Small Business Saturday means it’s time for an annual cyber refresh

5 steps that SMBs should take to review and refresh their security policies and procedures.

As we approach Small Business Saturday, it’s a good time of year for small and mid-sized businesses to refresh their thinking around data security and incident response planning. In the same way that we are taught to change the batteries in our smoke detectors twice a year at Daylight Saving Time, Small Business Saturday should trigger an instinctive “cyber refresh” for SMBs everywhere.

If the idea of an annual review isn’t exactly motivating, consider this. According to the 2018 Verizon DBIR, 58% of breach victims were categorized as small businesses. Further, the Ponemon 2017 State of Cybersecurity in Small and Medium-Sized Businesses report found that cyberattacks cost small and medium-sized businesses an average of $2,235,000. When you’re small, the cost of a cyber event – both in real dollars and in broken trust with your customers – can be devastating.

By ensuring your cybersecurity program and incident response plan are updated annually, you can reduce the odds that any single event brings your operations to a halt. (It should go without saying that if you don’t already have a good cybersecurity program, this is the perfect time of year to catch up!)

Here are the five steps that SMBs should take right now for an effective cyber refresh.

1. Re-evaluate your risk

For an SMB, the key to spending limited security resources effectively is a solid understanding of your risk profile. What are you trying to protect, and where are you most vulnerable? This review should go beyond simply identifying which server stores customer credit card information. It should cover the obvious data that need protecting – intellectual property, personnel information, financial data, etc. – and it should also look at the exposures that are specific to small and mid-sized businesses. SMBs are attractive targets for attackers whose real goal is your larger customers and partners, because a compromised supplier is often the easiest way in. In these situations, being the backdoor entry point can greatly damage your reputation as a trusted partner and greatly increase the long-term cost of an incident. Staying on top of your risk profile with a refreshed risk assessment should be a key part of your annual refresh.

2. Review your security policies and procedures

Once you have an updated risk profile, the policies and procedures that govern everything from access controls to acceptable use – and the consequences for violations – should be thoroughly reviewed and any necessary updates made. Alongside the updated risk profile, a quick look back over the previous year can tell you whether major changes are needed or whether the current controls still fit. Have you added a new product or service; entered a new market or region; undertaken any transactions that altered the operational structure of your organization? If any of these, or any other change indicators, apply to your organization, then you need to take a deeper dive into re-evaluating the effectiveness of your current cybersecurity policies and procedures.

3. Refresh your incident response plan

An annual cyber refresh is also a good time to ask yourself whether your incident response plan still covers the needs of your organization. Pull it off the shelf and check: did you take a whole-of-business approach, or did you focus exclusively on network and IT security? The Achilles’ heel of too many SMBs is forgetting to plan for communications – with customers, partners, regulators and staff – and downplaying the operational impact while developing the IR plan. During an actual incident, these oversights can have significant consequences, especially for SMBs, where trust and reputation are critical to maintaining a strong customer base and there are fewer resources available to help you weather the storm. If your current plan makes these mistakes, this is a good time to resolve those shortcomings.

4. Schedule an incident response training

Every incident response plan should be thoroughly practiced and understood by everyone with a role in its execution. The most effective incident responses are those where the muscle memory of repeated training enables smart, objective decision making, rather than the “just wing it” execution of a team that doesn’t have a good grasp of the situation. Training exercises, war games and/or tabletop simulations don’t have to be all-consuming, but at least once a year you should put your team through the wringer to make sure the plan works as written – and to find the gaps before a real attacker does.

5. Brush up on basic hygiene

When is the last time your company updated its anti-virus software? Are you one of the 19% of SMB employees who share their password with a coworker? The basic steps of cyber hygiene are not complicated, but in the fast-paced world of most SMBs they often end up at the bottom of the priority list. Take this opportunity to tighten up basic security practices across your organization. Simple steps – enabling multi-factor authentication, ending password sharing, requiring that passwords be changed whenever compromise is suspected (current NIST SP 800-63B guidance advises against forced periodic rotation on its own), and keeping anti-virus and operating-system patches current – can prevent big problems down the road.

You would never let your family sleep in a house without functioning smoke detectors, so you change the batteries twice a year along with your clocks. Your business deserves no less. This year for Small Business Saturday, give your company an added bonus for the holidays. An effective cyber refresh is a great way to start the new year on solid ground.

This article is published as part of the IDG Contributor Network.