If you’re a small business owner who thinks that you don’t need to worry about about cyber security, think again. The Ponemon Institute’s 2016 State of SMB Cybersecurity report surveyed 600 small businesses, finding not only that “no business is immune to a cyber attack or data breach,” but that a surprisingly high number of small businesses suffered cyber attacks in 2016. According to Ponemon:

  • 50% of SMBs were breached in 2016.
  • The most prevalent attacks against SMBs were web-based and phishing/social engineering.
  • 59% of SMBs have no visibility into employee password practices and hygiene.
  • 65% of SMBs that have a password policy do not strictly enforce it.

Adding to the problem is that fact that even though attacks on small businesses are up, concern surrounding the topic is low. A separate poll found that a vast majority of small business owners — 87 percent, according to Manta Media Inc. — do not feel their business is at risk of experiencing a data breach.

SMBs need to wake up and realize that they are sitting ducks — especially if they’re unprepared and of the opinion that they’re in no danger at all; an unprepared target is a perfect target. Protection against cyber attack is of the utmost importance, and preparation is key to survival in a digital world. Here are five ways that small businesses can improve their cybersecurity.

1. Run a Cyber Security Risk Assessment

Every business, big and small, should run a cyber security risk assessment. Maryville University’s Cyber Security Resources list the core concepts and principles of proper risk assessment:

  • Take stock of the system: its size, number of hardware- and cloud-based access points, partner organizations and vendors, what information is stored and shared and its sensitivity.
  • Look at potential threats: According to Sage Data Security, in addition to hacker intrusions or data breaches executed by disgruntled employees, one must also consider breaches resulting from human error, be it poor data backup, insufficient encryption and data traveling through unsecured channels.
  • Analyze the environment: This step involves the examination of controls governing factors like administrator access, user authentication and provisioning, infrastructure data protection, continuity of operations and others. How vulnerable are these individual controls to the threats an organization is most likely to face?
  • Likelihood: Consider the probability of each breach type and its point of origin. This can, depending on organizational or network complexity, involve dozens of breach/source pairings.
  • Final risk assessment: Multiply the likelihood of breach against its resultant damage to determine a risk rating. For example, if an organization is likely to experience breach attempts due to the valuable information its handling and the results of such a breach would be catastrophic, the business has an extremely high risk rating.

2. Create a Document Management Plan

A majority of today’s breaches occur because of simple human mistakes — documents sent to the wrong inbox or to a phishing email, or even physical documents discarded in the wrong bin. A document management plan keeps a vigilant watch over status of all company documents, meaning that these errors are caught before they occur. Record Nations mentions that common components of a document management plan will typically include:

  • Conducting a complete inventory of all currently-existing records
  • Designating a single employee or manager with responsibility for the record management process
  • Developing a record retention and destruction schedule—typically with varying retention guidelines by state
  • Evaluating and determining the best method(s) for storing and managing records
  • Creating, documenting, and establishing proper company procedures for record storage and disposal
  • Implementing your policy, training employees, and ensuring constant communication throughout the company on any procedural changes
  • Creating a backup disaster recovery plan in the event of a breach or other emergency to immediately minimize damage
  • Maintaining, auditing, and optimizing prevention and recovery plans to maximize efficiency and effectiveness

3. Educate Your Employees

As mentioned in the components of a document management plan, employee education after implementation is key for it to work. In reality, employees need to be educated on more than document management. In XMedius’s post, “3 Major Data Security Risks Every Business Should Know About”, the first point made is that employees don’t know how to protect data. They write:

“It’s safe to assume that unless we work for a company specializing in IT security, the average worker goes about their day handling and sending sensitive data without thinking about hackers or data loss. It’s actually the lack of security awareness and skills that makes organizations an easier target for hackers or disgruntled employees who have access to networks and admin accounts.”

The solution here is mandatory compliance training for employees working with either protected health information (PHI) or personally identifiable information (PII), as well as mandatory training sessions that teach password and workstation security best practices.

4. Have a Recovery Plan

…because chances are you’re going to suffer a cyber attack. This isn’t something most small businesses want to hear, but it’s the truth. To minimize how effective these attacks are on your business, Eva Velasquez, writing for Intuit’s Firm of the Future blog, recommends consistently changing passwords, watching out for phishing emails, and monitoring company financial accounts. Of course, prevention is only half the battle.

If you are hit by malware — specifically ransomware, which encrypts the drives on your computers and demands ransom for decryption — the only thing you can really do is a complete system restore. Unfortunately, if you don’t have a proper backup strategy, you’ll either be reverting to outdated restore images or unable to restore at all. Make sure you’re backing up everything in case of such an instance.

Beyond a backup plan, recovery plans include solutions so that your customers aren’t left in the dark waiting for products and services while you get your systems back online. Downtime reduction in recovery is huge, so make sure you’re investing in it.

If businesses heed these four simple rules, their cyber security will improve tremendously. Don’t get caught with your pants down, and make sure that you’re constantly sizing up your cyber security measures — bet your bottom dollar, cyber criminals already are.