The internet has become a ubiquitous part of our lives. People can do anything from learning to shopping to networking online. This is great for small businesses and individuals who want to reach a larger audience with their products or services. The downside is that cybercriminals are becoming more sophisticated. They target small business owners specifically to steal their data and compromise the integrity of their company’s systems. This article will discuss cyber security tips for small businesses that will help safeguard your data and keep you safer on the web!
Cyber security for small businesses
From a small business cyber security aspect, it is more important than ever to be aware of your unknowns. SMBs (Small and medium businesses) are a target due to their lack of preparedness regarding people, process and technology. This excuse, “my computer has no top-secret data,” doesn’t work anymore. Gone are the days when only a handful of systems hold sensitive data in a separate environment. Our experience with SMBs helped us come up with the top ten practical and pragmatic tips that would boost cyber security for SMBs. All this with more thought, less chaos of big spend products.
Feel free to watch this video containing a condensed version of the article.
Do small businesses need cyber security?
Yes, they do. One of the most common mistakes is that small business owners believe their company to be too small for a cyber attack. The truth is your organization may not have been targeted yet, but you can’t afford to take any chances; it’s vital that you protect yourself with strong security measures before something unfortunate occurs–whether it’s an insider or external threat.
Interpol reports show an alarming rate of cyber attacks demonstrating COVID-19 impact on small and medium-sized business categories. Cybercriminals exploit the fear and uncertainty factors caused by the unstable economic situation due to the pandemic. This goes without saying that we shall see more sophisticated and newer ways of cyber attacks.
Why SME web protection is the need of the hour?
Small business owners are faced with many online threats when they have to deal with cybersecurity. Some of these include:
- Spear phishing
- Advanced Persistent Threats (APTs)
Threats like APTS can be hard for businesses because they don’t have the resources that larger companies would, and it isn’t easy to know what you’re up against. However, there are some things small businesses should do to do an easier job defending themselves from cyber security risks. This article covers a list of the top ten cyber security tips for small businesses.
How can I make my business cyber secure?
Our aim with this small business IT security checklist is to help organisations without a ‘big spend product approach’. Although not all the following tips for a small business would be a breeze, a strategic plan with carefully selected actions would make tangible differences in the medium to long term timescales.
There are many things one should consider when looking at how best to secure their small business.
The kinds of data you handle: Think about whether your business handles sensitive customer information and other things that could put people in harms way. If so, protecting this data should be a priority.
How much are you willing to spend? It’s important to budget for cybersecurity as part of the overall IT investment because it is now one of the most critical aspects of any company’s infrastructure. Consider how much equipment protection will cost and what kind of service plan would work best for your company needs.
Top 10 cyber security tips for small businesses
Cyber security is a very complex and constantly evolving field. It can be difficult to understand all of the different ways cybercriminals target businesses to break it down into ten simple, practical steps. Learn our top tips on strengthening small business cyber security and preventing the most common cyber attacks.
0. Less is More
Start small. Assess the most critical assets to your business, review their current situation and leverage the current tools at hand. These include cloud services, free/inbuilt host firewall, anti-virus solutions and maximise the use of active directory (assuming it’s present). This responsibility starts from the top, with cultural change around business information security knowledge and education amongst the stakeholders as a starting point. Questions, discussions and more brainstorming follows the answers needed by the business to acknowledge and improve the cyber security for small business.
More products = more chaos!
Utilise independent cyber security experts such as Cyphere to review the current tech stack to leverage the already present never utilised features. After this phase, you can set up a strategic plan to introduce new products/solutions necessary for business.
1. Endpoint Protection
Endpoint refers to end-user systems or devices such as laptops, desktops/workstations and mobile devices. These endpoints serve as an entry point to an organisation. For example, a threat actor successfully establishing a connection with a staff computer due to a phishing attack (or another form of attack) is due to malicious code bypassing the endpoint controls. Therefore, the security of entry points is important by utilising antivirus or anti-malware solutions that detect suspicious activity and deter such attempts. Additionally, it is important to ensure full system-wide scans are performed periodically and regular vendor updates after implementation.
2. Network Segmentation
It is the most underrated control in the IT security domain. Just like a submarine structure, you need to ensure there are different compartments within your organisations. If a cyber attack has led to the compromise of a system or segment of the network, an attacker will not have immediate access to the entire organisation due to such network security measures. This may lead to limited impact, containment or detection of intrusion activity based on the incident scope.
3. Principle of Least Privilege
Apply the rule of least privilege. This concept relates to the implementation of privileges on the need to know basis. In case of a system compromise, threat actors shall face increased resistance to escalate their privileges. Any requirements related to compliance, framework or standards would be a breeze. There are several tools and tactics:
- Privileged Access Management
- Network segmentation
- Separation of Privilege
- Systems Hardening
See this Microsoft guide to implementing Least-Privilege Administrative Models across Windows systems.
4. Secure Internet Access
Internet is the backbone of any business. Since the rise of remote working during and post Covid-19, this is even more important in our lives.
- Ensure that a restricted internet use policy for employees is served via emails, meetings and contracts (where needed).
- If a web proxy, filter or internet traffic access solution is in place, order an immediate review to ensure it serves the intended purpose. If there is no such software in place, deploy Internet filtering solutions.
Change default passwords on all equipment such as network devices, printers, scanners, security devices.
If possible, implement and mandate the use of a password manager for small business. This, although it may require users to acknowledge the new software usage, shall offer multiple benefits in the long run, such as:
- Cultural shift towards the importance of cyber security for small businesses
- Offering an easier alternative for hard to remember, randomly generated non-dictionary long and complex passwords
- Allowing users to select different passwords for different services
- Separating their personal information (the football team or dogs’ name that they may be used as password otherwise) from office.
6. Multi-factor Authentication
Implement multi-factor authentication on all your devices and internet-facing portals. At times, small business owners or employees’ credentials could be compromised without any cyber attack activity linked to your organisation. This technique, known as credential stuffing, is a type of cyber attack where stolen account credentials from one service are used to gain unauthorised access to other accounts on the internet.
7. Secure Configuration
Secure configuration is important for all systems used within or outside the organisation. This includes a mobile device management solution to control mobile devices. Operating system hardened images used as a secure operating system base and secure hardening based network equipment configurations. CIS benchmarks are a great start to prepare internal checklists covering patch management, system hardening, services configuration and many other areas. If your mission-critical assets, such as a revenue-generating website, opt for a penetration test at least once a year or after any major changes. This would pick up on the various cyber attacks that target retail or your business-specific websites, infrastructure. In the case of website security of a business, website hardening measures along with anti-DDoS and WAF services at the front should be deployed. If you need free advice around this, please get in touch to understand how we help strengthen small business website security without product spends.
8. Secure and Regular Backups
Backups are an essential part of your cyber security strategy. In the case of a cyberattack, data could be either compromised or deleted. Given the SMB businesses lacking strict processes and procedures, there is a large amount of data on staff laptops and mobile devices (tablets, phones). Ensure that a secure and regular backup policy is in place. This includes utilising a backup solution that allows the automatic ability to schedule backups.
Use the cloud. Modern devices and services offer easy cloud-based backups. This offers multiple benefits such as backup schedule configuration, secure storage and easy restores accessible from anywhere.
Your employees could be your strongest or weakest link in cyber security. It all depends upon your cyber security strategy.
- Regular, thorough training must be an investment to deliver a baseline of knowledge for all employees. This would mark a shift in company culture with time, ensuring an overall boost for a proactive approach towards cyber security.
- Ensure that staff don’t browse the web or check emails from servers, or using administrative privileges. This will reduce the impact of attacks in the event user details are stolen.
10. Secure Wireless Networks
- If your business uses a wireless network, corporate or staff network must be segregated from the guest (visitor) network or vice versa. It is important to ensure this segregation is strictly implemented on both the networks to keep trusted and untrusted users separate.
- For corporate wireless networks, certificate-based authentication is the recommended authentication mechanism. This ensures user and connecting device identities are validated and cannot be spoofed.
- Implement a captive portal to manage guest network access for visitors.
Logging and monitoring, secure communications, in-depth active directory security are further areas that a business should consider in the long run to protect your small business. Just before you decide to go on a shopping spree…
How do small businesses create effective security policies?
Apart from technical controls, it is important to have cyber security processes and policies to protect your business. Developing a security policy is an important step in cybersecurity. A company needs to determine:
- Who has access?
- Where is the sensitive data stored, and what kind of protection should they have?
- What data flows from one system or network to another, and how can it be protected?
- How does management keep up with new risks that might emerge as technology evolves? This may include outsourcing some functions like antivirus updates or upgrading devices.
Small businesses need to develop appropriate policies based on their specific information systems before embarking on any other strategy.
Make informed choices before buying security products.
After implementing the above-mentioned measures, an organisation should opt for a cyber health check (or IT security health check) to assess their cyber threats (and improvement). This independent exercise should detail gaps around people, processes and technology in use.
Good to knows
- Don’t buy a product you heard about from another peer or at an event. Every network is different.
- Don’t rely on your IT/managed service provider to solve all your cyber security troubles.
- Don’t select a single security vendor who says they will do it all for you.
- Review the usability and security balance regularly to ensure cyber security is an enabler for growth.
The internet has made it easier for hackers to break into a small business’s data and steal valuable information. As cybercriminals increase their efforts, so should you in protecting your company against them. These ten top tips are the best way to keep your business safe from hackers, scammers, malware or any other threat lurking on the web. Whether you have an IT staff member with cybersecurity knowledge or not, these security measures will help you protect against the most common cyber attacks. If there is one thing that we hope this blog post has helped you learn about securing a small-business network, it is this: don’t wait until it’s too late! It would help if you had protection now more than ever before; act today.
Get in touch to discuss your security concerns.