J.C. Watkins & Douglas Brent, Procurement Consultants, Kentucky APEX Accelerator
This article was originally published in our monthly Kentucky APEX Accelerator Newsletter. If you have any questions about this topic, your regional procurement consultant is here to help! Not a client? Sign up here.
Good cyber hygiene is essential for keeping small businesses safe from online threats. As cyberattacks like ransomware become more common and sophisticated, the old advice, such as avoiding online shopping over public Wi-Fi, is no longer enough to adequately protect your business. Cyber bandits are no longer solely focused on stealing your charge card details and are more likely to try to gain access to other companies’ systems via small firms.
In other words, if you think your business isn’t interesting enough to be a target of cyberattacks, you could be mistaken. Indeed, when Target Corporation experienced a major breach of its point-of purchase systems, the original attack was on an HVAC vendor to Target, whose weak cybersecurity controls, combined with remote access to Target stores, gave criminals a pathway. (Read the full article here.)
For federal government contractors, good cyber hygiene is not just a good idea—it is the law. At a minimum, vendors performing on federal contracts are required to provide “Basic Safeguarding” of their information systems that process contract information (FAR 52.204-21).
Because of these changes in the cybersecurity landscape and evolving legal requirements, small businesses need to focus on modern strategies to protect themselves and their clients. This involves adopting updated practices and creating a strong security culture from the top down.
The business owner or CEO of a company plays a key role in maintaining cyber hygiene. This individual needs to make cybersecurity an integral part of the company’s culture. This means talking about security in meetings, setting concrete goals for improving security practices and ensuring that the staff follows these guidelines consistently. For example, a business should monitor, control and protect its organizational communications. This could include making sure that employees are trained on spotting “phishing” emails as well as understanding the cyber risks of utilizing business social networking tools like LinkedIn. (Read more on this topic here.)
While the CEO of a not-so-very-small firm might hire a full-time Security Program Manager to handle the day-to-day aspects of the security program and keep everyone updated on progress and challenges, there are ways that even very small businesses can support the development of improved cyber hygiene. In a construction firm with two full-time staff and a part-time bookkeeper, for example, the business owner could assign basic cyber hygiene tasks as part of the bookkeeper’s responsibilities.
The Security Program Manager or equivalent role has a crucial job in making sure that all employees are trained in security best practices, such as using multifactor authentication (MFA) and avoiding phishing scams. MFA is a way of verifying your identity when you sign into online accounts using more than one factor. For example, a login process may require both a password and a code generated by an authentication app on a personal device. MFA can help protect your data, identity and money from hackers who have obtained your username and password. Think of the first “factor” as something you know (your password) and the authentication code as something you have (the device where the code appears).
Regardless of the company’s size, someone in the firm will need to create and update an Incident Response Plan (IRP), which details how the company will respond to security incidents. In other words, this document outlines what to do if the firm is found to have been cyber-compromised.
Lastly, someone in a very small firm will have to be responsible for implementing technical measures to protect the business. This includes ensuring that MFA is used by everyone, keeping software updated and regularly backing up important data. Additionally, someone may want to remove administrative privileges from user laptops to prevent malicious software from being installed. For federal contractors in particular, FAR 52.204-21 states that system access should be limited to “the types of transactions and functions that authorized users are permitted to execute.” By following these practices, small businesses can significantly improve their cyber hygiene and better defend against online threats.
For more details on the topic of cybersecurity for small businesses, you may want to visit this resource page published by the Cybersecurity & Infrastructure Security Agency (CISA): Cyber Guidance for Small Businesses | CISA
If you would like additional information or support related to this topic, the Kentucky APEX Accelerator team stands ready to assist. You can email us at kyapex@kstc.com or visit our website at www.kyapex.com to request support.