According to Imperva, small sites had the highest percentage of bad bot traffic in 2020. Bad bot traffic (81.9%) on small sites significantly outnumbered good bot traffic (18.1%). Considering that small businesses own many such websites, this spells bad news for SMB owners. Thankfully, we have some cyber security tips for businesses that can help…
Cyber security has always been an issue for businesses. With the increase in cyber scams and the growing remote workforce, there is a greater need now than ever for effective SMB cyber security. This is where knowing some effective cyber security tips for your small business can be useful.
We recently published another article covering eight important reasons why small business cyber security is a must in this day and age. Now, in this article, we’ll cover eight cyber security tips for small businesses that you can use right away to protect your business.
8 Cyber Security Tips for Small Business You Can Put Into Action Right Away
Although there’s no way to protect your business against 100% of cyber threats, there are steps you can take to make yourself a tougher target. With this in mind, let’s explore our list of eight cyber security tips for small businesses.
1. Invest in Your Organization’s Cyber Security Hardware & Software Defenses
First on our list of cyber security tips for small businesses is the idea of investing in the resources that are necessary to make your business more secure. Investing the time, money, and labor resources in your organization’s cyber security is not only a smart move but, in fact, a necessary step.
Cyber security is one of the most crucial areas where your investment will pay off both in the short term and long run. Effective cyber security boils down to mitigating vulnerabilities and making your company a tougher target than others. (You don’t have to be the fastest runner to avoid an alligator — you just have to be faster than the guy running next to you!) As a small business, invest in tools that will help shore up your cyber defenses. This includes using the right hardware and software tools that aid you in:
- Securing your endpoint and network from unauthorized users. (Examples of tools that can help you do this include firewalls [software and hardware appliances], antivirus and anti-malware solutions, etc.)
- Setting up access controls to ensure that only authorized users can access sensitive data and systems. (In other words, only give access to those who need it to do their jobs.)
- Using encryption to secure your connections and data (such as digital certificates for encryption and authentication, certificate managers that give visibility of all the certificates on your network, etc.)
- Implementing regular updates and patches to keep systems current/up-to-date and fixing vulnerabilities.
- Securing email servers and setting up filters.
2. Have the Right People In Place to Guide Your Efforts
But investing in your cyber defenses means more than just having the right gadgets. You also need to have knowledgeable and skilled IT and security experts in place who know how to use those tools effectively.
Your IT security team is who you can count on for all of your organization’s tech and cybersecurity-related needs. They’ll be the ones who:
- Manage and monitor your endpoints and general network security,
- Handle all of your user access management needs,
- Ensure your endpoint devices and IT infrastructure are patched and up to date to mitigate vulnerabilities,
- Develop and implement your organization’s cyber security policies, processes and IT-related emergency plans,
- Manage your public key infrastructure (PKI) certificates, keys, and related components, and
- Serve as your cyber security “life raft” when things go wrong to minimize damages.
Speaking of policies and plans, this brings us to our cyber security tip…
3. Develop & Implement Formal Cybersecurity Policies, Procedures & Incident Response Plans
The third point on our list of cyber security tips for small businesses relates to cyber security policies, processes, and plans. Developing and implementing formal cybersecurity policies and procedures, as well as your incident response plan, creates transparency and accountability within your organization.
Documenting all your policies, processes and plans and making them available to your employees will help them to stay vigilant against ever-increasing cyber threats. It also helps your IT team ensure that they maintain certain cyber security standards when going about their duties.
Educating and training your employees about cyber security policies will also help your better fortify your organization’s IT environment because they know what they can and shouldn’t do. We’ll touch on this topic more a little later in this article.
Some important practices that your small business’s cybersecurity initiatives should include are:
- Maintaining regular and current data backups. Back up your data regularly. Turn on automatic data backups, if possible, to avoid any mishaps. The copies of all the important files should be stored offsite or on the cloud.
- Ensuring you have secure payment processing. Use trusted and validated tools and anti-fraud services for making payments. Use different computers for surfing and process payments.
- Implementing physical and digital access controls. Business computers must be kept private, and no outsider should be given access. Employees who have access to your network must protect those accounts with strong passwords (passphrases, ideally). And only authorized employees who need access to sensitive physical areas to do their jobs should have it. Access privileges to sensitive IT systems and data should be granted on a need-to-know basis. We’ll speak more to this momentarily.
- Developing and implementing incident response plans. Every person in the organization should be made aware of the plan to follow in case of any incident like a cyber attack or loss of data due to technicalities.
- Implementing and enforcing data and device-related policies. Develop, implement and enforce organization policies that will protect and secure your data and devices. Such policies (listed alphabetically) include:
- Acceptable use policy: There should be a policy that specifies how employees can and cannot use their company-used devices. In addition to potentially improving productivity, this rule helps protect computers from being affected by cybercrime by preventing employees from spending their free time perusing potentially malicious websites.
- Bring your own device (BYOD) policy. If you decide it’s OK for employees to use their personal devices for work-related purposes, that’s okay… so long as you have a stringent policy in place. A BYOD policy should be something you plan carefully and enforce to ensure that you and your employees are following it to the letter to reduce risks.
- Email use policy: What information should (or should not) be disclosed via email must be defined beforehand. All the sensitive information should be discussed privately instead of in emails — and if it’s necessary to send sensitive information via email, then specify the use of encryption.
- Encryption policy: While encryption may not stop a cybercriminal from getting their hands on your data, it does keep them from being able to see or use that data. That’s because a cybercriminal can’t decrypt encrypted data if they don’t have the necessary key.
- Password policy: Having a strong password policy is important.Passwords should be strong, unique, and hard for people (and computers) to guess. As such, your policy should provide useful guidelines and standards for employees to follow when creating their account secrets.
- Work from home (WFH) policy. Remote working has become accepted these days. Using an insecure network for work or public Wi-Fi could be risky and lead to cybercrime. Strong passwords should be used, and the device should have auto-lock if you are away from your screen.
4. Limit Access to Your Data Through Access Management
Alright, we’re now halfway through our list of cyber security tips for small business use cases and it’s time to talk about access. Data is among your business’s most valuable assets. As a result, your company might suffer significant damages if sensitive data is lost, leaked, stolen, or otherwise falls into the wrong hands.
This is where using access controls and properly managing access to your data and IT systems helps. But why is it so important to limit access?
- Varonis researchers found that an average employee working at a small financial services company has access to more than half a million files, including 20% of files containing sensitive employee and customer data. Furthermore, the number of exposed files increases as the size of the company increases. This data is according to Varonis’s 2021 Financial Data Risk Report.
- Verizon reports in their 2021 Data Breach Investigations Report (DBIR) that 44% of the data breaches involving small and medium-sized organizations involved internal threat actors. External threats represented 57%.
Now, comparing the data, you can discern that while employees have access to a considerable amount of data, they are not always responsible enough to protect it. Sometimes, intentionally and other times unintentionally, your employees can be your biggest cyber vulnerability or risk factor when it comes to data security. Hence, the way for better security of your data is to restrict access to it.
Some quick examples of access management methods include physical access controls (such as keys and smart cards) and digital access controls (such as setting up individual user profiles with specific permissions).
Also, be sure to only give access to select individuals. Only give permissions and user authentication capabilities to those employees who need access to specific types of data to carry out their daily responsibilities.
5. Require Employees and Other Authorized Users to Use Secure Connections
Many companies, including Google, Atlassian, and Reddit, are officially declaring themselves hybrid workplaces. As such, many employees often work from remote locations outside the office. However, while working remotely, employees must ensure that they are not connecting to insecure public wireless networks.
Going to your local Starbucks to work is a great option for many. However, using the free Wi-Fi network provided by the café without any encryption or other data security measures is an unhealthy practice. Criminals often use these open Wi-Fi connections to intercept employees’ data transmission. They can use this attack vector to steal passwords or even infect your employees’ devices with malware. Worse, they can use their newfound access to infiltrate your organization’s network.
But what about your organization’s network? Your company’s Wi-Fi should be a secure network that’s hidden or otherwise inaccessible to unauthorized users. No one except your authorized users — you, your employees, contractors, etc. — should have access to that network. Some practices are recommended for better cyber hygiene, including:
- Securing your network with a strong password.
- Setting up a separate wireless network for guest access on a separate device.
- Requiring users to use a virtual private network (VPN) when connecting remotely.
6 Provide Cyber Awareness Training to Your Employees
ProofPoint found that 90% of U.S. organizations required their users to work from home in 2020 due to the concerns surrounding the COVID-19 global pandemic. However, their data also shows that only 29% train their employees about best practices for remote working. Such employees might probably be the reason for the organizations’ data breaches.
Your employees’ level of cyber awareness plays a critical role in the security of your organization. They need to be aware of the threats that lurk online and what tactics cybercriminals may use to target them. With this in mind, you should provide regular cyber security awareness training to your employees and perform random checks to ensure that your organization’s cybersecurity policies are being followed.
Employees should also be trained to know what actions to take when they encounter something suspicious. They should also be familiar with regulatory requirements (such as GDPR, CCPA, and PCI DSS) — depending on your industry and their roles within your organization — to ensure compliance. Furthermore, your company’s policies should also be given to employees so that they can familiarize themselves with those requirements and follow them.
All users, regardless of whether they’re executives or part-timers, should be required to undergo training. Anyone with access to your company email, network, data, or other resources is a potential target for cybercriminals.
7. Implement Strong Password & Account Security Measures
Data from Keeper Security and the Ponemon Institute shows that more than half of companies that experienced cyber attacks during COVID-19 pandemic involved credential theft. Of those, 41% involved employees’ compromised passwords.
If your company doesn’t yet have a password policy, then you should put one together immediately. Not sure what to cover in it? Well, the FBI has issued guidelines about strong passwords. Both your organization’s management and its other employees should follow these guidelines closely.
Wherever required, encourage employees to enable multi-factor authentication (MFA). Otherwise, you can adopt a passwordless security approach (like using certificate-based authentication) for better account security that doesn’t require the use of any passwords at all.
8. Create Regular Backups (and Keep Multiple Copies of Your Data)
Even after taking all the necessary steps, we cannot be certain that the security of an enterprise is enough. There is a real chance that you will be a victim of cybercrime because cyber attacks are no longer a question of “if” but rather “when” they will occur.
However, we can reduce the effects of these attacks by having regular backups in place. By creating regular data backups, you can retrieve your data in case of a cyber attack. Backups are particularly useful in ransomware attacks where your data is held by the attacker and is encrypted.
According to the U.S. Computer Emergency Readiness Team (US-CERT), a good rule of thumb for small businesses to follow is known as the 3-2-1 backup rule. This policy says to maintain at least three separate copies of data on two different media storage types with at least one offsite (hence the name). The following figure illustrates the concept of the 3-2-1 backup rule:
Final Thoughts on These Cyber Security Tips for Small Business
Simply trying to protect your company against external threats isn’t enough. Cyber threats may exist both inside and outside of your business. IBM’s Cost of Insider Threats: Global Report 2020 data shows that insider threat-related incidents cost small businesses with fewer than 500 employees an average of more than $7 million. All of this is to say that it’s easy to see why small business cybersecurity needs to become a top priority.
We hope that you’ve found these cyber security tips for small business ventures useful. Many of these are processes and actions that you can put to use right away while others may take a bit of planning. But the big takeaway here is to start putting these tips into action now to help keep your small business safe from cybercriminals and other threat actors.