Long gone are the days when only enterprises and large organizations were the prime target for cyber attacks. Today, no target is too small for cyber criminals. If your business uses technology, it’s likely you are vulnerable. Cybersecurity for small businesses is no longer an option, it is a must have.
You might think that your small business doesn’t hold any data or assets that are valuable to attackers. But statistics aren’t on your side: 43% of cyber attacks are in fact targeted towards small businesses.
Just think about it — successfully attacking a large enterprise is highly profitable to cyber criminals, but it’s much harder due to their mature security programs and hardened defenses. Small businesses are enticing as they often have weak network defenses making them an easier target. They can also be a part of a supply chain that helps attackers get to their larger, prime target.
Combine that with the fact that the average cost of a data breach for a small business is anywhere from $36,000 to $50,000 and we can begin to see how cybersecurity isn’t something to take lightly for any businesses, no matter the size or industry.
Financial losses aren’t the only thing that suffers: attacks on your IT infrastructure can cause operational disruptions and not to mention that if customer data was compromised, your reputation can be damaged.
But not everything is so grim. There are some foundational steps to take in order to protect your small business, data, customers and reputation. We have highlighted the 10 best cybersecurity practices and with following them you will be able to achieve resilience in the face of rising cyber threats.
Invest in cybersecurity awareness training
When investing in cybersecurity organizations often rush to get equipped with the latest technology, often forgetting the human side of cybersecurity. Human error is, after all, the leading cause for over 90% of all data breaches. A common scenario for a cyber attack starts with a phishing email sent to your employees, making them your first line of defense. Naturally, this is where a big part of your investment in cybersecurity should be.
For effective employee cybersecurity training you should spend time raising awareness about possible cyber risks and creating cybersecurity procedures that will flow easily with their daily work routines. One common fault with cybersecurity training is that it consists of a few videos demonstrating cybersecurity dangers followed by a multiple choice test at the end. That will do little to effectively prepare and inform your employees.
Make it fun! Create engaging and interactive training with real-life examples, showcasing how their role is important in keeping the integrity of your small business. Demonstrate what behaviors are desirable when handling sensitive data and performing their daily activities. And make it ongoing. Instead of pushing for a full week of cybersecurity training once or twice a year, create monthly interactive learning sessions that will make your employees want to help your business on the road to proper cybersecurity.
Enforce strong password policies
Did you know that 80% of data breaches occur due to weak passwords? And it goes hand in hand with human error — we are the ones responsible for creating secure passwords. If we continue with the scenario of a cyber attack beginning with a phishing email, even if your employees fell for it and attackers managed to obtain their credentials to one account it still wouldn’t be that disastrous if those credentials are used for only that one account. But it often isn’t the case.
Reusing passwords, and easy to guess passwords at that, makes the job for cyber attackers that much easier. That is why creating and enforcing a strong password policy is a must. A strong password policy would entail enforcing a needed complexity of passwords: using a mix of lower and upper case letters, numbers and symbols. Additionally there should be a rule of “one password per account” and having the passwords changed periodically — 60 to 90 days being the recommended norm. To make it easy for your employees to follow the password policy, consider employing a password manager that will allow them to store all passwords safely, without the added danger of writing them down on sticky notes.
Use multi-factor authentication
Tying in directly with the use of secure and complex passwords we have multi-factor authentication — MFA. Even if you enforce a strong password policy it still won’t guarantee security from cyber attacks. This is why additional layers of protection are needed and they come in the form of requirements that the user trying to access an account needs to fulfil in order to be granted access.
For the additional authentication that goes beyond the email and password you can have a one-time password sent as an SMS, a security token, biometrics such as a fingerprint or even a location check that is done through the users’ MAC address. Choose the type of authentication that will work best with your businesses and that is offered by the solution you use to manage accounts on your network.
While proactive protection against cyber attacks is one of the most important things you can do in terms of cybersecurity for your small business, it’s equally as important to be prepared for when an attack does happen. If a cyber attack does occur and the attacker gets a hold of your data, it can get altered, stolen or deleted.
Performing regular backups of all software, firmware, databases, customer information, accounts and business-critical data is crucial in order to be able to get back on your feet in the case of suffering a data breach.
Secure the WiFi network
Most workplaces by now have their own WiFi network. Whether it’s to access email accounts, process payments or the like, WiFi plays a critical role in business operations for many companies. But insecure WiFi networks open up an entry point for attackers to gain access to your network, eavesdrop on your traffic and steal sensitive information. Fortunately, there are some quick tips for securing your WiFi network.
Firstly, remove the default username or password that is often left on routers and can easily be found on the internet (think “admin” as a username). Also consider disabling remote access to the router’s administration features. Another default that should be changed is the service set identifier (SSID) which is basically the name of the network that is broadcasted to users so they can find it. The default SSID shows the model of the router making it easier for attackers to know how to attack. Next, you should enable WPA2 for encryption in your network settings and disable WPS which makes pairing a device with an encrypted network too easy.
Employ a firewall and an anti-malware solution
Malware, viruses, worms, spyware, ransomware, oh my! There are so many types of cyber threats out there that it can seem hard to keep track of them all. But you don’t need to keep track of them if you use an anti-malware solution. Anti-malware solutions scan, spot and inhibit any suspicious files and software from getting into your network and system, keeping it secure.
Taking it one step further, a perfect combination for your small business’s network defense is adding a firewall in addition to an anti-malware solution. Firewalls protect your assets from cyber threats by acting as a barrier between the internet and your network. They monitor inbound and outbound traffic from devices on your network as well as suspicious packets leaving and entering the network. There are many popular, effective and even free anti-malware solutions and firewalls to choose from so it will be easy to find those just right for your small business.
Keep software and firmware updated
Security vulnerabilities can be found on your network, web servers, application and software programs. Patches for those vulnerabilities are issued by vendors that usually come with software and firmware updates. We can all agree that when we get that pop-up about a new update, we often ignore or delay it. And it shows: one in three breaches are caused by unpatched vulnerabilities.
To ensure there are no vulnerabilities across your IT infrastructure, all of your software and firmware should be updated to the latest version. This can be easily achieved with automatic updates when available and an update schedule for when they are required to be done manually.
Only install new programs with a permission
You offer your employees specific programs and applications that they use in their work. Nevertheless, your employees might think that there is a different, more effective app that will allow them to work faster and more efficiently and they wouldn’t think twice about downloading them. But who can guarantee that those programs aren’t malicious and that they don’t have malware that can spread to your entire network if downloaded to an employee’s device?
Having a list of permissible applications, clearly communicating them with your employees and enforcing them through a cybersecurity policy will go far in order to not have your network infected with malware without you knowing. Here, employing an anti-malware solution that will scan the entire network for any newly downloaded malicious software is also of great help.
Create and enforce a company cybersecurity policy
We talked about all of the best cybersecurity practices and measures for your small business. Now it’s the time to document them. A cybersecurity policy will outline all of your guidelines and provision for keeping your data and IT infrastructure secure. Some elements of your cybersecurity policy are measures to protect sensitive data (like all of the above mentioned ones), all devices on your network, email security procedures, password management, and all other activities your employees should undertake in order to avoid a cyber attack such as avoiding accessing suspicious websites, reporting of suspicious emails, reporting stolen devices, etc. There are companies and teams that can help you go step by step to ensure no procedure and measure is left undocumented.
Plan a breach response strategy
When it comes to cybersecurity, it doesn’t pay off to be too optimistic. Preparing for the worst-case scenario — a data breach — will mean the difference between a minor data leak and costly breach. Your breach response plan should include disconnecting any affected devices and programs, notifying all affected parties and concluding with a full investigation into who, where and how.
Cybersecurity is a big concern for businesses of all sizes, across all industries. However complex and far reaching it may seem, there are still simple best practices your small business can take in order to achieve resilience. After all, you, your employees and your customers deserve to be secure.