Running a business takes dedication—from day-to-day tasks and managing your employees to managing finances, a business owner wears many hats. When considering all the responsibilities at hand, cybersecurity may not be at the forefront of your mind. However, it’s a critical component that needs to be considered. You need to protect your employees’ and customers’ personal and financial information—and protect your business’s hard-earned cash. Below are ten common cybersecurity misconceptions that you need to be aware of, as well as the actions you can take to safeguard your business.
1. My data isn’t valuable
Organizations of all sizes maintain (or have access to) valuable data worth protecting. Such data may include, but is not limited to, employment records, tax information, confidential correspondence, point-of-sale transaction records, and business contracts. Assume that all of it has value to an attacker, whether for resale, fraud, or extortion. Assess the data you create, collect, store, access, and transmit. Then, classify that data by its level of sensitivity so you can take appropriate steps to protect it.
2. Cybersecurity is a technology issue
Organizations cannot rely on technology alone to secure their data. Cybersecurity is best approached with a mix of employee training, clear and accepted policies and procedures, and implementation of up-to-date technologies such as antivirus and anti-malware software. Securing an organization is the responsibility of the entire workforce, not just the IT staff. Educate every employee (in every function and at all levels of the organization) on their responsibility to help protect information. The National Institute of Standards and Technology (NIST) offers a guide with more information on creating, developing, and implementing an employee awareness training program.
3. Cybersecurity requires a large financial investment
A robust cybersecurity strategy does require a financial commitment if you are serious about protecting your organization. However, there are many steps you can take that require little or no financial investment.
Create and institute cybersecurity policies and procedures, grant administrative and access privileges only to the people who need them for their role, enable multi-factor or two-factor authentication, train employees to spot malicious emails, and create backup manual procedures to keep critical business processes in operation during a cyber incident. Such procedures may include a way to process payments if a third-party vendor or website is not operational. The “Quick Wins” sheet created by the National Cybersecurity Alliance is an excellent starting point for steps you can begin implementing.
4. Outsourcing work to a vendor will wash your hands of security liability in the case of a cyber incident
It makes complete sense to outsource some of your work to others, but it does not mean you relinquish responsibility for protecting the data a vendor can access. The data is yours, and you have a legal (and ethical) responsibility to keep it safe and secure.
Ensure you have thorough agreements in place with all vendors, including how company data is handled, who owns the data and has access to it, how long the data is retained, how and how quickly the vendor must notify you of a security incident affecting your data, and what happens to data once a contract is terminated. You should also have a lawyer review any vendor agreements.
5. Cyber breaches are covered by general liability insurance
Many standard business liability insurance policies do not cover cyber incidents or data breaches. Speak with your insurance representative to understand if you have any existing cybersecurity insurance and what type of policy would best fit your company’s needs. The Federal Trade Commission’s (FTC) Small Business Center has more information on how to handle this.
6. Cyberattacks always come from external actors
Simply put, cyberattacks do not always come from external actors. Some cybersecurity incidents are caused accidentally by an employee—such as when they copy and paste sensitive information into an email and send it to the wrong recipient. Other times, a disgruntled (or former) employee might take revenge by launching an attack on the organization.
When considering your threat landscape, it is crucial not to overlook potential cybersecurity incidents that can come from within the organization, and to develop strategies to minimize those threats. The Cybersecurity and Infrastructure Security Agency (CISA) offers free resources to help you mitigate the risk of a cyberattack.
7. Young people are better at cybersecurity than others
The youngest person in the organization often becomes the default IT person. However, age does not correlate with better cybersecurity practices. Before giving someone the responsibility to manage your social media, website, network, etc., educate them on your acceptable-use expectations and on cybersecurity best practices.
8. Compliance with industry standards is enough for a security program
Complying with the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), for example, is a critical component of securing sensitive information, but simply complying with these standards does not equate to a strong cybersecurity strategy for an organization. A standard sets a minimum set of controls, typically checked at a point in time, while attackers and your own systems keep changing. Use a robust framework, such as the NIST Cybersecurity Framework, to manage cybersecurity-related risk on an ongoing basis.
9. Digital and physical security are separate
Many people narrowly associate cybersecurity with only software and code. However, do not discount physical security when protecting your sensitive assets.
Assess your office’s layout and how easy it is to gain unauthorized, physical access to sensitive information and assets (e.g., servers, computers, paper records). Once your assessment is complete, implement strategies and policies to prevent unauthorized physical access. Policies may include controlling who can access certain areas of the office and appropriately securing laptops and phones while traveling. Here are some steps you can take to protect the information in paper files and hard drives, laptops, point-of-sale devices, and more.
10. New software and devices are automatically secure when I buy them
Just because something is new does not mean it is secure; devices can sit on a shelf for months after manufacture and ship with outdated software and well-known default credentials. The moment you purchase new technology, secure the device: install all available updates, turn on automatic updates where offered, and disable any features or services you do not need. Immediately change the manufacturer’s default password to a secure passphrase. When creating a new passphrase, use a lengthy phrase that is unique to that account or device. Did you sign up for a new online account? Be sure to configure your privacy and security settings, including multi-factor authentication where available, before using the service.
Dispelling the above cybersecurity misconceptions is essential to securing your business’s personal and financial information. Over the next few months, we’ll share greater insight and tips on other ways to protect your business.