Cyberthreats are a clear and present danger for every business. As sudden as a heart attack, a cyberattack can compromise your computers or hijack your wire transfers — leading to rapid loss of cash, data, records, leadership credibility, employees and customer trust.
Small and midsize companies are particularly vulnerable to cyberattacks. Hackers consider them soft targets because they tend to hold valuable data but lack sufficient security measures to thwart a cyberattack. In fact, a recent study conducted by my company Vistage revealed that nearly two-thirds (62 percent) of CEOs do not currently have an active cybersecurity strategy in place. More than one-quarter (27 percent) have no plan at all.
If your company is one of those, take measures to beef up your cybersecurity right now. I interviewed three cybersecurity experts on how to get started; this checklist can help you do just that.
1. Assess your cybersecurity.
To gauge the strength of your cybersecurity, use a reputable tool — such as the Cybersecurity Framework offered by the National Institute of Standards and Technology — to perform an assessment. As part of this process, gather your senior leadership team, investors and board of directors to perform an informal audit. Review, value and prioritize your assets and decide what cybersecurity measures you want to manage internally versus outsource.
2. Bring awareness to employees.
Train employees to abide by basic security principles. This includes enforcing the use of strong passwords, maintaining appropriate internet use and handling customer information and data with care. It’s a good idea to invest in a stock test package or use phishing simulations to teach people how to spot common signs of an attack.
3. Implement robust policies, processes and procedures.
At the very least, have an acceptable use policy. Limit employee access to sensitive data and information, tailoring access according to each person’s role and responsibilities. Put someone in charge of checking firewall logs, antivirus logs and anti-malware logs on a routine basis. Create simulations for cybersecurity attacks and figure out your game plan, including who you’d call in an emergency.
4. Make smart technology choices.
Don’t rely solely on antivirus software to keep you safe; most companies require something more robust. Consider what you truly need from the full range of security options, including antivirus software, endpoint security systems, firewalls, data back-up solutions, encryption software, two-step authentication and password-security systems.
Get application controls so that your company’s computers only run a preapproved set of business-essential programs. Finally, uninstall the free, lite and trial versions of programs on your company’s computers, which can serve as toeholds for hackers.
5. Call on experts.
Even if you have IT resources, you should meet with a cybersecurity expert on a biannual basis, much like you would a financial planner. If you don’t have an IT resource, consider using a fractional model (i.e., a contract or third-party service provider) to engage IT experts when you need them. Finally, conduct an external review of IT to ensure that your company’s data and network are secure and current.