All About Cybersecurity in Under 10 Minutes for Non IT Executives
You want solid cybersecurity and no ransomware problems, but you are not an IT executive.
You intend to run your business for the long term and you have planned for the basic risks, but a surprise halt to operations and a $312,000 ransomware bill is not part of that plan. Let’s say you are on top of competitors, costs, efficiencies, and all the other things experience and education have taught you to monitor. There is still one area you may keep putting off: cybersecurity. The reasons vary, from thinking it is not something you need to worry about, to a lack of knowledge, to feeling overwhelmed by the thought and the perceived expense.
This article is not meant to turn you into an expert, as that takes a long time, but to give you the key terms, the right questions to ask, and general direction to get the process started in protecting your business. By knowing these things, you can reasonably speak with a vendor or expert on the topic and have a general idea of what is going on. There are several links throughout so that you may get technical details on various topics.
I have somewhat recently put more time into learning about this topic as it’s been applicable, and I was new to the field. This is the information I had to know more about so I thought I would share.
What does cybersecurity mean?
According to the Cybersecurity & Infrastructure Security Agency (CISA), cybersecurity is “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” Those three properties are known as the CIA triad: only the right people can read the data, the data has not been tampered with, and the systems are up when you need them.
What are the types of cybersecurity?
- Information security: Protecting data itself, wherever it lives, so that only authorized people can read or change it. User authentication and cryptography are examples of the controls used.
- Network security: Protecting the network and the data that travels over it. Firewalls and endpoint security fall here; the endpoints are the laptops, servers, and phones on the network, and antivirus and antispyware are examples of the software that protects them.
- Application security: Protecting against weaknesses in the software itself, which can be introduced in application design, in the code and programming language used, or in how the application is installed and configured.
Who needs to be involved in cybersecurity?
All employees. Trained employees are your last line of defense. Cybersecurity has to be set as a top-down direction and become part of the company culture to be effective. It should not be treated as merely a subset of the IT department’s work: it affects all areas of the business, and you will need cooperation from every department for it to succeed. It is not just a matter of having software in place, and it is not just for the IT department to handle. The best way to think about this is in terms of layers: the more independent layers of protection you have, the more likely one of them stops an attack that slips past another.
Who can be affected by cybersecurity threats?
If you have a computer, phone, or any other device connected to the internet, there is a risk. It doesn’t matter if you are a three-employee business, a large hospital, or the government itself.
Why should you focus on cybersecurity?
Here are some quick stats that put things in perspective if you think “It won’t happen to me or us.”
- CISA cites an estimate that in 2021 a ransomware attack occurred every 11 seconds, compared with every 39 seconds in 2019.
- 43% of attacks target small businesses, and according to Coalition the share is as high as 58% for small to midsize businesses.
- According to AON, the average ransomware payout in 2021 was $312,000.
- Blackfog notes that the global cost of cybercrime grew from $3 trillion in 2015 to $6 trillion in 2021; that is roughly $190,000 per second.
- Cyber incidents are generally no longer covered under standard business insurance, and many companies will not qualify for a separate cyber policy because basic security practices are not in place.
Key terms you should be aware of before taking the next step
The types of cyber threats
Malware: Software designed to get onto your computer and do damage without your knowledge. Viruses, spyware, worms, trojans, and rootkits are all types of malware.
Ransomware: A type of malware that infects a computer and locks you out of your files or systems (usually by encrypting them) until a ransom is paid to unlock them. Payment is usually demanded in Bitcoin or another cryptocurrency. Many ransomware groups also copy your data out before encrypting it and threaten to publish it, so paying for a decryption key does not put the data back under your control.
Ransomware can cause you to lose proprietary information, stop business operations for a period of time, incur financial loss from the time it takes to restore systems, and damage your business or brand in the eyes of your customers, costing you business even after you are back up and running.
Bot: Software or a script that carries out tasks on command. A compromised machine running one can be controlled by the cybercriminal at any moment, and a group of such machines under one controller is called a botnet.
To report ransomware, use CISA’s reporting page (linked in the references below).
Phishing: Attackers send emails that appear to come from someone you know or to be about something relevant to you, and in reality use them to harvest information about you, steal account credentials, or get you to open a malicious attachment. Always check the actual sender address, not just the display name: if you hover over or click the sender’s name in an email, the mail program shows the real address behind it, and that address often does not match the company the message claims to be from. Phishing is one form of social engineering, the broader term for tricking people rather than breaking into systems.
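The display-name-versus-real-address check described above is exactly the kind of thing a mail filter or a curious IT person can automate. The following is an added example written for this article (it is not code from the original page or from any vendor): it parses a From header the way a mail client does, compares what the reader sees with where the message really comes from, and flags the common tricks. The company domain acme.example and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr
from typing import Optional

# Domains this (hypothetical) company actually sends mail from. Assumption for
# the example; replace with your own.
TRUSTED_DOMAINS = {"acme.example"}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _is_trusted(domain: str, trusted: set) -> bool:
    """Exact match or a subdomain of a trusted domain: mail.acme.example passes,
    acme-support.example (a look-alike) does not."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def sender_findings(from_header: str, reply_to: Optional[str] = None,
                    trusted=TRUSTED_DOMAINS) -> list:
    """Compare what a message *shows* (the display name) with where it really
    comes from (the address inside <...>) and return a list of warning codes.
    An empty list means nothing looked inconsistent."""
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    if not domain:
        return ["unparseable-from"]
    findings = []
    name_l = name.lower()

    # 1. The real address is outside every trusted domain.
    if not _is_trusted(domain, trusted):
        findings.append("untrusted-domain")

    # 2. The display name drops the company brand (first label of a trusted
    #    domain) while the real address is somewhere else entirely.
    brands = {t.split(".")[0] for t in trusted}
    if any(b in name_l for b in brands) and not _is_trusted(domain, trusted):
        findings.append("brand-in-name")

    # 3. The display name is itself an email address that differs from the real
    #    one. Many phone mail apps show only the display name, so this reads as
    #    legitimate unless you look behind it.
    if "@" in name_l and name_l != addr.lower():
        findings.append("address-in-name")

    # 4. Replies would silently go to a different domain than the sender.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != domain:
            findings.append("reply-to-mismatch")
    return findings


# Constructed sample headers (not real messages) exercising each check.
SAMPLES = [
    ('"Acme IT Helpdesk" <helpdesk@acme.example>', None),
    ('"Acme IT Helpdesk" <helpdesk@acme-support.example>', None),
    ('"jane.doe@acme.example" <jd.payroll1987@mail.example>', None),
    ('"Acme Finance" <finance@acme.example>', "billing@acme-invoices.example"),
]

if __name__ == "__main__":
    for from_hdr, reply in SAMPLES:
        result = sender_findings(from_hdr, reply) or "looks consistent"
        print(f"{from_hdr!r:60} -> {result}")
```

One caveat worth passing on to staff: the From header is text the sender chose, so an attacker can also forge a perfectly matching address. The checks above catch the lazy, high-volume cases; catching forged addresses is the job of your mail provider’s sender authentication (SPF, DKIM and DMARC), mentioned under email later in this article.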
Advanced Persistent Threat (APT): A well-resourced attacker gets into a network and stays there, undetected, for a long period while stealing data, so this is primarily an attack on confidentiality. Targets are typically finance, national defense, or other high-value industries.
Denial of Service: An attack that floods a network or service with traffic so that legitimate users cannot get through. An example is your public website being taken down so customers cannot reach it. Think of it as putting 30,000 cows in the middle of the expressway: regular drivers cannot get past. When the traffic comes from many hijacked machines at once (a botnet) it is called a distributed denial of service, or DDoS.
Cybersecurity terms to be aware of when you talk with a vendor
- SIEM (Security Information and Event Management): A central place where logs, events, and alerts from all of your systems are collected and analyzed to catch abnormal behavior and potential attacks as they happen. It also serves forensics: after an attack, this is what lets you go back and reconstruct what happened, which is the evidence needed for insurance claims and prosecution. A SIEM is only useful if someone is watching it and responding to alerts (that is the SOC mentioned in the vendor list below), and it can be expensive.
- Cyber insurance: Almost every insurer will require you to have certain controls in place (MFA, backups, endpoint protection, and so on) before they will even consider you eligible. The goal is that in the event of an attack you are at least partly covered for the financial loss, and if you arrange incident response and disaster recovery services through the insurer, you will have help getting the business back up and running.
- Firewall: A network security device that monitors the traffic coming in and going out and allows or blocks it according to the rules you have in place. Its job is to keep unwanted traffic, including attackers and malware, off your network.
- Cryptography: The science of protecting information with mathematics, so that only someone holding the right secret key can read it or verify that it is genuine. Modern cryptography relies on publicly studied algorithms and secret keys, not on secret letter-substitution tables.
- Encryption: An application of cryptography. It scrambles readable data into unreadable ciphertext using an algorithm and a key; only someone with the matching key can turn it back.
- Virtual Private Network (VPN): Creates an encrypted tunnel between a device and your office network (or a VPN provider) over the public internet, so someone on the same coffee-shop Wi-Fi cannot read or tamper with the traffic. Websites see the VPN’s address rather than your own, although this is privacy from bystanders, not untraceability. A typical use is connecting from a coffee shop or from home to your computer or servers at the office.
- Breach: Unauthorized access to your information or a device. When the data is actually copied out, it is a data breach.
- Multi-Factor Authentication (MFA): Requiring two different kinds of proof before granting access, like needing both your debit card (something you have) and your PIN (something you know). The most common setup is a password plus a code from an authenticator app on your phone. App codes can still be phished by a convincing fake login page, so hardware security keys, which will not work on any site other than the real one, are the stronger option for your most important accounts.
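To make the MFA entry above concrete: the six-digit code that changes every 30 seconds in a phone authenticator app is not random. It is computed from a secret shared between the phone and the service when you scan the setup QR code, plus the current time, using the open TOTP standard (RFC 6238). The following is an added example written for this article (not code from the original page or from any authenticator vendor) showing both the phone’s side (generating the code) and the server’s side (checking it). The secret “12345678901234567890” is the published RFC test key, used here as constructed demo input; a real service generates a random secret per user.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (SHA-1, the default of most
    authenticator apps). The code is an HMAC of the current 30-second time
    slot, truncated to `digits` decimal digits."""
    counter = int(at_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (that is what is
    in the QR code). Tolerate lower case, spaces and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current slot and `window` slots either
    side to absorb clock drift between phone and server, and compare in
    constant time so response timing cannot be used to guess digits."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); real ones are random.
    shared = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(shared, now)
    print("your app would show:", code)
    print("server accepts it:", verify(shared, code, now))
```

Two points for the executive reader follow from the code. First, the security rests entirely on the shared secret staying secret: a backup of someone’s phone or a screenshot of the setup QR code is as good as the phone itself. Second, the code is valid for anyone who has it during its time window, which is why a fake login page that relays the code to the real site within 30 seconds defeats this kind of MFA, and why hardware keys are recommended for the accounts that matter most.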
What are some things you can start doing?
Develop your cyber incident response plan.
NIST (the National Institute of Standards and Technology) and SANS publish incident response guidelines you can follow, but your actual plan needs to name who does what: who declares an incident, who talks to customers, law enforcement and your insurer, who isolates affected systems, and who restores from backup. You need to prepare, coordinate, find the gaps, learn the best practices, test the plan (a tabletop walk-through of a ransomware scenario is enough to start), repeat it, and document all of it.
Create a training plan for employees on cybersecurity awareness.
Employees need to know not to open attachments or click links in unexpected emails, even when the sender appears familiar, and exactly how to report a suspicious message (one button or one phone number, not a judgment call).
Password management
Passwords need to be long, unique to each site, and protected. A password manager does this for you: it generates and stores a different password for every account, keeps them encrypted, and can be set to require multi-factor authentication before it unlocks. Each employee has to remember just one master password and carry their phone (or a hardware key) as the second factor.
Turn on automatic updates for the operating system
Employees will not remember to check for updates, so they need to happen automatically and regularly: each update fixes vulnerabilities that attackers already know how to exploit in the older version. Apply the same rule to browsers and business applications, not just the operating system.
Use company devices to connect securely
Make sure employees are not doing company work from personal devices or over untrusted public networks without protection. This is where a VPN comes in useful. Training should also cover checking for HTTPS (the S, or the lock icon) before entering passwords or payment details, with one caveat: the lock only means the connection to that site is encrypted, not that the site is legitimate, and phishing sites use HTTPS too.
Use a three-copy (3-2-1) backup plan
This is how you get your data back quickly when you have to roll back to the last good copy. Keep three copies of the data, on two different types of media, with one copy offsite. At least one copy should be immutable (it cannot be overwritten or deleted, even by an administrator account) or kept offline, because ransomware specifically hunts for and encrypts or deletes every backup it can reach. Test a restore regularly; a backup you have never restored from is only a hope.
Use endpoint protection software and make sure it’s up to date
This is not a guarantee of protection, but keeping it up to date gives it the best chance of being effective. Antivirus is one part of endpoint protection; modern products (often sold as EDR) also watch for suspicious behavior and let your IT team isolate an infected machine from the network.
Don’t have more network administrators than needed
Keep an approved list of IT staff who may change network settings and install software, and give them a separate administrator account used only for that work, not for email and browsing. Nobody else should have those rights, and the list should be reviewed whenever people change roles or leave.
Use the auto-lock function on all company devices
You do not want devices active when the user is not at them. Ideally the screen locks after 3 to 5 minutes of inactivity and requires the password (or fingerprint) to unlock.
Throw out equipment and data in a secure manner
Formatting a drive does not actually remove the data; anyone who connects the drive to another computer can recover the files. Use a wiping tool that overwrites the entire drive (or the drive’s built-in secure-erase function) and then physically destroy it, or hand it to a disposal vendor that provides a certificate of destruction. Do not forget the drives inside copiers, phones, and old servers.
Use an email or messaging server that is encrypted
You want to make sure emails cannot be read in transit by a cybercriminal, so confirm that the provider encrypts connections between mail servers and to your users’ devices. Spam filtering, and having your provider enforce sender authentication (SPF, DKIM and DMARC) so forged mail from your own domain is rejected, cut down significantly on the phishing that reaches inboxes.
Assess your cybersecurity plan routinely
Changes and updates are always happening, so audit regularly to catch new risks: new software, new employees, new vendors, and new ways of working all change what needs protecting.
Use penetration and vulnerability testing services from third parties
A vulnerability scan is automated and lists known weaknesses; a penetration test (pen test) is a person actively trying to get in using those weaknesses. If the testers can get into your systems, you can be confident a cybercriminal can as well. Because you hire the tester and agree on a written scope in advance, you know the access is happening; that is White Hat work. Black Hat means the owner was unaware, no consent was given, and the activity is illegal. Ask for a written report with fixes ranked by risk, and have the tester re-test after you fix them.
Cybersecurity vendors to check out
These categories are listed to help you start gathering information. If you want the most basic place to start, your insurance company is a single contact that should be able to point you to providers in all of these areas, and your accounting or financial auditing firm is likely to have a wealth of information as well.
Cyber Insurance
SIEM and SOC
Multi-factor authentication
Backup Solutions
Network Security
In summary, you should now have more awareness of the importance of cybersecurity, a list of things you can start doing, the key terms to know, and a few vendor categories you can contact for more information. A more in-depth checklist of things you can do to minimize your risk is linked in the references below.
Written by Nicole Hullihen, November 20th, 2021
Reviewed by Jesse Hullihen, IT Director Infrastructure and Security, November 20th, 2021
Recommended references to learn more about cyber security
https://security.berkeley.edu/faq/ransomware/
https://www.cisa.gov/stopransomware/report-ransomware-0
https://www.cisa.gov/stopransomware/resources
https://www.phishing.org/what-is-phishing
https://hartmanadvisors.com/the-ultimate-cybersecurity-checklist/
https://us.norton.com/internetsecurity-malware-what-is-cybersecurity-what-you-need-to-know.html
https://itmunch.com/everything-need-know-cybersecurity/
https://www.varonis.com/blog/what-is-siem/
https://www.forcepoint.com/cyber-edu/firewall
https://www.nist.gov/cyberframework
https://us.norton.com/internetsecurity-privacy-what-is-a-vpn.html
https://www.cybintsolutions.com/20-cyber-security-terms-that-you-should-know/