Cyberattacks can hit businesses of any size, causing catastrophic damage to a business’s finances and to the integrity of its information security. Hundreds of breaches occurred at large corporations during 2011, affecting over thirty million sensitive or confidential records. Hackers went after Sony, NASDAQ, and other giant businesses, but small companies are also vulnerable to attack. According to a report in the Business Journals, as many as eighty-five percent of small business owners do not see cyberattacks, which may include hackers or malicious software, as a serious threat. Heightened security at these big companies, though, could lead hackers and other cyber criminals to focus their attacks on smaller businesses that may not be as well prepared.
Guarding against cybercrime is simply good business for small companies. A hacker targeting a small business can cripple the business or even force it to shut down with a very simple series of hacks or viruses. If a cyber criminal targets a small business’s banking system, the criminal could empty its cash reserves and leave it unable to operate. A hacker who compromises a business’s confidential client data could expose the business to enough liability to put it out of business.
The “Common Sense Guide to Cyber Security,” published by a coalition of government agencies and organizations, including the Federal Emergency Management Agency and the U.S. Chamber of Commerce, offers a set of security practices small businesses can use to protect themselves from cyberattack. After an initial set-up period, most practices involve simple daily maintenance and monitoring.
Risk Management Planning. Businesses should carefully assess the risks and weaknesses in their computing systems to see where protection is most needed. They should prepare contingency plans in case a breach or loss occurs, including how to continue business operations with alternate computing systems or at an alternate location.
Access Control and Accountability. A business’s network security plan should include access controls that limit who may access critical systems and information. A single department or officer should have responsibility for information security and for approving new hardware and software, thus ensuring accountability for decisions and errors. At the same time, a business should educate all employees and officers as a means of creating a “culture of security.” All employees should sign an agreement committing to the company’s cybersecurity policies.
Firewalls and Other Security Measures. Firewalls can protect businesses from many common attacks, particularly from viruses and malware. Companies should also encourage the use of complex passwords that combine upper- and lowercase letters, numbers, and other symbols; that avoid common words and phrases; and that are changed at least every three months.
Data Backup, Removal, and Destruction. Businesses should routinely back up their critical data, ideally to a remote location with encryption. They should carefully consider the benefits and risks of backing up to an external hard drive versus a cloud-based backup service. They should also carefully monitor the removal of old and unneeded former client and employee data, ensuring that any old hardware has no trace of sensitive data. This often involves the physical destruction of storage media.
The California Internet security lawyers at the Law Offices of Salar Atrizadeh guide businesses and individuals through the regulatory and transactional pitfalls of the Internet, using legal knowledge and technological skill to create innovative solutions for our clients. Contact us today online or at (310) 694-3034 to set up a confidential consultation.
Commonsense Guide to Cyber Security for Small Businesses (PDF), U.S. Chamber of Commerce and the Internet Security Alliance, September 2004