National Small Business Week: 10 Best Practices for Small Business Cybersecurity
A recent survey conducted by CNBC and Momentive found that 56% of small business owners are not concerned about being the victim of a cyberattack in the next year and that only 28% of them have a response plan in place in case of a cyberattack. This does not bode well for their longevity, as other industry data shows that 60% of small businesses that suffer a data breach will be out of business within six months. The high cost of remediation and the potential for reputational damage can be more than most small businesses can withstand.
Many times, the issue is sheer size and staffing. Small businesses rarely have the capacity to hire a full-time cybersecurity professional, and the basic blocking and tackling of securing an organization can be overlooked, resulting in weak defenses that are vulnerable to even the less sophisticated or targeted cyberattacks.
In honor of National Small Business Week, we’ve compiled a list of tips for small businesses to better secure their organizations from some of the more common threats they face.
Below are 10 best practices organizations should be employing to better position themselves and their customers for cyber safety.
- Endpoint security – mobile device management (MDM) policies, antivirus (AV) solutions, URL filtering and blocking are all considered good cyber hygiene to block the most basic cyber threats.
- Proper access management – restricting administrative rights for “least privilege access” so that only the appropriate IT team members have the power to add new application access for users. Turning off this kind of access when employees leave or no longer need it can shut down potential avenues for attack.
- Patching – routine updates pushed by vendors to their software can help to remove bugs from your IT infrastructure that could otherwise be exploited by cyber attackers. Installing these patches in a timely fashion is important in limiting points of vulnerability.
- Application management – now more than ever, employees are working remotely and figuring out workarounds to subvert corporate security policies to be more efficient. The use of non-approved applications, known as ‘shadow IT’, can introduce dangerous points of vulnerability, but good application management practices can ensure that only approved programs are being used, with proper oversight from a security professional.
- Use of a VPN – virtual private networks (VPNs) create a secure connection to other networks over the internet. They both encrypt data in transit and hide the user’s IP address by tunnelling network activity through an encrypted connection. In a remote work environment, this is a key tool for small businesses to use when communicating with their employees and partners.
- Backup and recovery – according to FEMA, 40% of small businesses never reopen after a disaster. Disasters are not only fires and floods but also catastrophic IT events such as data loss and cyberattacks. For a smaller business with limited IT capabilities, conducting regular and all-encompassing backups of all systems will provide a simple but very effective defense against a variety of threats and risks. These include hardware failure, data breaches and defacement of data, ransomware and other malware outbreaks. In the event of a cyber incident, small businesses that frequently back up their data have the option to simply roll back to the last good (and uninfected) backup for a given system, limiting the loss of data and the time, cost and expertise needed to recover.
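The "roll back to the last good backup" step above only works if you can tell a good backup from a damaged or tampered one. The following is an added example, not code from the original post: each backup run writes an archive plus a manifest holding its SHA-256 hash, the restore routine picks the newest archive whose hash still verifies, and extraction refuses archive entries that would escape the destination directory. The source tree, labels and file contents in `demo()` are constructed for illustration.

```python
"""Versioned backups with an integrity manifest and 'last good' selection.

Added example (not part of the original post). Each run produces
<label>.tar.gz and <label>.manifest.json; the restore path skips any
archive whose recorded hash no longer matches.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_root: Path, label: str) -> Path:
    """Archive src into backup_root/<label>.tar.gz and record its hash in a manifest."""
    backup_root.mkdir(parents=True, exist_ok=True)
    archive = backup_root / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest = backup_root / f"{label}.manifest.json"
    manifest.write_text(json.dumps({
        "archive": archive.name,
        "sha256": sha256_file(archive),
        "created": time.time(),
    }))
    return archive


def verify_backup(manifest: Path) -> bool:
    """True only if the archive named in the manifest still matches its recorded hash."""
    try:
        meta = json.loads(manifest.read_text())
        archive = manifest.parent / meta["archive"]
        return archive.is_file() and sha256_file(archive) == meta["sha256"]
    except (OSError, ValueError, KeyError):
        return False


def last_good_backup(backup_root: Path) -> Optional[Path]:
    """Newest backup (labels sort chronologically) that passes verification, else None."""
    for manifest in sorted(backup_root.glob("*.manifest.json"), reverse=True):
        if verify_backup(manifest):
            return backup_root / json.loads(manifest.read_text())["archive"]
    return None


def restore(archive: Path, dest: Path) -> None:
    """Extract an archive, refusing entries that would land outside dest or are links."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"link entry refused: {member.name}")
        tar.extractall(dest)


def demo() -> dict:
    """Three backup runs; the newest archive is then corrupted to show rollback skips it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, root, out = tmp / "src", tmp / "backups", tmp / "restore"
        src.mkdir()
        (src / "ledger.csv").write_text("constructed sample data\n")
        make_backup(src, root, "run-001")
        (src / "ledger.csv").write_text("constructed sample data, updated\n")
        make_backup(src, root, "run-002")
        newest = make_backup(src, root, "run-003")
        newest.write_bytes(b"garbage")  # simulate corruption or tampering of the newest archive
        chosen = last_good_backup(root)
        restore(chosen, out)
        return {
            "chosen": chosen.name,
            "restored": (out / "data" / "ledger.csv").read_text(),
            "newest_ok": verify_backup(root / "run-003.manifest.json"),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the manifests (or at least their hashes) should be stored somewhere the backed-up host cannot overwrite, such as an offline or write-once location, so that ransomware on that host cannot rewrite both the archive and its recorded hash.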
- Secure wireless networks – if you have a Wi-Fi network in your workplace, ensure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Many smaller businesses are still operating with remote workers because of the pandemic, and these individuals will be using consumer-grade internet connections and consumer-grade routers. At the most basic level, it’s critical to change default passwords on routers at home and in the workplace. Independent testing has shown that one in 16 home Wi-Fi routers still use the manufacturer’s default admin password, making them extremely vulnerable to hacking.
- Educate employees – cybersecurity is everyone’s responsibility, not just dedicated cybersecurity practitioners. Although headline-grabbing breaches happen to larger organizations, small businesses are often targeted because they have access to data such as passwords and personally identifiable information that could be a gateway for attacks targeting large enterprises and governments. No matter the size, all businesses need to spend some time and resources on educating, training and testing staff on basic security practices and policies, such as requiring strong passwords, how to handle and protect customer information and other vital data, along with setting parameters for acceptable internet use on company equipment and company connections. Training can be done in-house or through external providers, using options such as on-demand video courses on key issues and interactive quizzes to challenge and monitor awareness. Policies also need to detail the implications of non-compliance as well as the actions required to comply. These policies and staff expectations must be clearly communicated to everyone in the organization.
- Take action on phishing – according to the FBI, phishing was the top cybercrime in 2020, with the number of incidents doubling over the previous year. In a typical phishing attack, scammers send fake emails, often including current personal information garnered from past data breaches to add to the appearance of authenticity. Some phishing emails appear to come from high-ranking executives within the organization requesting action, but not from their company email address. Establish clear policies on acceptable email use and train staff to report anything that might be phishing rather than clicking on links within the email.
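The executive-impersonation pattern described above (a familiar display name on an address outside the company domain) is something a mail gateway or a simple triage script can flag before a person has to judge it. This is an added example, not code from the original post: the company domain, the executive roster and the three sample messages are constructed, and the Reply-To mismatch check is an extra signal not mentioned in the post.

```python
"""Flag emails whose display name matches an executive but whose address is
outside the company domain. Added example (not from the original post); the
roster, domain and sample messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-smb.com"                      # assumption: the business's own mail domain
EXECUTIVES = {"dana ortiz": "CEO", "lee park": "CFO"}   # constructed roster of names attackers imitate


def normalize_name(display: str) -> str:
    """Lower-case, drop periods and collapse whitespace so 'Dana  Ortiz.' matches 'dana ortiz'."""
    return " ".join(display.lower().replace(".", "").split())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return the sender facts plus a list of suspicious signals; empty list means clear."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    signals: List[str] = []

    # Signal 1 (from the post): an executive's name on a non-company address.
    name = normalize_name(display)
    if name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signals.append(f"{EXECUTIVES[name]} name on external domain {from_domain}")

    # Signal 2 (added): replies would go to a different domain than the visible sender.
    reply_display, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        signals.append(f"Reply-To points at {domain_of(reply_addr)}")

    return {
        "from": addr,
        "display": display,
        "verdict": "suspicious" if signals else "clear",
        "signals": signals,
    }


# Constructed sample messages: a genuine internal note, a look-alike external sender
# using the CEO's name, and a vendor message whose replies are redirected elsewhere.
SAMPLES = [
    "From: Dana Ortiz <dana.ortiz@example-smb.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Dana Ortiz <dana.ortiz.ceo@freemail-provider.example>\nSubject: urgent\n\n"
    "Are you at your desk? I need a wire sent today.\n",
    "From: Vendor Billing <billing@supplier.example>\nReply-To: Lee Park <lp@redirect.example>\n"
    "Subject: Invoice 1042\n\nPlease remit.\n",
]


if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

A gateway rule built on this logic should quarantine or tag rather than delete, so that legitimate mail from an executive's personal account (which this check will also catch) can be released after a phone call confirms it.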
- Beware passwords – passwords remain the weakest link for most organizations. For the sake of convenience, it is tempting to reuse passwords, share passwords between users and even document them in one place such as a sticky note. However, to avoid falling victim to an avoidable cyberattack, it is imperative that all passwords are unique, complex and kept private. Make use of password management tools for all staff – many of which are free to download or utilize – to store and recall passwords securely. Always use complex passwords that mix lower and upper-case characters, numbers and symbols. Turn on two-factor or multi-factor authentication for login as an option whenever possible. Educate staff about the most common and insecure passwords, with guidance that their use is not permitted and would be a breach of security policy.
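The policy above has two parts that can be enforced at password-change time: the complexity rules (mixed case, numbers and symbols) and the ban on common passwords. The following is an added example, not code from the original post. It goes slightly beyond the text by normalising obvious disguises of a banned word (trailing digits and symbols, letter-for-symbol swaps) so that `P@ssw0rd2024!` is still rejected; the minimum length, the small denylist and the sample inputs are constructed assumptions.

```python
"""Password policy check: the post's complexity rules plus a common-password
denylist with light normalisation. Added example, not from the original post;
MIN_LENGTH, COMMON_PASSWORDS and the sample inputs are constructed."""
import string
from typing import List

MIN_LENGTH = 12  # assumption: the post sets no minimum, this is a reasonable one
COMMON_PASSWORDS = {  # constructed sample; use a published breached-password list in practice
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "companyname",
}
# Common letter-for-symbol substitutions, reversed so disguised words compare equal.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "4": "a", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, strip trailing digits/symbols, undo leet swaps: 'P@ssw0rd1!' -> 'password'."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def check_password(pw: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too-short")
    if not any(c.islower() for c in pw):
        failures.append("needs-lowercase")
    if not any(c.isupper() for c in pw):
        failures.append("needs-uppercase")
    if not any(c.isdigit() for c in pw):
        failures.append("needs-digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs-symbol")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        failures.append("common-password")
    return failures


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd2024!", "correct-horse-battery-7Q"]:  # constructed
        print(candidate, "->", check_password(candidate) or "ok")
```

The check should run server-side at enrolment and password change, and the denylist lookup should be against the normalised form as well as the raw string; otherwise users learn that appending a year and an exclamation mark satisfies the rules while leaving the password effectively unchanged.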