From data security to automation, we’ve got the scoop from 14 cybersecurity and small business experts on the 10 steps to cyber security that you can implement for your small to midsize business
Although SMBs are commonly the targets of various types of cyber attacks, they typically lack the budget, personnel and technical expertise that enterprises have available to defend against such attacks. That’s why we’ve decided to put together a list of the best cyber security tips for small businesses possible for 2020.
Workplaces are changing, and even employees at small businesses are now working from home as a result of the COVID-19 pandemic. So, in addition to the “usual” threats that SMBs face on a daily basis, now they also must contend with additional threats that stem from remote work environments.
Whether you want to consider these suggestions as 10 steps to better cyber security or something else, the point here is that this list of IT and cyber security tips are those that small and midsize businesses like yours can perform that will still make you a tougher target for cybercriminals. These tips come from 14 IT and cybersecurity experts from around the world.
10 Steps to Cyber Security: The Best Cyber Security Tips That You Can Implement Now
When you look for cyber and IT security tips for small businesses, you’re likely looking for cost-effective solutions and processes that you can implement without an entire team of IT pros (and without breaking the bank). That’s likely because you don’t have a massive budget like enterprises and other large organizations. So, is this a hopeless cause?
Of course not. There are several ways that you can make every cent of your cybersecurity budget count while alleviating stress for your IT staff. Here are the 10 steps to cyber security that you can implement immediately to make your small or mid-size business more secure:
Tip #1: Secure Your Data and Communications
One of the most important cyber security tips we can offer is to protect your data at all costs. Your data includes everything from sensitive customer information (PII and financial info alike) to proprietary information like intellectual property and product pricing information. You know, the kind of data that you’d never want to see fall into the hands of your competitors or cybercriminals.
Dr. Al Marcella, president of Business Automation Consultants, LLC, and an IT consultant with 38 years of experience in cybersecurity, risk management and risk mitigation. He says that using cryptographic tools and protocols is a must for small businesses:
“Implement and consistently use strong encryption protocols on all organization sensitive, critical and essential data as well as associated, operational infrastructure. This includes desktops, laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions.”— Dr. Al Marcella, president of Business Automation Consultants, LLC
Basically, data encryption helps you to secure your data no matter whether it’s at rest (sitting on a server somewhere) and in transit (transmitting between two endpoints):
- Use the HTTPS protocol to secure in-transit data that’s sent to your website. Since data transmits between a user’s browser (client) and your website (server) in plaintext — meaning that it’s readable to those who know how to look — it means that you must protect the transmission channel. Installing an SSL/TLS certificate on your web server helps you to secure the data that transfers between web client and your website. It does this by creating a secure, encrypted channel between the two devices that prevents cybercriminals from “reading” or otherwise accessing that information.
- Use encryption to secure at-rest data while it sits on your server. Whether you’re looking to secure data that sits on your email server or in cloud storage, it’s essential that you encrypt it before sending or uploading it. This way, if a bad guy somehow gets access to your accounts and steals your files, they won’t be able to read or access the data without a digital key.
You may be surprised to learn that using encryption isn’t as complicated as it may seem. You don’t have to calculate any complex mathematical equations or perform any complicated processes — you simply install some digital certificates (either on your web server or your email client), make a few selections, and you’re set. The digital certificates handle the rest for you.
Tip #2: Make Remote Access as Secure (and Easy) as Possible for Users
As you’ll see, some of these cyber security tips are especially important during the ongoing Coronavirus pandemic in particular. With employers reporting that more than half of their workforces (53%) of full-time employees are working remotely due to COVID-19, according to a survey from Willis Towers Watson, the need for secure remote access has never been more important. This is where strong network security and authentication measures can really shine.
This means that to keep your business safe and its data secure, you need to take steps to mitigate risks and eliminate any remote connection vulnerabilities. But the tricky part is doing so without making it overly complicated for your users. If you make the security processes or tools too challenging or frustrating for users, they’ll be resistant to using them.
A good place to start is to remind your employees to change their personal Wi-Fi passwords. People frequently use the default passwords that are set by their internet service providers (ISPs), which gives cybercriminals an easy avenue of attack. Limit the number of users who can access remote desktop. Also, make sure that their computers and devices are up to date and don’t allow anyone to directly connect to your network without the use of a VPN.
Jacob Ansari, Senior Manager of Schellman & Company, LLC, a global independent security and privacy compliance assessor, says that there are several other ways you can make remote connections more secure:
“Identify all of your remote access mechanisms, like VPNs, RDP, and maybe old-school stuff left floating around like VNC. Disable anything you don’t need. Set up multi-factor authentication for those that you do. Make use of MFA services like Duo or Google Authenticator or Auth0, which have low- or no-cost options for small numbers of users. Disable user accounts that aren’t used. If you rely on third parties for IT support, make sure they have to follow the same rules.”— Jacob Ansari, senior manager of Schellman & Company, LLC.
Tip #3: Use Authentication Tools to Prove Your Identity
To kick off the third item on our list of IT and cyber security tips, let’s take a moment to recognize how important a small business’s identity and reputation are integral to its success. Much like with situations of personal identity theft, if your business’s identity is compromised, it can deal a devastating blow. If a criminal is doing business in your name and the trust that customers place in your business is breached, you’ve got a long road ahead to recovery. (That is, if your business recovers at all.)
Cybercriminals can create fake websites that look like yours to trick users into providing their personal information. They can also use phishing emails that appear to come from you or your company to deceive users into doing the same. This is why it’s so essential for you to protect your identity.
But how do you stop them? This cyber security tip focuses on how you can use various authentication tools to assert your identity in different ways and prove that you are who you say you claim to be:
Install Personal Authentication Certificates for Your Employees
This type of certificate, also known as a client certificate or an S/MIME certificate, is useful for authenticating a specific user. Depending on how you choose to use it, this type of certificate serves a few different purposes for both email communications and website access:
- For email, it enables you to digitally sign your emails using a digital signature. This helps you to show your recipient that you are who you claim to be and also indicates that the sensitive contents of your message haven’t been tampered with since it was signed.
- For email, it also allows you to encrypt your messages and any attachments. This means that before you even hit “send” on an email, your message is scrambled and becomes unreadable to anyone aside from your intended recipient.
- For website security, this type of digital certificate can also be used to give access to restricted areas of your website. For example, let’s say you want to allow only specific users to access a portal or area of your website. If they have this type of certificate installed, the server will be able to authenticate them and give them access.
Sign All Software Using a Code Signing Certificate
A code signing certificate enables software developers and manufacturers to prove their identities. If your software isn’t signed, Windows pops up a warning message showing that your software is from an unknown publisher. When you sign your software while using a code signing certificate, you’re validating your identity with a reputable third party (a commercial certificate authority) that can attest to the fact that you are who you claim to be.
Install a Website Security Certificate (AKA an SSL/TLS Certificate) on Your Web Server
We mentioned this type of certificate in our first cyber security tip. It’s useful for protecting data in transit, meaning when it’s transferred between two endpoints (typically, a user’s web browser and your web server).
Tip #4: Authenticate All Users and Restrict Access
When it comes to providing access to any of your systems, including your network, you need to make sure that you can verify whether the person connecting is who they say they are. One type of tool that several of the experts we consulted sang the praises of is multi factor authentication (MFA). This technology, which authenticates a user through two or more types of data, can include:
- Something you know (such as a password or PIN),
- Something you have (such as an HSM, token, or mobile app), and
- Something you are (a biometric such as a fingerprint, facial scan or retinal scan).
Alex Vovk, CEO and co-founder of Action1 Corporation, is one of those experts who says that two-factor authentication (2FA), a type of MFA, and secure passwords make a great pair. He offers the following as one of his cyber security tips:
“Two-factor authentication is an obvious yet tremendously effective way to secure company assets. In many small and midsize companies, 2FA is neglected since the work environment is friendly and informal. That often results in identity theft — an external intruder steals user credentials and gains access to company data and resources. Enforce two-factor authentication and password complexity & expiration policies to avoid credentials abuse. Don’t leave the door wide open for attackers and rogue users!”— Alex Vovk, CEO and co-founder of Action1 Corporation
Tip #5: Use a Multi-Layered Approach to Cyber Security
Next on our list of cyber security tips: The best way to defend your small or mid-size business from cyber threats is to take a multi-layer approach. This should include the right mix of tools, processes, and people to operate them. Some of the basic cyber security tools include endpoint and network firewalls and antivirus solutions. However, you need to go beyond the basics and implement security measures like:
- DNS- and IP-based web filtering,
- Email filtering, penetration testing,
- Intrusion detection systems (IDS),
- Unified threat management (UTM) tools,
- Automation solutions like PKI certificate managers and patch management tools, and
- Regular data backups.
Marty Puranik, president & CEO of atlantic.net, a web hosting solution, says that SMBs should also take advantage of behavior-based detection tools:
“These tools are more advanced than your traditional antivirus solutions. Things like endpoint detection and response can actually narrow down threats in real-time, prior to your information being compromised.”— Marty Puranik, president and CEO of Atlantic.net
But that sounds like it can be a bit pricey — and depending on the tool you choose, it can be. So, what’s a more cost-effective approach for SMBs who have big security aspirations but not a big budget to match them?
“Organizations should look to investing in a user-friendly unified security platform to easily manage all their security efforts. Complete visibility is a must for SMBs that can’t afford to use SIEM solutions. In order to respond in real-time, they have to adopt a solution that detects anomalous in the network and monitors their user’s activity.”— Sivan Tehila, Director of Solution Architecture of Perimeter 81
But cybersecurity tools aren’t an end-all-be-all solution. Greg Scott, a long-time cybersecurity professional and published author says that there’s one more important thing for your cyber toolkit that can’t be purchased.
“Tech tools count, but vigilance counts more. Firewalls, antivirus, web and spam filtering, and other technology are helpful, but attackers are clever and no substitute will ever exist for old-fashioned human vigilance.”— Greg Scott, cybersecurity professional and author
Tip #6: Keep Your Software, Hardware and Firmware Current
Stacy Clements, a retired Air Force cyber operations officer and owner of Milepost 42, says that it’s critically important to keep your systems patched.
“Cyber criminals are constantly finding new vulnerabilities in software, so keeping systems patched is critically important. Most cyber breaches are on systems which have known vulnerabilities, and just haven’t been patched. Keep software up to date on servers, computers, and mobile devices.”— Stacy Clements, owner of Milepost 42
In his cyber security tips, Puranik also says that while having the right tools in place is important, they’re virtually useless if you don’t keep them patched and up to date via manufacturer updates:
“Begin by making sure any software your employees use is up to date. A lot of software creators provide security updates for when vulnerabilities are discovered. If you’re using outdated software, you run the risk of opening the door for threats.”— Marty Puranik, president and CEO of Atlantic.net
Tip #7: Prepare for the Worst, Hope for the Best
One of the biggest mistakes that small businesses tend to make when it comes to cybersecurity is that they’re so busy trying to focus on the technical side of things that they forget the bigger picture: What is it that you need to make sure that your business stays operational?
Perform Regular Vulnerability and Risk Assessments
Knowing where your business stands in terms of its security vulnerabilities and risks is invaluable. Performing regular vulnerability assessments can help you to identify vulnerabilities and help to protect your network from common security breaches. Risk assessments help you identify any potential risks that stem from an activity or process that you can mitigate.
Maintain Current Data Backups
Sure, you need cybersecurity tools and software that can help you stay ahead (or at least keep up with) cybercriminals. But one of the most essential things you need is your data: your intellectual property, customer information, and other sensitive data.
“Backups are crucial to restoring business operations in the event of a successful breach. Use the backup rule of three — have at least three copies of essential data, on two different media, and at least one copy offsite. Also, be sure to test your backups regularly — a backup does you no good if it’s been corrupted.”— Stacy Clements, owner of Milepost 42
Develop, Execute and Enforce Cybersecurity Strategies and Policies
Having (and enforcing) great policies are a core element of any strong cybersecurity strategy. Part of this entails having strong cyber policies like BYOD and computer use policies, as well as a policy of least privilege.
“While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized host and networks, and including an enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.”— Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC
Have Plans and People in Place to Respond When Things Go Wrong
When crap hits the proverbial fan, who are you going to call? I assure you that the Ghostbusters aren’t going to be of any assistance to you. Only you can save yourself, which means that you need to have preparedness plans in place that can be put into action at a moment’s notice. Key components of this type of planning includes:
- An incident response (IR) plan
- A business continuity (BC) plan
- A disaster recovery (DR) plan
- A team roster with a breakdown of roles and responsibilities
- An outline of post-incident investigations and activities
Run through exercises with your team to ensure that everyone understands their roles. Be sure to use different scenarios. This way, they know what they’re responsible for doing in a variety of emergency situations.
Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC, says that being proactive makes all the difference in the world for SMBs when it comes to response and mitigation for cyber attacks.
“In the event of a malicious attack, a company should have systems in place to keep operational or at least backups where the company is not affected or very slightly affected. In the event of a total disruption of the business, it is too late to mitigate and you will likely see dramatic costs to the business. Being proactive rather than reactive is the key.”— Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC
Collin Varner, senior associate at Schellman & Company, LLC, says that when it comes to protecting your organization, repetition is key to helping your team build essential habits.
“An incident response plan can address issues related to cyber attacks, data loss, and other events that bode risk to all organizations. Ensure responsibilities are defined and designated to the roles tasked with detecting and responding to security events. Frequent testing of a variety of scenarios can be carried out, allowing the individuals to be more knowledgeable in how to react when an incident occurs.”— Collin Varner, senior associate at Schellman & Company, LLC
Consider Cyber Insurance (But Don’t Substitute It for Good Cyber Security Practices)
Cyber security insurance can be a really great investment for many businesses. Considering that SMBs are the primary target of most cyber attacks, it never hurts to have that extra layer of protection. (Hence why it’s on our list of cyber security tips.) However, buying good insurance shouldn’t be the only protection that businesses have.
Steve Durbin, managing director of the Information Security Forum in London, says that cyber insurance is a great investment but that SMBs should take the time to familiarize themselves with the particulars of each plan.
“Data breach liabilities are spreading quickly. As a result, I’m seeing more SMBs respond by purchasing cyber insurance, which has become a practical choice for a growing range of organizations and industry sectors. However, it is no replacement for sound cyber security and cyber resilience practices. On the contrary, well-resourced and industry and standards compliant practices can oftentimes positively reduce the associated premiums for cyber insurance.
Secondly, SMBs should certainly look cautiously at the small print. With each class action lawsuit prompted by data breach damages, case law precedents change and insurance companies adjust policies accordingly.”— Steve Durbin, managing director of the Information Security Forum
Tip #8: Assess and Know Your Third-Party Risks
It’s common for cybersecurity companies to talk about risk assessments — but what if those risks are coming from external sources such as third-party vendors? Collin Varner says that says that one of the best cyber security tips he can offer relates to third parties. Understanding what dependencies you may have of outsourced service vendors is prudent to managing an effective cybersecurity program:
“The attacker’s game is to exploit weak links in the operation, which may sit outside the organization’s control; therefore, remember to ensure protection of assets that are accessible by suppliers. Perform frequent security reviews in how your data is being managed and maintain an agreed level of information security standards within your agreements. It’s common practice to require your suppliers to undergo third party assessments of security performance, such as the obtainment of a SOC 2 or ISO 27001 certification.”— Collin Varner, senior associate at Schellman & Company, LLC
And if you don’t think that giving third parties access to your network or other systems is risky, think again. Remember the Target data breach of 2013? In that data breach, the personal and credit card data of 40 million customer accounts was exposed when the retail giant’s POS system was breached using a third-party vendor’s stolen credentials. Basically, the attacker used an HVAC vendor’s login info to access Target’s network.
The bottom line here is to make sure that any vendors you work with and give any level of access to takes security seriously.
Tip #9: Train Employees to Recognize Threats
Probably one of the most important (and recommended) cyber security tips that we were given relates to education. Cyber awareness training teaches your employees how to recognize a variety of cybersecurity threats and how to operate safely online. But what should that kind of training entail for small businesses?
“Your company should plan a training program that helps the employees to understand the mechanism of spam, phishing, ransomware, malware, and many other forms of cyberattacks. One such attack is triggered then the knowledge in their day-to-day job will help them to resolve. Educating new employees and continuing to educate all employees about the Cybersecurity with educational videos, infographics, about recent breaches, etc. can help to understand it better.”— Shagun Chauhan, Business Consultant, iFour Technolab Pvt Ltd
Part of this training should include showing how phishing emails aren’t all just poorly written, typo-filled ramblings. Cybercriminals create simple yet effective phishing emails that appear legitimate through the use of social engineering techniques. They apply new approaches to old methods; essentially, they just put a new shade of lipstick on a pig.
Cindy Murphy, president of digital forensics at Tetra Defense, says that it’s not so much the attack methods that are changing as it is the messaging cybercriminals are using:
“Scammers are still predominantly using email to deceive their victims. What’s new in this era is the fraudulent messaging within the emails: the CDC asks for donations in Bitcoin. Your COVID-19 Tax Relief Documents are available on this (fake) website. A doctor from the World Health Organization has ‘drug advice’ if you click here. This is social engineering at its worst — and unfortunately, it’s more likely to work in these uncertain times.
People haven’t become more gullible in the past three and a half months; they’ve become used to big changes in small messages. When the next news headlines could be a matter of safety or sickness, it’s much easier to believe information that appears right in your inbox.”— Cindy Murphy, president of digital forensics at Tetra Defense
But what are the biggest challenges facing SMBs regarding cyber awareness training? Alan Duric, co-founder and CTO of Wire says that it’s helping employees connect the dots between what they learn and how it applies to their daily work lives.
“There is a common disparity between perceived security and actual security in day-to-day business interactions. This is often due to a knowledge gap for non security professionals — in fact a survey found that 70% of business professionals said it was normal to discuss company confidential information on calls, despite the fact that many popular solutions don’t offer end-to-end encryption by default.”— Alan Duric, co-founder and CTO of Wire
Tip #10: Invest in Your IT Team
Making the decision about whether to outsource your cybersecurity needs or hire someone in house is a choice that’s very specific to your company’s needs. In their cyber security tips, some experts might argue that outsourcing your IT and cybersecurity needs to a third-party vendor is the best option for small businesses because you’re paying less to get access to more. However, there’s a lot of debate within the industry about whether this type of generalization should be painted in such broad strokes.
In our last of the 10 steps to better cyber security, we share a suggestion from a security analyst and ethical hacker, Chelsea Brown. As the CEO and founder of Digital Mom Talk, brown is quick to argue that you may be doing your business more harm than good in the long run by outsourcing your IT team:
“Despite what any business thinks, outsourcing your entire IT department over the long haul is not good. A better option is to take the IT employees you currently have and help them get the training they need to better protect your growing enterprise. By investing in your current employees, many become loyal to you and you can see a bigger return on your investment over time. Help these employees become more valuable to your organization by giving them the training they need to better protect your business from the cyber threats.”— Chelsea Brown, CEO and founder of Digital Mom Talk
Brown also mentions several great certifications that can help your team improve their security knowledge and skills, including:
- Open Source Intelligence (OSINT),
- Offensive Security Certified Professional (OSCP),
- Cyber Security Analyst (CySA+), and
Final Thoughts on These IT and Cyber Security Tips for Small Businesses
SMBs have a lot going for them — their smaller sizes make them more agile and adaptive to making changes than larger enterprises. They can choose to operate fully online or in a face-to-face setting. But where they’re lacking compared to their corporate giant counterparts is in terms of budgets and resources for managing risks.
Alex Vovk sums up this challenge succinctly: “When it comes to operational decisions, security implications aren’t taken into account and the IT risks are underestimated. That makes SMBs easy targets for cybercriminals.” This is why implementing these cyber security tips and best practices sooner rather than later is key to keeping your small or midsize business safe.
The knowledge, actions and behaviors of your employees matter, and they can either be your organization’s greatest cybersecurity risks or assets. Your willingness to invest both in the necessary tools and your employees can be the difference between your business being an easy or a tough nut for cybercriminals to crack.