Cybersecurity Risk Management Practices for Small and Midsize Businesses

Cybersecurity is the goliath of tech-related concerns for companies of all sizes, not just large corporations. The Cybersecurity & Infrastructure Security Agency (“CISA”) encourages small and midsize businesses to focus on their risk management policies and procedures to mitigate risks associated with their information and communications systems. While many small businesses do not consider themselves a target for cyber-attacks, CISA states that cyber-criminals are likely to target small businesses.

A few concerns for targeted cyber-attacks include a cyber-criminal’s access to the business’ employee and customer records, access to the business’ finances and bank accounts, and attempts to use smaller businesses to target larger networks.

As we noted in the Porter Hedges Anti-Corruption & Compliance June blog post, the SEC’s new disclosure requirements will also require regular disclosure about a company’s risk management practices. Because smaller businesses may have fewer resources designated for cybersecurity, CISA developed a guide for small business leaders to create an action plan for the best cybersecurity practices, among other resources. Managing cyber risks requires cyber awareness and readiness.

According to CISA, small business leaders should consider the following six essential elements to maintain a “culture of cyber readiness”:

  • Business leaders should learn about their organization’s operations and develop a strategy to protect the business from cyber threats. CISA advises leaders to consult with their IT departments and lead the implementation of cybersecurity policies.
  • Business staff should develop awareness through training programs that encourage safe practices and expose the staff to cybersecurity trends. The organization should develop a culture of awareness and vigilance.
  • Business systems are essential and require protection. The organization should maintain an inventory of hardware and software assets. CISA further advises business leaders to collaborate with their IT departments to utilize automatic updates; remove and defend against unauthorized hardware and software; and strengthen security settings for hardware, software, and email.
  • Business surroundings should be secure, and the organization’s digital network should not be easily accessible: keep a record of user accounts, vendors, and business partners. CISA suggests multi-factor authentication for all network users. Furthermore, access and administrative permissions on the business’ network should be limited and granted only on a need-to-use basis.
  • Business data is the business’ foundation. Businesses should develop and maintain data protection to prevent the loss of critical or sensitive information. Data protection can involve network monitoring, malware shielding, and data backups to shield businesses from cyber-attacks.
  • Business crisis response demands a strategy that responds to any potential cyber-compromise and aids in an efficient recovery plan. Business leaders and their IT departments should delegate duties for crisis response to trusted response teams, along with drills that test the business’ action plan. A crisis response plan will help to limit the impact that cyber intrusions may have when they happen.

Your business, regardless of the size, should develop and continue to maintain updated cybersecurity risk management policies and procedures. Each of the six elements listed above will help small and midsize businesses manage cybersecurity risks. In the coming month, our team will address additional specific actions that can be taken to avoid cyber-attacks.
