BreachExchange mailing list archives

How small tech firms can reduce cyber risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Apr 2014 18:56:31 -0600

http://www.computerweekly.com/news/2240218873/How-small-tech-firms-can-reduce-cyber-risk

Small to medium-sized technology firms are just as susceptible to cyber
risk as other similar-sized firms, according to international insurance
firm Travelers.

Although awareness of cyber risk issues may be higher in large firms,
resources to respond are likely to be just as limited, according to Mike
DeHetre, vice-president of product development for select accounts at
Travelers.

“Their focus is on customer service and the myriad other things a small to
medium-sized enterprise (SME) owner has to do to stay successful,” he told
Computer Weekly.

“There is also often a false sense of security because they are small and
believe they are unlikely to be targeted by cyber attacks,” said DeHetre.

But attackers are not only focused on large companies, and the fact that
small tech firms often keep large amounts of sensitive data on customer IT
operations makes them more likely to be attacked, he said.

If small tech firms work for larger entities, they are even more likely to
be targeted as potential routes into those larger organisations through
connected IT systems.

According to DeHetre, there are five things small to medium-sized tech
firms can do to reduce their cyber risks.

1. Train employees to protect sensitive information

Even though time and resources are limited, all employees should learn the
importance of protecting the information they regularly handle to help
reduce exposure to the business.

This includes everything from locking up customer records to keeping
passwords strong and confidential. Employees should also be taught how to
handle a breach if one occurs.

“Like any safety training, it cannot be a one-off event; it has to be
ongoing to reinforce on a regular basis the things employees should be
doing and thinking about to ensure data is protected,” said DeHetre.

“It is about things like how you manage physical access to your laptop,
connecting to public Wi-Fi networks and updating passwords regularly,” he
said.

DeHetre said security training requires the business owner to recognise
that it is as important as customer service and ensure that time is managed
accordingly.

2. Ensure basic security protections and security updates

This means implementing appropriate firewall and antivirus technology and
ensuring that security software patches are updated in a timely fashion.

Small businesses should then evaluate the security settings on software,
browser and email programs, and select the system options that will meet
the business needs without increasing risk.

Regularly maintaining security protections on operating systems is vital to
them being effective over time.

“Again this requires business owners to put procedures in place that enable
employees to do the right thing and follow good practices,” said DeHetre.

3. Monitor use of mobile devices and public Wi-Fi access for employees

Establish usage standards and be sure they are clearly communicated. For
example, to avoid security breaches, employees should be instructed to use
public Wi-Fi only in very limited circumstances.

Hackers can easily intercept public Wi-Fi, so it is imperative that
employees cautiously use the internet and transmit information.

“There need to be processes in place to manage public Wi-Fi access, and if
employees are using their own devices, there needs to be a control
mechanism around that,” said DeHetre.

4. Have a plan in place to manage a data breach

If a breach occurs, there should be a clear plan that sets out who is to
manage the situation and what action should be taken, such as informing the
insurance provider.

“SMEs need to plan for data breaches in the same way that they plan for
natural disasters such as hurricanes, floods and fires,” said DeHetre.

This includes having data backup and recovery services in place to get the
business up and running as quickly as possible after a data breach, and a
plan to communicate with stakeholders and media.

“It all comes down to good business discipline and taking time to focus on
being a good business owner as well as a supplier of technology goods and
services, and putting controls in place,” he said.

DeHetre said that while failure to put such controls in place can be found at
both ends of the spectrum, some small companies are “absolute standard
bearers” on risk management concepts, proving it can be done.

“Then there are large companies that pay it no attention, but that is just
gambling and hoping that the worst will not happen – and ‘hope’ is not a
strategy,” he said.

5. Incorporate errors and omissions cover

This is a risk that technology companies need to be thinking about in
addition to data breaches as part of their whole risk management strategy,
said DeHetre.

“Tech companies typically have a greater errors and omissions exposure than
other companies because their business is providing services to their
clients,” he said.

“They are doing things like maintaining network systems that impact the
function of the business of their client companies. As a result, if they
make an error or omission in providing the service, they could cause a loss
to the client company, for which they might be liable to provide
restitution.

“Errors and omissions insurance cover helps to address that and reduce the
risk of unexpected financial liability that could easily bankrupt a small
or medium-sized business,” said DeHetre.

This is particularly important for small companies that are suppliers to
bigger companies which will typically have contractual requirements around
data security.

While small companies rarely have subcontractors they have to worry about,
they do need to think about whether they have key clients that represent a
significant portion of their revenue, said DeHetre.

“They need to think about how that impacts the decisions they make, such as
how they put together their insurance coverage or the way they do disaster
planning,” he said.

Cyber risk is only one of several risks small and medium-sized technology
businesses can take steps to reduce, according to Travelers.

Other manageable risks include risks to data through property damage,
employee accident compensation claims and international travel risks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
