Although SMBs are frequent targets of many forms of cyber attack, they usually lack the budget, manpower, and technical capabilities that larger businesses can draw on to combat them. That’s why, for the year 2020, we’ve compiled a list of the best cyber security tips for small businesses.
As a result of the COVID-19 pandemic, workplaces are evolving, and even small business workers are now working from home. As a result, in addition to the “ordinary” threats that SMBs face on a regular basis, they now have to deal with new threats posed by remote work environments.
Whether you think of these ideas as 10 steps to better cyber security or something else entirely, the point is that this list of IT and cyber security tips is something that small and midsize companies like yours can act on to make themselves a less attractive target for cybercriminals. 14 IT and cybersecurity experts from around the world contributed to this list.
10 Steps to Cyber Security: The Best Cyber Security Tips That You Can Implement Now
When you search for cyber and IT protection tips for small companies, you’re probably searching for low-cost solutions and processes that you can introduce without hiring an entire IT team (and without breaking the bank). This is most likely due to the fact that, unlike corporations and other large organisations, you do not have a large budget. Is this, indeed, a lost cause?
Obviously not. There are a range of ways to get the most out of your cybersecurity budget while reducing the strain on your IT staff. Here are ten cyber security measures you can take right now to make your small or medium-sized company more secure:
Tip #1: Secure Your Data and Communications
Protecting your data at all costs is one of the most valuable cyber security tips we can offer. Your data consists of everything from personally identifiable information (PII) and financial information to proprietary information such as intellectual property and product pricing. You know, the kind of information you’d never want your rivals or cybercriminals to get their hands on.
Dr. Al Marcella is the president of Business Automation Consultants, LLC, and a cybersecurity, risk management, and risk reduction specialist with 38 years of experience. Small companies, he argues, must use cryptographic techniques and protocols:
“Implement and consistently use strong encryption protocols on all organization sensitive, critical and essential data as well as associated, operational infrastructure. This includes desktops, laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions.”
— Dr. Al Marcella, president of Business Automation Consultants, LLC
In a nutshell, data encryption protects the data both at rest (on a server) and in transit (as it travels between two endpoints):
- Secure in-transit data sent to your website with HTTPS. Without it, data travels in plaintext between a user’s browser (client) and your website (server), meaning it can be read by anyone who knows how to look, so you must secure the transmission channel. Installing an SSL/TLS certificate on your web server secures data transfers between your website and your web client by establishing an encrypted channel between the two endpoints, preventing cybercriminals from “reading” or otherwise gaining access to the data.
- Encrypt at-rest data stored on your server to keep it secure. It’s important to encrypt data before sending or uploading it, whether it ends up on your email server or in cloud storage. Without the decryption key, a bad guy who gains access to your accounts and steals your files still won’t be able to read the data.
You may be shocked to discover that encryption isn’t as difficult as it seems. You don’t need to run any complicated calculations or processes; all you have to do is add some digital certificates (either on your web server or in your email client), make a few choices, and you’re done. The rest is taken care of by the digital certificates.
Tip #2: Make Remote Access as Secure (and Easy) as Possible for Users
Some of these cyber security tips, as you’ll see, are particularly useful during the ongoing Coronavirus pandemic. According to a survey conducted by Willis Towers Watson, more than half of employers’ full-time workers (53 percent) are operating remotely as a result of COVID-19. The need for safe remote access has never been greater. Good network protection and authentication mechanisms will really shine in this situation.
This means you must take action to minimise risks and remove any remote-connection vulnerabilities in order to keep your company and its data secure. The tricky part is doing it without overcomplicating things for your users: they will be reluctant to use security processes or tools if they find them too difficult or painful to use.
Reminding your employees to update their personal Wi-Fi passwords is a good place to start. Many people still use their internet service providers’ (ISPs) default passwords, which gives cybercriminals a simple entry point. Restrict the number of users who have remote desktop access. Make sure their computers and systems are up to date, and don’t let anyone connect to your network directly without using a VPN.
There are many other ways to make remote connections more secure, according to Jacob Ansari, Senior Manager of Schellman & Company, LLC, a global independent protection and privacy enforcement assessor:
Tip #3: Use Authentication Tools to Prove Your Identity
For the third tip on our list of IT and cyber security advice, consider how critical a small business’s identity and credibility are to its success. When the company’s identity is compromised, it can be devastating, much as when your personal identity is stolen. If a criminal conducts business under your name and consumers’ confidence in your company is betrayed, you’ll face a long road to recovery. (That is, assuming the company recovers at all.)
To trick users into providing personal information, cybercriminals can build fake websites that look exactly like yours. They can also trick users by sending phishing emails that appear to come from you or your business. This is why it’s important that you safeguard your personal information.
But how can you put a stop to it? This cyber security tip explains how to use a variety of authentication methods to assert your identity in different contexts and prove that you are who you say you are:
Install Personal Authentication Certificates for Your Employees
This certificate, also known as a client certificate or an S/MIME certificate, is used to verify the identity of a single person. Depending on how you use it, this form of certificate serves a variety of purposes, including email correspondence and website access.
- It lets you digitally sign your email messages. This shows your recipient that you are who you say you are and that the confidential contents of your message have not been tampered with since you signed it.
- It also lets you encrypt your emails and attachments. This ensures that your message is scrambled and unreadable to everyone but the intended recipient before you even press “send”.
- This form of digital certificate can also be used to grant access to restricted areas of your website for website protection. Let’s say you want to limit access to a portal or portion of your website to unique users. The server will be able to authenticate them and grant them access if they have this form of certificate enabled.
Sign All Software Using a Code Signing Certificate
Software developers and manufacturers may use a code signing certificate to verify their identities. If your programme isn’t signed, Windows displays an error message indicating that it came from an unidentified publisher. When you use a code signing certificate to sign your programme, you’re confirming your identity with a trusted third party (a commercial certificate authority) who can testify to the fact that you are who you say you are.
Install a Website Security Certificate (Also Known as an SSL/TLS Certificate) on Your Web Server
This form of certificate was mentioned in our first cyber security tip. It’s useful for securing data while it’s in transit between two endpoints (typically, a user’s web browser and your web server).
Tip #4: Authenticate All Users and Restrict Access
When it comes to granting access to any of your systems, including your network, you must be able to confirm that the person connecting is who they claim to be. Multi-factor authentication (MFA) is one tool that many of the experts we spoke with praised. This technology, which verifies a user’s identity using two or more types of evidence, may include the following:
- Something you know (such as a password or PIN),
- Something you have (such as an HSM, token, or mobile app), and
- Something you are (a biometric such as a fingerprint, facial scan or retinal scan).
Alex Vovk, CEO and co-founder of Action1 Corporation, is one of the experts who believes that two-factor authentication (2FA), a form of multi-factor authentication, and protected passwords go together well. One of his cyber security recommendations is as follows:
“Two-factor authentication is an obvious yet tremendously effective way to secure company assets. In many small and midsize companies, 2FA is neglected since the work environment is friendly and informal. That often results in identity theft — an external intruder steals user credentials and gains access to company data and resources. Enforce two-factor authentication and password complexity & expiration policies to avoid credentials abuse. Don’t leave the door wide open for attackers and rogue users!”
— Alex Vovk, CEO and co-founder of Action1 Corporation
Tip #5: Use a Multi-Layered Approach to Cyber Security
Next on our list: a multi-layered strategy is the best way to protect your small or mid-size company from cyber threats. It should include the appropriate tools, procedures, and people to run them. Endpoint and network firewalls, as well as antivirus solutions, are some of the most common cyber security tools. You should, however, go beyond the basics and put in place security measures such as:
- DNS- and IP-based web filtering,
- Email filtering,
- Penetration testing,
- Intrusion detection systems (IDS),
- Unified threat management (UTM) tools,
- Automation solutions like PKI certificate managers and patch management tools, and
- Regular data backups.
SMBs can also use behaviour-based detection tools, according to Marty Puranik, president and CEO of Atlantic.net, a web hosting provider:
“These tools are more advanced than your traditional antivirus solutions. Things like endpoint detection and response can actually narrow down threats in real-time, prior to your information being compromised.”
— Marty Puranik, president and CEO of Atlantic.net
But that sounds like it can be a bit pricey — and depending on the tool you choose, it can be. So, what’s a more cost-effective approach for SMBs who have big security aspirations but not a big budget to match them?
“Organizations should look to investing in a user-friendly unified security platform to easily manage all their security efforts. Complete visibility is a must for SMBs that can’t afford to use SIEM solutions. In order to respond in real-time, they have to adopt a solution that detects anomalies in the network and monitors their users’ activity.”
— Sivan Tehila, Director of Solution Architecture of Perimeter 81
But cybersecurity tools aren’t an end-all-be-all solution. Greg Scott, a long-time cybersecurity professional and published author, says that there’s one more important thing for your cyber toolkit that can’t be purchased.
“Tech tools count, but vigilance counts more. Firewalls, antivirus, web and spam filtering, and other technology are helpful, but attackers are clever and no substitute will ever exist for old-fashioned human vigilance.”
— Greg Scott, cybersecurity professional and author
Tip #6: Keep Your Software, Hardware and Firmware Current
It’s important to keep the devices patched, according to Stacy Clements, a former Air Force cyber operations officer and owner of Milepost 42.
“Cyber criminals are constantly finding new vulnerabilities in software, so keeping systems patched is critically important. Most cyber breaches are on systems which have known vulnerabilities, and just haven’t been patched. Keep software up to date on servers, computers, and mobile devices.”
— Stacy Clements, owner of Milepost 42
In his cyber security tips, Puranik also says that while having the right tools in place is important, they’re virtually useless if you don’t keep them patched and up to date via manufacturer updates:
“Begin by making sure any software your employees use is up to date. A lot of software creators provide security updates for when vulnerabilities are discovered. If you’re using outdated software, you run the risk of opening the door for threats.”
— Marty Puranik, president and CEO of Atlantic.net
Tip #7: Prepare for the Worst, Hope for the Best
One of the most common mistakes small businesses make when it comes to cybersecurity is focusing solely on the technological side of things, forgetting about the bigger picture: What are you going to need to keep your company running?
Perform Regular Vulnerability and Risk Assessments
Knowing where the company stands in terms of security weaknesses and threats is priceless. Regular vulnerability assessments help detect vulnerabilities and protect your network against common security breaches. Risk assessments help you identify and mitigate the risks associated with a particular operation or procedure.
Maintain Current Data Backups
Sure, you’ll need cybersecurity apps and resources to help you stay one step ahead of (or at least keep up with) cybercriminals. Your data, however, is one of the most important things you’ll need: your intellectual property, consumer information, and other confidential information.
“Backups are crucial to restoring business operations in the event of a successful breach. Use the backup rule of three — have at least three copies of essential data, on two different media, and at least one copy offsite. Also, be sure to test your backups regularly — a backup does you no good if it’s been corrupted.”
— Stacy Clements, owner of Milepost 42
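The last sentence of that quote is the one most often skipped. As an added example (not the article’s own code, and not a tool any of the quoted experts endorse), here is a minimal backup job that records a SHA-256 manifest when it writes the archive and a verification step that reads every file back out of the archive and compares it against the manifest. The sample files and the “corrupted copy”, simulated by truncating the archive, are constructed inside the script so it runs offline.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

BLOCK = 1 << 16  # read files in 64 KiB chunks so large backups do not need RAM


def sha256_stream(fh) -> str:
    """SHA-256 of a readable binary stream, chunk by chunk."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(BLOCK), b""):
        h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip'd tar of every file under src; return {relative path: sha256}.

    The manifest is the 'expected state' a later restore test is compared with;
    store it separately from the archive (e.g. with the offsite copy).
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            with path.open("rb") as fh:
                manifest[rel] = sha256_stream(fh)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Read every file back out of the archive and compare it with the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    problems = []
    seen = set()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                digest = sha256_stream(tar.extractfile(member))
                expected = manifest.get(member.name)
                if expected is None:
                    problems.append(f"unexpected file in backup: {member.name}")
                elif digest != expected:
                    problems.append(f"hash mismatch: {member.name}")
    except Exception as exc:  # truncated or corrupt gzip/tar stream
        problems.append(f"archive unreadable: {type(exc).__name__}: {exc}")
    for name in manifest:
        if name not in seen:
            problems.append(f"missing from backup: {name}")
    return problems


def demo() -> tuple:
    """Back up constructed sample data, verify it, corrupt the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "finance").mkdir(parents=True)
        # constructed sample records, not real data
        (src / "finance" / "q1.csv").write_text("invoice,amount\n1001,250.00\n")
        (src / "customers.txt").write_text("constructed sample record\n")
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)
        # Simulate bit rot or an interrupted copy by truncating the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_backup(archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive problems:", good)      # []
    print("truncated archive problems:", bad)    # at least one entry
```

Running `verify_backup` against each of the three copies on a schedule, and alerting when the list is non-empty, turns “test your backups regularly” into something that actually happens; a full restore drill into a scratch directory is the stronger check and should still be done periodically.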
Develop, Execute and Enforce Cybersecurity Strategies and Policies
Having (and enforcing) good policies is a core element of any strong cybersecurity strategy. Part of this entails having strong cyber policies such as BYOD and acceptable computer use policies, as well as a policy of least privilege.
“While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized host and networks, and including an enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.”
— Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC
Have Plans and People in Place to Respond When Things Go Wrong
Who are you going to call when the proverbial shit hits the fan? I can guarantee you that the Ghostbusters will not be of any use to you. Only you can save yourself, which means you must have emergency preparedness measures in place that can be implemented at any time. The following are some of the most important aspects of this method of planning:
- An incident response (IR) plan
- A business continuity (BC) plan
- A disaster recovery (DR) plan
- A team roster with a breakdown of roles and responsibilities
- An outline of post-incident investigations and activities
Exercises should be run with the team to ensure that everyone knows their responsibilities. Be sure to use a variety of examples. This way, they’ll know exactly what to do in a number of emergency situations.
When it comes to responding to and mitigating cyber threats, Braden Perry, a litigation, administrative, and government investigations attorney with Kennyhertz Perry, LLC, says that being vigilant makes all the difference.
“In the event of a malicious attack, a company should have systems in place to keep operational or at least backups where the company is not affected or very slightly affected. In the event of a total disruption of the business, it is too late to mitigate and you will likely see dramatic costs to the business. Being proactive rather than reactive is the key.”
— Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC
Collin Varner, senior associate at Schellman & Company, LLC, says that when it comes to protecting your organization, repetition is key to helping your team build essential habits.
“An incident response plan can address issues related to cyber attacks, data loss, and other events that bode risk to all organizations. Ensure responsibilities are defined and designated to the roles tasked with detecting and responding to security events. Frequent testing of a variety of scenarios can be carried out, allowing the individuals to be more knowledgeable in how to react when an incident occurs.”
— Collin Varner, senior associate at Schellman & Company, LLC
Consider Cyber Insurance (But Don’t Substitute It for Good Cyber Security Practices)
For many companies, cyber insurance can be an excellent investment. Given that small and medium-sized businesses are the primary targets of most cyber threats, it never hurts to add an extra layer of protection. (This is why it’s included in our cyber security advice.) However, good insurance should not be a company’s only form of defence.
Cyber insurance is a fantastic investment, according to Steve Durbin, managing director of the Information Security Forum in London, but SMBs should take the time to familiarise themselves with the specifics of each contract.
“Data breach liabilities are spreading quickly. As a result, I’m seeing more SMBs respond by purchasing cyber insurance, which has become a practical choice for a growing range of organizations and industry sectors. However, it is no replacement for sound cyber security and cyber resilience practices. On the contrary, well-resourced and industry and standards compliant practices can oftentimes positively reduce the associated premiums for cyber insurance.
Secondly, SMBs should certainly look cautiously at the small print. With each class action lawsuit prompted by data breach damages, case law precedents change and insurance companies adjust policies accordingly.”
— Steve Durbin, managing director of the Information Security Forum
Tip #8: Assess and Know Your Third-Party Risks
Risk assessments are popular in the cybersecurity industry, but what if the threats are coming from outside sources, such as third-party vendors? One of the best cyber security tips Collin Varner says he can offer concerns third parties. Understanding your dependencies on outsourced service providers is essential to running a successful cybersecurity programme:
“The attacker’s game is to exploit weak links in the operation, which may sit outside the organization’s control; therefore, remember to ensure protection of assets that are accessible by suppliers. Perform frequent security reviews in how your data is being managed and maintain an agreed level of information security standards within your agreements. It’s common practice to require your suppliers to undergo third party assessments of security performance, such as the obtainment of a SOC 2 or ISO 27001 certification.”
— Collin Varner, senior associate at Schellman & Company, LLC
Even if you don’t think granting third parties access to your network or other systems is dangerous, reconsider. Do you recall the 2013 Target data breach? When the retail giant’s POS system was compromised using a third-party vendor’s stolen credentials, the personal and credit card data of 40 million customer accounts was exposed. To gain access to Target’s network, the attacker used the login credentials of an HVAC vendor.
The bottom line is to make sure that any vendors you work with and grant access to take security seriously.
Tip #9: Train Employees to Recognize Threats
Education is probably one of the most critical (and recommended) cyber security tips we were given. Your staff can learn how to identify a range of cybersecurity threats as well as how to work safely online through cyber awareness training. But, for small companies, what does that kind of training entail?
“Your company should plan a training program that helps the employees to understand the mechanism of spam, phishing, ransomware, malware, and many other forms of cyberattacks. If one such attack is triggered, then the knowledge from their day-to-day job will help them to resolve it. Educating new employees and continuing to educate all employees about cybersecurity with educational videos, infographics, about recent breaches, etc. can help them to understand it better.”
— Shagun Chauhan, Business Consultant, iFour Technolab Pvt Ltd
Showing that phishing emails aren’t just poorly written, typo-filled ramblings should be part of this training. Using social engineering strategies, cybercriminals construct simple but effective phishing emails that appear legitimate. They take modern approaches to old practises, essentially putting fresh lipstick on the same old pig.
According to Cindy Murphy, president of Tetra Defense’s digital forensics division, cybercriminals’ messaging is evolving more than their attack methods:
“Scammers are still predominantly using email to deceive their victims. What’s new in this era is the fraudulent messaging within the emails: the CDC asks for donations in Bitcoin. Your COVID-19 Tax Relief Documents are available on this (fake) website. A doctor from the World Health Organization has ‘drug advice’ if you click here. This is social engineering at its worst — and unfortunately, it’s more likely to work in these uncertain times.
People haven’t become more gullible in the past three and a half months; they’ve become used to big changes in small messages. When the next news headlines could be a matter of safety or sickness, it’s much easier to believe information that appears right in your inbox.”
— Cindy Murphy, president of digital forensics at Tetra Defense
But, in terms of cyber awareness training, what are the key obstacles that SMBs face? According to Alan Duric, co-founder and CTO of Wire, it’s helping workers connect the dots between what they learn and how it relates to their everyday work.
“There is a common disparity between perceived security and actual security in day-to-day business interactions. This is often due to a knowledge gap for non security professionals — in fact a survey found that 70% of business professionals said it was normal to discuss company confidential information on calls, despite the fact that many popular solutions don’t offer end-to-end encryption by default.”
— Alan Duric, co-founder and CTO of Wire
Tip #10: Invest in Your IT Team
Choosing whether to outsource your cybersecurity needs or employ someone in-house is a decision specific to your company’s needs. Some experts may argue in their cyber security advice that outsourcing IT and cybersecurity to a third-party vendor is the best choice for small businesses because you pay less for more. However, there is much debate within the industry about whether such broad generalisations can be made.
Chelsea Brown, a technology expert and ethical hacker, offers a recommendation for the last of our ten measures to improve cyber security. Brown, the CEO and founder of Digital Mom Talk, is quick to point out that outsourcing the IT team can do more harm than good in the long run:
“Despite what any business thinks, outsourcing your entire IT department over the long haul is not good. A better option is to take the IT employees you currently have and help them get the training they need to better protect your growing enterprise. By investing in your current employees, many become loyal to you and you can see a bigger return on your investment over time. Help these employees become more valuable to your organization by giving them the training they need to better protect your business from the cyber threats.”
— Chelsea Brown, CEO and founder of Digital Mom Talk
Brown also cites a number of excellent certifications that can help the team’s security expertise and skills, including:
- Open Source Intelligence (OSINT),
- Offensive Security Certified Professional (OSCP),
- Cyber Security Analyst (CySA+), and
Final Thoughts on These IT and Cyber Security Tips for Small Businesses
SMBs have a lot going for them, including the fact that their smaller scale allows them to be more resilient and adaptable to change than larger corporations. They have the option of operating entirely online or in person. However, they fall short of their corporate giant peers in terms of risk management budgets and personnel.
“When it comes to tactical decisions, security consequences aren’t taken into account, and IT risks are underestimated. As a result, cybercriminals find SMBs to be easy targets,” Alex Vovk says succinctly. This is why putting these cyber security tips and best practises in place as soon as possible is critical to keeping your small or midsize business secure.
Your employees’ skills, attitudes, and activities matter, and they can be either your company’s greatest cybersecurity threat or its greatest asset. Your willingness to invest in both the required resources and your employees will mean the difference between being an easy target for cybercriminals and a difficult one.