Protect Against Cyber Attacks: A New Guide to Help Small Businesses

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are beginning to target smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals. It provides a simple and actionable framework to help minimize security risks.

The NIST guide is divided into five basic categories (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  2. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack to identify any system vulnerabilities.

  3. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  4. Detect

While some security events are easily detectable, many are not. Businesses should consider implementing anti-virus software that is designed to detect intrusions. Additionally, it may be worthwhile to use a program that keeps a log of daily activity that occurs on the network. These logs may show trends that indicate an intrusion has occurred. An outside consultant can be a valuable tool in interpreting these trends as there may be a more serious problem that is not readily apparent.

  5. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. The plan should name the person responsible for carrying it out, include the contact information of all internal personnel who should be notified, and give directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  6. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. If possible, restore backed-up data, or implement a backup procedure for business data if one is not already in place. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.


Authors

Matthew J. Siegel
Matthew J. Siegel works in the Global Insurance Department, focusing his practice in the areas of insurance coverage, cyber and technology risks, electronic discovery, construction litigation, and commercial litigation. He also co-chairs the firm’s Privacy, Data and Cybersecurity Industry Team and is a…

Email: msiegel@cozen.com
Phone: (215) 665-3703
Philadelphia

Taylor P. Widawski
Taylor is an associate in the firm’s Seattle office. Taylor’s practice focuses on litigation with an emphasis on technology and privacy related matters. Taylor has experience defending against consumer class actions as well as litigation involving software licenses and general business disputes. She…

Email: twidawski@cozen.com
Phone: (206) 224-1285
Seattle

Cozen O'Connor
http://cozen.com