Three Key Factors That Small Business Owners Must Consider To Enhance Their Cybersecurity

Awareness
Awareness (Photo credit: Emilie Ogez)

By now most small business owners are aware that Cybersecurity is an issue. But, how much time and capital should be spent on cybersecurity protection? This article discusses three key factors that should play into that decision.

Factor #1 Awareness.

According to some experts, the biggest problem that small business owners face is simply awareness of the risk. This includes awareness by employees as well.

Most data leaks and other security incidents are caused by employees who are either unaware of security protocols or indifferent to them. Regardless of the level of security in your data center  or the strength of encrypted communications, the weakest link will almost always be the human beings interacting with the network.

To address this risk, small business owners need to focus on training and awareness for employees. However, company management is usually focused on sales and customer service. Further, owners often lack the time and expertise needed to properly assess security risks. Companies in any industry should look to partner with a third-party security firm to asses risks and develop appropriate training.

Factor #2 Employee Training.

Training is the first line of defense against cyber threats. This training needs to include the entire company, and should cover three key areas: (a) proper password management on all company services and devices, including clear procedures for new and departing employees, as well as day-to-day usage; (b) clear guidelines for the sharing of information with remote employees, partners and third parties; and (c) a plan for monitoring usage and privileges to the company’s digital assets.

Employee training needs to account for how the public will access your company’s products or services. For example, what if a hacker got into a system by pretending to be another user? By rolling out new features slowly, its easier to identify and fix security loopholes.

All stakeholders need awareness of: (a) the type of information you’re transmitting (e.g. payment information), (b) the visibility of information you’re transmitting (e.g. highly-publicized public launch vs. a quiet rollout of some new software), and (c) the level of security inherent in the transmission (e.g. encrypted emails and documents shared via a secure server or data shared publicly through public networks and via social media sites.

Factor #3 Vigilance (Monitoring).

For some companies everything is available and accessed online. Since online relationships are built upon trust, it is critical that the company actively monitor the security and transparency of this relationship. Many tools are available to measure and respond to risk factors and gauge likelihood of an impact to help determine the level of investment required. Resources can be assigned to anything with high likelihood and high impact.

For example, monitoring potentially fraudulent user accounts has an immediate commercial benefit as well as reducing risk.

Unfortunately, a common misconception is that putting up basic defenses like firewalls will protect security vulnerabilities. However, after reinforcing your Cybersecurity defense, the focus should shift to monitoring and alerting. In many cases, this may require up-front investments to enable tracking and alerting to irregularities in network and data activity. Fortunately, in the event of a breach or a loss of data, this monitoring information will be the key factor in addressing the problem and pinpointing the issue. Managers, employees and business partners need to understand that Cybersecurity is an ongoing process. Awareness, training and monitoring will go a long way toward enhancing a small business’ Cybersecurity preparedness.

About the Author:

David M. Adler, Esq. is a partner in the Chicago office of Leavens, Strand, Glover & Adler, LLC, a boutique intellectual property and entertainment law firm in Chicago, Illinois whose mission is providing businesses with a competitive advantage by enabling them to leverage their intangible assets and creative content in order to drive innovation and increase overall business value. The practice is organized around five major substantive areas of law: Intellectual Property Law, Commercial & Finance Law, Entertainment & Media Law, Corporate Law and Contract Law.

Contact us for a free consultation today. Dadler @ lsglegal (dot) com or (866) 734 2568

NLRB Raising Profile of Social Media in the Workplace

According to the National Labor Relations Board, the Thomson Reuters Corp. Social Media policy may be violating federal law. At issue is the company’s Twitter policy. The NLRB maintains that it improperly restricts an employee’s right to use Twitter to discuss working conditions with co-workers.

According to the Newspaper Guild, a labor union representing Reuters employees, Reuters publicly disciplined reporter Deborah Zabarenko for posting a Twitter message that said, “One way to make this the best place to work is to deal honestly with Guild members.” The NLRB is taking the position that Reuters policy impairs employees’ rights to discuss working conditions and that it applied the policy improperly.

This marks the second case initiated by the NLRB involving a company’s social media policy.

In the first case arising last October, American Medical Response of Connecticut Inc. allegedly violated labor law when it terminated an employee allegedly for criticizing her boss on Facebook.

The significance of these cases should be clear to any business. First, it is important to have a Social Media policy in place. More importantly, however, Social Media policies need to be written with legal and regulatory compliance in mind. An overly retractive Social Media policy or one that penalizes employees for expressing protected speech will result in legal liability.