As our lives have become increasingly dependent on technology, virtually all personal and business data is kept on internet-connected platforms, which can become a gold mine for bad actors. 94% of organizations have experienced insider data breaches—whether by human error or malicious intent—in the last year (Businesswire).1
Although media coverage of cyber attacks focuses on enterprise organizations, small- and medium-size businesses also face significant risk. In fact, most SMBs exist without an adequate cyber risk management strategy—if they have one at all.
At Trava, we hear many reasons why:
“Our virus protection should be sufficient.”
“SaaS vendors’ protection should be adequate.”
“The IT team (or sole IT person) will get to it…eventually.”
“Cyber security is just too complicated.”
But it’s simpler than you might think. This four-part series delineates the essential components of a cyber risk management program, from assessment through mitigation and maintenance. It also provides useful tools and offers step-by-step guidance to choosing and implementing the right cyber risk management program.
The following 10 questions are a great place to start. Not sure of an answer? Then there’s no better time to connect with colleagues to learn more about where your company stands when it comes to protecting from cyber risk.
1. Do we have a formal cybersecurity program in place?
If not, it is an imperative first step. For SaaS companies, this infographic is a great place to start: Top 10 Things Every SaaS Company Should Do to Protect Their Data (Download the infographic.)
2. Is our team ready for a cyber attack?
If not everyone in your company has been trained to follow smart, strategic protocols, this will be your biggest weakness, since most cyber attacks occur due to mistakes made by people, not technology.1
3. How is organizational data currently safeguarded?
Determine which, if any, protective measures are in place when data is stored or in transit, and if current safeguards are strong or robust enough. (Not sure how to gauge their strength? Consult a cyber security firm like Trava for guidance.)
4. What credentials and authentication protocols are in place?
And how often are we auditing them? Assess who has privileged accounts—those that can give or remove permissions—and update protocols for deactivating access credentials of former employees.
5. Have we had enterprise customers ask us to fill out a security questionnaire?
Did we know what to do? Did we lose the client as a result? More and more, enterprise customers are requiring companies they do business with to prove compliance with data security protocols.
Read a case study on how Encamp landed their first enterprise customer with Trava’s integrated risk management solution.
6. What would a hacker do?
Try to get into the mind of a threat actor and ascertain what areas of your company they’d most likely target and what information they’d seek. Strive to find all weaknesses and then put in protective cybersecurity measures
7. How is due diligence performed when it comes to third parties (e.g. vendors, contractors, etc.)?
Do third parties have strong protective protocols in place or could they put your data at risk? Many significant data breaches have been traced back to third parties. And one reason cyber criminals attack small businesses is to get access to their vendors’ data.
8. Has our company been compromised in the past by threat actors?
If so, what has been done to prevent this type of incident from happening again? Do these protective measures still work?
9. Is our staff prepared to oversee a holistic cyber risk management plan?
If not—you’re not alone. Time, money, and lack of expertise are factors that lead SMBs to neglect cyber security, even when they know they shouldn’t. Increasingly, businesses are turning to companies like Trava, which offers risk assessments, mitigation support, and a virtual chief internet security officer (vCISO).
Download Trava’s complete guide to vCISO services to learn more.
10. Can our company benefit from obtaining cyber insurance?
Coverage can help if a business experiences disruption, loss of revenue, damage to equipment, public relations/marketing expenses, legal fees, and other costs associated with recovery after a cybersecurity event.
These questions are critical—and they may be daunting. Fortunately, you’re not alone, and you don’t have to design your cyber risk management program yourself.
Start your journey to comprehensive cyber risk management today.
Sources:
1 94% Of Organizations Have Suffered Insider Data Breaches, Egress Research Reveals, Businesswire, a Berkshire Hathaway company, July 13, 2021, retrieved Dec. 20, 2021