Jonathan M. Gardey, MBA, CFA®, CFP®
President and Chief Executive Officer
Running a small business can often feel like running a marathon while juggling chainsaws, and you only have so much energy to focus on certain things. Something has to give, and often it is cybersecurity. A 2020 study by cybersecurity company BullGuard shows that more than 40% of small businesses have no cybersecurity in place at all. If you do have some measures in place, they tend to be an afterthought or a one-and-done item to check off your ever-expanding to-do list. But you should reconsider that approach for the safety of your brand, your clients, and your reputation.
The stats from cybersecurity experts are pretty harrowing:
● Nearly 60% of small to medium business owners believe their business is unlikely to be targeted by cyber criminals.
● However, small businesses represented 43% of all data breach victims in Verizon’s Data Breach Investigations Report.
● And the average cost of an insider threat to businesses with 500 employees or fewer was an eye-popping $2.98 million, according to IBM.
Not only can a data breach be a huge pain in the rear to clean up and pay for, you can also suffer long-term repercussions from the hit to your reputation and the loss of trust from your customers. So now that we have your attention, here are five quick ways to beef up the cybersecurity for your small business:
1. Get Professional Help
Unless your small business provides IT and cybersecurity services, you are likely not an expert. So, get one.
Yes, you will have an added expense. But the expenses of prevention are almost always less than the cost of cleaning up a data breach. Plus, the peace of mind that your business data and customer information is secure can be priceless.
While you are looking for a cybersecurity partner, be sure to keep the processes for your staff in mind. You don’t want a solution that makes those processes hard for people to follow. That often results in everyone making up their own system, and that will only exacerbate the problem. [i]
2. Audit Your Systems and Partners
Third parties can be one of your biggest risks when it comes to cybersecurity. So take a look at all of your partners and make sure you know that they have the right measures in place to protect your data and customer information. [ii]
This includes any technology you use to conduct business. What systems do you have to log into? What about the rest of your team? And is every device — desktop, laptop, tablet, cell phone — also secure when running that program?
If something isn’t up to snuff, now is the time to make a change. No one likes having to change systems and go through another implementation, but it will be less of a pain now than it will be if a breach or hack occurs.
3. Switch up Your Passwords
A poll by password management company LastPass shows that 59% of people use the same password everywhere, which can leave your systems more vulnerable. So as you are doing the audit of all your systems, eliminate the use of repeated passwords. This will help ensure that if one password is compromised, that breach can be isolated.
Of course, everyone is using so many separate systems these days, especially at work, so trying to remember all of those different passwords can seem impossible. Consider using a password manager for you and your team, so everyone isn’t writing down their passwords on a Post-It note they keep inside their top desk drawer. [iii]
Password managers securely store usernames and passwords as well as the login links. They can also suggest or generate strong passwords for you. No more “iforgotmypassword” or “ihatepasswords!” Some of the most popular and highly rated password managers, according to PCWorld and G2Crowd, are 1Password, LastPass, and RoboForm.
4. Set Up Two-Factor Authentication
As you are doing the audit of all your systems and changing your passwords to be strong and unique, look for two-factor authentication opportunities. [iv]
You may not think you know what two-factor authentication is, but you’re seeing it pretty much everywhere. For example, you use a username and password to sign into your bank’s app. Before you can access your account, you have to enter a code that was sent to you via text message, use the facial recognition feature on your phone, or answer a personal security question, such as the name of your first pet or the mascot of your high school. The first factor is your password; the second is the code, facial scan, or security answer.
You may see more advanced two-factor authentication at places like your doctor’s office that require a fingerprint or a security badge to be scanned into a device that hooks up to a computer.
As a small business, you likely don’t have the resources to go as high tech as you see in the movies, but be sure to add two-factor wherever you can.
5. Train Your Staff
Even with all the best cybersecurity measures in place, your business won’t be secure if you don’t properly train your team.
Phishing emails, especially, can be hard to spot and are the leading cause of data breaches for both small and large businesses, according to that same Verizon report. Phishing occurs when an email that appears to be from a trusted source — even from someone else in the same company — is sent to individuals or a whole group to entice someone to share their personal information (such as passwords) or to click on a link that then allows the sender to access your network and data.
Here are some ways to keep your team on-guard:
● Training: Conduct training during onboarding and on at least an annual basis to go through policies, procedures, and things like how to use the password manager. Make sure it’s engaging and switch things up so that people don’t tune it out.
● Tests: Hackers are getting more and more sophisticated, so you need to as well. There are IT professionals who offer services that can help you run a test to see if your employees are staying vigilant. Tests can help you identify employees who need retraining.
● Reminders: Download these posters outlining cybersecurity best practices from the Department of Homeland Security and put them around your office or shop. You can also send out emails or post notices to let your customers know what measures you have in place.
Cybersecurity is not just a single action, but an ongoing process that must be implemented and maintained to remain effective. Failure to put the right framework in place can expose your business, your clients, and your reputation to various risks of fraud or theft. We hope these tips will set you on the right track towards protecting your small business.
Important Disclosure Information
To better understand the nature and scope of the advisory services and business practices of Gardey Financial Advisors Inc., please review our SEC Form ADV Part 2A, available via the SEC's website @ www.adviserinfo.sec.gov. (Click on the link, select “Investment Advisor Firm,” and type in the firm name. Results will provide you both Part 1 and 2 of the Gardey Financial Advisors Form ADV.) Statistics from third-party sources are deemed to be accurate but have not been confirmed by Gardey Financial Advisors.