One of the defining qualities of a good CEO is the ability to delegate tasks to people who are more competent in the areas where the CEO is weakest.
Unfortunately, many executives fail to follow cybersecurity best practices and go as far as ignoring advice from experts. That is a costly decision: even a minor incident can have serious consequences for both the business and its customers.
The potential damage is even clearer in small and medium-sized businesses, where owners wear many hats out of necessity.
It is understandable that owners with limited resources must make do without hiring dedicated security staff. With that in mind, here are some of the common mistakes small and medium business owners make that put their security at risk.
They Lack An Incident Response Plan
A study done by the Ponemon Institute on behalf of IBM showed that 77 percent of organizations lack a consistent cybersecurity incident response plan. Furthermore, over half of the organizations that do have these plans aren’t testing them regularly.
As the saying goes, failing to plan is planning to fail. That is especially true for cybersecurity incidents, since a single cyberattack can force a business to close for good. If an organization doesn't have a plan yet, it is essential to write one now. Such a plan covers the following phases:
- Preparation
- Detection of threats
- Responses to threats
- Recovery processes
- Post-incident follow-up (lessons learned)
The plan must be written down and tested regularly, for example with a tabletop exercise that walks through a realistic scenario, to verify that it works and that everyone knows their role.
Not Investing In Cybersecurity Awareness Training
By some estimates, almost nine in ten data breaches involve an employee making a mistake. In other words, many breaches start with the weakest link, and that link isn't the firewall or the security software but the people themselves.
Some of the common mistakes that lead to breaches occur when employees:
- Share passwords in plain text form
- Connect to unsecured public Wi-Fi networks
- Use passwords that are easy to guess or crack, or reuse the same password across accounts
- Visit dubious websites
- Click links in phishing emails or download attachments that carry malware
These mistakes matter, and any basic cybersecurity awareness training will cover them. When training is repeated regularly and presented in an easy-to-understand way, it can stop employees from being the weakest link in the chain.
Even people who have been through training before or have read plenty of cybersecurity articles benefit from a refresher, and showing others why it matters reinforces the message.
Not Following Best Practices For Cybersecurity
Executives are high-value targets, and cybercriminals use sophisticated techniques against them.
One such technique is business email compromise (BEC). As the name suggests, it exploits the fact that CEOs routinely deal with employees, and with business partners, over email, and that an email's sender is rarely verified.
Using publicly available information or details gained from an earlier compromise, attackers impersonate a trusted sender to trick the CEO into disclosing sensitive information or approving a payment. For example, they may pose as an employee asking the CEO to wire money for travel expenses. The reverse is just as common: the attacker poses as the CEO and instructs finance staff to pay a fake invoice.
To protect against these threats, follow basic email security practices:
- Check for signs of spoofing: a display name that doesn't match the sending address, a misspelled employee name, or a domain after the '@' symbol that isn't the company's (a look-alike domain with an extra, missing or swapped character is a common trick)
- Verify unusual requests out of band, for example by phone on a number you already have (if an employee asks for travel expenses but you know nobody has been travelling lately, that is a red flag)
- Use strong, unique passwords and enable multi-factor authentication on email accounts
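The first check above can be automated for mail that claims to come from inside the company. The script below is an added illustration, not code from the original article or from Mtek Digital: it parses a From: header and reports the spoofing signs listed above (display name belonging to a known employee but an address on another domain, a look-alike of the company domain, or a display name that is a near-misspelling of a known employee). The company domain example.com and the two-entry employee directory are constructed assumptions.

```python
"""Flag the spoofing signs a CEO should look for in a From: header.

Added example (not the article's own code). Assumptions: the company
domain is example.com and DIRECTORY is a constructed list of the
people the CEO expects mail from.
"""
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example.com"  # assumed; replace with your own domain

# Constructed directory of trusted senders: display name -> real address
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Lee": "sam.lee@example.com",
}

# Character substitutions commonly used to build look-alike domains
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(text):
    """Lower-case, strip accents and undo the substitutions in LOOKALIKES."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in LOOKALIKES:
        text = text.replace(fake, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_signs(from_header):
    """Return a list of warning signs found in a From: header (empty = none)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["malformed or missing sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    signs = []

    if domain != COMPANY_DOMAIN:
        # Sign: the part after '@' is not the company domain
        if normalize(domain) == COMPANY_DOMAIN or edit_distance(domain, COMPANY_DOMAIN) <= 2:
            signs.append(f"look-alike domain {domain!r} imitates {COMPANY_DOMAIN!r}")
        else:
            signs.append(f"external domain {domain!r}")
        if name in DIRECTORY:
            signs.append(f"display name {name!r} belongs to an employee but the mail is external")
    elif name in DIRECTORY and DIRECTORY[name].lower() != addr.lower():
        signs.append(f"display name {name!r} does not match its usual address {DIRECTORY[name]!r}")

    # Sign: a misspelled employee name (close to, but not exactly, a known name)
    for known in DIRECTORY:
        if name != known and 0 < edit_distance(normalize(name), normalize(known)) <= 2:
            signs.append(f"display name {name!r} looks like a misspelling of {known!r}")
    return signs


if __name__ == "__main__":
    for header in ["Jane Doe <jane.doe@example.com>",
                   "Jane Doe <jane.doe@examp1e.com>",
                   "Jnae Doe <it-support@example.com>"]:
        print(header, "->", spoofing_signs(header) or "no signs found")
```

A clean result only means none of these particular signs were present; a request that is unusual in substance still needs the out-of-band phone check from the second bullet.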
Not Investigating The Source Of The Incident
When a problem occurs, many people just want it dealt with so business can go on as usual. Recovery objectives matter, but containing the problem is not the same as solving it.
Yes, pulling the plug and restoring data from a previous backup can be the quickest way to keep the business running, but it is not necessarily the best one. Unless a root cause analysis is done to find out how the incident happened in the first place, the business cannot be sure the same thing won't happen again; if the backup was taken after the intruder got in, the restore may even bring the intruder's foothold back with it.
Access to activity logs makes a huge difference to that analysis, because they show where and when the intrusion actually started rather than when it was noticed. That is another compelling reason to invest in security monitoring.
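To show what the logs add, here is an added example (not code from the original article) that works through a constructed auth log: the visible problem is file encryption on the second day, but the log shows the real entry point a day earlier, a password-guessing burst followed by a successful login and a new account. The log lines, IP addresses and program names are all made up for the illustration; the detection rule (a successful login preceded by at least three failures from the same address within five minutes) is an assumed threshold.

```python
"""Reconstruct an incident timeline from an activity log.

Added example (not the article's own code). SAMPLE_LOG is constructed;
the failure threshold and time window are assumed values.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: a brute-forced login, a new account, then encryption a day later
SAMPLE_LOG = """\
2024-03-04T02:11:03 auth sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:05 auth sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:08 auth sshd: Failed password for admin from 203.0.113.7
2024-03-04T02:11:11 auth sshd: Accepted password for admin from 203.0.113.7
2024-03-04T02:14:40 auth useradd: new user: name=backup-svc, UID=1007
2024-03-04T09:02:15 auth sshd: Accepted publickey for jane from 192.168.10.21
2024-03-05T08:30:00 app ransom.exe: encryption started on /srv/files
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse(log_text):
    """Turn log lines into time-sorted event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "prog": m["prog"], "msg": m["msg"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_initial_access(log_text, window=timedelta(minutes=5), min_failures=3):
    """Earliest successful login preceded by >= min_failures failures from the same IP within window."""
    failures = {}  # ip -> timestamps of failed logins seen so far
    for ev in parse(log_text):
        m = LOGIN_RE.search(ev["msg"])
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures.setdefault(ip, []).append(ev["ts"])
            continue
        recent = [t for t in failures.get(ip, []) if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            return {"time": ev["ts"], "user": m["user"], "ip": ip, "failures": len(recent)}
    return None


def timeline_from(log_text, start):
    """Everything that happened at or after the suspected entry point, oldest first."""
    return [f"{e['ts'].isoformat()} {e['prog']}: {e['msg']}" for e in parse(log_text) if e["ts"] >= start]


if __name__ == "__main__":
    entry = find_initial_access(SAMPLE_LOG)
    if entry is None:
        print("no brute-forced login found; look elsewhere for the root cause")
    else:
        print(f"initial access: {entry['user']} from {entry['ip']} at {entry['time']} "
              f"after {entry['failures']} failures")
        for line in timeline_from(SAMPLE_LOG, entry["time"]):
            print("  ", line)
```

Without the log, the only fact available is "files were encrypted on the 5th"; with it, the investigation knows which account and address to block, which new user to remove, and that a backup taken on the 4th after 02:11 is already compromised.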
Not Telling Affected Parties In Time
The direct financial impact on the business is severe, of course, but the consequences stretch beyond the company. Notably, failing to report a data breach as required by law can financially ruin both the company and its owners.
There have been several instances where companies were breached but did not report it or inform the public until months after the fact. By then the damage is done, and the people affected have lost the chance to protect themselves by changing passwords or watching for fraud.
Even though it is difficult, and companies would rather avoid the situation entirely, failing to disclose a breach promptly will destroy the company's reputation with business partners and customers alike.
It is wise to tell the public what happened and what is being done to prevent another breach.
Mtek Digital Managed Business Service
Mtek Digital provides help with virtually any business technology requirement. From IT services to Web and Video Marketing, we’re capable of servicing the tech industry throughout Canada. Contact us today.