How Is Your Business Implementing Cybersecurity Preventative Measures in 2023?
The sheer scope of cyber crimes perpetrated throughout the COVID-19 pandemic is staggering. Data shows a 600% rise in cyber crime incidents directly due to shifts in the workforce towards remote work and hybrid work arrangements, a shift to cloud-based networks, a growing reliance on the Internet of Things (IoT) and IoT devices that expands the attack surface threat actors can act upon, and a shift in focus to attacks on SMBs across industries.
Cyberattacks have cost businesses billions in losses and had a significantly negative impact on the reputations of the brands that have been attacked and, in several cases when healthcare technologies have been targeted, have even cost people their lives.
While it’s still important for business owners to take preventative steps to protect their digital assets and customer data, it’s equally important to treat cybersecurity as a practice in risk mitigation and to have plans in place to recover from and minimize the fallout in the aftermath of data breaches, ransomware attacks, and other types of cyberattacks.
In this discussion, we’ve invited the UpCity community of experts to offer SMB owners, entrepreneurs, and start-up leadership guidance around protecting client data, methods for developing cyberattack and disaster response plans, and general cybersecurity-focused best practices.
What Specific Preventative Measures Should You Take To Protect Sensitive Customer Data?
Customers’ sensitive information and protected patient information have increasingly been the focus of cybercriminals. Threat actors are using every tool and tactic at their disposal, including social engineering and phishing campaigns, to install malware on target systems in order to later execute ransomware attacks or gain access to sensitive data.
Chief Information Security Officers (CISOs) and other security experts are focused on implementing comprehensive technology-based security measures such as tightening cloud security, updating and strengthening firewalls, and implementing tools for real-time network monitoring. They are also integrating cybersecurity awareness training for staff into their overall strategies.
Our experts shared what measures they have implemented in their own cybersecurity policies.
“We are ISO 9001 certified and ISO 27001 certified, which means we take significant measures to protect sensitive data. We have a well-defined process for managing information security risks and ensuring that they are addressed in a timely manner. We have defined roles, responsibilities and accountability for information security at all levels of the organization. We perform regular risk assessments to identify potential areas of concern, including those related to information security. We regularly review our policies, procedures and guidelines to ensure that they are up-to-date and effective.” —Simon Kadota, Marketing Specialist, DNSnetworks
“We have only three people who have access to servers and networks. I maintain full access at all times, but the other two individuals can only gain access as needed. We ensure that no one else has access ever. We also exclude all confidential information, such as social security numbers, drivers’ licenses, and credit card information from databases we design, no matter the argument for convenience. Convenience isn’t an excuse when sued for a data breach.” —Robert Williams, Owner, Williams Web Solutions
“We strive to practice a Zero Trust model, meaning we have strict identity and authentication policies. This ensures that only authorized users have access to sensitive data, and these users need to prove who they are every time they access the data. When a login attempt from an unusual geography or at an unusual time comes in, our system requires additional authentication (or blocks the request altogether). We also have more traditional security measures in place such as firewalls and endpoint security.” —Shayne Caffrey, Marketing Director, LeeShanok Network Solutions
“We rely on Role-Based Access Control strategies, only giving team members access to specific data systems necessary to do their work. Also, we set rules for managing and protecting customer info.” —David Murphy, Founder, Nvent Marketing
“Encryption is the most effective way to protect your data from unauthorized access. So, to ensure strong security, using a password manager helps. It is usually available cross-platform, and you will have to remember just one master password instead of several complex passwords. In addition to secure passwords, you should enable Two-Factor Authentication (2FA) wherever available.” —Karis Tam, IT Manager, EB Solution

Do You Have A Safety Plan In Place In The Event There’s A Cybersecurity Breach?
Cybersecurity attacks resulting in a breach of data or a ransomware lockdown of a business’s data can be just as damaging to a company’s bottom line as a natural disaster and are oftentimes accompanied by a hit to the brand’s reputation. The reputation hit can be even worse if it turns out that your cybersecurity strategy doesn’t include a response plan designed to mitigate the damage in the aftermath of the attack.
But it’s not only about the financial bottom line or a company’s reputation. There are an increasing number of regulatory requirements around data protection and network security that must be adhered to. If it’s discovered that a company didn’t have the proper preventive measures and rules in place and a data breach occurs, the company can be subject to fines and other penalties.
The UpCity community of experts shared details on what it takes to craft a robust response plan that will help your business properly navigate the fallout from a cybersecurity incident, should one occur.
“Plan for the best and prepare for the worst. Write a clear, step-by-step guide for your employees to follow in the event of a data breach.” —Henri Cheung, Marketing Director, LRDG Toronto Marketing Agency
“We have a communication plan in place and have an IT company to immediately jump in and resolve the problem.” —Victoria Samways, Marketing & Brand Manager, Major Tom
“We have a security IT team on retainer that monitors all of our customer and internal data. They have a disaster recovery plan that can be executed in minutes in case of a breach. Every business should have either a plan of their own or a service provider on retainer who can design and execute a disaster recovery plan.” —Robb Fahrion, Partner and Co-Founder, Flying V Group
“The safety plan depends on the type of information that was compromised, how the breach happened, and the severity of the breach. Our organization would implement a data breach response strategy if that were to happen. We have a plan that outlines specific actions that can be taken in response to any breach scenario. Some of these actions include retrieving data quickly, notifying affected customers, and identifying employee incompetence or malicious intent.” —Tomas Henkenhaf, Chief Marketing Officer, Yesterday Design Co. Ltd.
“We recommend that business owners check with their cyber liability carrier and review any Federal or State breach notification requirements before creating a disaster recovery or cyber incident response plan in order to ensure you are in compliance with those requirements. The plan should assume that the network is not available and include alternative methods of communication for the team. It should also prioritize systems and recovery steps for each. Customer facing systems should be prioritized first, then others based on how critical they are to run the business. Once the plan is completed, schedule walk-throughs and review each step with the team so that everyone knows their role in the event a breach does happen.” —Jeff Chandler, CEO, Z-JAK Technologies
Cybersecurity Tips And Best Practices For Small Businesses
Data hasn’t been the only focus of cybercriminals from the start of the pandemic. The cybersecurity community noted a spike in attacks on critical infrastructure, supply chains, and other systems when hostilities escalated in Ukraine in 2022.
Security teams and managed service providers are having to do all they can to increase security awareness through education and initiatives with the goal of securing and properly configuring digital assets. The following tips and best practices from our expert community will help your security team identify where your current cybersecurity strategy is lacking.
“Enlist the help of a managed security services provider and check their reference. They will be able to guide you through the long list of tools available to get your company cyber secure. They can also scan your network to identify possible threats that your company might not be aware of.” —Scott Gene Carr II, Owner, Farmhouse Networking
“Taking a defense-in-depth approach by implementing multiple layers of security is one of the strongest approaches your company can take to protect your data. One layer of security that is crucial for drastically reducing your risk is to implement Application Control and Whitelisting. Another is to apply security patches to software and your operating system as soon as they become available. Implementing additional levels of security measures requires your team to establish best-practice settings to harden your computers like disabling Microsoft Office Macros by default and changing the default web browser settings, restricting who has administrator access to computers, implementing 2-factor authentication, and setting up and testing strong backups, including offsite backups.” —Christopher Sale, Managing Director, Enee
“Work with a reputable hosting company and web developer to ensure your company is protected from cybersecurity breaches. Ensure everything possible has 2FA turned on, and use strong passwords.” —Jessy Savage, Marketing Strategist and Agency Owner, Jessy Savage
“First of all, get cyber insurance, and then review your cyber insurance policy to ensure it’s robust enough to cover you appropriately. The cyber risk to business is typically far more than you anticipate. In almost every major breach I am aware of, the cost of prevention was so much less than the losses when calculating financial loss, business disruption, and damage to reputation.” —Dan Rubianes, CEO, Cloudience
“Be proactive with security. The best way to protect your business from cyber-attacks is to stay one step ahead of the hackers. Invest in a cyber security training program for your staff and use up-to-date anti-virus and malware software to protect your system. Make sure you regularly scan for any potential threats, and that you’re aware of any new scams or exploits that hackers may be using. With the right measures in place, your company can significantly reduce the chances of a cyberattack happening in the first place.” —Matthew Dorrington, Managing Director, Blue Moxie
“The most common cybersecurity mistake in small businesses occurs when someone uses an insecure password, responds to a phishing request, or any kind of human-error. These are the easiest to avoid and the number one point of failure for most companies.” —Christopher LCP Mendes, CEO, 2Leaf Web Development
“Cyber-attacks happen to all sizes of businesses. Things like DDoS attacks, ransomware, and phishing schemes weren’t a concern for companies in the past, but now represent daily threats. Awareness and preparation are crucial to mitigate the impact an attack might have. First, ensure antivirus software with a firewall is installed on all your devices. Always use strong passwords and don’t share them among users. Keep software up-to-date and keep track of update patches for known security holes. Create a word document containing all domain, DNS, email and website, and other online assets, as well as any related information and store a digital copy safely. For example, you can use Google Drive Folder to protect your files with a Safe folder. Do not only trust your web admin, IT person, or IT provider to own this. The business owner or a member of leadership should have direct access to this information, including the ability to change or update as required. Enable two-factor authentication to all your accounts and ensure that any critical data, whether locally or online, is backed up regularly.” —Nim Joshi, CEO, DesignsTouch
Keep Up With Cybersecurity Trends In 2023
The cybersecurity threat landscape is rapidly evolving and ever-changing, and the tactics your IT security professionals leverage must evolve just as quickly. However, with the level of technology in the hands of threat actors, and the sheer volume of attacks being perpetrated, the fact is that businesses shouldn’t be wondering if they will be the victim of a successful cyberattack, but rather how long it will take attackers to navigate and compromise well-structured defenses.
The mindset of modern CISOs and security teams has understandably shifted from total prevention to risk mitigation and limiting the damage in the wake of inevitable breaches. If your team needs the guidance of a security professional or if you need to bring on the services of a managed cybersecurity solutions provider, you can use the UpCity marketplace to identify a provider with the experience and skills to help your team prepare.
About the author

David J. Brin
David is the Managing Partner for the Code Ninjas franchise responsible for the Baton Rouge, LA market, where he facilitates the education of youth in programming, game design, and STEM education fundamentals. A lifelong learner, David combines a passion for strong business practices and solid marketing strategies honed throughout his 20-year career in the food and beverage industry with his desire to share those best practices with other business owners as a contracted copywriter for Gartner. When he's not helping his daughter build her digital art-focused social media brand, he's creating content focused on digital marketing trends, B2B best practices, and IT and cybersecurity managed services.