Operating a small business is hard work. You pour blood, sweat and tears into making it a success so surely you want to do everything to protect it?
With the average computer security incident reported to NetSafe in 2014 costing $10,700, taking care of your hardware, software and information security is a must for every small business owner or manager.
Solo or micro Kiwi companies with fewer than 5 staff make up a large part of the New Zealand economy. As the owner or operator of a small company, you can often find yourself wearing many hats on a daily basis: sales, marketing, accounts, customer service and actually delivering the product or service that keeps the business going.
Ensuring the security of your business assets is also a very important part of keeping your company operating, whether it be the vehicles you use to deliver goods, the property you operate from, the customer database you work with or the IT systems you use to communicate with suppliers.
With IT playing a central role in so many companies these days, it’s essential that you undertake a cyber security assessment to keep track of your important information assets and protect them.
What is information or cyber security?
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
When we think about information and information systems we’re covering people, processes and technology.
This can include email, invoices, payroll, employee and client data, intellectual property and the computer systems that staff use to collect, store, process and deliver information.
Using the Connect Smart SME Toolkit can help you uncover precisely what business information and systems could be a target for cyber criminals. Assessing your cyber security risks can also help identify the critical financial and information assets in your own business that need to be protected.
Conducting a simple risk assessment
By not protecting your small business information and systems you risk:
- Decreased productivity
- Legal liability
- Loss of confidence
- Loss of reputation
- Loss of business
An assessment or audit of your business can identify:
Here’s how these interact:
A THREAT acting on a VULNERABILITY produces a RISK and probable bad consequences
A simple, real world example for a small NZ business would be:
Threat: Spam email with malicious attachment delivering ransomware
Vulnerability: Employees not trained to identify or delete spam emails
Risk: Network is compromised and hardware infected
Consequences: Business data encrypted, records lost
Conducting a risk assessment can highlight these kinds of weaknesses in your business.
Ideally, for the example above, you’d have several protective measures in place to tackle the malicious email risk that could include anti-virus software that automatically updates on all computers and a data backup regime that keeps regular, incremental copies of essential business data that can be easily accessed to recover from an infection.
Taking the time to review your company’s critical information and systems can help kick start the process of protecting it.
12 Questions that can help identify risks
Step one of the Connect Smart toolkit poses the following questions:
- Do you have an overall security policy?
- Do you and / or your employees access business emails on mobile devices (including phones and tablets)?
- Do you train your staff about using mobile, the internet and email securely?
- Do you back up your critical business data regularly?
- Do you have a firewall installed on the computer(s)/servers used for your business?
- Do you use security software (such as anti-virus and anti-spyware) and up-to-date operating software?
- Do you connect any of the computers or mobile devices in your business to the internet using a wireless network?
- Do you know how to prevent data theft?
- Do you know how to reduce and manage spam?
- Do you store business critical information on mobile devices?
- Do you educate your staff not to give out confidential information that could compromise your company’s cyber security, either over the phone or online?
- Do you delete or disable your staff’s IT accounts when they leave the company?
Answering these questions gives you the ability to score your business on how prepared you are to face the kinds of cybersecurity threats that NZ SMEs are experiencing every day.
Spot some gaps? Then it’s a good opportunity to address these risks and talk with your own IT staff or your IT contractors about what to do next. Perhaps you need to upgrade those old Windows XP computers? Maybe staff all use one shared password to log in? Or you may suddenly realise that the information you need every day to keep your company going has never been backed up and one virus infection could put you out of business for good.
Keep it simple
Drawing up an information asset register is one simple step to help you record exactly what information your business uses and relies on to keep bringing cash through the door.
We’ve listed some other useful guides below that may assist you:
Richard Kissel from the American National Institute of Science and Technology’s Computer Security Division offers some great exercise templates for identifying and prioritising information types and ways to estimate the costs involved should bad things happen to your business data.
- Cloud computing guidance for NZ
The Office of the Privacy Commissioner has several useful guides for SMEs around moving IT and information to the cloud, good data practices and dealing with security breaches: