Misconception: [We’re just a small business,] my data (or the data I have access to) isn’t valuable.
Act: Do an assessment of the data you create, collect, store, access, transmit and then classify all the data by level of sensitivity so you can take steps to protect it appropriately. All data is valuable.
Misconception: Cybersecurity is a technology issue.
Act: Educate every employee on their responsibility for protecting sensitive information. Cybersecurity is best approached with a mix of employee training; clear, accepted policies and procedures and implementation of current technologies.
Misconception: Cybersecurity requires a huge financial investment.
Act: Create and institute cybersecurity policies and procedures, restrict administrative and access privileges, enable multi-factor authentication, and train employees to spot malicious emails. Many efforts to protect your data require little or no financial investment.
Misconception: Outsourcing to a vendor absolves our liability during a cyber incident.
Act: Put data sharing agreements in place with vendors and have a trusted lawyer review. You have a legal and ethical responsibility to protect sensitive data.
Misconception: Cyber breaches are covered by general liability insurance.
Act: Speak with your insurance representative to understand your coverage and what type of policy would best fit your organization’s needs. Many standard insurance policies do not cover cyber incidents or data breaches.
Misconception: Cyberattacks always come from external actors.
Act: Identify potential cybersecurity incidents that can come from within the organization and develop strategies to minimize those threats. Succinctly put, cyberattacks do not always come from external actors.
Misconception: Younger people are better at cybersecurity than others.
Act: Before giving someone responsibility to manage your social media, website and network, etc., train them on your expectations of use and cybersecurity best practices. Age is not directly correlated to better cybersecurity practices.
Misconception: Compliance with industry standards is enough for a security strategy.
Act: Use a robust framework, such as the NIST Cybersecurity Framework, to manage cybersecurity risk.
Misconception: Digital and physical security are separate things altogether.
Act: Develop strategies and policies to prevent unauthorized physical access to sensitive information and assets (e.g., control who can access certain areas of the office.)
Misconception: New software and devices are secure when I buy them.
Act: Ensure devices are operating with the most current software, change the manufacturer’s default password to a unique, secure passphrase and configure privacy settings prior to use.