How to Create an Employee Cybersecurity Training Program on a Budget


Every year over at USA Today, I write a “Top Trends in Small Business” column that looks at the most important developments that I see coming down the pike for small business.

Mostly my predictions are hits as I am often briefed by large tech companies as to what they have in the pipeline. But I have had my share of misses too,

  • No, Facebook is not going to ensure your privacy is protected,
  • No, big data isn’t going to change the “very nature of how you will do business,” and
  • No, robots are not coming for your job.

But one trend and prediction that is more prescient than ever, and one I have made year after year (because the threat keeps getting worse), and the one I never miss on, is that yes, you likely will get hacked, and yes, small businesses are especially vulnerable to cybercrime, and yes, you better do something about it.


The statistics are startling: almost half of all cybercrime is now directed at small businesses, yet 75% of all businesses do not have a response plan. Many small businesses never re-open after a cybercrime attack.

Yet, all of that said, there is one piece of good news:

95% of all cybersecurity breaches are due to human error.

Good news? Yep, you bet. Because if humans are causing the problem, we can also fix it. Employees can be taught how to identify and avoid cybercrime.

Here then are the steps to take to create an affordable employee security training program:

1. Get buy-in.

The people who work for small businesses are typically very busy. Aside from their own responsibilities, they usually have plenty of other hats to wear, filling in here, helping out there, etc.

One of the things they do not think about, and really have little time or bandwidth for, are tech issues generally, and cybercrime risks specifically. Typical answers are,

  • “It’s not my problem”
  • “Won’t happen here”
  • “I don’t know what to do”

So it is vital to call a company-wide meeting and scare the bejeebers out of them. There is no way to get your team to take the risk of cybercrime seriously if they don’t know how serious the risk is. Share the fact that, by some accounts, more than half of all businesses that are seriously hacked go out of business. Explain what ransomware is. Let them know that cybercrime puts their own livelihood at risk. Share corporate horror stories.

2. Bring in the pros:

It is probably not enough for the small business owner or IT person to share the potential risks. Bringing in an outside expert, or even a cybercrime victim, will show the importance of the danger and how seriously you are taking it. Make sure that your team really gets that you are a target.

Explain that because of social media, it is easy for a criminal to find out a lot of very personal information about you, your team, and the business. The bad guys use this info to create trust. For example, a staff member could get an email from someone with a link and it says, “Our mutual customer Bill Bellamy says you love the Beatles too. I thought you might like to see this rare footage!” Your employee clicks the link, and bam, malware gets on your system.

Once your team understands how phishing (for one) works, they will begin to take prevention more seriously.
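The pretext above works because the employee never checks where the link actually goes. A useful hands-on demonstration for the training session is to show the tell-tale signs a person is taught to look for: the visible link text says one site while the real destination is another, the reply-to address belongs to a different domain than the sender, and the destination is not one of the sites the business actually uses. The following script is an added example written for this article, not code from the original page; the sample message, the domain names in it, and the `TRUSTED_HOSTS` allowlist are all constructed for illustration.

```python
"""Spot the tell-tale signs of a pretext phishing email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the handful of web sites this business legitimately links to.
TRUSTED_HOSTS = {"www.youtube.com", "smallbiz.example"}

# Constructed sample: the "mutual customer" pretext from the text. The link text
# looks like a YouTube URL, but the href sends the victim somewhere else entirely.
SAMPLE_EMAIL = """\
From: "Dana" <dana@partner-supply.example>
Reply-To: dana.files@mail-drop.example
To: staff@smallbiz.example
Subject: rare Beatles footage
Content-Type: text/html

<p>Our mutual customer Bill Bellamy says you love the Beatles too.
I thought you might like to see this rare footage!</p>
<a href="http://smallbiz-docs.example/login.php">https://www.youtube.com/watch?v=abc</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL (or a bare 'www.' style string), '' if none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw_email):
    """Return human-readable warnings for one RFC 822 message (empty list = nothing odd)."""
    msg = message_from_string(raw_email)
    warnings = []

    # 1. Does the reply go back to the same domain the mail claims to come from?
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_dom != from_dom:
        warnings.append(f"reply-to domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 2. For each link: does the text shown match the real target, and is the target approved?
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real = _host(href)
        shown = _host(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and shown != real:
            warnings.append(f"link text shows {shown!r} but points to {real!r}")
        if real and real not in TRUSTED_HOSTS:
            warnings.append(f"link target {real!r} is not an approved site")
    return warnings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Running it prints three warnings for the sample: the reply-to domain does not match the sender, the link text shows `www.youtube.com` while the href points at `smallbiz-docs.example`, and that target is not on the approved list. Each of those is something an employee can check by hand by hovering over the link and reading the headers, which is the point of the demonstration.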

3. Present your plan and policy:

Your data protection plan should have several components:

  • You need to back up your data remotely and regularly, using a system like CrashPlan.
  • You need to create and go over your policies regarding proper use of email, and regarding downloading and updating software only from your list of approved sites and vendors.
  • Your plan and policy for how personal phones, tablets, and other devices are to be used.
  • And what cybersecurity software you use or will be using.

That last point needs underscoring and special attention. Because one of the most effective things you can do to prevent cybercrime is to have a robust, cloud-based cybersecurity system that is updated continuously, you need to choose a good one and then train your team on how it works and how it should be used. This is a training session in and of itself.

4. Make cybersecurity part of your company culture:

The above training should be part of the training every new hire receives, and it should also be part of your ongoing trainings. Cybersecurity should be emphasized in meetings that have nothing to do with cyber, and you should also make this knowledge/training/value system a section in whatever policy manual your team receives.

Bringing us to,

5. Put it in writing:

Verbal training that includes experts, video, hands-on demonstrations, and so on is important, but to both reinforce it and to make sure everyone gets it, create a written cybersecurity manual. This manual should include the proper way to do things, the policies mentioned above, and so on. Make sure everyone signs for the manual and acknowledges receipt of it.

Yes, that sounds extreme, but it’s not as extreme as having your bank account drained by keylogging software that was surreptitiously installed on your system after a careless employee clicked the wrong link.