection programming is critical to capture intruders before they can cause damage.
- Develop or enhance the response plan if (or more likely when) disaster occurs.
2. Protect Customer and Proprietary Data
If your company shares data with third parties across any external portal, it is at risk for theft of that information.
- Identify all third parties (and their vulnerabilities).
- Clarify the data that must be shared and eliminate sharing unnecessary information.
- Establish controls between your company and the third-party company to isolate those procedures from the rest of the business.
3. Detect Intrusions Through Mobile Devices
You and your employees likely access company data through mobile devices. Those devices are often the easiest entry point into corporate databanks.
- Identify all devices that touch the corporation and those with access to them.
- Clarify security elements within the device - passwords, encryption or others.
- Ensure the ability to wipe those devices clean remotely so your company retains control over their contents
- Clarify the authority of devices users to access enterprise data.
4. Respond to the Crisis
This is easier when a system-wide response plan is in place.
- Identify indispensable system elements.
- Ensure passwords and other protections are secure and up to date.
- Review malware programming for updates and currency.
- Ensure backups are scheduled and followed.
5. Recover Lost or Stolen Assets
Loss of vital company data or assets can put the business out of business.
- Ensure backup access is available.
- Ensure redundancies are current.
- Evaluate the entire recovery process. Once successful, hackers often return through the same paths to hack again.
If your business needs technology to function but isn't a technology company per se, it may be more cost-effective to outsource these processes. For assistance, and to learn more about CSG's managed IT services, contact us today.