Cybersecurity is the practice of protecting your computer network and data from unauthorized access. Symantec reports that a breach can cost companies up to $225 for each piece of personal and financial information lost or stolen, so cybersecurity is a major concern even for small businesses. Consider these expert tips to help minimize your company’s risk of cyberattack.
Here are 25 tips on small business cybersecurity from the pros.
1. Create a Cybersecurity Culture and Practice Cyber Hygiene
Varun Chadha, AVP: Sales & Business Strategy, Techjockey
Small businesses are more prone to cyber threats, mostly because of human errors, such as employees clicking on unreliable links, setting weak passwords such as name_123, and adopting an unconcerned attitude towards sensitive data. Small businesses often do not train their employees in the basic security practices owing to the misconception that nobody will attack their smaller setup.
On the contrary, small businesses witness a cyberattack as frequently as any bigger organization. They often lack a robust cybersecurity infrastructure and become the natural targets for cyber predators. Along with creating a cybersecurity culture where employees are aware of their responsibilities towards keeping the sensitive data secure, small business owners also need to adopt cyber hygiene practices. They should invest in technologies such as antivirus software, two-factor authentication, and firewalls for advanced data leakage prevention. If cybersecurity becomes the priority, small businesses can stay forearmed against potential threats.
2. Secure Your Network and Equipment
Emily Andrews, Marketing Communications Specialist, RecordsFinder.com
The most crucial cybersecurity tip for small businesses is securing your network and computer equipment. An internet connection is an open door for hackers, and any avenues for breach must be sealed with proper security protocols to avoid brute force attacks and intrusion. Some of this can be solved just by using non-default ports for applications. Wi-Fi connections present some serious vulnerabilities that can quickly be resolved by using strong encryption when transmitting data between offices, computers and other companies. With the release of WPA3, wireless security is now easier and much more secure using built-in encryption for all wireless communication. Administration management of network protocols and devices is also vastly improved.
3. Take Advantage of All the Security Tools at Your Disposal
Monica Eaton-Cardone, Co-Founder and COO, Chargebacks911®
Businesses lose billions of dollars a year to data breaches and fraud, and no vertical is immune to the problem. New threats are developed every day, which is why you need to embrace a multi-layered approach to address as many potential sources as possible. For example, firewalls and secured Wi-Fi can prevent some attacks, while dynamic passcodes may be more effective to intercept other criminal tactics. There’s also a wide range of tools to prevent criminal pre-transaction fraud, and chargeback management to fight back against post-transactional fraud. By leveraging all these complementary tools as part of a cohesive strategy, you can position yourself to stop most attacks.
4. Accept That It’s Only a Matter of Time Until Your Business Becomes the Target
Nathan Sykes, Founder, Finding an Outlet
I would have to say the number one rule for small businesses when it comes to cybersecurity is to remember that it’s a “when, not if” situation. Once companies have that mindset, I think they’re able to be proactive in the fight against hackers, and being proactive is the best tip I can give. The technological world we live in is full of breaches and hacks, and instead of expecting those to stop, businesses need to put in the work on the front end. Make sure your employees are using the same equipment that is being managed by the same person. Cybersecurity training needs to become part of onboarding training. The easiest way to win the fight is to already be swinging when problems arise.
5. “Think Before You Click”
Austin Norby, Software Engineer, Blue Star Software
Be very careful what links you click on! This is one of the easiest ways to have your computer compromised. If you receive a suspicious email or a suspicious link from someone you trust, make sure to contact them in a different way (if you got an email, call them; if you got a text message, email them; etc.) to confirm that they really meant to send it to you. This is on top of the very common, yet important, advice to always update your software and run updated antivirus software on your computer. These methods will not protect against nation-state actors but will prevent inadvertent compromise by hackers looking for people who don’t know any better or make silly mistakes.
6. Manage Internet of Things (IoT) Devices in Your Office
Ofer Amitai, CEO and Co-Founder, Portnox
Small businesses need to be aware of security threats posed by IoT devices coming onto the corporate network. IoT devices like smartphones, tablets, wearables and even the smart coffee pot or TV in the office often go unnoticed and therefore unsecured. No IoT device is off the table for hackers, considering the massive set of DDoS attacks that utilized compromised surveillance IP cameras to generate a huge amount of traffic that crippled many websites, threatening that your Samsung TV could be spying on you. Small businesses may not have the security structure in place to constantly monitor these devices for vulnerability or attack, and so should implement onboarding processes of new devices to ensure passwords are strong and patches are up-to-date.
7. Use a Password Management App
Stephan Roussan, President, ICVM Group
As a small business owner, you are sure to have dozens of online accounts (or more) for everything from online banking to ordering supplies to email. In the interest of efficiency, you invariably use the same usernames and passwords over and over. Since most online accounts now use your email address for the username—which for most people is easy to find—that leaves a hacker with only the password to figure out. If they do, they’re in… not just to one account, but potentially many. The remedy? Fully commit to a password management app (like Keeper, KeePass, or any of the hundreds of other options) to store and manage your passwords, and then use long, alphanumeric nonsense passwords that you would never be able to remember. Many password apps now install themselves into your browser, so you can just auto-populate the password from a simple pull-down menu. If you only do one thing this year to improve your cybersecurity defenses, this is the one most likely to head off a disaster for your business.
8. Choose Your Cybersecurity Software Wisely
David Geer, Principal, Geer Communications
Today, the best anti-malware program in my opinion is Zemana AntiMalware. Based on my empirical data, the best newcomers rise to the top and stay there for about six months to a couple of years. Then they start to slide or stagnate, and some even begin to introduce inappropriate capabilities, such as identifying competing security software as viruses. Check at least every six months to make sure your security software is the best one available; if it isn’t, it could be time for a change. Outdated software won’t find everything that the best product will.
9. Train Your Employees in Cybersecurity
Steven J.J. Weisman, Esq., Lawyer and Professor, White Collar Crime, Scamicide
There are many quite doable and affordable steps that small businesses can take, but perhaps the most important is to train your employees in proper security practices and limit access to sensitive data to only those employees who need to have such access. A major source of data breaches—in large and small companies alike—still occurs when employees unwittingly download keystroke logging programs that can read and steal all of the information on a business’ computers.
Often these keystroke logging malware programs are unwittingly downloaded by employees surfing the internet for pornography or video games. In fact, 40 percent of all free pornography is viewed at work on company computers; identity thieves are aware of and exploit this fact. Training your employees to recognize and avoid spear-phishing emails tailored to lure them into clicking on malware containing links is the most important thing any small company can do.
10. Empower Management to Get Involved in Cybersecurity Measures
Kurt Hunt, Team Leader for Cyber Security and Privacy Group, Dinsmore & Shohl LLP
Set clear expectations about management’s duty to develop a comprehensive, realistic strategy for every level of the organization. With those expectations established, set management up for success by providing concrete support in the form of an appropriate budget and staff. With its big picture outlook, an informed senior leadership team is in the best position to determine how to respond to certain categories of cyber risk. Create specific plans for each risk category.
11. Use Only a Single Cloud Security Platform
Dror Liwer, Founder and CISO, Coronet
Cyberattackers now regularly target small businesses with ransomware, cloud attacks and other social engineering techniques because such organizations lack the security safeguards inherent to Fortune 1000s—which currently spend up to $1 billion per organization on cybersecurity annually. Unfortunately, the attacks on SMBs have proven devastating. Today, 60 percent of small businesses that fall victim to a cyberattack do not recover, and permanently shut down within six months. The greatest risk for SMBs derives from the cloud-based business applications (e.g., G Suite, MS Office 365, Dropbox, etc.) that so many companies rely so heavily on.
To mitigate the risks, smaller companies with no IT support can adopt a single cloud security platform that controls user, device and network access in order to detect and mitigate threats in real-time. The idea of a full, enterprise-grade cybersecurity doesn’t belong only to the top-tier companies, and can be introduced and adopted by SMBs if they keep an open mind to the new wave of solutions emerging.
12. Know a Technology’s Actual Value Before Adopting It
Mike Armistead, Co-Founder, Respond Software
Various technologies can help you mitigate your risk exposure and threats to your environment, and help you deal with the sheer volume of data needing to be analyzed. However, be careful adopting technologies even if they purport to reduce time, data or effort—which are all good benefits for small, resource-constrained security teams. Demand proof that it reduces the impact on all resources. Many technologies promise reduction in one area, but in reality demand a level of expertise, skills, or just additional people in another area to fully realize that promise.
SIEM, UEBA and even newer technologies such as Security Orchestration tools are all fundamentally platforms that are powerful, but demand lots of care and feeding to get them started and maintain their value over time. Look for technologies that take that burden off you—then you’ll have a true force-multiplier. Overall: Make sure you understand the hidden costs of going tech. It may not benefit you as much as you want.
13. Get an SSL Certificate for Your Website
Jarom Manwaring, Owner, Manwaring Web Solutions, Inc
One of the most important cybersecurity tips for small businesses is to get an SSL certificate on their website. An SSL certificate allows you to securely send and receive sensitive information, like credit card numbers and passwords, by encrypting it. Without this certificate, any computer between you and the server that is receiving the information can get access to your sensitive information.
As of July 2018, Google will flag any website containing password and credit card input fields as not secure if it does not have an SSL certificate. Having an SSL certificate allows your website to be secure for its users and the business, while not having one could be risking traffic loss (and potentially a security breach) for your website. If you’re not sure if your website has this certificate, talk to your web developer, or check the URL to see if it has “HTTPS” instead of “HTTP.”
14. Keep All Your Internet Devices Updated with Security Patches
Brent Stackhouse, Director of Security, WP Engine
One item that is easy to lose track of is keeping wireless routers and/or other internet-facing devices up-to-date for security patches. There are now cases of malware infecting unpatched routers, and the malware persists even after device reboots. Instead of having to reset your device to factory defaults, it’s easier to set a calendar reminder to check for new firmware or other updates on a monthly basis. If your device doesn’t provide security updates on a regular basis, it’s worth moving to one that does.
15. Outsource to a Managed Security Service Provider
Cameron Williams, Co-Founder and CTO, OverWatchID
Small businesses should outsource their IT function to a Managed Security Service Provider. This is a great, cost-effective strategy for bringing a high level of security expertise without struggling to find full-time security professionals. The MSSP typically logs into your servers and systems to manage them for you. One big risk is that if your MSSP is phished, a hacker can steal the MSSP’s credentials to log into your systems, steal your data, or encrypt your drives for ransom. We strongly recommend auditing your MSSP to ensure that the people, processes and technology will be protected from losing high value credentials. A system like Privileged Access Management ensures credentials stay secure and are used appropriately, eliminating the threat of bad actors gaining access to your systems via your MSSP.
16. Make Sure Your Staff Knows How to Spot Suspicious Emails
Vernon Irvin, President of Local Government, Medium and Small Business, CenturyLink
Small businesses can take an active role in protecting their data. The first step is realizing where the attacks are coming from. The most common attack is “phishing” (a malicious email that appears to be legitimate). Using these emails, a hacker is trying to get access to your business’ private data (customer, employee, financial, etc.). A simple solution is to make all employees aware that this is a vulnerability. They should check emails for spelling mistakes, the email address of the sender, and hover over URLs to see where they’re directing before clicking them. If they’re still unsure, calling the sender to verify where the email came from is the best bet.
This might seem like a lot of work, but when you consider the possibility of having your data stolen or your information compromised, it is better to be thorough than sorry. By having employees as active participants in protecting the business, small businesses stand a better chance of navigating the evolving cyber threat landscape.
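Two of the checks in the tip above, the sender’s address and where a link really points, can also be automated as a first-pass filter. This is an added example, not code from the article or from CenturyLink; the trusted domain list, the admin mailbox and both sample messages are constructed for the illustration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) business expects mail from: an assumption made for the example.
TRUSTED_DOMAINS = {"example-corp.com", "bank.example"}

# Visible link text that itself looks like a host name or URL, e.g. "https://bank.example/login".
HOST_TEXT_RE = re.compile(r"^(?:https?://)?(?P<host>[\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)
# Anchor tags in a well-formed HTML body (a plain regex is enough for the constructed samples).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domain(header_value):
    """Lower-cased domain of an address header value; '' if the header is absent or malformed."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def phishing_indicators(raw_message):
    """Apply the sender-address and link-destination checks to one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_domain = sender_domain(msg.get("From"))
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not recognised: {from_domain!r}")

    # A Reply-To that points elsewhere than the From address is a common sign of a spoofed sender.
    reply_domain = sender_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from the sender")

    # The "hover over the link" check: the visible text names one host, the href goes to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for href, text in ANCHOR_RE.findall(body):
            shown = HOST_TEXT_RE.match(text.strip())
            real_host = (urlparse(href).hostname or "").lower()
            if shown and real_host and shown.group("host").lower() != real_host:
                findings.append(f"link text names {shown.group('host')} but goes to {real_host}")
    return findings

# Constructed samples (not real messages): one credential-phishing mail, one legitimate one.
SAMPLE_PHISH = """\
From: "Bank Support" <alerts@bank-example-secure.net>
Reply-To: collect@mailbox.example
To: owner@example-corp.com
Subject: Urgent: verify your acount
Content-Type: text/html; charset=utf-8

<html><body><p>Your acount will be suspended. Please visit
<a href="http://login.bank-example-secure.net/verify">https://bank.example/login</a> now.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Accounts" <accounts@bank.example>
To: owner@example-corp.com
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://bank.example/statements">bank.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

The spelling-mistake check from the tip is left to the reader; a flagged message is a prompt to call the sender, not a verdict.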
17. Maintain Cloud Backups
Robert Douglas, Owner and President, PlanetMagpie IT Consulting
Back up all user workstations and company servers to a cloud server in a different geographical region. The average cost of cloud storage is now about $1 per GB per month. This could add $500 to $2,000 to monthly expenses, but literally save the company’s life in the event of ransomware, a phishing attack, or a natural disaster—any of which can happen at any moment.
18. Secure Your Vendors’ Access
Sam Elliott, Director of Security Product Management, Bomgar
Most SMBs must grant vendors and other external groups access to the network to conduct maintenance or other business continuity matters. While a common practice, using a virtual private network to facilitate this access is not a suitable solution. If the vendor happens to be breached, cybercriminals can quickly abuse this VPN access and move around the network avoiding further detection. By implementing a modern, secure remote access solution, organizations can monitor who has access to the company’s network and how they’re using it.
19. Virtualize Your IT
Vadim Vladimirskiy, CEO, Nerdio
One of the easiest and most efficient ways for small businesses to tackle their cybersecurity needs is to virtualize their IT. Doing so means that all of your company’s critical documents and applications are 100 percent stored in the cloud, and can be securely streamed to desktops and other devices without any data ever leaving the server. This allows you to work from virtually any device, anywhere—or define certain access times and locations, if you prefer—and never worry about any important data being stored locally. So even if your employee’s laptop is lost or stolen, you won’t lose any valuable information.
20. Implement HTTP Authentication for Web Admin Panels
Dmitry Garbar, Partner and Department Head, Belitsoft
Common CMSs (WordPress, Joomla!, Drupal, etc.) have common vulnerabilities. Having HTTP authentication in place helps add another layer of security that hackers have to defeat if they want to attack the website itself. And it can be implemented in less than a day. Yes, it gives your website admin another set of credentials to enter, but the safety of your data is worth it.
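In practice this layer is configured in the web server in front of the CMS; the Python WSGI middleware below is an added example (not code from the article or from Belitsoft) that shows what the extra gate does. The admin path prefixes, the admin user name and the password are assumptions constructed for the illustration; the password is stored only as a salted PBKDF2 hash and compared in constant time.

```python
import base64
import hashlib
import hmac
import os

# Constructed example credential: the password is held only as a salted PBKDF2 hash, never in clear.
ADMIN_USER = "siteadmin"
_SALT = os.urandom(16)
_ITERATIONS = 100_000
_EXPECTED = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS)

# Admin-panel path prefixes to gate; assumed here for WordPress, Joomla! and Drupal-style sites.
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/administrator", "/admin")

def credentials_valid(authorization):
    """Verify an 'Authorization: Basic <base64 user:password>' header against the stored hash."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a subclass of ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)
    # Constant-time comparisons so a wrong guess does not leak how much of it was right.
    return hmac.compare_digest(user.encode("utf-8"), ADMIN_USER.encode("utf-8")) and \
        hmac.compare_digest(digest, _EXPECTED)

def basic_auth_gate(app):
    """WSGI middleware: demand HTTP Basic auth before any admin path, pass other requests through."""
    def gated(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(ADMIN_PATHS) and not credentials_valid(environ.get("HTTP_AUTHORIZATION")):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="Site admin"'),
                                                ("Content-Type", "text/plain")])
            return [b"Authentication required\n"]
        return app(environ, start_response)   # the CMS itself still asks for its own login
    return gated

def basic_header(user, password):
    """Build the header value a browser sends after the user fills in the Basic-auth prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def demo_status(path, authorization=None):
    """Send one request through the gate in front of a trivial app and return the HTTP status line."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"admin panel\n"]
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    list(basic_auth_gate(app)(environ, lambda status, headers: seen.append(status)))
    return seen[0]

if __name__ == "__main__":
    print(demo_status("/wp-admin/"))                                                     # 401 Unauthorized
    print(demo_status("/wp-admin/", basic_header("siteadmin", "correct horse battery staple")))  # 200 OK
```

Basic auth sends the credentials base64-encoded, not encrypted, so this gate only makes sense on a site that already uses HTTPS (tip 13).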
21. Ensure Your MSP Puts a Focus on Security
Julian Anjorin, Business Development Manager, Sedara Security
If you outsource your IT to an MSP, make sure it puts a focus on security. A lot of MSPs are starting to focus more on security because of the attention it is getting in the media and, ultimately, from their existing customers. The problem is, a lot of them do not know how to properly implement security as it is a different ballgame than IT. Assuming you already have a firewall, ask your MSP if they are using more than a traditional, signature-based antivirus—these are outdated and leave you vulnerable to many attacks, yet people still use them. Ask them what they are doing to protect you from ransomware.
Does your MSP properly vet and test security solutions to ensure they cover what is needed by your organization? Ask your MSP these questions; if they aren’t confident in their answers, it might be time to outsource that portion to an MSSP that actually focuses on security. In many cases, they can work side by side.
22. Avoid Having a “Shadow IT” in Your Office
Tom DeSot, EVP and CIO, Digital Defense, Inc.
Do not allow the existence of shadow IT within the workplace; it is one of the worst habits that we see in organizations today. As an example, when IT departments cannot justify user requests for cloud storage or the equivalent, employees take it upon themselves to set up their own cloud accounts (e.g., Dropbox, Box, Egnyte, etc.). These cloud services are then being used to share confidential data, and IT cannot gain access to manage any future security risks. All too often, we see IT departments turning a blind eye to the use of these services, and all of them are placing the organization at risk.
23. Ensure You Have Endpoint Security Software on All Your Computers
Don Lewis, Senior Marketing Manager, EdgeWave
This is especially important for POS terminals and systems that store sensitive customer information (like payment cards and email addresses). Ideally, you want to reduce the number of places you store sensitive information. Security software can block malicious system access, but if compromised, hackers can resell payment card information or use it for their own criminal purposes. With email addresses, they can retarget fresh attacks directly to the stolen email addresses, putting your employees and customers at risk too.
24. Understand the Basic Terminology and Concepts of Cybersecurity
Chris Muszynski, Security Solutions Architect, PCM, Inc.
I think the best thing to do before talking with any security consultants or considering the purchase of any security products (or any infrastructure changes, for that matter) is to read up and understand the basic terminology and concepts for cybersecurity. Security should be built into your business. There are a lot of good articles, white papers and other publications about cybersecurity in general, and there is a lot of good advice, but one of my favorite sources is SANS. There is a reading room available on their site with a number of good articles and case studies geared toward small business. There is also the Center for Internet Security, which publishes a list of 20 critical controls.
25. Implement a Layered Solution to Your Cybersecurity Protocol
Will Durkee, CISSP, ITPM, Director of Security Solutions, TSC Advantage
Small businesses need to know there’s no “one and done” technical solution to cybersecurity. They must take a layered approach that includes many basics, such as knowing what data they need to protect and where it’s stored, putting firewalls in place, encrypting data, communicating company-wide policies for securing data, training employees on what not to click, and developing and practicing an incident response plan. There are affordable assessments and managed security service providers that can make in-depth cybersecurity possible even for a company with a small budget and little expertise.
Bonus Tip: Invest in Cybersecurity Courses
Eric Lopez, Vice President of EC-Council
Small businesses struggle with having enough budget for a dedicated security team, but most businesses have all the pieces they need to secure their companies. With the right training, your existing IT staff can gain the necessary cybersecurity skills to deal with the technical aspects of cybersecurity. Encourage your staff to take courses in disciplines like network defense, computer forensics, pen-testing and incident handling and response.
End-user awareness training can help to create a culture of security, by educating your end-users so that they are aware that they are your front line against threats. Investing in training is the most cost-effective way to keep your company’s assets secure, as outsourcing your security to third parties is often more expensive and can be overcomplicated for a small operation.
Over to You
The internet has given every small business the potential to grow exponentially with the right management in place, but with this opportunity also comes the risk of leaving important information accessible to unscrupulous individuals. Follow our list of cybersecurity tips to keep your company’s valuable information safe and protected.
Have more small business cybersecurity tips to share? Let us know in the comments.