Efficient and affordable cybersecurity can be built and delivered to small businesses using a three-step analysis in combination with technology. Spending capital and expense on the latest and greatest gizmos and devices does not guarantee security.
At Modern Managed IT, we will provide a free consultation to evaluate your risks across three areas: (1) People, (2) Process, and (3) Technology.
People
The first area of risk or the first line of defense is the people in a business. Adding background checks and a cybersecurity awareness assessment to an onboarding process can substantially improve an organization’s risk posture with limited additional costs.
- Do you provide access to company computing systems to all employees, consultants, and contractors, even those you may not background check prior to hiring?
- While adding background checks will help you avoid people with bad intentions, it won’t prevent accidents made by good people in your organization.
- Do you have an onboarding assessment to determine a new employee, contractor, or consultant’s cybersecurity awareness? If not, how do you know your newest hire won’t make an innocent mistake?
- Security awareness training with an onboarding assessment is not meant to embarrass anyone or disqualify them from a role. It will allow you to know what steps need to be taken during onboarding to minimize the odds of a mistake.
Process
This step involves evaluating how different tasks are performed and what controls are in place to reduce the chances of accidental errors, intentional fraud, or malicious attack.
- Do your customers trust you to keep confidential records? How do you control access to the information and how would you know if someone gained access and copied all of them?
- Many businesses must have access to confidential information in order to provide services to their clients (e.g., law firms, healthcare providers, financial advisors), but not every employee at the firm needs access to all customer records at all times. For small businesses, a simple classification of active clients and archived clients can greatly reduce the risk from a data breach.
- For financial transactions, do you allow a single individual to send money outside of the company’s bank accounts? If so, what dollar amount would be severely damaging or catastrophic?
- Nearly every business banking provider offers Treasury Management services where you can set up drafter and approver controls, meaning whoever creates a transfer cannot also approve it and send the money out themselves. By combining a drafter and approver process with verification over a separate communication channel, the risk of financial loss is greatly reduced.
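The drafter/approver control described above, modelled as a small workflow. This is an added example, not code from Modern Managed IT or any banking platform; the class name, the callback threshold, and the rule that the separate-channel verifier must also differ from the drafter are assumptions for illustration.

```python
"""Drafter/approver dual control for outbound transfers (illustrative)."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: transfers at or above this amount also require a
# confirmation over a separate channel (e.g. a phone call to a number
# already on file) before the money is released.
CALLBACK_THRESHOLD = 10_000.00


class ControlViolation(Exception):
    """Raised when a step would break separation of duties."""


@dataclass
class TransferRequest:
    drafter: str
    payee: str
    amount: float
    approver: Optional[str] = None
    callback_verified_by: Optional[str] = None
    released: bool = False

    def approve(self, approver: str) -> None:
        # The person who drafted the transfer may not approve it.
        if approver == self.drafter:
            raise ControlViolation("drafter cannot approve own transfer")
        self.approver = approver

    def record_callback(self, verifier: str) -> None:
        # Separate-channel verification by someone other than the drafter,
        # so a single compromised mailbox cannot satisfy every control.
        if verifier == self.drafter:
            raise ControlViolation("drafter cannot perform callback check")
        self.callback_verified_by = verifier

    def release(self) -> bool:
        """Return True only when every required control is satisfied."""
        if self.approver is None:
            raise ControlViolation("transfer not approved")
        if self.amount >= CALLBACK_THRESHOLD and self.callback_verified_by is None:
            raise ControlViolation("large transfer lacks callback verification")
        self.released = True
        return True
```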
Technology
After you have evaluated your people and process risks, it is time to look at your technology, both for existing risks introduced by missing updates and for improper configuration. Technology comes last because many firms already have systems with the capabilities needed to protect their business; they just were not configured with an informed view of the people and processes in the organization.
- For access to financial systems and systems that store confidential data of the firm, including internal and client records, do you use two-factor (aka multi-factor) authentication with a username and password plus an SMS or token PIN? In conjunction, are you using a password manager to ensure each employee uses a complex and unique password for every login?
- A password manager is one of the few pieces of technology that makes a business both safer and more productive (as they can automatically sync your passwords between devices and automate logins). By combining a password manager with the 2FA/MFA features for confidential data systems the risk of an account compromise is reduced to nearly zero.
- For the critical records at your company, are you following the 3-2-1 backup rule (3 copies, 2 separate locations, with at least 1 offsite)? Along with the basics of the 3-2-1 rule, do you store a timestamped read-only copy of information so you can roll back in the event of ransomware or other catastrophic latent data corruption?
- Offsite data backup with long-term retention policies and a 24-hour or shorter RPO (recovery point objective) is more affordable than ever and simple to configure across systems of all types (Windows, macOS, and Linux). The ability to restore individual files and folders allows for a rapid RTO (recovery time objective), letting employees remain productive while a full system restore occurs.
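A check of the 3-2-1 rule, the 24-hour RPO, and the read-only copy from the two points above, run over a constructed backup inventory. This is an added example, not code from Modern Managed IT or any backup product; the field names, the sample inventory, and the choice to count only copies that are within the RPO toward the rule are assumptions.

```python
"""3-2-1 backup compliance check over a constructed inventory (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str        # e.g. "office", "cloud-us-east"
    offsite: bool
    read_only: bool      # timestamped, immutable snapshot
    last_success: datetime


def check_321(copies, now, rpo=timedelta(hours=24)):
    """Return each named check as True/False for the given inventory."""
    # A copy older than the RPO cannot meet the recovery point objective,
    # so it does not count toward any of the rule's requirements.
    fresh = [c for c in copies if now - c.last_success <= rpo]
    return {
        "three_copies": len(fresh) >= 3,            # production copy counts as one
        "two_locations": len({c.location for c in fresh}) >= 2,
        "one_offsite": any(c.offsite for c in fresh),
        "read_only_copy": any(c.read_only for c in fresh),
    }


def is_compliant(copies, now, rpo=timedelta(hours=24)):
    return all(check_321(copies, now, rpo).values())


# Constructed sample inventory for a small office (not real systems).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupCopy("primary-server", "office", False, False, NOW),
    BackupCopy("office-nas", "office", False, False, NOW - timedelta(hours=6)),
    BackupCopy("cloud-snapshot", "cloud-us-east", True, True, NOW - timedelta(hours=12)),
]
# Same inventory, but the offsite snapshot job has not succeeded for 3 days.
STALE = SAMPLE[:2] + [
    BackupCopy("cloud-snapshot", "cloud-us-east", True, True, NOW - timedelta(days=3)),
]
```

Run `check_321(STALE, NOW)` to see that a single stale offsite job silently breaks three of the four requirements at once, which is why monitoring backup job success belongs next to the rule itself.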
The proactive cost to secure your business today is lower than ever, while the cost of data breaches continues at record levels (easily over $250,000 for a medical practice with 2,500 patients; this is a conservative average estimate based on a $146 per record cost from a 2019 study by IBM).
With Modern Managed IT, for $12 per month per employee you can add all of the core cybersecurity capabilities to your business, including offsite data backup, email archiving (with eDiscovery), a password manager, and security awareness training. If you combine the technology with our Pro or Pro Plus managed service, we’ll even configure and maintain it all.