A recent survey reveals a surprising number of small businesses are unprepared for cyber criminals. Almost eight in 10 small business owners (79 percent) do not have an incident response plan for responding to and limiting the effects of a data security event. This is problematic given the steady rate of increase for cyber attacks for small businesses.
Cyber attacks are on the rise in organizations of any size
Nationwide, a leading insurance provider for small businesses, polled 500 small business owners with fewer than 300 employees about cyber attack preparedness. Perhaps the most surprising finding was that 63 percent of small business owners admit to having been victim of some type of cyber attack.
Respondents without an incident response plan in place most often (46 percent) cited confidence in security software as the reason they do not have plans in place. At the same time, 73 percent are at least somewhat concerned that cyber attack could affect their business.
A study from The University of Alabama at Birmingham Collat School of Business reports similar findings for SMBs, with 61 percent admitting to being a victim of a cyber attacks. For large enterprises, they are even more common. Perhaps the most shocking finding by the UAB study is that 82 percent of large companies reported a breach by their own staff.
Infographic by University of Alabama at Birmingham Online
What can you do about it?
While it is essential to defend the digital perimeter of your company with detection software and network hardware like firewalls and UTMs, organizations should assume that cyber attacks will occur anytime and any place. The only hope to mitigate the risk is to develop a plan for after the attack.
What exactly is an incident response plan?
An incident response plan is a written set of instructions for detecting when sensitive company data has been compromised, and how to respond with the goal of minimizing damages resulting from the incident.
For many companies, the incident response plan assigns specific duties to company personnel in the event of a cyber attack. These may include changing passwords, required notifications to regulatory agencies, handling media inquiries, and providing instructions to employees, among other items.
How to implement an incident response plan
Every company is unique with the tools and personnel they deploy to handle data security, so there is not one formulaic way to craft an incident response plan. There are plenty of guidelines and resources designed for small businesses to assess and meet their data security needs as they pertain to an incident response plan.
Federal and state governments have published several incident response plan resources directed at small business owners.
- US Chamber of Commerce: Internet Security Essentials for Small Business
- FDIC Incident Response Program Supervisory Insights
- FCC Small Biz Cyber Planner 2.0
Security software providers and others in the private sector have resources to assist SMBs as well. Here are some particularly useful and current examples.
- AVG: Small Business IT Security Health Check
- Microsoft: Use Windows Server 2012 to create a security incident response plan
- HBR.org: 10 Steps to Planning an Effective Cyber Incident Response
Safeguarding against cyber attacks
It goes without saying that preventing data incidents should be the first step in an overall data security strategy. This starts with protecting your business network with a firewall or Unified Threat Management Device. For endpoint protection, many experts advise taking a layered approach with security software. Staff using the company network should receive anti-phishing training so they can detect and thwart attempts to gain unauthorized access to company data. Vigilant users are the best antimalware tool a company can have. Business leaders that double as IT should stay current with the basics of data security and not perpetuate IT security myths that may leave company data exposed.
- Infographic: The Cyber Threat Intelligence Perception Gap
- Infographic: Website Security: Use Your Entire Network for Protection
SMBs: What factors do you consider and which ones do you not worry about in your incident response plan?