Small business is an inherently risky thing, and it seems to be getting riskier all the time. The vast majority of startups will fail within the first year, and many won’t even make it for that long. There are many ways in which a business can fail, but we are going to focus on the IT side of things today. Let’s look at a few proactive IT-related steps that will help you to avoid excessive risk.
1. Keep Everything Updated
No matter what kind of software your company uses, it is going to need updates from time to time. It may seem like an easy and self-explanatory task, but a lot of people fail to keep their systems and software properly updated. Not only do you need to update your existing software, but you also need to recognize when the entire program has become outdated and find another one.
If you want an example to show how important this matter is, you need look no further than the Equifax data breach from late 2017. Equifax is one of the three big credit bureaus, so they have the personal information of most citizens on file. This breach was so big that Equifax was sanctioned heavily by the Federal Trade Commission for negligence.
In all, Equifax was ordered to pay about $425,000,000 as part of a settlement with the federal government. So, what caused all of this? Nothing more than a failure to update. A group of Chinese military hackers (four of which have since been indicted) took advantage of a known security flaw in Equifax’s software. That flaw had already been patched, but Equifax failed to update in time, thus making them liable.
2. Maintain Constant Data Backups
When we talk about risks from an IT perspective, we are mostly talking about cyber-attacks. There are many kinds of them, but ransomware might be the scariest of them all. Even many governments have been powerless against these attacks, but there is one easy way to defeat them: A robust and efficient system of data backup. Most companies don’t do this, and that’s what makes them vulnerable to ransomware.
Ransomware basically locks you out of your system by using strong encryption. Then, they send a ransom demand, requesting payment in return for a password to unlock the data. However, those who have taken the time to do proper backups can laugh in their faces, wipe the affected machines, and restore their system to its former state. At the most, you might lose a few days of productivity, but that’s a lot better than being extorted for large sums of money by criminals.
The damage that can come from data loss is massive, both in terms of monetary losses and reputational damage. For small businesses, this risk is even more pronounced. According to these statistics, small businesses are very likely to go belly-up following a cyber-attack. In fact, 60% of small businesses that suffered a serious attack found themselves out of business within six months. When you look at it that way, the trouble of doing regular backups will become a lot more worthwhile.
On the subject of backups, we would advise you to keep multiple copies of your most important data. It is always important to categorize your data from “least important” to “most important” (or whatever terms you prefer). The least important data can make do with only one backup, but your most important data should be in more than one form. You can use cloud backups, external hard drives, disc-based media, and/or any other reliable method of data storage. This is necessary because some hackers will target backups as part of their attack strategy.
3. Take Steps To Avoid Network Downtime
For most modern businesses, the internet is completely essential. At times, you can lose huge amounts of money from a small amount of network downtime. For small businesses, who often operate within smaller margins, this can be a complete disaster. According to this research, the average company loses $5,600 for every minute of downtime they experience. As a small business, you will probably suffer a little less, but we’re still talking about serious money here.
Thankfully, there are several things you can do to reduce downtime. For one thing, you should look for a managed IT support service. If you find yourself asking: “what are the best small business IT support services near me?” then you probably haven’t looked very hard. There are plenty of options to choose from, even though they are not created equal. Look for a small business computer support provider that is willing to offer you an SLA (service-level agreement). These agreements will set firm limits as to the amount of downtime that is acceptable.
Another good step is to establish an “intranet,” which is a private network consisting of connected machines within a certain organization. At the very least, this will allow you to quickly restore communication amongst your company in the event of an outage. An extra working server or two can also help to keep you online during hard times.
4. Take Security Seriously
Attitude has a lot to do with whether you succeed or fail. This is common knowledge, but not everyone has the right attitude about computer security. When you operate a business (even a small one), you are a more appealing target for cyber-attackers. The average individual doesn’t have enough wealth to be worth a hacker’s time, which is why companies are targeted more often.
So why would a cyber-criminal target your small business when they can target a much richer target? That’s a good question with a logical answer: Your business is probably a lot less protected. Small businesses don’t usually have the money for the best computer security software, the latest hardware, or any of the high-end security services used by the larger companies. As a result, hackers know that you are a softer target. All of that (and more) is outlined in this report from the National Institute of Standards and Technology (NIST).
It would be a good idea to study this report, which is basically a list of security-centered recommendations. Since it comes from a respectable source, it is worth further study. As the header says, you need to take security seriously, and this report is a good place to begin. Here are some of the key points for easy reference:
- Security threats come in 3 forms: Environmental, business resources, and hostile actors
- Risk is assessed using four factors: Threats, vulnerabilities, impact, and likelihood
- Always maintain awareness of where your data is stored
- Sort your data by its importance
- Develop an inventory of all hardware and software
- You should get a vulnerability scan at least once a year
- Penetration testing is also recommended
- If necessary, don’t hesitate to outsource your security plan
- Do thorough research on any IT security company with whom you do business
- A good cybersecurity plan should do five things: Detect, identify, respond, protect, and (if necessary) recover
- Always be careful of emails with weblinks or attachments
- Do not allow unauthorized/personal devices to connect to your business network
- Be careful about downloading and the privileges to do so
Obviously, these are general points, but all of them are quite helpful.
5. Evaluate Your Costs Carefully
With all this talk about hackers and breaches, we have forgotten about one other important area of business risk. We’re talking, of course, about the risk of going broke. When you are at the “small business” stage, you are probably paying back loans while also saving money to expand. Needless to say, that involves a lot of careful cost-based evaluation.
From an IT perspective, your most important decision will be whether to use an in-house team or a managed IT services provider. There is no one right answer to this question, but there are several facts that you should know. In-house IT teams are kind of like a roll of the dice…You might get lucky, or you might crap out. However, many companies like to employ in-house professionals because it is convenient. When something goes wrong, your team is right there to handle things.
At the same time, a managed IT service provider will probably vet their employees more vigorously than the average company. Since information security is their business, they are in a better position to evaluate potential employees. Unless you happen to be very well-versed in all the latest tech, they can probably do a better job of finding the right people. Of course, you do have to make sure that you choose a reputable provider in order to get any of these benefits.
So, in the end, you have to consider your costs: The costs of paying an in-house team a competitive wage, the costs of paying your IT service provider, any relevant equipment costs, and the potential costs of a security breach. You are looking for the perfect mix of affordability and effective protection.
6. Insist On Good Network Monitoring
No matter what sort of IT setup you choose, you will want to make sure that it provides for good network monitoring. This will solve multiple problems at once, so don’t underestimate its importance. There are several good free monitoring tools out there (this writer recommends Nmap), and any good IT technician should know how to use them. These programs work by monitoring all traffic and all connections on the network.
Not only do they monitor all connections and data traffic, but they can also be used to monitor system performance. Things like download speed and latency give you real-time metrics that indicate the health of the network. This is also relevant to security because most malware will use a lot of system resources. Thus, a large and sudden drain on the network’s resources will be an immediate red flag on which your IT team can act.
In some ways, this relates to the downtime problem that we discussed earlier. When your network does go down (and they all go down from time to time), quick detection is a must. The sooner the problem is found, the sooner it can be fixed. Network monitoring, when used properly, will allow the problem to be detected immediately. Monitoring is also highly useful for testing purposes as well. Whenever you are making a change to the network, you can simply alert your IT team to be on the lookout for any anomalies. In this way, bad ideas and problematic software/hardware can be quickly weeded out.
7. Don’t Forget The Importance Of Physical Security
For businesses, cyber-threats are probably more common than physical threats these days. Nevertheless, there are still plenty of thieves and criminals who do things the old-fashioned way. You don’t want to forget about these threats when considering your overall business risk.
Instead of hacking a device, thieves can simply steal the whole thing. Or, they can skip the computers altogether and go after personnel and customers. There are all sorts of ways in which this might be done, and none of them are pleasant. People could get hurt, or even killed. If so, you might end up being legally liable for those damages since you failed to provide a secure work environment. For a small business, a lawsuit like this is basically a death sentence.
You probably don’t need us to tell you that small business is risky. Chances are, you have already experienced this reality for yourself. However, we hope that this article has given you some new insights into this issue and that you have enjoyed its content. By implementing these simple and basic ideas into your IT strategy, you can avoid many risks (both internal and external). If you would like to learn more, please fill out the contact form below.