by Chuck Wilson, Executive Director of the National Systems Contractors Association, and Dhaval Jadav, alliantgroup CEO
Nov 30, 2017
Each year, 71% of all cyber-attacks target small to mid-sized businesses. Why, you ask? A simple underinvestment in cyber protection. With the advent of the Internet of Things (IoT), all business owners need to remember that every access point into a device has become a potential vulnerability point. Furthermore, by 2020, there will be more than 20 billion connected devices, ranging from our smartphones to industrial machinery. While many business owners list cybersecurity as a growing burden, their companies still struggle to maintain proper cybersecurity measures.
With cybersecurity concerns only continuing to rise, alliantgroup held a Technology, Economic, Legislative and Policy Summit at its Houston headquarters this fall. Tom Ridge, the first U.S. Secretary of Homeland Security, led an insightful keynote panel on cybersecurity with other technology experts. As the discussion went on, many business owners, CPAs and financial advisors were shocked to learn about the deficiencies of conventional security measures and how vulnerable their data and systems may be.
Our experts agreed that while no single solution would address every potential threat, there are best practices for good “cyber hygiene.” Special guest Chuck Wilson, Executive Director of the National Systems Contractors Association (NSCA), provided the checklist below to help businesses take the necessary steps to protect themselves. All this raises the question: is your business doing everything in its power to ward off cyber-attacks?
- Perform a cybersecurity technology audit; ensure this audit checks spam filters, malware protection, etc.
- Conduct internal process reviews every six months and bring in an outside security consultant at least once a year.
- Conduct internal risk audits and then have a third-party assessment done of this audit; make sure your third-party assessor is following the standards set by the National Institute of Standards and Technology (NIST).
- Have up-to-date anti-virus software and use it to scan your systems regularly.
- Bring in an “ethical hacker” or computer security expert for an assessment of potentially vulnerable points (i.e. internal and external penetration testing).
- Include a detailed Cybersecurity Awareness Training in your employee on-boarding that covers topics such as data integrity, proper use of email, what looks suspicious, etc.
- Have monthly or annual “digital refreshers” to remind employees of cybersecurity protocols; these ongoing awareness trainings should be required for all employees and include on-site trainings, cybersecurity videos, phishing simulations or webinars.
- Keep proper audits of the devices each employee has been issued; when employees leave, have multiple checkpoints for recovering their devices or drives, and take regular inventory of any devices given out to them.
- Have zero tolerance for BYOD (Bring Your Own Device) or COPE (Company-Issued Personal Enabled) policies for any web-enabled device coming in or out of your building.
- Have at least one IT professional on staff educated in and adhering to NIST standards or UL 2900 standards practices.
- Add first-party and third-party cyber risk insurance to your business practice coverage.
- Read and evaluate all client contracts for liability stemming from breaches and possible business interruption damages caused by your engagement.
- Use outside expertise to verify your internal security practices. Don’t place so much trust in any single employee that that employee alone knows everything that can go wrong; keep some segregation of duties to protect the organization.
- Limit your network vulnerabilities by patching and updating your systems regularly; this includes your computers, servers and IoT devices such as security cameras, A/V devices, etc.
- Find a source for any threat notifications (i.e. if DocuSign or Google Docs is breached, you need to be aware of where that breach came from).
- Have an incident response plan! If you do have a breach or are hit with ransomware, it is crucial to have a plan and know next steps to keep your business disruption limited.
- Cybersecurity has a physical side to it as well! Control visitor access, and keep physical access to networks limited and controlled to protect against physical attacks.
About the Author
Chuck Wilson is the executive director of the National Systems Contractors Association (NSCA) and has served in this capacity since 1996. Before being named executive director of NSCA, he served on the organization’s Board of Directors from 1988-1995. NSCA is a not-for-profit association representing the commercial low-voltage electronic systems industry, including systems contractors/integrators, product manufacturers, consultants, sales representatives, architects, specifying engineers and other allied professionals.
Dhaval Jadav is Chief Executive Officer of alliantgroup, America’s leading provider of credits and incentives to businesses of every size. Dhaval co-founded alliantgroup in 2002; since its inception, his passion to help and serve U.S. businesses (and their CPA firms) has resulted in alliantgroup assisting thousands of businesses in claiming powerful cash-generating credits and incentives.