We have all heard that cybersecurity is important for all companies - whatever their size. But small companies, with their limited personnel and financial resources, may be more vulnerable to cyberattacks. And if they are hit, it can be more painful - and possibly catastrophic.
Small company owners could be a one-person team in charge of all important aspects of day-to-day operations. It is easy for them to get preoccupied with customers and revenue that other functions - like cybersecurity - may be neglected. Until they are victims of a cyberattack, that is.
Every hour of lost operation for small companies could also mean a big chunk of lost revenue. And because small companies may not have the safety net available to bigger companies - sophisticated data back-ups, a team of IT personnel, professionals to manage irked customers and lawyers to handle potential regulatory matters - all these problems may fall into the hands of the owner.
So, what can a small business owner do? Since October is Cybersecurity Awareness Month, here are some tips:
Know your priorities
Is that list of customer phone numbers in a rolodex or a file in a computer? Or in the cloud that can be accessed from multiple computers when needed? Is that software used to run the production machines stored on a local computer or the network?
It's the owner's responsibility to know the most valuable data, equipment or services the company needs to operate.
Make cybersecurity everyone's concern
Let the entire company - whether five or 500 personnel - know that preventing and recovering from a cybersecurity incident is everyone's responsibility. All personnel need to be reminded that it is not a matter of if, but when and how often cyberattacks occur. So, it is worth asking each employee: if the network goes down, what can we do? What will they do?
"An ounce of prevention is better than pound of cure"
Once you have everybody in the company on board, start developing habits of good cyber-hygiene. Let everyone know that simple habits like avoiding clicking links on emails and websites may prevent malware from entering the company's network. If anyone is in doubt whether an electronic message actually came from a trusted source, try to verify via phone or other means. And nowadays in a world of working from home, let everyone recognize that the company's network could only be as secure as everyone's home network security.
Have a plan, just in case ...
Before a cyber incident even occurs, make preparations so the company can continue doing its most important functions. Give each employee access to those backed-up files, or boot up those older but malware-free devices, unlock those filing cabinets where paper copies of important electronic documents are stored, and dust off that good-old rolodex - whatever it takes to keep the company going while the IT guys sort things out.
Scan the horizon
Every industry is evolving in the face of cybersecurity - and many already have regulations to protect both companies and their customers. It is particularly important to know and prepare for the ever-evolving regulations and certifications needed for small companies to keep doing business.
For example, Hampton Roads has an ecosystem of Department of Defense contractors. Last year, the DoD started rolling out a Cybersecurity Maturity Model Certification, which will be required for all contracts by fiscal year 2026. It's not too early to start looking at what it takes to get certified.
For small companies, cybersecurity may initially seem like another pebble-in-the-shoe on its daily operation - until they get hit with a ransomware, a DDoS or some other cyber incident. Or face a new regulatory requirement just to keep doing business.
Need more assistance with your cybersecurity plans? The Old Dominion University Cybersecurity Bootcamp is offering free, online events that span a wide range of introductory-level cybersecurity topics.
Ariel Pinto is an associate professor of engineering management and systems engineering in the Batten College of Engineering and Technology