Basic Steps for Improving Cybersecurity at Your Shop

Jan. 9, 2018

Here is the ultimate primer on how to keep your business’s data secure.

You’ve probably heard the warnings and the statistics over and over and over—but Hala Furst still believes these facts about cybersecurity attacks bear repeating:

  • One in five small and mid-sized businesses were hit between 2014 and 2016.
  • On average, $32,000 is stolen or lost in an attack.
  • There are 430 million types of malware online—up 40 percent from just three years ago.

But this last statistic is where Furst, cybersecurity liaison for the U.S. Department of Homeland Security (DHS), hopes small businesses will realize the importance of cybersecurity: Roughly 54 percent of security breaches are caused by human error.

“A lot of people think they’re too small to matter,” said Furst as she kicked off the 2017 Cyber Security Summit in Minneapolis this past October. “But small business partners are carrying more of the risks for breaches when working with larger companies.”

If human error is the main symptom for data breaches, then Yan Kravchenko says you should have no reason for his IT service providing company, Atomic Data. As chief information security officer for Atomic, Kravchenko observes business owner after business owner failing to take simple, incremental steps toward securing their companies’ networks.

Protecting your data, your customers’ information, and your business partners’ data is no joke, and at the Cyber Security Summit, both Furst and Kravchenko laid out some tips for ensuring top-notch cybersecurity at small businesses.

Your Resources

Furst dedicated her hour-long presentation to the three main cybersecurity resources available to each and every small business in the country:

National Vulnerability Database

First, you’ll want to understand and address common vulnerabilities. The National Vulnerability Database provides several guiding documents and processes for assessing your network’s security.

In particular, SAMATE (Software Assurance Metrics and Tool Evaluation) provides a process for ensuring your network is free from vulnerabilities, which can be either intentionally designed into software or accidentally inserted at any time.

Information Sharing and Analysis Organization

Furst also believes it is in your business’s best interest to join an Information Sharing and Analysis Organization (ISAO), in which businesses share and respond to cyber risks in real time.

“Organizations that share information about cybersecurity incidents play an invaluable role in the collective cybersecurity of small businesses,” she says.

Through public, open engagements, the ISAO Standards Organization develops best practices to align with the needs of any industry group.

U.S. Department of Homeland Security

Of course, Furst would like to highlight the DHS, which provides myriad programs and resources for small businesses. She says several documents available online provide great starting points for assessing a business’s cybersecurity.

In particular, the Critical Infrastructure Cyber Community (aka C³) Voluntary Program assists the enhancement of critical infrastructure cybersecurity. Members of the community are provided a “C³ toolkit” that outlines the cyber threat landscape, the C³ Voluntary Program Outreach and Messaging Kit, and a hands-on resources guide for ensuring daily cyber protection.

Through these resources, Furst says you can put your business can develop a plan your employees will buy into and by which they feel protected.

“Cybersecurity is another hat you have to wear on top of everything,” she says. “You need simple steps that are digestible by staff. It needs to be consumable so it doesn’t overwhelm them.”

In fact, Kravchenko dedicated his speech to ensuring small business owners can pull that off.

The DIY Cybersecurity Assessment

Kravchenko wasn’t kidding when he said you have absolutely no reason to utilize his IT service providing company, Atomic Data—especially when you consider that an assessment from a third party, on average, totals $30,000.

“It’s much cheaper to use common sense and look inward,” he says. “You should [enhance your business’s cybersecurity] yourself with some straightforward steps.”

To encourage just that, Kravchenko developed the Atomic Data DIY Toolkit, which includes additional step-by-step information for the tips listed below. To provide a glimpse into all the offerings of that toolkit, Kravchenko broke down a DIY cybersecurity assessment to three easy steps.

Talk About Security

Cybersecurity is not just an administrative issue—everybody on staff should understand the importance and who’s at risk when cybersecurity is weak.

“Talk about security with employees,” Kravchenko says. “It should be out in the open and discussed at meetings. Employees know how much you care by how much you tell them.”

And one of the easiest ways to ensure cybersecurity is top of mind is developing a security policy that contains concrete guidelines and rules the company must follow.

Form Security Policies

Kravchenko encourages establishing regularly scheduled meetings with IT companies to understand what vulnerabilities are making the news. Then perform ongoing risk management and be aware of potential security breaches.

While the policy should be comprehensive and cover your bases, it should also be brief and to the point so it’s easily consumed by employees. For a sample of a security policy item, see the sidebar provided by Kravchenko.

Sample Security Policy

Policy Item

Email usage.


This policy describes the appropriate usage of email.

Applies to

All employees.


Email has become ubiquitous. We require it to conduct our day-to-day business. The company provides email facilities to the employee with the primary intention of conducting company affairs. Although using it for personal purpose is not prohibited, the company will not be held responsible for any repercussions caused by the personal usage of email. Any data maintained on the company's email server remains company property and can be viewed by any authorized company government officiant.

Implementation guideline

  • You must sign the email data confidentiality agreement
  • You must not attach any executable file with the email
  • The attachments must not be encrypted

Escalation point of contact

In case you need any clarification, or if you feel you’ve violated the email policy, contact the immediate supervisor.

Violation repercussions

Any violation to this policy may result in liabilities, including employment termination, fine, or criminal litigation.

Improve IT

Nine times out of 10, security breaches can be traced back to poorly kept IT.

“Without IT hygeine, there’s little you can do about security,” Kravchenko says.

He says companies (especially small businesses) will rarely spend large amounts of money on IT security—fortunately, you don’t have to. Here are a few basic steps to clean up your business’s IT:

Document your network. Documentation is key for a solid backup and disaster recovery plan. From private wikis to Excel spreadsheets, it’s important to develop an organized system of recovery.

Improve password management. This is a habit Kravchenko believes everyone should adopt in their personal lives as well as for their small businesses. Be sure to regularly update your passwords and increase the length and complexity of the passwords. He even recommends considering a password manager that locks and stores passwords.

Identify where sensitive data lives. You should always identify where sensitive data is stored, from your customer database to banking information to business partner data. Document where all of this information is stored and develop a “data flow map” that will depict sensitive information in all of its forms, origins, paths and exit points.

Sponsored Recommendations

Best Body Shop and the 360-Degree-Concept

Spanesi ‘360-Degree-Concept’ Enables Kansas Body Shop to Complete High-Quality Repairs

How Fender Bender Operator of the Year, Morrow Collision Center, Achieves Their Spot-On Measurements

Learn how Fender Bender Operator of the Year, Morrison Collision Center, equipped their new collision facility with “sleek and modern” equipment and tools from Spanesi Americas...

ADAS Applications: What They Are & What They Do

Learn how ADAS utilizes sensors such as radar, sonar, lidar and cameras to perceive the world around the vehicle, and either provide critical information to the driver or take...

Banking on Bigger Profits with a Heavy-Duty Truck Paint Booth

The addition of a heavy-duty paint booth for oversized trucks & vehicles can open the door to new or expanded service opportunities.