Cybersecurity is the goliath of tech-related concerns for companies of all sizes, not just large corporations. The Cybersecurity & Infrastructure Security Agency (“CISA”) encourages small and midsize businesses to focus on their risk management policies and procedures to mitigate risks associated with their information and communications systems. While many small businesses do not consider themselves a target for cyber-attacks, CISA states that cyber-criminals are likely to target small businesses.
A few concerns for targeted cyber-attacks include a cyber-criminal’s access to the business’ employee and customer records, access to the business’ finances and bank accounts, and attempts to use smaller businesses to target larger networks.
As we noted in the Porter Hedges Anti-Corruption & Compliance June blog post, the SEC’s new disclosure requirements will also require regular disclosure about a company’s risk management practices. Because smaller businesses may have fewer resources designated for cybersecurity, CISA developed a guide for small business leaders to create an action plan for the best cybersecurity practices, among other resources. Managing cyber risks requires cyber awareness and readiness.
According to CISA, small business leaders should consider the following six essential elements to maintain a “culture of cyber readiness:”
- Business leaders should learn about their organization’s operations and develop a strategy to protect the business from cyber threats. CISA advises leaders to consult with their IT departments and lead the implementation of cybersecurity policies.
- Business staff should develop awareness through training programs that encourage safe practices and expose the staff to cybersecurity trends. The organization should develop a culture of awareness and vigilance.
- Business systems are essential and require protection. The organization should maintain an inventory of hardware and software assets. CISA further advises business leaders to collaborate with their IT departments to utilize automatic updates; remove and defend against unauthorized hardware and software; and strengthen security settings for hardware, software, and email.
- Business surroundings should be secure, and the organization’s digital network should not be easily accessible: keep a record of user accounts, vendors, and business partners. CISA suggests multi-factor authentication for all network users. Furthermore, limited access and administrative permissions to use the business’ network should be granted according to a need-based use.
- Business data is the business’ foundation. Businesses should develop and maintain data protection to prevent the loss of critical or sensitive information. Data protection can involve network monitoring, malware shielding, and data backups to shield businesses from cyber-attacks.
- Business crisis response demands a strategy that responds to any potential cyber-compromise and aids in an efficient recovery plan. Business leaders and their IT departments should delegate duties for crisis response to trusted response teams, along with drills that test the business’ action plan. A crisis response plan will help to limit the impact that cyber intrusions may have when they happen.
Your business, regardless of the size, should develop and continue to maintain updated cybersecurity risk management policies and procedures. Each of the six elements listed above will help small and midsize businesses manage cybersecurity risks. In the coming month, our team will address additional specific actions that can be taken to avoid cyber-attacks.
Heather Hatfield represents clients in corporate investigations, white-collar crime investigations and defense involving the Foreign Corrupt Practices Act (FCPA), complex contract disputes, oil and gas litigation ...
Blake Runions assists clients with broad range of business disputes and investigatory matters, including partnership disputes, internal investigations, and commercial litigation.
Prior to joining the Firm, Blake worked in the ...
Jamie Godsey represents public and private corporations, partnerships, and small companies on a broad range of complex business and commercial litigation. Her experience includes a wide variety of matters such as contractual ...
- Cybersecurity Best Practices: Disclosure Requirements for Risk Management, Strategy, and Governance
- Cybersecurity Risk Management Practices for Small and Midsize Businesses
- Overview of New Cybersecurity Disclosure Rules for Public Companies
- Increased Focus on Cybersecurity Warrants Review of Policies and Procedures
- DOJ Issues Expedited FCPA Opinion Procedure
- Companies Must Review Compliance Policies Following New Sanctions of Russian Financial Institutions and Individuals
- Anti-Corruption Enforcement: 2021 Year-In-Review
- Credit Suisse Settlement Carries Broader Lessons about Reputational Risk
- World’s Largest Advertising Group Settles with SEC for $19.2 Million After Ignoring Red Flags
- SEC Announces More Than $16 Million in Whistleblower Awards in August 2021
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019