Your business better have a cybersecurity plan

According to the IBM-sponsored study 2018 Cost of Data Breach, the average cost of a cyber breach has spiked by more than 6 percent since 2017, or about $3.86 million per breach.

Cybersecurity is not merely a big-business issue. Small companies often make the mistake of not considering themselves targets for cyberattacks, thinking they don’t have anything worth stealing.

Yet nearly all businesses have valuable information cybercriminals seek — employee and customer data, bank account information, social security and credit card numbers, and access to business finances and intellectual property. Ten out of 11 breaches result not from human error, but from malicious or criminal acts.

The same study found the average cost per lost record is $141 to $148, a 5 percent increase over 2017. Multiply that by the number of computer records and that price tag quickly gets exponential.

Aside from expensive technical investigations and service, a breach also costs a business lost custom, negative impact on reputation (worried customers shop elsewhere after learning of a breach), and employee time. Having a solid cybersecurity plan — recommended by the Department of Homeland Security as well as the Small Business Administration — in place before a breach occurs can save money and mitigate potential damage.

Their top 10 cybersecurity tips are:

1. Protect against viruses, spyware, and other malicious code.

Make sure each of your business’s computers are equipped with antivirus software and antispyware, readily available online and from local vendors, and update regularly. Be sure to stay updated; vendors regularly provide patches, bug fixes, and security updates. Configure all software to install updates automatically.

1. Secure your networks.

Safeguard your Internet connection by using a firewall and encrypting information. Wi-Fi networks should be secured and hidden. To hide a Wi-Fi network, set up your wireless access point or router so it doesn’t broadcast the network name (the Service Set Identifier, or SSID). Password protect access to the router.

1. Establish security practices and policies to protect sensitive information.

Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating those policies.

1. Educate employees about cyberthreats and hold them accountable.

Educate employees about online threats and how to protect your business’s data, including safe use of social networking sites. Employees may inadvertently be introducing competitors to sensitive details about your firm, its customers or staff. Training can inform business managers and workers about how to post online without revealing trade secrets or sensitive information.

1. Require employees to use strong passwords and to change them often.

Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with vendors who handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

1. Employ best practices on payment cards.

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

1. Make backup copies of important business data and information.

Regularly backup the data on all computers, automatically if possible, and at least weekly. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Store backup copies either offsite or on the cloud.

1. Control physical access to computers and network components.

Prevent access to business computers by unauthorized people. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

1. Create a mobile device action plan.

Mobile phones and tablets can create security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

1. Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

If your business has experienced a cyberattack, inform local law enforcement and the state attorney general as soon as possible. Stolen finances or identities may be reported to the Internet Crime Complaint Center IC3.gov, and fraud should be reported to the Federal Trade Commission Onguardonline.gov.

For more information and a free cybersecurity guide for small business see the Idaho Attorney General website Cybersecurity.idaho.gov.

Next month: What the heck is ransomware?

• • •

Sholeh Patrick, J.D., is a columnist for the Hagadone News Network. Email: sholeh@cdapress.com