Cybersecurity Awareness Month: 7 Steps to Create a Cybersecurity Plan

Quick look: October is Cybersecurity Awareness Month, and it’s a great time for small organizations to evaluate how they’re safeguarding their data. With nearly half of all breaches affecting SMBs, here’s how business leaders can develop a well-rounded cybersecurity plan—and how external resources, including a PEO, can help.

Cybersecurity is a concern for organizations of all sizes. Cyber incidents have become more common each year and happen on a larger scale. And when they occur, they can be extremely detrimental to an unprepared company.

Small businesses are no exception and must develop strategies to enhance their data security to protect their employees’ and customers’ data.

October is Cybersecurity Awareness Month

In 2004, the President of the United States and Congress declared each October to be Cybersecurity Awareness Month. According to the Cybersecurity & Infrastructure Security Agency (CISA), October is “a dedicated month for the public and private sectors, and tribal communities to work together to raise awareness about the importance of cybersecurity.”

In 2023, CISA has outlined four actions each American should do (year-round) to stay safe online:

• Use strong passwords and a password manager
• Turn on multifactor authentication (MFA)
• Recognize and report phishing
• Update software

SMB cyberattacks by the numbers

Unfortunately, being a small business doesn’t mean you’re immune to cyberattacks. In fact, quite the opposite tends to be true:

• 46% of all breaches impact businesses with fewer than 1,000 workers.
• In 2021, 61% of SMBs were the target of a cyberattack.
• That same year, 82% of ransomware attacks were against companies with fewer than 1,000 employees.
• Smaller companies experience 350% more social engineering attacks than larger organizations.
• For businesses with fewer than 500 employees, the average data breach cost is $2.98 million.

7 steps to create a cybersecurity plan

It’s critical for businesses to protect data, and failing to do so could have serious consequences for organizations. A small employer’s brand could be damaged if it does not handle data securely, which can devastate the business’s future.

Small business leaders can enact a supported and executable cybersecurity plan by following these seven steps.

1. Get support from leadership

To get started with a cybersecurity plan, it’s essential to educate company leaders and team managers on the seriousness of data security and why a strategy must implemented.

Cybersecurity IT infrastructure safeguards often require additional resources that could be costly but are well worth the investment in the long run.

It’s also important to ensure that company leaders take cybersecurity seriously and receive extensive training on what to look for, how to be prepared, what to do if a breach occurs, and how to teach their teams about data security.

In addition to creating a sound cybersecurity plan, there are a few other benefits a business can gain from having leaders and managers involved:

• Receiving input and ideas from different perspectives often leads to better strategic solutions.
• Collaboration can increase cybersecurity awareness throughout the organization, decreasing the likelihood of an incident.
• This synergy can help manage costs better while implementing and maintaining the plan and can lead to improved business efficiency.

As with any companywide initiative, failing to get leadership buy-in could put even the best cybersecurity plan at risk.

2. Build the right team

Most small employers don’t have an in-house Chief Information Officer or team to manage cybersecurity or other compliance-related tasks.

For this reason, leaders from multiple departments and/or various subject matter experts should be involved in strategy planning – and not just an internal or external IT resource.

If additional data security help is needed, small business leaders can look to add members to their current team or explore external solutions that specifically address data and cybersecurity.

Once the company cybersecurity team is in place, undergoing extensive training should be mandatory for all members. After the team is fully prepared, training should be extended to every employee in the company.

3. Set the scope of the cybersecurity assessment

The first project this new team should work on is a cybersecurity/data security risk assessment.

The assessment aims to identify data that is used and created, know how this data is distributed and maintained, understand the data security hazards that could affect the organization and/or its customers, and account for legal/contractual obligations regarding this information.

Most risk assessments will identify two distinct types of cybersecurity threats: internal and external. While many business leaders believe that external cyber threats are their biggest concern, it is often an internal actor that can have the most risk.

Some examples of internal threats include:

• Human error
• Malicious employees
• Untrained employees

Crafting a cybersecurity policy that understands internal threats and has tactics to minimize these risks is essential for employers of all sizes.

Small business leaders also need to identify external risks that can cause a data breach and how to prevent them from occurring. Some of the most common external threats are:

• IT systems and network threats
• Web application
• Social engineering
• Third-party partners

Another area the assessment should address is physical security. This includes putting safeguards in place that limit who can enter an organization’s facility, installing video surveillance systems, limiting authorization to any areas that contain data or servers, and maintaining access control records for a set amount of time.

4. Decide who will conduct the assessment

Once the cybersecurity team has developed the risk assessment, leadership must decide who will conduct it – cybersecurity team members or an external organization.

Numerous data security companies specialize in cybersecurity prevention that can help small employers conduct the assessment. A benefit to this approach is that not only do they have a vast amount of experience in identifying potential data security vulnerabilities, but they can offer a different perspective that might help highlight areas in need of work.

Partnering with an external cybersecurity company could be especially valuable for a small business whose initiatives are in their infancy, but even those with established strategies can benefit.

Continuous monitoring and improvement are critical for a modern cybersecurity plan, and third-party companies can routinely try new ways to identify potential risk areas.

5. Involve legal counsel to obtain attorney-client privilege

Business leaders should involve legal counsel wherever possible as they develop their cybersecurity prevention strategies. Not only will legal counsel be able to ensure all related documents meet legal standards, but small employers will also receive the protection of attorney-client privileges.

These privileges ensure that any details shared between the business and its attorneys remain confidential and help legal counsel provide the most accurate advice and representation.

Additionally, legal counsel can be vital in a data breach as they can assist with incident response and help employers navigate this delicate process.

It’s important to note that involving legal counsel is best done in the preventative stage of cybersecurity before an incident occurs. It’s also recommended that legal counsel be incorporated into an Incident Response Team (IRT).

6. Make the plan consistent with scope and timeframes

As leadership and cybersecurity teams begin their efforts, they must ensure that the overall strategy and plan remain consistent with the job’s scope and desired completion timeframes.

Creating a new cybersecurity plan is time-consuming and should be kept on schedule and completed within a specified period. That’s why leaders should confirm that the process continuously meets its deadlines and addresses all relevant areas of cybersecurity for the business.

It can be easy for a team to miss timeframes or lose scope of the project, which puts the company and its customers at risk. By creating and sticking to a plan, business leaders can be better prepared to keep their cybersecurity plan moving forward and on schedule for completion.

7. Document all steps and procedures

The last step for small employers to get started with cybersecurity is to document each plan step and procedure.

This documentation helps company leaders, cybersecurity team members, and other employees reference relevant information should a question or concern arise. This leads to less confusion in a situation where time is of the essence.

Additionally, having accurate documentation will help when looking to bring in external individuals (legal counsel, data security organizations, etc.) to assist with planning and assessments.

Another reason to document steps and procedures is so business leaders can look at current policies and identify ways to improve. The best cybersecurity plan is continuously monitored for ways to make enhancements and further decrease potential risks.

By having clear records that can be easily reviewed, small businesses can be better organized and prepared if a document is needed – especially in an emergency.

It’s also useful to have a list of external parties that would have to be notified in case of an incident and their contact information. These include insurance carriers, regulators, law enforcement, legal counsel, forensic investigators, crisis communications/PR firms, and/or response vendors.

Staying protected takes a village

Whether it has 10 employees or 10,000, every business has data that must constantly be secure. A data breach jeopardizes the company and the wellbeing of its employees and customers. A cyberattack also negatively impacts an organization’s brand image, no matter how positive it was before the incident.

For these reasons, small business leaders must build a sound cybersecurity plan that’s routinely reviewed and continuously improved as new needs arise. To do so, employers should leverage outside help through cybersecurity consultants, legal counsel, and more.

A professional employer organization (PEO) can also help SMBs stay current on compliance requirements. For example, ExtensisHR’s Information Protection Plan (a part of its Employer Protection Plan), ensures a company’s technology platform is monitored and updated with the latest enhancements to cybersecurity, data protection, incident response, operational risk management, controls assurance, client security management, workforce protection, business resilience, third-party management, security testing and analysis, critical incident response team, and awareness training.

Additionally, ExtensisHR offers cyber liability insurance, which covers expenses to defend against damages resulting from your liability to a third party or regulator from a failure in your security, data breach, or privacy violation. This coverage covers costs including but not limited to replacing permanently impacted computer systems, restoration of digital assets, breach response, cyber extortion, business interruption, and extra expenses.

A PEO partnership complements an SMB’s internal and external resources to cultivate a well-rounded cybersecurity plan. To learn more, contact ExtensisHR today.