Cyber-securing your small business

Develop a written cybersecurity program

If you don’t already have a written cybersecurity program, start by identifying your business objectives and organizational priorities. This will include reviewing the information technology systems that your business uses and the types of information processed and stored.

For instance, do you store personal information, financial account information or email addresses? Once you know what systems you use and what information you process and store, then determine the regulatory rules that apply your particular situation.

All states have data breach notification laws that govern giving notice and reporting breaches of personal information of their residents. Many states require certain types of businesses that store or process personal information to have a written cybersecurity program. Knowing what information you have and its location is the first step in expediting and lowering the cost of responding to cyber-attacks and data breaches.

To assist in developing your cybersecurity program, the Federal Communications Commission website has a free cybersecurity program planner that you can tailor to your needs.

In addition to written policies, your cybersecurity program will require the selection and implementation of physical and behavioral controls.

Physical controls

Patch and update regularly

The most damaging and prolific cyber-attacks exploit known vulnerabilities. Installing patches and software updates is the most effective physical protection you can employ.

Deploy cybersecurity software

Make sure that you are using a firewall and that it’s properly configured. Use at least one antivirus program and configure it to scan systems regularly. If you have remote employees or allow remote access, use a VPN (virtual private network) to secure access.

Employ multiple redundancies for backups

Backing your data up to the cloud is good, but backing it up to air-gapped storage, a storage device that is not connected to the Internet or other networks, is better. Recent ransomware attacks have encrypted networks as well as cloud backups. To ensure that your business can recover quickly and reduce remediation costs after an attack, employ multiple backups.

Control physical access to your computers and data

Create individual user profiles so that only authorized users can access your systems and data. Consider multi-factor authentication for sensitive systems and data. Restrict administrative access to only those users who require it. Establish rules that mandate strong passwords that are at least eight characters long and contain a combination of randomly selected letters or phrase and a six-digit pin.[1]

Secure Wi-Fi networks

Set a strong password for your router. Do not use the default password. If you allow guests to access your Wi-Fi, consider setting up a separate router and password for their use.

Employ best practices for payment cards

If your business accepts payment cards, work with your processing provider to ensure that your business is Payment Card Industry Data Security Standard compliant.

Vet vendors’ cybersecurity

Employing a vendor, such as a cloud storage or security provider, doesn’t eliminate your exposure in the event of a cyber attack or breach. Nearly every state requires the data owner, not the vendor, to notify affected individuals, and in some cases law enforcement, in the event the vendor suffers a breach of the owner’s data. HSB’s eRiskHub® has an updated vendor due diligence questionnaire to assist in evaluating vendors’ cybersecurity practices.

Behavioral controls

Train employees

Cybersecurity professionals routinely warn that employees pose the greatest threat to even the most rigorous cybersecurity program.  Training is the most effective measure you can take to bolster your policies and program. It’s not sufficient to distribute your policies and ask employees to sign off. In addition to formal training, consider posting security posters, encouraging employees to attend free cybersecurity webinars, and regularly educating them about current threats. Consider exercises such as phishing your own employees to reinforce the best security practices.

Address unauthorized devices and shadow IT

Implement a realistic mobile device policy and reinforce your policy with physical controls and employee training. Control shadow IT, the use of unauthorized devices, software or apps, by employing an approval process for software and hardware purchase and use.

Visit here to create a free customized Cyber Security Planning guide for your small business and visit here to download resources on cybersecurity awareness for your business. The HSB eRisk Hub, a free service to our insureds, contains many resources to assist in developing your cybersecurity program and educating your employees about cyber risks and security best practices.


Want more information like this delivered straight to your inbox? Click the “Follow” button on the bottom right, and enter your email address.

© 2018 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved. This article is intended for information purposes only. All recommendations are general guidelines and are not intended to be exhaustive or complete, nor are they designed to replace information or instructions from the manufacturer of your equipment. Contact your equipment service representative or manufacturer with specific questions

[1] Find the latest NIST guidance for passwords here.

Monique Ferraro

Monique is counsel in Munich Re’s US Cyber Practice at HSB. Previously, she was principal at a digital forensics, e-discovery and information security consulting firm and owner of a law firm. Ms. Ferraro is a Certified Information Systems Security Professional.

One comment

  • Thank you for these guidelines, I’ve been researching online data security and saw lots of recommendations to use a VPN. I’ve tried one out called Surfshark, never used a VPN before and was afraid it might be a bit difficult, but it was the other way around. There was a problem because it had to be set up manually on my MacBook, but it wasn’t hard following the tutorials, everything else is one click away. I was told the speed might drop significantly, but the speed drop was barely visible, no discomfort whatsoever. They’re offering a public “columbusday” coupon atm for a discount, amounting to just 30 euros/year, I’m considering buying it.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.