Although the public typically only hears about cyberattacks against high-profile companies, banks and government websites, small businesses make prime targets for cybercriminals, competitors, and disgruntled parties. Yet, due to their lack of resources, small businesses have the least-protected websites, accounts, and network systems, making cyberattacks an easy job.
It is easy to think that because you have a small business, cybercriminals will pass over attacking your company. The “not much to steal” mindset is common with small business owners regarding cybersecurity, but it is also completely incorrect and uncoordinated with today’s cybersecurity best practices.
The U.S. Congressional Small Business Committee found that 71 percent of cyber-attacks happened at businesses with less than 100 employees. Even more concerning, the 2016 State of SMB CyberSecurity Report by Ponemon and @Keeper found that 50 percent of SMBs have had a security breach in the past year.
How can your business avoid being a victim of a cyber-attack? Here are 10 cybersecurity best practices for business you can begin to implement today.
Hear is our list:
1. Backup data
This is one of the simplest and most important things you can do. Make sure all your data is backed up on a regular basis to a secure location. This way, if the worst should happen and your network is compromised by a cyberattack, your data is not lost.
There are two ways you can back up data: on a physical drive (such as a portable SSD/HDD or USB stick) or through a cloud storage solution. For regular use, having both is not a bad idea.
2. Inventory & control both hardware/software assets
Most of the time when we get called into a cybersecurity emergency by a breach victim, we spend a lot of effort just trying to understand the environment and determining things like:
which computer does what;
what kind of operating systems are in use;
what applications and what versions are being used;
what the network topology looks like;
what sort of Cloud connectivity exists;
what sort of user access control system exists and how it is tied to any external (e.g. Cloud-based) systems.
Having an asset discovery and inventory system that can track assets by hardware, operating system, applications, and versions is invaluable when it comes to keeping computers and users secure. This is not as painful or time-consuming as it used to be, thanks to several free open-source as well as commercially available systems and management-friendly configurations on physical devices.
Maintaining a central repository of knowledge (Knowledge Base) where inventories, configurations, and other valuable information about an information technology environment is stored, is essential. This makes accessing the knowledge in a crisis much easier.
3. Update your software regularly
Never ignore the pop-up messages on your screen which remind you about upgrading your software. Allowing software updates is one of the most important things you can do with your computer security. If you do not, your computer is vulnerable to malware and hacking. Most software updates are patching newly discovered code vulnerabilities and are automatically installed over the existing code for that software.
Besides regularly updating your software, always choose a high-quality and reliable vendor for security products.
4. Use two-step authentication
You know when you must sign into a secure website and after you have entered your password, you still need to enter a special code that gets sent to your mobile or email? This is what two-step authentication is, and it is an effortless way to further protect your network from hackers.
The benefits of two-step authentication are that it makes it harder for hackers to impersonate a user and gain access to a device or network. Even if they manage to access your password, they will also need access to your email or mobile phone to get past the second layer of defense.
5. Enforce safe password practices
It can be hard keeping track of all your different passwords, so it can be tempting to use the same password repeatedly. The unwelcome news is, if a hacker gets hold of the login details for one of your accounts, then it means they also have access to all your other accounts! Make sure you also produce a password that is difficult to break. Using the word “password” for your password is just asking for trouble. This also fits in with the point mentioned above. If you have two-step authentication in place, your security will be severely weakened if a hacker has access to your email because you have used the same password.
6. Use multi-layered approach
The best way to defend your small or mid-size business from cyber threats is to take a multi-layer approach. This should include the right mix of tools, processes, and people to operate them. Some of the basic cybersecurity tools include endpoint and network firewalls and antivirus solutions. However, you need to go beyond the basics and implement security measures like:
DNS- and IP-based web filtering,
Email filtering, penetration testing,
Intrusion detection systems (IDS),
Unified threat management (antivirus, content filtering, email and web filtering, anti-spam, and more.)
Leverage patch management tools
7. Document your cybersecurity policies
While small businesses often operate by word of mouth and institutional knowledge, cybersecurity is one area where it is essential to document your protocols. The Small Business Administration (SBA)’s Cybersecurity portal provides online training, checklists, and information specific to protect online businesses. The FCC’s Cyberplanner 2.0 provides a starting point for your security document. Consider also participating in the C3 Voluntary Program for Small Businesses, which contains a detailed toolkit for determining and documenting cybersecurity best practices and cybersecurity policies.
8. Educate all employees
Employees often wear many hats at small and midsize businesses, making it essential that all employees accessing the network be trained on your company’s network cybersecurity best practices and security policies.
Since the policies are evolving as cybercriminals become savvier, it is essential to have regular updates on new protocols. To hold employees accountable, have each employee sign a document stating that they have been informed of the policies and understand that actions may be taken if they do not follow security policies.
9. Have plans and people in place to respond when things go wrong
When in an emergency, who are you going to call? I assure you that the Ghostbusters are not going to be of any assistance to you. Only you can save yourself, which means that you need to have preparedness plans in place that can be put into action at a moment’s notice. Key components of this type of planning include:
An incident response (IR) plan
A business continuity (BC) plan
A disaster recovery (DR) plan
A team roster with a breakdown of roles and responsibilities
An outline of post-incident investigations and activities
Run through exercises with your team to ensure that everyone understands their roles. Be sure to use different scenarios. This way, they know what they are responsible for doing in a variety of emergency situations.
10. Consider cyber insurance (But do not substitute it for good cybersecurity practices)
Cybersecurity insurance can be a great investment for many businesses. Considering that SMBs are the primary target of most cyberattacks, it never hurts to have that extra layer of protection. (Hence why it is on our list of cybersecurity tips.) However, buying good insurance should not be the only protection that businesses have.
Final thoughts
SMBs have a lot going for them — their smaller sizes make them more agile and adaptable to making changes than larger enterprises. They can choose to operate fully online or in a face-to-face setting. But where they are lacking compared to their corporate giant counterparts is in terms of budgets and resources for managing risks.
Bill Palifka sums up this challenge succinctly: “When it comes to operational decisions, security implications aren’t considered, and the IT risks are underestimated. That makes SMBs easy targets for cybercriminals.” Therefore, implementing these cybersecurity tips and best practices sooner rather than later is key to keeping your small or midsize business safe.
The knowledge, actions, and behaviors of your employees’ matter, and they can either be your organization’s greatest cybersecurity risks or assets. Your willingness to invest both in the necessary tools and your employees can be the difference between your business being an easy or a tough nut for cybercriminals to crack.
If these our any other cybersecurity issues are concerning you and you would like to talk further, please feel free to reach out to us by filling out our contact us form.