You’re just as good as your weakest link when it comes to small business cyber security (and a whole lot of other things)! You should rest easy (or not) knowing that hackers can find a way to break into your network’s protection by following the path of least resistance. Not to scare you, but if you’re still using your grandmother’s maiden name as a password, you should expect a hacker to find it out.
Security experts have encouraged users to use good passwords and warned them about phishing attacks so many times that it’s almost become a cliché!
Also for small companies, cybersecurity should be a top priority, if statistics are to be believed. According to Score, SMBs are the focus of 43% of cyber attacks. According to another Juniper Research survey, SMBs account for just 13% of the total cyber security market in terms of security product expenditures. Data breaches are expected to triple per year over the next five years, according to security experts, with an estimated annual rise of 9% in budget allocation for cyber security.
There is a general apathy toward cybercrime, as well as a false belief that if you are a small business, you will avoid being targeted by cybercriminals. Of course, this is a myth we want to believe — according to SiteLock, a website is targeted on average more than 50 times per day. As a result, it’s no surprise that SMBs, especially those without a security plan, are attractive targets for cybercriminals.
Let’s take a look at some of the most serious security risks that small businesses face before exploring cyber security strategies for them:
- Ransomware Attacks
- Phishing Attacks
- Privilege Escalation Attacks
- Fraudulent Apps
- Weak Passwords
- DDoS Attacks
- Social Engineering Attacks
We’ve assembled a list of tips focused on small business cyber security needs that will assist you in achieving your security objectives.
Small Business Cyber Security Solutions
If cybersecurity is high on your priority list for your small company, keep reading to learn how to protect your confidential data and secure your network.
1. Conduct Cyber Awareness Training for Employees
Every employee in your small business should be responsible for your company’s cyber security efforts. Humans are often the weakest link, especially when it comes to social engineering attacks. Employees can acquire the awareness they need to build a security-conscious mentality with frequent, repeated training on best practises and security pitfalls to avoid.
2. Streamline Your Patch Management Process
Cybercriminals are well aware that not all businesses instal updates as soon as they become available to avoid a new attack. That is why it is important to keep the systems current. Update your software (including your operating system) on all of your devices on a regular basis, and allow automatic updates where possible. This involves patching and upgrading the applications and plugins on your website.
3. Back Up Your Critical Business Data
Data redundancy is one of the most foolproof ways to plan the protections against ransomware attacks. Having multiple copies off-site or on-premises helps to minimise the effect on your business and operations if your data is taken hostage.
4. Use Firewalls, WAFs, IDS, IPS or a Unified Threat Management System
As part of your small business cyber security protection steps, you should have some sort of traffic monitoring and filtering tool set up, depending on your network design and architecture. This allows you to track traffic to and from your trusted internal network and the public internet.
5. Secure Remote Access to Prevent Unauthorized Use
Make sure that unauthorised users can’t reach your computers remotely, in addition to using firewalls and monitoring server logs for suspicious behaviour. To avoid unauthorised access to the business network, use access control lists to restrict functionality, use a virtual private network (VPN) for encrypted communication, and enforce multi-factor authentication (MFA).
6. Run Regular Antivirus and Anti-Malware Scans
Invest in a well-known antivirus programme. It’s important to have the most recent update enabled on all network devices and to conduct regular scans. If you’re familiar with command-line interfaces, you can also use free open source software like ClamAV.
7. Invest in an Anti-Ransomware Software
According to data from Beazley Breach Response (BBR) Services, small businesses were the victim of 71% of ransomware attacks in 2018. One of the most common attack vectors is Remote Desktop Protocol (RDP), which is why it is important to protect it. Some of the countermeasures that can be implemented include using anti-ransomware, making and maintaining backups in different locations, and using good judgement to avoid falling victim to social engineering attacks.
Some free alternatives on the market include Avast Free Ransomware Decryption Software and Trend Micro Ransomware File Decryptor. You may also go to nomoreransom.org to look at the decryption keys repository.
8. Use VPN When Connecting to Your Business Network
When third-party suppliers or employees need to link to your business network remotely, require them to use a VPN. Due to eavesdropping, man-in-the-middle attacks, and “evil twin” phishing attacks, connecting to the internet through untrusted connections like public Wi-Fi is inherently dangerous. If you must use public Wi-Fi, use a VPN so that an intruder on the network cannot read your traffic.
9. Use Email Filtering to Block Malicious Files
Consider blocking file types that your company would never use. To prevent malicious scripts from being executed on your devices by mistake, block any attachment with executable content.
10. Use Web Filtering Tools to Prevent Ads from Executing
Block web pages or parts of it that contains scripts, advertisements, viruses, etc. Websense Web Filter solutions or OpenDNS may be used to achieve this.
11. Use DNS Filtering to Block Sites With Malware
Block access to sites believed to be infected with malware or viruses using DNS filtering solutions. You may use Quad9 as an example of a free solution.
12. Don’t Grant Admin Privileges to Employees
To grant access based on pre-defined needs, use identity and access management (IAM) software like CyberArk, OpenIAM, or WSO2. Using device whitelisting to prevent programmes from running that aren’t on the list of approved applications. Employee accounts should be set up as normal users, with the ability to instal software but not run unapproved programmes. Just offer trusted and restricted personnel administration rights if there is a business case for it.
13. Limit Permissions to Thwart Privilege Escalation Attempts
Using an access control list (ACL) to restrict resource access to only those who need to know. An ACL determines a user’s permissions or privileges to access device objects like files and folders. Study and decommission old user accounts on a regular basis.
14. Implement a Strong Password Policy
Implement a strong password policy that specifies minimum complexity requirements, includes multi-factor authentication, prohibits the use of old passwords, and manages account lockouts, among other things. To manage passwords across several accounts, use a password manager like Dashlane or LastPass.
You can also do a fast search for software that check to see if your accounts have been hacked. Haveibeenpwned.com, for example, tests if your email address has been compromised as a result of a security breach.
15. Formulate a Security Incident Response Plan
Spend some time finding out how the company would react to a security breach if one happens. Define a method, including escalation points, recovery strategies, and roles and responsibilities, among other things.
16. Invest in Cyber Insurance
Consider buying insurance to cover the company from any unanticipated damages caused by a cyber assault. Cyber insurance can help with a wide range of expenditures, including:
Third-party data theft, losses due to extortion threats, incident management costs, third-party penalties such as website defacement, and infringement of intellectual property rights.
17. Establish Security Policies and Practices to Be Followed at an Organizational Level
At the time of the appointment, have the staff sign a document stating that they will follow the company’s security policies. Clearly describe data classification rules, confidential document disposal after use, and a clean desk policy, among other items. Also, have your learning and development team set up mandatory security awareness training to ensure that all of the staff are aware of the policies.
18. Restrict Unauthorized Physical Access to Computers and Network Devices
Employees should be discouraged from assisting in tailgating. Laptops can never be left unattended unless they are secured to the desk.
19. Create a BYOD or Mobile Device Action Plan
Restrict the information that can be accessed via mobile devices unless they are company-issued and can be wiped remotely, as they can be left lying around or stolen. They pose serious security risks, especially if they have access to the corporate network. Block accessing client details or any other sensitive documents, apart from emails sent over encrypted networks.
20. Secure Your Networks
Aside from blocking unused ports, firewalls, and VPNs, it’s critical to configure your Wi-Fi and use the right configurations when it comes to small business network security. Change the default login credentials and the SSID broadcast name on your router and enable WPA2 / WPA3 encryption. Ensure that the router software is up to date on a daily basis. WPS (Wi-Fi Secure Setup) should be disabled because it has a well-known security vulnerability that can be easily abused to gain access to your network.
21. Block Removable Media or External Storage
To prevent the unauthorised transfer of sensitive data, disable removable media or limit access to USB ports. This also helps to avoid malware and viruses from entering the network from outside sources.
22. Perform Vulnerability Assessment and Penetration Testing
You can search your website for vulnerabilities using free software like Vega. If your website accepts credit card payments, however, vulnerability scans with a PCI approved scanner like HackerGuardian are needed.
When it comes to penetration testing, a security analyst may use manual or semi-automated software to complete the job. Wireshark, Nmap, and even frameworks like Metasploit or Immunity Canvas can be used to gather information. Depending on how important the company is, these evaluations can be conducted periodically or annually. You will need to employ a credible security expert to conduct these checks.
23. Use SSL/TLS Certificates to Encrypt Your Website Traffic
Often use HTTPS on your websites to keep the connection between the client browser and your server secure. Installing SSL/TLS certificates on your web servers not only provides secure channels for your clients, but it also establishes your identity. It builds consumer confidence and increases the value of your brand.
24. Use S/MIME to Encrypt All Emails Containing Sensitive Data
Email isn’t the most reliable mode of communication. S/MIME (Secure/Multipurpose Internet Mail Extensions) allows you to encrypt and sign your addresses, which is a game changer. This guarantees that the message hasn’t been tampered with and that it was actually sent by you. While Pretty Good Privacy (PGP), an older email standard, can necessitate the use of plugins, S/MIME is built into most email clients.
25. Frame a Business Continuity and Disaster Recovery Plan
When all is said and done, no matter how powerful your cyber security is, a cyber attack has the ability to fully cripple your network. If you wait until you’re threatened to devise a strategy, you’re likely to lose a lot of money as well as your cool. Create a robust, well-documented strategy, as well as backup and recovery plans that include specific steps for restoring vital infrastructure, BC/DR team contact information, and expert contact information, among other things.
To conclude, when it comes to cyber protection for small and mid-sized companies, a combination of a few key security solutions, caution, and sound judgement go a long way. Although it’s understandable that high-end security solutions aren’t always available, it’s important to note that there are some equally good open source and cost-effective alternatives.
Whatever choice you choose, there will always be a cost associated with cyber protection. The question is whether you should spend it on protecting your company’s network or on restoring your brand’s reputation following a breach.