From a small business cyber security perspective, it is more important than ever to be aware of your unknowns. SMBs (small and medium-sized businesses) are a target because of their lack of preparedness in terms of people, process and technology. The excuse "my computer has no top-secret data" no longer works. Gone are the days when only a handful of systems held sensitive data in a separate environment. Our experience with SMBs has helped us come up with ten practical and pragmatic tips that boost cyber security for SMBs, with more thought and less of the chaos that comes with big-spend products.
Data breach scope for Small businesses
Interpol reports show an alarming rise in cyber attacks, demonstrating the impact of COVID-19 on the small and medium-sized business category. Cybercriminals exploit the fear and uncertainty caused by the unstable economic situation during the pandemic. It goes without saying that we shall see newer and more sophisticated forms of cyber attack.
Top 10 Cyber security tips for small businesses
Our aim with this cyber security checklist for small businesses is to help organisations without a big-spend product approach. Although not all of the following tips will be a breeze, a strategic plan with carefully selected actions will make a tangible difference over medium to long-term timescales.
Learn our top tips on how to secure your small business and prevent the most common cyber attacks.
0. Less is More
Start small. Assess the assets most critical to your business, review their current situation and leverage the tools already at hand: cloud services, free or built-in host firewalls, anti-virus solutions and Active Directory (assuming it is present), used to its full extent.
More products = more chaos!
Use independent security experts such as Cyphere to review the current tech stack and leverage features that are already present but never utilised. After this phase, you can set up a strategic plan to introduce new products or solutions as the business requires.
1. Endpoint Protection
Endpoint refers to end-user systems or devices such as laptops, desktops/workstations and mobile devices. These endpoints serve as an entry point into an organisation: for example, a threat actor establishing a connection with a staff computer through a phishing attack (or another form of attack) succeeds because malicious code has bypassed the endpoint controls. The security of these entry points therefore matters, and antivirus or anti-malware solutions that detect suspicious activity and deter such attempts are the place to start. After implementation, ensure that full system-wide scans are performed periodically along with regular vendor updates.
2. Network Segmentation
It is the most underrated control in the network security domain. Like the compartments of a submarine, you need to ensure there are separate compartments within your organisation. If a cyber attack has led to the compromise of a system or a segment of the network, the attacker will not have immediate access to the entire organisation. Depending on the incident scope, this limits the impact and aids containment or detection of the intrusion activity.
3. Principle of Least Privilege
Apply the principle of least privilege: grant privileges on a need-to-know basis. In the event of a system compromise, threat actors face increased resistance when trying to escalate their privileges, and any compliance, framework or standards requirements become a breeze. Several tools and tactics support it:
- Privileged Access Management
- Network segmentation
- Separation of Privilege
- Systems Hardening
See this Microsoft guide to implementing Least-Privilege Administrative Models across Windows systems.
4. Secure Internet Access
The internet is the backbone of any business. Since the rise of remote working during and after Covid-19, it is even more important in our lives.
- Ensure that a restricted internet use policy for employees is communicated via emails, meetings and contracts (where needed).
- If a web proxy, filter or internet access control solution is in place, order an immediate review to ensure it is serving its intended purpose. If no such software is in place, deploy an internet filtering solution.
5. Password Management
Change default passwords on all equipment such as network devices, printers, scanners and security devices.
If possible, implement and mandate the use of a password manager for your small business. Although this may require users to get used to new software, it offers multiple benefits in the long run, such as:
- Cultural shift towards importance of cyber security
- Offering an easier alternative for hard to remember, randomly generated non-dictionary long and complex passwords
- Allowing users to select different passwords for different services
- Separating their personal information (the football team or dog's name that might otherwise be used as a password) from the office.
6. Multi-factor Authentication
Implement multi-factor authentication on all your devices and internet-facing portals. At times, small business owners' or employees' credentials are compromised without any cyber attack activity linked to your organisation. Credential stuffing is a type of cyber attack in which account credentials stolen from one service are used to gain unauthorised access to accounts on other services; with MFA in place, a stolen password is no longer enough on its own.
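The credential-stuffing pattern described above is visible in login logs even before MFA is rolled out: one source address cycling through many different usernames in a short time, most attempts failing, a few succeeding. The script below is an added example for this article (not code from the original post) that flags that pattern over a constructed sample log; the log format, usernames and IP addresses are all made up for the illustration, so adapt parse_line() to what your portal or identity provider actually writes.

```python
"""Flag credential-stuffing patterns in web portal login logs.

Added illustration for this article, not code from the original post. The log
format and the IP addresses are constructed for the example; adapt parse_line()
to whatever your portal or identity provider actually emits.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one address cycles through many usernames in seconds
# (the hallmark of stuffing: many accounts, one or two attempts each), one of
# which succeeds. The remaining entries are ordinary user activity.
SAMPLE_LOG = """\
2024-03-01T09:00:01 ip=203.0.113.7 user=alice result=fail
2024-03-01T09:00:02 ip=203.0.113.7 user=bob result=fail
2024-03-01T09:00:02 ip=203.0.113.7 user=carol result=fail
2024-03-01T09:00:03 ip=203.0.113.7 user=dave result=ok
2024-03-01T09:00:03 ip=203.0.113.7 user=erin result=fail
2024-03-01T09:00:04 ip=203.0.113.7 user=frank result=fail
2024-03-01T09:00:10 ip=198.51.100.20 user=alice result=ok
2024-03-01T09:05:00 ip=198.51.100.21 user=bob result=fail
2024-03-01T09:05:05 ip=198.51.100.21 user=bob result=ok
"""


def parse_line(line):
    """Turn '<ISO timestamp> ip=.. user=.. result=ok|fail' into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "ip": kv["ip"],
            "user": kv["user"], "ok": kv["result"] == "ok"}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_credential_stuffing(events, window_seconds=300, min_users=5, min_fail_ratio=0.6):
    """Group attempts by (source IP, fixed time bucket) and flag buckets where one
    address tried many distinct usernames with a high failure rate. A brute force
    against a single account does not match (few usernames); stuffing does."""
    buckets = defaultdict(list)
    for e in events:
        bucket = int(e["ts"].timestamp()) // window_seconds
        buckets[(e["ip"], bucket)].append(e)

    findings = {}
    for (ip, _), evs in buckets.items():
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and failures / len(evs) >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": len(evs),
                "failures": failures,
                # accounts where the stolen password worked: these are the ones
                # MFA would have protected and that now need a password reset
                "successful_logins": sorted(e["user"] for e in evs if e["ok"]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds (five usernames and a 60% failure rate inside a five-minute bucket) are starting points, not tuned values; the point of the example is the shape of the signal, many accounts from one source rather than many attempts on one account. The successful_logins list is the actionable output: those accounts had a working stolen password and need a reset and an MFA check.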
7. Secure Configuration
Secure configuration is important for all systems used within or outside the organisation. This includes a mobile device management solution to control mobile devices, hardened operating system images used as a secure base, and hardened configurations for network equipment. CIS benchmarks are a great starting point for preparing internal checklists that cover patch management, system hardening, service configuration and many other areas. For mission-critical assets such as a revenue-generating website, opt for a penetration test at least once a year or after any major change. This would pick up the weaknesses that cyber attacks targeting retail or your business-specific websites and infrastructure would exploit.
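Turning a benchmark into an internal checklist is mostly a matter of writing the expected values down and checking files against them. The script below is an added example for this article (not code from the original post and not the official CIS benchmark) that checks an sshd_config against a small baseline; the BASELINE table is a constructed subset in the spirit of the CIS Linux guidance, and both configuration files are made up, one weak "before" and one "after" that satisfies every entry. Take the authoritative keywords and values from the benchmark document itself and extend the table from there.

```python
"""Check an sshd_config against a small hardening baseline.

Added illustration for this article, not code from the original post and not
the official CIS benchmark. The BASELINE below is a constructed subset in the
spirit of the CIS Linux guidance; take authoritative keywords and values from
the benchmark document itself, and extend the table from there.
"""

# Constructed baseline: keyword -> (predicate on the configured value, expectation).
BASELINE = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PermitEmptyPasswords": (lambda v: v == "no", "no"),
    "HostbasedAuthentication": (lambda v: v == "no", "no"),
    "IgnoreRhosts": (lambda v: v == "yes", "yes"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    "LogLevel": (lambda v: v in ("INFO", "VERBOSE"), "INFO or VERBOSE"),
}

# Constructed 'before' configuration: the kind of file a default install leaves behind.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
LogLevel INFO
"""

# Constructed 'after' configuration that satisfies every baseline entry.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Return the effective global value per keyword.

    sshd keywords are case-insensitive and the first occurrence wins, so keys are
    lower-cased and later duplicates ignored. Parsing stops at the first 'Match'
    block: settings inside it apply only conditionally and need a separate review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_config(text, baseline=BASELINE):
    """Return (keyword, actual, expected) for every baseline entry that is not met.

    A keyword that is absent is reported with actual=None: sshd then uses its
    compiled-in default, which a checklist should make explicit rather than assume.
    """
    settings = parse_sshd_config(text)
    failures = []
    for key, (meets, expected) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or not meets(actual):
            failures.append((key, actual, expected))
    return failures


if __name__ == "__main__":
    for key, actual, expected in check_config(WEAK_SSHD_CONFIG):
        print(f"{key}: found {actual!r}, expected {expected}")
    print("hardened config failures:", check_config(HARDENED_SSHD_CONFIG))
```

Absent keywords are deliberately reported as failures rather than assumed safe: the compiled-in default varies between OpenSSH versions and distributions, and a checklist is only useful when the intended value is written into the file where the next reviewer can see it.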
8. Secure and Regular Backups
Backups are an essential part of your cyber security strategy. In the event of a cyber attack, data could be compromised or deleted. Because SMBs often lack strict processes and procedures, a large amount of data lives on staff laptops and mobile devices (tablets, phones). Ensure that a secure and regular backup policy is in place, using a backup solution that can schedule backups automatically.
Use the cloud. Modern devices and services offer easy cloud-based backups. This offers multiple benefits such as backup schedule configuration, secure storage and easy restores accessible from anywhere.
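A scheduled backup is only worth anything if a restore from it actually reproduces the data, which is the step most often skipped. The script below is an added example for this article (not code from the original post) showing the minimum a backup job should do: archive a folder, record a SHA-256 manifest of every file, restore into a fresh location and verify the restored tree against the manifest. It uses only the standard library and runs entirely inside a temporary directory on constructed sample files; the folder names and file contents are made up, and a real deployment would point src at the staff data folder and ship the archive plus manifest to the backup target.

```python
"""Back up a folder with a hash manifest, restore it, and verify the restore.

Added illustration for this article, not code from the original post. It uses
only the standard library and runs entirely inside a temporary directory with
constructed sample files; a real deployment would point src at the staff data
folder and ship the archive plus manifest to the backup target.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tree):
    """Map each file's path relative to tree to its SHA-256 digest."""
    tree = Path(tree)
    return {p.relative_to(tree).as_posix(): sha256_file(p)
            for p in sorted(tree.rglob("*")) if p.is_file()}


def make_backup(src, archive):
    """Write src into a gzip tarball and a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname="data")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive, dest):
    """Extract the archive under dest and return the restored data directory."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # the 'data' filter refuses absolute paths and '..' members in the archive
            tar.extractall(str(dest), filter="data")
        except TypeError:  # Python builds that predate the filter argument
            tar.extractall(str(dest))
    return Path(dest) / "data"


def verify_tree(tree, manifest):
    """Return the manifest paths whose content is missing or differs in tree."""
    actual = build_manifest(tree)
    return sorted(p for p in manifest if actual.get(p) != manifest[p])


def demo():
    """End-to-end run on constructed data: back up, restore, verify, then corrupt
    one restored file to show that the verification step catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "laptop"
        (src / "notes").mkdir(parents=True)
        (src / "invoices.csv").write_text("id,amount\n1,250\n")
        (src / "notes" / "todo.txt").write_text("renew domain\n")

        archive = tmp / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restored = restore_backup(archive, tmp / "restore")
        clean = verify_tree(restored, manifest)          # expect []

        (restored / "notes" / "todo.txt").write_text("tampered\n")
        damaged = verify_tree(restored, manifest)        # expect ["notes/todo.txt"]
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Keep the manifest separate from the archive (and, in practice, signed or stored with the same access controls as the backup itself): it is what lets you tell a clean restore from a silently corrupted or tampered one, and it is cheap to recheck on every scheduled run.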
9. Employee Training
Your employees could be your strongest or your weakest link in cyber security; it all depends on your cyber security strategy.
- Regular, thorough training is an investment that delivers a baseline of knowledge for all employees. Over time it marks a shift in company culture, ensuring an overall boost for a proactive approach towards cyber security.
- Ensure that staff do not browse the web or check emails from servers or while using administrative privileges. This reduces the impact of attacks in the event that user details are stolen.
10. Secure Wireless Networks
- If your business uses a wireless network, the corporate or staff network must be segregated from the guest (visitor) network. It is important to ensure this segregation is strictly enforced on both networks to keep trusted and untrusted users separate.
- For corporate wireless networks, certificate-based authentication is the recommended authentication mechanism. This ensures user and connecting device identities are validated and cannot be spoofed.
- Implement a captive portal to manage guest network access for visitors.
Logging and monitoring, secure communications and in-depth Active Directory security are further areas a business should consider in the long run. Just before you decide to go on a shopping spree…
Make informed choices before buying security products
After implementing the above measures, an organisation should opt for a cyber health check (or IT security health check) to assess its risk (and improvement). This independent exercise should detail gaps around the people, processes and technology in use.
Good to know
- Don't buy a product just because you heard about it from a peer or at an event. Every network is different.
- Don’t rely on your IT/managed service provider to solve all your security troubles.
- Don’t select a single security vendor who says they will do it all for you.
- Review the usability and security balance regularly to ensure security is an enabler for growth.