As multinational enterprises put more resources into security and breach prevention, criminals are increasingly diverting their activity towards smaller businesses as softer targets. So it's vital to understand and manage cyber risks before your business is compromised and your security is held to account by banks, insurers or investors.
As a business owner, you may not be aware of what happens to the information your employees, customers and suppliers have access to. You may not even be able to state with confidence where your most important data is held – whether that's onsite on desktops and servers, in the cloud, on mobile devices… or the dreaded USB sticks. So where do you start?
Identifying cyber security risks
Step #1: Identify and document asset vulnerabilities
Your first step should be a risk assessment to understand what makes your business attractive to cyber criminals (customer data is likely to be your biggest commodity at risk) and where your main vulnerabilities lie.
Start with some basic questions, such as 'what information do we collect?', 'how do we store it?', and 'who has access to it?' You should then examine how you currently protect your data, and how you secure your computers, network, email and other tools.
For example, consider whether you have a formal written policy for social media usage on any device (including employees' personal ones) that connects to your company network. Do you provide internet safety training for your workforce? Do you wipe all old machines of data before disposal? Do you require multi-factor authentication (more than one way of confirming a user's claimed identity) to access your network?