What types of cyber threats should I be worried about?
Some businesses have unique threat profiles; however, almost all should be concerned with the most pervasive threats, such as phishing, credential compromise (stolen or reused passwords), attacks on web applications, and malware. Don’t fall into the common trap of thinking that because you’ve installed antivirus and have “moved to the cloud” you’re done with security. Antivirus does nothing against a phished password, and a cloud provider secures its infrastructure, not your accounts, configurations, or data. It’s a lot more complicated than that!
I already have an internal or external IT/Security team, how do I know what they are doing is effective?
Great! If you have an internal dedicated IT and/or security team, then you are a rare find among small and even many mid-sized businesses. Many opt to use external IT providers to handle their technology needs, which is also a good choice for many businesses. Even though these teams may be “doing security,” you have no independent way to know how effective they have been or whether they are following industry best practices: the team that built the controls is rarely the best judge of where they fall short. Get another set of eyes on things for peace of mind.
What types of cyber defense tools should I be investing in? Is what I’m currently using effective?
The short answer is: the best you’re able to afford. This is something that a trusted advisor like myself can help you determine, given the very large number of choices available to you. What you are using now might be just fine, or it may need to be replaced with something more effective. Often the tools themselves are adequate, and what actually needs to change is the processes around them, how they are configured, or the hardening of the systems they protect. A well-chosen tool that is misconfigured or ignored is no better than no tool at all.
I’m worried about ransomware, how do I ensure my business is prepared for this threat?
Unfortunately, the short answer is that you should be worried. The good news here is that ransomware is the smoke, not the fire. Nearly every modern ransomware attack that you hear about in the news was preventable, because the ransomware itself arrives late in the attack. It gets in through the same handful of doors every time: a phished or reused password, an exposed remote-access service such as RDP or a VPN without multi-factor authentication, an unpatched internet-facing system, or a malicious email attachment. If you treat the fire of how ransomware is initially delivered, then you won’t have to worry about the smoke at all, and tested, offline backups mean that even a successful attack is a recovery exercise rather than a ransom negotiation. I can help you ensure that you have the correct preventative tools, processes, and technology to be prepared for this threat.
How do I tackle cybersecurity compliance issues?
For highly regulated industries such as healthcare and finance (to name only a few), compliance is a big deal. Many small and mid-sized businesses find that they receive pressure from existing or prospective clients, government regulatory bodies, or industry standards organizations to become compliant with whatever their cybersecurity expectations are. The good news here is that most clients I work with do not need to go down the full certification route, and are perfectly fine with a due diligence approach to satisfy compliance issues. I can help with a wide variety of compliance, regulatory, and standards issues that will alleviate the outside pressure you’re feeling.
How much should I spend on cybersecurity?
The answer to this question is highly specific to the organization and to the data or intellectual property you’re protecting. A manufacturing company will probably not need to spend nearly as much as an engineering firm with highly valuable proprietary research to protect. There are too many variables to give a generic answer. What I can tell you is the general rule: don’t spend more to protect something than it would cost you to lose it. That means starting by working out what you actually have, what it is worth to you, and what it would cost you (in downtime, recovery, lost clients, and regulatory consequences) if it were stolen or destroyed, and sizing the security budget from there.
Why would my business be targeted?
Attackers consider small to mid-sized businesses “soft targets.” This is because, for the most part, small to mid-sized businesses do not spend the time and effort to ensure they have an operating information security program. There is usually less budget for security, less staff available for security tasks, and cybersecurity is usually an afterthought until something bad happens. This makes your business an attractive and easy target for cyber attackers. If you’re on my site, then I hope you’re seriously considering not waiting until something bad happens!
How do I protect the business if I don’t have dedicated cybersecurity staff?
For most businesses it’s about ensuring you have a good security foundation, solid processes, effective technology, and are prepared to deal with security incidents when they do occur.
Every business, excluding the rare exceptions, should have policies in place that account for unforeseen security incidents, disasters, and business continuity concerns. You want to have this memorialized in a policy and/or plan because at the time when something bad happens, you will be thankful you have something to refer to. Not to mention, most of your important clients will want you to have this in place before doing business with you. Last, it’s the old adage of, “If it’s not written down it didn’t/doesn’t happen.”