Which parts of your business are cyber attackers most likely to attack?
What parts of your business are most important to your daily operations?
If your phone was stolen and your business email was compromised, what would you do next?
We created the SPAR System to answer these questions.
We designed SPAR from the ground up as a simple system that helps small business owners understand and implement cybersecurity.
As a quick and easy process, it takes the guesswork out of security.
Spot, Protect, Act, and Recover are the core of the SPAR System. They demystify the complexities of cybersecurity and give you, as the owner, a framework for protecting your business and recovering from an attack.
Many small business owners are scared into inaction. Enter SPAR Secure.
Identify which pieces of your business (your "business assets") are most vulnerable.
Identify which business assets are the most important to the continuity of your business (your "crown jewels").
Safeguard those business assets from attackers.
Learn the signs of a cyber attack and take action to stop it.
Repair the damage from the cyber attack and prevent it from happening again.
SPAR Step 1
In this step, we'll help you identify the most important parts of your business (your business assets).
Let's figure out what business assets your business has.
Every business is made of business assets: the things owners use to run their small business each day. They form your business infrastructure, and they are also what cyber criminals target.
Your business assets are a mix of Devices, Software, Data, and People.
The way to think about it is that every business uses Devices that have Software that store Data and are used by People.
These are the Core Four business assets:
Devices: These are your or your employees' phones, laptops, desktops, tablets, and other physical hardware used for your business.
Consider: Which devices do you use and rely on daily for contacting clients, handling finances, or accessing email? What would happen to your business if they were lost, stolen, or became unusable?
Software: These are applications like Google Drive, iCloud Mail, and Salesforce that you use to run your business. Even your website falls into this category.
Consider: Which software is essential for running your business? Which applications do you typically have open while working? If you suddenly lost access to this software, how would it impact your business?
Data: There are typically three data types that your business is responsible for protecting:
Financial Data: Taxes, credit card numbers, bank routing number, etc.
Customer Data: Customer emails, names, addresses, etc.
Employee Data: Employee or contractor emails, names, and addresses, etc.
Consider: The information that you or your employees create or gather to run your business. What software do you keep it on (Dropbox, GDrive, your desktop)? Which devices do you store or access it on (your laptop, tablet, or phone)?
People: These are the human beings you rely on to get work done in and for your business. They are often employees, but can also be contractors or vendors who have access to your internal company systems and data. Basically, anyone who has access to your Devices, Software, or Data falls into this category.
Consider: Who has access to your company data or devices? Maybe a virtual assistant has access to your customer mailing addresses? Or a contractor has unlimited access to your Google Drive? Are they protecting your data and devices the way you would? Do you know?
While this might feel overwhelming, you may notice from the examples given that most small businesses have similar types of Devices, Software, Data, and People.
Things like phones or laptops show up a lot.
Your Critical Assets
Think about the business assets that are the most important to your daily business operations.
The ones that, if stolen or rendered unusable, would completely derail your business. For most businesses these are things like their phone, bank account, email, and payment services like Stripe or PayPal.
These assets are the most important items in your business to protect from cyber attacks.
Once you have thought about what your most critical business assets are, we recommend writing down your business assets somewhere.
If you would like to capture your own so you can recover quickly after an attack, get your downloadable worksheet.
The reason to write them down is that it gives you a clear picture of which pieces of your business cyber criminals are most likely to attack, and how badly losing access to those items would hurt your ability to do business.
Once you understand those items, you can then take the next step and protect them.
SPAR Step 2
Once we understand what is crucial for your business' survival, we can then protect those assets from cyber attacks by following the steps in the Survival Guides.
If you haven't already gotten your Survival Guides, click the button below.
You’ve pinpointed which Devices, Software, Data, and People are the most important to your business or would have the biggest impact on your operations if lost or compromised.
This is a huge first step that most small business owners never take. Understanding what is at stake is half the battle. The next half is taking action to Protect them.
For in-depth, step-by-step instructions reference your Survival Guides. In them, we show you how to protect your Devices and safeguard the Software and Data that lives on them. If you are concerned about what happens when you're hacked, there is also a Recovery Survival Guide that answers the questions, "I've been hacked, now what??"
If you don't already have your Survival Guides, below are five tips that you can implement today to greatly improve your business' security.
Five simple things you and your employees can start doing today to better protect your business.
Chances are that you have many different software and apps to operate your business. And all of them have different logins requiring a password.
If you’re like most business owners, you are probably doing one of two things:
Using the same password across multiple accounts with minor changes (“Password1!”, anyone?). This makes it ridiculously easy for cyber criminals to break in.
Using multiple passwords that are either too weak or too hard to remember.
Both of the above options leave your business incredibly vulnerable to cyber criminals.
A password manager fixes both these problems.
Password managers are centralized, online repositories where you can store all of your logins and passwords (and even credit cards and passport numbers, if you'd like).
It’s by far the easiest (and safest) way to maintain multiple strong passwords across dozens of sites and apps.
The best part is you only need to remember one strong master password to access the rest of the passwords stored in your repository.
We recommend writing down your master password and storing it somewhere safe. We store ours in a fire safe right next to social security cards and birth certificates.
As of this writing, these are the password managers that we trust (this isn't a specific endorsement and we don't get paid if you use them, but we use 1Password in both our professional and personal lives).
If your business depends on devices like your phone or tablet, then a 4-digit PIN is way too easy to guess.
If your devices are crucial for your business, we strongly recommend using a password or passphrase instead of a PIN.
If that’s too inconvenient or the device isn’t as critical, an 8-digit PIN may be enough.
Most modern phones allow you to create longer PINs by going to settings. Searching for a term like "passcode" will generally get you there regardless of device.
You may already be using 2-factor authentication (2FA), also called multi-factor authentication (MFA), on many of your software accounts. Typically, 2FA combines a password you created with a randomized code sent to your email or phone to log in.
Much software now defaults to 2FA, but unfortunately many applications still don't. We recommend turning it on everywhere, especially for email accounts, including backup email accounts. Emails are often used to recover other logins, so using 2FA on them should be a priority.
For example, if your primary Outlook email uses a Gmail account as a recovery option, set up 2FA on both.
You can also use high-quality app-based 2FA solutions like Google Authenticator, Authy, or Microsoft Authenticator in place of text or email 2FA.
Authenticators are downloadable apps that generate time-based codes that help you log into online services. You can connect them to most modern services, like Gmail or Squarespace, by adding the authenticator within that service's settings. These apps are available for download from most app stores.
Authenticators are more secure than text or email messages (they're harder to intercept or fake, because the code is generated on your device and never sent to you). However, text and email messages are still much better than having no 2FA at all.
You’ve probably heard this advice before, but you would be surprised how many people click random links or open attachments they got in a text or email message.
That being said, saying "never click any links or open any attachments" is simply not practical advice.
So instead we recommend you implement a policy of asking yourself two questions before clicking on anything:
Question 1: Does the message convey a sense of urgency?
Look out for phrases like “your immediate response is required."
Scammers will often use this tactic to pressure you into clicking. They benefit from you taking immediate action.
Question 2: Were you expecting that link or attachment?
If a link comes from a service you know sends invoices via email links (or even text links), such as a vendor, you might need to click on it.
However, if a service you are familiar with suddenly switches to sending links without any prior warning, then it is time to take a second look. Is it actually from that service?
When in doubt, visit their website or app directly to check the message center. If it is a service without a message center, reach out to them directly via chat on their website or call them to confirm it came from them.
If you ever have trouble deciding what to do when you see a suspicious message, the Survival Guides include helpful flowcharts to help you determine if you might be dealing with a scam.
If you haven't already, consider getting Survival Guides for your business.
Protecting your business doesn’t need to be complicated or take a lot of your time. The Survival Guides show you, step-by-step, how to secure your business.
Designed for non-techie business owners, these guides can be implemented in as little time as a single afternoon.
There’s no need to wait for so-called security experts to sell you expensive software. You can start protecting your business today. No matter what your business assets are, there is a Survival Guide that will fit your needs.
SPAR Step 3
Even with the best security, cyber attacks can still happen. In this step, we learn the signs to detect cyber attacks sooner to minimize their damage, then fix the problem so it doesn't happen again.
Here's a dirty little secret most cybersecurity professionals won’t tell you: Even with the best security measures in place, cyber attacks can still happen.
Protecting your business assets is still incredibly important, as it significantly reduces the risk of being hacked. However, cybercriminals are constantly attempting to break your defenses, so the possibility always still exists.
The goal of good security, in that case, is twofold:
Decrease the chances of a cyber criminal breaking through your business defenses (we do this in Spot & Protect)
Increase your ability to recognize and stop attacks if they happen, then recover from them and get back to doing business as quickly as possible (Act & Recover).
If your business is being attacked, you must first notice that it is happening before you can take action to stop it.
You do this by recognizing when something feels "wrong" or "out-of-place" in your daily operations.
We cover how to do this in-depth in the Survival Guides, but here are some best practices to help you spot when your business might be under attack.
In the daily operations of your business, you likely interact with the same Devices and Software in the same way. Your phone usage is probably similar day-to-day, you probably use the same apps, and you probably have come to expect them to behave a certain way.
So the things to watch out for are when something out of the norm starts happening.
That means, be wary of notifications, alerts, text messages, and emails that are unexpected or out of your normal routine. These should catch your attention. Often, they indicate you should investigate. They could be clues that a cyber attack is taking place.
To help with this, we recommend implementing a policy of asking and answering these seven questions when you or your employees receive an unexpected or suspicious alert, text, or email.
Did you go through this list and realize that you may be under attack? Here are some quick do's and don'ts to follow if you are.
You received a weird text claiming to be from your bank?
Don’t click any of the links or open attachments.
Do log into the official app or website and check the notification center for any issues. If there’s no official document or notice, ignore/block the message - it’s likely spam.
You installed a free app from an unknown company and now you’re getting strange messages or alerts?
Don't click any of the message links or attachments.
Do remove it from your device right away.
You received a 2FA login code for an account, like PayPal, but you weren’t trying to log in?
Don’t ignore it. Someone has your username and password and is trying to login.
Do go log into your account directly and change your password right away.
You received a suspicious-looking email that you weren't expecting?
Don’t see a notification in the official website or app? Ignore that email and block the sender.
Do go directly to the official app/website to check for notifications. Consider changing your password.
SPAR Step 4
After noticing and stopping a cyber attack, follow this step to assess and repair any damage and prevent future ones.
The most important thing you can do to recover your business as quickly as possible after a cyber attack happens before the attack takes place.
We recommend building your own Recovery Cheat Sheet using this (FREE) downloadable workbook.
A Recovery Cheat Sheet is a simple, one-page document that has critical information about your business listed on it. That way, if you lose access to important devices (phones) or software (email) you’re not scrambling to find the information you’ll need to recover them.
Below are the 8 things you'll need to create your Recovery Cheat Sheet:
Write down your business and personal phone numbers (they are likely the same). You might know them by heart, but stressful situations can challenge even the best memories (ask us how we know).
Write down the names and phone numbers of essential contacts including your key employees, customers, and vendors.
Anyone you would want to get in touch with quickly if your business was compromised. Keep this list accessible in a format other than your phone. Putting it into your Recovery Cheat Sheet and printing it out is recommended.
2FA authenticators like Google Authenticator and Authy have backup codes in the event you lose your phone. Write down these codes. You can also store them in your password manager, once you set it up.
Once your password manager is set up, you may receive what's called a "recovery kit" or "emergency kit". Typically it comes with a unique code that allows you to set up your password manager on new devices, plus it will have a place to write down your master password. We recommend both storing this digitally and printing it and storing it in a locked box with your Recovery Cheat Sheet.
Write down the serial numbers for critical physical devices (phones, tablets, etc.). For your phone, include the IMEI number (found in settings). This information is often the first thing that customer support will ask for if you lose access to your phone.
Have the IDs for your critical accounts written down. This includes things like your Google or Apple IDs. If you have your password manager set up, these should be stored in there.
Note the customer service numbers for any apps or services you use to send or receive payments. If they offer a chat assistant, write down the web address. You will want to call/message both the bank and payment service providers to let them know you have been compromised. This will put them on the lookout for any fraudulent charges.