Creating a Culture of Security
Five Ways Small Businesses Can Combat Cyber Crime
By David Wasik, Senior Vice President, Small Business, Capital One and Ron Teixeira, Executive Director, National Cyber Security Alliance
As small businesses increasingly rely on new Internet technologies to remain competitive within the local and global marketplace, they are also becoming more susceptible to cyber crime attacks.
Cyber crime can have a devastating impact on a small business, which often lacks the in-house technical expertise and resources to quickly and fully recover from attacks. Small businesses can even unknowingly aid in cyber crime by using unsecured computers that can be hijacked and used to attack other online businesses or even our nation’s critical infrastructure.
While there are numerous technological steps businesses can take to better secure their environments, IT infrastructure and controls alone are not effective in combating cyber fraud. Business owners must also take steps to create a “culture of security” among both their employees and customers.
Unfortunately, many small business owners are not currently taking such measures: little more than half employ such simple precautions as requiring employees to sign security policies, according to a survey by the National Cyber Security Alliance and Cisco Small Business.*(1)
By taking such basic steps, business owners can establish expectations with employees about their role in protecting customer and company data and set the tone for a culture of security in the workplace.
Below are five technological and cultural adjustments small business owners can make to better defend themselves against the myriad threats posed by cyber crime.
1.) Assess Risk and Identify Weaknesses
As a small business owner, you should analyze your online systems and operating systems to determine the areas most at risk. For example, is your customer data, internal accounting information or other sensitive data reachable from the Internet?
As part of this risk assessment, you should also ensure that up-to-date anti-virus and anti-spyware programs and firewalls are installed on all computers, and that employees are required to change their passwords every 60 to 70 days.
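One concrete way to answer the question above ("is sensitive data reachable from the Internet?") is to list which services on a server are bound to all network interfaces rather than to localhost. The script below is an added example, not code from the original article or its authors: it parses the output of the Linux `ss -tlnp` command and flags data-store and remote-access ports that are listening on every interface. The `SENSITIVE_PORTS` table, the `Finding` class, the `live_ss_output` helper and the sample `ss` output embedded in the script are all constructed here for illustration.

```python
"""Triage listening services for Internet exposure from `ss -tlnp` output.

Added example (not from the original article). It parses the output of the
Linux `ss -tlnp` command and flags services bound to all interfaces, which
is a concrete way to answer "is sensitive data reachable from the Internet?".
The SENSITIVE_PORTS table and the sample output below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass

# Ports that typically front customer or accounting data, or give remote
# control of the machine. Constructed list; extend it for your environment.
SENSITIVE_PORTS = {
    3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
    1433: "MS SQL Server", 445: "SMB file sharing", 3389: "RDP", 5900: "VNC",
}

# Local addresses that mean "listen on every interface".
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -tlnp` output so the script runs offline.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=1033,fd=21))
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("nginx",pid=1200,fd=6))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN  0       4096           0.0.0.0:6379         0.0.0.0:*      users:(("redis-server",pid=900,fd=6))
LISTEN  0       128                  *:5432               *:*      users:(("postgres",pid=1100,fd=5))
"""


@dataclass
class Finding:
    port: int
    host: str
    process: str
    severity: str   # "high" or "info"
    reason: str


def parse_ss(output):
    """Yield (host, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address looks like 0.0.0.0:22, [::]:22 or *:5432; the port is
        # always after the last colon.
        host, _, port = fields[3].rpartition(":")
        proc = re.search(r'\(\("([^"]+)"', line)
        yield host, int(port), proc.group(1) if proc else "?"


def triage(output):
    """Return Findings for services bound to all interfaces, worst first in
    the sense that data-store/remote-access ports are rated 'high'."""
    findings = []
    seen = set()
    for host, port, proc in parse_ss(output):
        if host not in WILDCARD_HOSTS:
            continue          # bound to loopback or one specific address
        if (port, proc) in seen:
            continue          # same service seen on IPv4 and IPv6
        seen.add((port, proc))
        if port in SENSITIVE_PORTS:
            findings.append(Finding(port, host, proc, "high",
                f"{SENSITIVE_PORTS[port]} listening on all interfaces; "
                "bind it to 127.0.0.1 or a private address and firewall it"))
        else:
            findings.append(Finding(port, host, proc, "info",
                "listening on all interfaces; confirm it is meant to be public"))
    return findings


def live_ss_output():
    """Hypothetical helper: run ss on the local Linux host instead of the sample."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for f in triage(SAMPLE_SS_OUTPUT):
        print(f"[{f.severity.upper():4}] port {f.port:<5} {f.process:<13} {f.reason}")
```

Run against the sample, the script rates Redis (6379) and PostgreSQL (5432) as high because they accept connections on every interface, lists sshd and nginx as informational, and stays silent about MySQL because it is bound to 127.0.0.1. A listening socket is only exposed if no firewall sits in front of it, so treat the output as a list of things to confirm against your firewall rules rather than as a final verdict.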
2.) Back-Up Critical Information
You should establish a schedule to perform critical data backups and system upgrades on a regular basis throughout the year. Creating backups regularly ensures that critical data is not lost in the event of a cyber attack or natural disaster. Store backup copies away from the office, for example on an external hard drive kept at a separate location, encrypt any sensitive data about the company or its customers before it leaves the office, and periodically confirm that the backups can actually be restored.
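The step most often skipped is proving that a backup restores intact. The following script is an added example, not code from the original article or its authors: it packs a directory into a tar.gz archive, writes a manifest of per-file SHA-256 hashes, then restores the archive into a scratch directory and checks every file against the manifest, reporting a damaged archive instead of silently trusting it. The sample files it backs up are constructed inside the script; encrypting the archive before it goes off-site (for example with `gpg --symmetric`) is assumed to be a separate step and is not shown.

```python
"""Create a backup archive with a SHA-256 manifest and prove it restores.

Added example, not code from the original article. It demonstrates the
verification step of a backup routine: extract the archive to a scratch
directory and compare every restored file against the recorded hashes.
The sample files in demo() are constructed; encryption of the archive
before it leaves the office is assumed to happen separately.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Tar+gzip source_dir and write <archive>.manifest.json with the hash
    of every file, keyed by its path relative to source_dir."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path):
    """Restore the archive into a temporary directory and compare each file
    with the manifest. Returns (ok, list_of_problems)."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    # The 'data' extraction filter (Python 3.12+, backported to recent 3.8-3.11)
    # refuses absolute paths and '..' members; use it when available.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = os.path.join(scratch, "data")
        for rel, expected in manifest.items():
            path = os.path.join(restored, rel)
            if not os.path.exists(path):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(path) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up constructed sample files, verify the archive, then truncate
    it to simulate a damaged copy and verify again.
    Returns (clean_ok, corrupted_ok)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "books")
        os.makedirs(os.path.join(src, "customers"))
        with open(os.path.join(src, "customers", "list.csv"), "w") as f:
            f.write("id,name,email\n1,Ada,ada@example.com\n")   # constructed
        with open(os.path.join(src, "ledger.bin"), "wb") as f:
            f.write(os.urandom(64 * 1024))                      # constructed
        archive = os.path.join(work, "books-backup.tar.gz")
        create_backup(src, archive)
        clean_ok, _ = verify_restore(archive)
        # Damage the archive the way a failing disk or interrupted copy would.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        corrupted_ok, problems = verify_restore(archive)
        return clean_ok, corrupted_ok


if __name__ == "__main__":
    print("clean archive restores: %s, truncated archive restores: %s" % demo())
```

Keep the manifest somewhere other than on the backup medium itself (or sign it), so that a damaged or tampered archive cannot bring a matching manifest with it; and run the verification on the off-site copy, not just the one still sitting in the office.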
3.) Create a contingency plan
You should also draft a contingency plan to follow if the business suffers a cyber attack. This plan should include steps on how to continue business operations at an alternate location when necessary. Time is a critical factor during and after a cyber attack, so rehearse the plan to ensure a rapid and thorough response, and test it at least annually.
A typical contingency plan outline includes:
- Immediate action
- Investigation into causes and effects
- Restoration of resources
- Reporting the attack or incident to the proper channels/authorities
4.) Educate Employees
It is imperative to demonstrate to employees and customers that cyber fraud is a concern you take seriously. This involves educating employees and training them on proper Internet practices and technology solutions, as well as encouraging customers to protect themselves, as consumers, against cyber fraud. You should also integrate a cyber security rollout plan into the yearly business plan, including steps for measuring its success.
5.) Implement a Security Agreement
You should require employees to sign a security agreement to demonstrate that they are active participants in helping to maintain a secure online environment. This agreement should also require employees to report any suspicious online activity or known Internet crime to the proper authorities.
If fraud or criminal intent is suspected, you should report it to local law enforcement, the local Federal Bureau of Investigation field office, the Secret Service or the state attorney general’s office. Some states also require business owners to notify their customers if criminals have had access to customers’ unencrypted personal information.
Cyber Security is Good for Business
Not only are you, as a small business owner, obligated to inform your customers if their personal information has been compromised, but you can also earn their respect as a trusted business partner by promoting the security practices you have implemented to protect their data.
Consumers are starting to take notice of how businesses secure their data and are more willing to trust and reward businesses for good security practices. In fact, nearly 85 percent of consumers in a recent survey said they would increase their shopping at a store known for good cyber security practices, while only 20 percent said they would continue shopping at a store that had suffered a recent data breach, according to market research firm Javelin Strategy & Research.*(2)
The losses resulting from cyber crime can severely damage a business’s reputation and often outweigh the cost of implementing a simple security program. By implementing a security program that involves both technical controls and cultural adjustments, you, as a small business owner, can take a big step in fighting cyber crime.
1 2007 NCSA and Cisco Small Business Survey, InsightExpress, 2007
2 “2006 Fraud Survey Report”, Javelin Strategy & Research, January 2006