As a business owner, you know information is one of your most valuable assets. But when you're trying to put together a cybersecurity plan, figuring out exactly what resources you need to protect that asset can be a challenge.
“The problem with small business owners is that often they are stretched financially and cannot afford full-time personnel to take care of their digital systems,” says Jane LeClair, founder of the National Cybersecurity Institute at Excelsior College in Washington, D.C.
Fortunately, a full-time staffer isn't the only cybersecurity solution available to you. Here's a look at some of your options and what you need to know to choose the right plan for your business.
“For small businesses especially, it can be very overwhelming to look at this space,” says Michael Kaiser, executive director of the National Cyber Security Alliance. “We've been advocating a long time for small businesses to start with a really simplified approach.”
Identify your company's most important digital assets and focus on protecting them. Every computer should have security software, along with regularly installed patches (or updates) to improve programs and fix problems, Kaiser says. He also recommends using strong passwords and opting for multi-platform authentication — requiring more than a password to log on — for things like your email service. From that foundation, you can build up your cybersecurity system as needed.
You might need an extra layer of expertise if you have a large number of digital assets, or if your own knowledge of IT is limited. Even if you handle your data security in-house, Kaiser recommends engaging a consultant to evaluate your plan.
The most obvious case for a full-time, in-house cybersecurity solution is when digital information forms the core of your business.
“You've got users coming in and out, a lot of data that needs to be backed up,” Kaiser says. “You have internal operations, and you have all your servers onsite — you're not using the cloud. Staffing someone in IT security would be critical because you can't afford any downtime.”
LeClair points to several other variables to consider when deciding how much data security you need.
“Does the business use credit cards?” she asks. “Do they store information on customers or clients? Do they deal with sensitive information or products?” If your answer to any of those questions is “yes,” you should seriously consider having a person dedicated to securing your company's data. If you're not quite ready to bring someone on staff, you can look into hiring a consultant.
Vetting both consultants and potential staff members should go beyond looking at the string of acronyms behind their names.
“The most important part is going to be hiring someone who understands how to secure the kind of environment that you're working in,” Kaiser says.
LeClair agrees that experience should be your uppermost concern but says IT certifications can be valuable.
“There is some debate on credentials, but generally you might avoid someone that hasn't bothered to obtain credentials, such as Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional(CCSP), Systems Security Certified Practitioner (SSCP), Certified Cyber Forensics Professional (CCFP), Certified Ethical Hacker (CEH), or basics such as the CompTIA A+, Network+, and Security+,” she says. “Credentials alone do not guarantee expertise and knowledge, but they do speak to the professionalism of the individual who has sought to continually upgrade their knowledge and skills.”
Another key part of your solution: Beef up the cybersecurity savviness of your current employees.
“In the workplace we like to start by talking about creating a culture of cybersecurity,” Kaiser says. “That starts with a general awareness of the importance of protecting the company's data and protecting the networks that people use.”
Kaiser notes that there are many online cybersecurity training courses available, often at low cost. LeClair mentions two sources of free training, the SANS Institute and Cybrary. Her own Excelsior College, for example, is a regionally accredited institution that offers both cybersecurity certificates and degrees.
Protecting your business against cyberthreats doesn’t have to be overwhelming. Start with the simplest and most affordable tools available. And for more tips on managing cybersecurity risk, see this resource list from the U.S. Small Business Administration, and review our business-protection tips.
Disclaimer: Views expressed in this article and the third party links contained herein may not necessarily reflect those of Citizens Bank. Citizens Bank does not guarantee the accuracy of the information contained on the third party websites linked to in this article, nor do we endorse the products or services mentioned or provided on said third party websites. The information contained herein is for informational purposes only as a service to the public, and is not legal advice or a substitute for legal counsel, nor does it constitute advertising or a solicitation. You should do your own research and/or contact your own legal or tax advisor for assistance with questions you may have on the information contained herein.