Cybersecurity a Small-Business Necessity

Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. As a small business owner, you have likely come across security advice that is out of date or does not help prevent the most common compromises.

For example, odds are that you have heard advice to never shop online using a coffee shop’s Wi-Fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.

Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. There are several things companies can do to protect themselves from cyber-attacks.

  1. Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. Security must be an everyday activity, not an occasional one.
  2. Select and support a Security Program Manager. This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program.
  3. All staff must be formally trained to understand the organization’s commitment to security, what tasks they need to perform and how to escalate suspicious activity.
  4. Write and maintain an Incident Response Plan. The IRP will spell out what the organization needs to do before, during and after an actual or potential security incident. It will include roles and responsibilities for all major activities, and an address book for use should the network be down during an incident.
  5. Host quarterly tabletop exercises (TTXs). A TTX is a role-playing game where the organizer presents a series of scenarios to the team to see how they would respond. A common scenario involves one employee discovering their laptop is blocked by ransomware. Symphonies and sports teams practice regularly, and your organization should, too.

For more information, go to www.cisa.gov.

U.S. Cybersecurity & Infrastructure Security Agency