Doing business online is new in many ways to the typical small business. There's added risk as well: a cyber attack or incident can deliver a severe blow to your success. Survey how cyber threats could impact your small business, and how you will respond, recover and keep your business running.
New Threats and Losses
Depending on your product or service, the internet may give you limitless horizons. There are also new aspects of your business to protect from cyber threats. E-commerce may mean your staff or customers need 24-hour online access, your business has an online reputation to guard, and service disruption could choke off a key revenue stream.
Risks can come from several sources:
- Hackers or cyber spies may try to access your computer systems directly
- Malicious code could harm equipment or slow operations
- Cyber terrorism could target your business or your ISP
What's in Your Emergency Plan?
Looking at a traditional emergency plan and tailoring it to a cyber emergency is a starting point. In planning for a physical disaster your plan would address:
- Whether to continue your business
- Who among your staff will take on emergency duties
- How other business contacts and partners will help you
- Identifying essential business functions and assigning them to staff
- A list of suppliers, contractors and backup sources
- Emergency contact information for staff
- Relocation of staff and operations
- Emergency drills and reviewing response plans
- Records and data backup and recovery
Most of these items would be included in a cyber response plan in some form.
Your small business will probably need to arrange for IT, security and response services. You probably don't have an IT staff or department; you may be the IT department. In lining up security services, consider the range and types of threats covered, as well as the preventive, response and mitigation services offered. Ask if different levels of service and consulting are available. Find out how preventive and response services might play out. What are response times? What steps are taken to mitigate the damage? What were the outcomes in other cases, and what can you expect?
Big cyber threats against your small business can seem intimidating. However, you're not alone. The National Cyber Security Alliance and Symantec conducted a small business study, which gathered information on internet use and security practices in small businesses. Most small businesses surveyed employed 25 or fewer employees, had revenues of less than $1 million, and didn't have an IT manager or department. Many respondents were, however, confident in their companies' technology security measures.
Ounce of Prevention and Pound of Cure
No matter the size of your business, testing your disaster plan is important. It's really the only way to know whether it will perform when you need it the most. You want testing to show how your plan will work, and to focus on the parts of the plan needing improvement and the reasons why. Equipment, software or human factors may need changes to ensure the plan works when a real crisis arises.
Questions for Your Attorney
- Can you review a contract for security and disaster response services for my business?
- If I have a disaster and loss, should I look to my insurance policies for relief, or could security product and service providers be liable?
- Will cyber security providers warrant protection against cyber terrorism, or is that threat not covered, just as terrorist acts are covered under many insurance policies?