On December 18, 2013, cybersecurity journalist Brian Krebs was the first to report a massive data breach at Target affecting tens of millions of people across the U.S.
According to The New York Times, a cyber attack on a small HVAC vendor hired by Target allowed hackers to access Target’s systems. This resulted in a data breach compromising more than 40 million customers’ personal information, prompting Target’s CEO at the time to resign, and costing Target over $200 million in legal fees. Ouch.
While this event brought a lot of attention to cybersecurity, similar breaches went on to affect other retailers like The Home Depot and T.J.Maxx. Even today, businesses of all sizes use unsafe digital practices, putting them at risk of having customer data stolen, being sued, and likely going out of business.
Investing in security software is no doubt a good idea, but there are many other measures businesses and individuals can take to defend themselves against hackers before spending money. To learn more about how businesses can protect themselves, I talked to Jeremy Long, an information systems engineer at Eventbrite in Nashville and a cybersecurity expert with over six years of experience in the IT field. Here are the biggest takeaways from our conversation.
1. Even if you aren’t a big business, you should take cybersecurity seriously.
The data breach I described at the beginning of this article hit a major retailer, but the attack began with security weaknesses at a small business.
It’s easy to forget about the spark that sets off a wildfire, and the story is no different with cybersecurity. Jeremy says individuals and smaller companies like this are “low hanging fruit” for hackers. These businesses are often unprepared for an attack, so there’s a better success rate when hackers target them.
> Main Takeaway: “Cybersecurity affects everyone, whether you’re a big business, a mom and pop shop, or just an end consumer,” Jeremy says.
2. Get everyone on board.
In order to best prepare your company for a cyber attack, you need to make sure everyone at your company is on the same page. If you don’t have a security training program in place, it’s time to make one. If you only conduct security training once a year, it’s time to rethink that, too.
“Threats, tactics, and social engineering scams are constantly evolving,” Jeremy says. “A healthy sense of cyber-alertness should be on the forefront of every employee’s thinking.”
Here are some specific steps you can take:
- Never write passwords down or store them in unsecured places on devices
- At a minimum, turn on two-factor authentication (2FA) for every account possible. Ideally, use multi-factor authentication (MFA).
- Require multiple parties for different levels of access to sensitive data
- Know your co-workers so you don’t fall for impersonation scams
Security needs will vary depending on company size and internal processes, but this list is a good starting point for businesses of any size to improve their security practices.
> Main Takeaway: At the end of the day, the more people who know cybersecurity best practices at your company, the better.
3. Companies should advise both vendors and employees on cybersecurity.
It may be harder to approach educating vendors about cybersecurity than it is to educate employees, but if Target’s security breach can teach us anything, it’s that vendors can pose huge cybersecurity risks.
While plenty of businesses large and small do have good security practices, Jeremy says it’s never safe to assume that everyone does. This doesn’t mean you have to require HVAC workers or painters to attend a cybersecurity training before you’ll work with them (hey, I won’t try to stop you), but it does mean you should communicate some basic, reasonable expectation to them that they will use safe practices when handling any kind of sensitive data tied to your company.
Require vendors to sign a waiver acknowledging cybersecurity awareness and the consequences they face if they cause a data breach at your company. Or institute a company policy stating you will only work with vendors who hold a cybersecurity certification from an accredited training program.
Whatever approach you take, remember it’s not just your business data that’s at stake, it’s your customers’ data as well.
> Main Takeaway: Jeremy says, “You have to consider what services, platforms, and vendors outside your immediate employees have access to your data and how. You must put controls in place for that.”
4. If you’ve been hacked, remain calm.
This is easy to say but hard to do. Cyber attacks can be terrifying, as you probably don’t know who is attacking you and from where. Hackers move fast, but you can mitigate a lot of damage simply by keeping your head.
“The most important thing is not to panic,” Jeremy says. “Stop, take a breath, and calmly assess the situation. What information did you just give away? Login credentials? Bank account information? Your game plan is determined by the answer to those questions.”
If you think your login credentials were compromised, immediately change your password. This is especially crucial if your primary email password was stolen. You can quickly get locked out of multiple different accounts if a hacker can access your email inbox, as many sites simply require an email address to reset your password.
If it looks like you accidentally downloaded malware, Jeremy advises shutting your computer off immediately and seeking help from a professional.
> Main Takeaway: If you think you’ve been hacked, don’t panic. Calmly retrace your steps and develop an action plan.
Cybersecurity can seem confusing at first, but by putting forth even a minimal effort to use safer practices, you can avoid a catastrophic data breach that puts your customers and your business at risk.
As Jeremy said, hackers are always adapting their techniques, so it’s crucial for you to continue educating yourself on this topic. The tips outlined in this article are a good place to start, but for a more in-depth guide on the best practices for safeguarding your business, download our free white paper guide to cybersecurity below.