10 Steps for Solo and Small Firm Cyber-Safety
If you’re a solo or small firm, you’re a prime target for a cyber-attack – in fact you might have already been hit and don’t know it.
Close to two-thirds of cyber-attacks specifically target small businesses, according to the Verizon 2018 Data Breach Report. Hackers know small firms are easier prey than big banks and large corporations. They have less protection, weaker defenses and fewer IT resources.
Sometimes the bad guys make their dirty work obvious. In a ransomware attack, for example, they hijack your system and demand money to free it. Other times, they work in the shadows. They steal data from you and your clients, then plunder it for further exploitation or sell it on the dark web – and you may never know what happened.
And while big companies may be able to survive an attack, smaller shops might not. A study from the Cyber Security Alliance found that 60 percent of small businesses (not just law firms) are forced to close their doors within six months of a cyberattack.
10 Steps to Cyber-Safety
- Be aware of your risk. Acknowledging your exposure is priority number one. Don’t become complacent. Make sure your entire team is educated, on guard and vigilant.
- Train your staff. Human beings make mistakes. We click on lethal email links. We leave our laptop screens exposed to strangers passing by. We use unsecure passwords. Minimize your risk by holding regular staff meetings to talk about best practices and office vulnerabilities. Encourage people to report suspicious activity. Bring in an outside consultant for cyber-training.
- Don’t get phished. Email phishing is the most common way hackers break into small office systems. Here are some of the most frequent scams.
- Have a cyber-security plan. “Implement a password policy and a security monitoring policy, perform firewall updates, conduct regular penetration testing and create an incident response plan,” advises Jon Schramm in this article in Entrepreneur. “Nothing will protect you completely, but you can institute some practical measures. If you can show customers you were actively taking measures to protect them, they will be far more understanding in the event of a breach.”
- Outsource cyber-safety. Only about 20 percent of businesses believe their internal defenses are capable of managing IT threats, according to a Webroot survey. One solution is to contract with a cyber consultant to audit your system, conduct penetration testing, and recommend new fixes. It may cost less than you think. And it will free up your own IT personnel to focus on daily operations and workflow.
- Learn how to use your systems. Even if you aren’t personally responsible for running TrustBooks, your phone system or cloud storage, you should have a working knowledge of how these platforms work. That way you’ll know when a system needs to be replaced, repaired or reinforced.
- Put technology in your name. “You probably have other employees listed as owner or administrator of your technology,” writes business consultant Rhonda Abrams in USA Today. “Stop that! Now! Employees come and go. Even long-time, trusted employees come and go, and certainly the tech contractor will go. When they go, they may control your technology or even take it hostage.”
- Upgrade from a free online service to a paid version. “For relatively unimportant services, go ahead and use the free versions,” Abrams advises. “But for your critical infrastructure services – such as your payroll, website hosting, document storage – you’re going to find the free versions are not only limited, but you won’t get any kind of tech support and those free services may disappear or change suddenly. For the greatest protection and quality, pay for an appropriate level of service.”
- Use secure passwords and keep them safe. Sure, you’re sick of hearing this. But the reason you keep hearing it is that it’s so important. Learn how to create safe and strong passwords. Discover the best password manager programs for 2019.
- Back up vital info. Do this even if it’s stored with a top-level cloud company. You can never be too careful with your client data, financial information and personal information.
What tips would you add to the list?