![\"\"](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/secure-communications-and-data.png\")
One of the most important cyber security tips we can offer is to protect your data<\/a> at all costs. Your data includes everything from sensitive customer information (PII and financial info alike) to proprietary information like intellectual property and product pricing information. You know, the kind of data that you\u2019d never<\/em> want to see fall into the hands of your competitors or cybercriminals.<\/p>\n\n\n\n Dr. Al Marcella, president of Business Automation Consultants, LLC<\/a>, and an IT consultant with 38 years of experience in cybersecurity, risk management and risk mitigation. He says that using cryptographic tools and protocols is a must for small businesses:<\/p>\n\n\n\n \u201cImplement and consistently use strong encryption protocols on all organization sensitive, critical and essential data as well as associated, operational infrastructure. This includes desktops, laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions.\u201d<\/em> <\/p>\u2014 Dr. Al Marcella, president of Business Automation Consultants, LLC<\/strong><\/cite><\/blockquote>\n\n\n\n Basically, data encryption helps you to secure your data no matter whether it\u2019s at rest (sitting on a server somewhere) and in transit (transmitting between two endpoints):<\/p>\n\n\n\n You may be surprised to learn that using encryption isn\u2019t as complicated as it may seem. You don\u2019t have to calculate any complex mathematical equations or perform any complicated processes \u2014 you simply install some digital certificates (either on your web server or your email client), make a few selections, and you\u2019re set. The digital certificates handle the rest for you. <\/p>\n\n\n\n As you\u2019ll see, some of these cyber security tips are especially important during the ongoing Coronavirus pandemic in particular. With employers reporting that more than half of their workforces (53%) of full-time employees are working remotely due to COVID-19, according to a survey from Willis Towers Watson<\/a>, the need for secure remote access has never been more important. This is where strong network security and authentication measures<\/a> can really shine.<\/p>\n\n\n\n This means that to keep your business safe and its data secure, you need to take steps to mitigate risks and eliminate any remote connection vulnerabilities. But the tricky part is doing so without making it overly complicated for your users. If you make the security processes or tools too challenging or frustrating for users, they\u2019ll be resistant to using them.<\/p>\n\n\n\n A good place to start is to remind your employees to change their personal Wi-Fi passwords. People frequently use the default passwords that are set by their internet service providers (ISPs), which gives cybercriminals an easy avenue of attack. Limit the number of users who can access remote desktop. Also, make sure that their computers and devices are up to date and don\u2019t allow anyone to directly connect to your network without the use of a VPN.<\/p>\n\n\n\n Jacob Ansari, Senior Manager of Schellman & Company, LLC<\/a>, a global independent security and privacy compliance assessor, says that there are several other ways you can make remote connections more secure:<\/p>\n\n\n\n \u201cIdentify all of your remote access mechanisms, like VPNs, RDP, and maybe old-school stuff left floating around like VNC. Disable anything you don’t need. Set up multi-factor authentication for those that you do. Make use of MFA services like Duo or Google Authenticator or Auth0, which have low- or no-cost options for small numbers of users. Disable user accounts that aren’t used. If you rely on third parties for IT support, make sure they have to follow the same rules.\u201d<\/em> <\/p>\u2014 Jacob Ansari, senior manager of Schellman & Company, LLC.<\/strong><\/cite><\/blockquote>\n\n\n\n To kick off the third item on our list of IT and cyber security tips, let\u2019s take a moment to recognize how important a small business\u2019s identity and reputation are integral to its success. Much like with situations of personal identity theft, if your business\u2019s identity is compromised, it can deal a devastating blow. If a criminal is doing business in your name and the trust that customers place in your business is breached, you\u2019ve got a long road ahead to recovery. (That is, if your business recovers at all.)<\/p>\n\n\n\n Cybercriminals can create fake websites that look like yours to trick users into providing their personal information. They can also use phishing emails that appear to come from you or your company to deceive users into doing the same. This is why it\u2019s so essential for you to protect your identity.<\/p>\n\n\n\n But how do you stop them? This cyber security tip focuses on how you can use various authentication tools to assert your identity in different ways and prove that you are who you say you claim to be:<\/p>\n\n\n\n This type of certificate, also known as a client certificate or an S\/MIME certificate<\/a>, is useful for authenticating a specific user. Depending on how you choose to use it, this type of certificate serves a few different purposes for both email communications and website access:<\/p>\n\n\n\n A code signing certificate<\/a> enables software developers and manufacturers to prove their identities. If your software isn\u2019t signed, Windows pops up a warning message showing that your software is from an unknown publisher. When you sign your software while using a code signing certificate, you\u2019re validating your identity with a reputable third party (a commercial certificate authority) that can attest to the fact that you are who you claim to be. <\/p>\n\n\n\n We mentioned this type of certificate in our first cyber security tip. It\u2019s useful for protecting data in transit, meaning when it\u2019s transferred between two endpoints (typically, a user\u2019s web browser and your web server).<\/p>\n\n\n\n When it comes to providing access to any of your systems, including your network, you need to make sure that you can verify whether the person connecting is who they say they are. One type of tool that several of the experts we consulted sang the praises of is multi factor authentication<\/a> (MFA). This technology, which authenticates a user through two or more types of data, can include:<\/p>\n\n\n\n Alex Vovk, CEO and co-founder of Action1 Corporation<\/a>, is one of those experts who says that two-factor authentication (2FA), a type of MFA, and secure passwords make a great pair. He offers the following as one of his cyber security tips:<\/p>\n\n\n\n \u201cTwo-factor authentication is an obvious yet tremendously effective way to secure company assets. In many small and midsize companies, 2FA is neglected since the work environment is friendly and informal. That often results in identity theft \u2014 an external intruder steals user credentials and gains access to company data and resources. Enforce two-factor authentication and password complexity & expiration policies to avoid credentials abuse. Don’t leave the door wide open for attackers and rogue users!\u201d<\/em><\/p>\u2014 Alex Vovk, CEO and co-founder of Action1 Corporation<\/strong><\/cite><\/blockquote>\n\n\n\n Next on our list of cyber security tips: The best way to defend your small or mid-size business from cyber threats is to take a multi-layer approach. This should include the right mix of tools, processes, and people to operate them. Some of the basic cyber security tools include endpoint and network firewalls and antivirus solutions. However, you need to go beyond the basics and implement security measures like:<\/p>\n\n\n\n Marty Puranik, president & CEO of atlantic.net<\/a>, a web hosting solution, says that SMBs should also take advantage of behavior-based detection tools:<\/p>\n\n\n\n \u201cThese tools are more advanced than your traditional antivirus solutions. Things like endpoint detection and response can actually narrow down threats in real-time, prior to your information being compromised.\u201d<\/em><\/p>\u2014 Marty Puranik, president and CEO of Atlantic.net<\/strong><\/cite><\/blockquote>\n\n\n\n But that sounds like it can be a bit pricey \u2014 and depending on the tool you choose, it can be. So, what\u2019s a more cost-effective approach for SMBs who have big security aspirations but not a big budget to match them?<\/p>\n\n\n\n \u201cOrganizations should look to investing in a user-friendly unified security platform to easily manage all their security efforts. Complete visibility is a must for SMBs that can\u2019t afford to use SIEM solutions. In order to respond in real-time, they have to adopt a solution that detects anomalous in the network and monitors their user\u2019s activity.\u201d <\/em><\/p>\u2014 Sivan Tehila, Director of Solution Architecture of <\/strong>Perimeter 81<\/a><\/cite><\/blockquote>\n\n\n\n But cybersecurity tools aren\u2019t an end-all-be-all solution. Greg Scott<\/a>, a long-time cybersecurity professional and published author says that there\u2019s one more important thing for your cyber toolkit that can\u2019t be purchased.<\/p>\n\n\n\n \u201cTech tools count, but vigilance counts more. Firewalls, antivirus, web and spam filtering, and other technology are helpful, but attackers are clever and no substitute will ever exist for old-fashioned human vigilance.\u201d <\/em><\/p>\u2014 Greg Scott, cybersecurity professional and author<\/strong><\/cite><\/blockquote>\n\n\n\n Stacy Clements, a retired Air Force cyber operations officer and owner of Milepost 42<\/a>, says that it\u2019s critically important to keep your systems patched.<\/p>\n\n\n\n \u201cCyber criminals are constantly finding new vulnerabilities in software, so keeping systems patched is critically important. Most cyber breaches are on systems which have known vulnerabilities, and just haven’t been patched. Keep software up to date on servers, computers, and mobile devices.\u201d<\/em> <\/p>\u2014 Stacy Clements, owner of Milepost 42<\/strong><\/cite><\/blockquote>\n\n\n\n In his cyber security tips, Puranik also says that while having the right tools in place is important, they\u2019re virtually useless if you don\u2019t keep them patched and up to date via manufacturer updates:<\/p>\n\n\n\n \u201cBegin by making sure any software your employees use is up to date. A lot of software creators provide security updates for when vulnerabilities are discovered. If you’re using outdated software, you run the risk of opening the door for threats.\u201d<\/em> <\/p>\u2014 Marty Puranik, president and CEO of Atlantic.net<\/strong><\/cite><\/blockquote>\n\n\n\n One of the biggest mistakes that small businesses tend to make when it comes to cybersecurity is that they\u2019re so busy trying to focus on the technical side of things that they forget the bigger picture: What is it that you need to make sure that your business stays operational?<\/p>\n\n\n\n Knowing where your business stands in terms of its security vulnerabilities and risks<\/a> is invaluable. Performing regular vulnerability assessments can help you to identify vulnerabilities and help to protect your network from common security breaches. Risk assessments help you identify any potential risks that stem from an activity or process that you can mitigate.<\/p>\n\n\n\n Sure, you need cybersecurity tools and software that can help you stay ahead (or at least keep up with) cybercriminals. But one of the most essential things you need is your data: your intellectual property, customer information, and other sensitive data.<\/p>\n\n\n\n \u201cBackups are crucial to restoring business operations in the event of a successful breach. Use the backup rule of three \u2014 have at least three copies of essential data, on two different media, and at least one copy offsite. Also, be sure to test your backups regularly \u2014 a backup does you no good if it’s been corrupted.\u201d<\/em> <\/p>\u2014 Stacy Clements, owner of Milepost 42<\/strong><\/cite><\/blockquote>\n\n\n\n Having (and enforcing) great policies are a core element of any strong cybersecurity strategy. Part of this entails having strong cyber policies like BYOD and computer use policies, as well as a policy of least privilege.<\/p>\n\n\n\n \u201cWhile no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized host and networks, and including an enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.\u201d<\/em> <\/p>\u2014 Braden Perry, a litigation, regulatory, and government investigations attorney with <\/strong>Kennyhertz Perry, LLC<\/strong><\/a><\/cite><\/blockquote>\n\n\n\n When crap hits the proverbial fan, who are you going to call? I assure you that the Ghostbusters aren\u2019t going to be of any assistance to you. Only you can save yourself, which means that you need to have preparedness plans<\/a> in place that can be put into action at a moment\u2019s notice. Key components of this type of planning includes:<\/p>\n\n\n\n Run through exercises with your team to ensure that everyone understands their roles. Be sure to use different scenarios. This way, they know what they\u2019re responsible for doing in a variety of emergency situations.<\/p>\n\n\n\n Braden Perry, <\/strong>a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC, says that being proactive makes all the difference in the world for SMBs when it comes to response and mitigation for cyber attacks<\/a>.<\/p>\n\n\n\n \u201cIn the event of a malicious attack, a company should have systems in place to keep operational or at least backups where the company is not affected or very slightly affected. In the event of a total disruption of the business, it is too late to mitigate and you will likely see dramatic costs to the business. Being proactive rather than reactive is the key.\u201d<\/em> <\/p>\u2014 Braden Perry, a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC<\/strong><\/cite><\/blockquote>\n\n\n\n Collin Varner, senior associate at Schellman & Company, LLC, says that when it comes to protecting your organization, repetition is key to helping your team build essential habits.<\/p>\n\n\n\n \u201cAn incident response plan can address issues related to cyber attacks, data loss, and other events that bode risk to all organizations. Ensure responsibilities are defined and designated to the roles tasked with detecting and responding to security events. Frequent testing of a variety of scenarios can be carried out, allowing the individuals to be more knowledgeable in how to react when an incident occurs.\u201d <\/em><\/p>\u2014 Collin Varner, senior associate at Schellman & Company, LLC<\/strong><\/cite><\/blockquote>\n\n\n\n Cyber security insurance<\/a> can be a really great investment for many businesses. Considering that SMBs are the primary target of most cyber attacks, it never hurts to have that extra layer of protection. (Hence why it\u2019s on our list of cyber security tips.) However, buying good insurance shouldn\u2019t be the only protection that businesses have.<\/p>\n\n\n\n Steve Durbin, managing director of the Information Security Forum<\/a> in London, says that cyber insurance is a great investment but that SMBs should take the time to familiarize themselves with the particulars of each plan.<\/p>\n\n\n\n \u201cData breach liabilities are spreading quickly. As a result, I’m seeing more SMBs respond by purchasing cyber insurance, which has become a practical choice for a growing range of organizations and industry sectors. However, it is no replacement for sound cyber security and cyber resilience practices. On the contrary, well-resourced and industry and standards compliant practices can oftentimes positively reduce the associated premiums for cyber insurance.<\/em><\/p> Secondly, SMBs should certainly look cautiously at the small print. With each class action lawsuit prompted by data breach damages, case law precedents change and insurance companies adjust policies accordingly.\u201d<\/em> <\/p>\u2014 Steve Durbin, managing director of the Information Security Forum<\/strong><\/cite><\/blockquote>\n\n\n\n It\u2019s common for cybersecurity companies to talk about risk assessments \u2014 but what if those risks are coming from external sources such as third-party vendors? Collin Varner says that says that one of the best cyber security tips he can offer relates to third parties. Understanding what dependencies you may have of outsourced service vendors is prudent to managing an effective cybersecurity program:<\/p>\n\n\n\n \u201cThe attacker’s game is to exploit weak links in the operation, which may sit outside the organization’s control; therefore, remember to ensure protection of assets that are accessible by suppliers. Perform frequent security reviews in how your data is being managed and maintain an agreed level of information security standards within your agreements. It’s common practice to require your suppliers to undergo third party assessments of security performance, such as the obtainment of a SOC 2 or ISO 27001 certification.\u201d<\/em> <\/p>\u2014 Collin Varner, senior associate at Schellman & Company, LLC<\/strong><\/cite><\/blockquote>\n\n\n\n And if you don\u2019t think that giving third parties access to your network or other systems is risky, think again. Remember the Target data breach of 2013<\/a>? In that data breach, the personal and credit card data of 40 million customer accounts was exposed when the retail giant\u2019s POS system was breached using a third-party vendor\u2019s stolen credentials. Basically, the attacker used an HVAC vendor\u2019s login info to access Target\u2019s network.<\/p>\n\n\n\n The bottom line here is to make sure that any vendors you work with and give any level of access to takes security seriously. <\/p>\n\n\n\n Probably one of the most important (and recommended) cyber security tips that we were given relates to education. Cyber awareness training teaches your employees how to recognize a variety of cybersecurity threats and how to operate safely online. But what should that kind of training entail for small businesses?<\/p>\n\n\n\n \u201cYour company should plan a training program that helps the employees to understand the mechanism of spam, phishing, ransomware, malware, and many other forms of cyberattacks. One such attack is triggered then the knowledge in their day-to-day job will help them to resolve. Educating new employees and continuing to educate all employees about the Cybersecurity with educational videos, infographics, about recent breaches, etc. can help to understand it better.\u201d<\/em> <\/p>\u2014 Shagun Chauhan, Business Consultant, iFour Technolab Pvt Ltd<\/a><\/strong><\/cite><\/blockquote>\n\n\n\n Part of this training should include showing how phishing emails<\/a> aren\u2019t all just poorly written, typo-filled ramblings. Cybercriminals create simple yet effective phishing emails that appear legitimate through the use of social engineering techniques. They apply new approaches to old methods; essentially, they just put a new shade of lipstick on a pig.<\/p>\n\n\n\n Cindy Murphy, president of digital forensics at Tetra Defense<\/a>, says that it\u2019s not so much the attack methods that are changing as it is the messaging cybercriminals are using:<\/p>\n\n\n\n \u201cScammers are still predominantly using email to deceive their victims. What\u2019s new in this era is the fraudulent messaging within the emails: the CDC asks for donations in Bitcoin. Your COVID-19 Tax Relief Documents are available on this (fake) website. A doctor from the World Health Organization has \u2018drug advice\u2019 if you click here. This is social engineering at its worst \u2014 and unfortunately, it\u2019s more likely to work in these uncertain times.<\/em><\/p> People haven\u2019t become more gullible in the past three and a half months; they\u2019ve become used to big changes in small messages. When the next news headlines could be a matter of safety or sickness, it\u2019s much easier to believe information that appears right in your inbox.\u201d<\/em> <\/p>\u2014 Cindy Murphy, president of digital forensics at Tetra Defense<\/strong><\/cite><\/blockquote>\n\n\n\n But what are the biggest challenges facing SMBs regarding cyber awareness training? Alan Duric, co-founder and CTO of Wire<\/a> says that it\u2019s helping employees connect the dots between what they learn and how it applies to their daily work lives.<\/p>\n\n\n\n \u201cThere is a common disparity between perceived security and actual security in day-to-day business interactions. This is often due to a knowledge gap for non security professionals \u2014 in fact a survey found that <\/em>70% of business professionals<\/em><\/a> said it was normal to discuss company confidential information on calls, despite the fact that many popular solutions don\u2019t offer end-to-end encryption by default.\u201d<\/em> <\/p>\u2014 Alan Duric, co-founder and CTO of Wire<\/strong><\/cite><\/blockquote>\n\n\n\n Making the decision about whether to outsource your cybersecurity needs or hire someone in house is a choice that\u2019s very specific to your company\u2019s needs. In their cyber security tips, some experts might argue that outsourcing your IT and cybersecurity needs to a third-party vendor is the best option for small businesses because you\u2019re paying less to get access to more. However, there\u2019s a lot of debate within the industry about whether this type of generalization should be painted in such broad strokes.<\/p>\n\n\n\n In our last of the 10 steps to better cyber security, we share a suggestion from a security analyst and ethical hacker, Chelsea Brown. As the CEO and founder of Digital Mom Talk<\/a>, brown is quick to argue that you may be doing your business more harm than good in the long run by outsourcing your IT team:<\/p>\n\n\n\n \u201cDespite what any business thinks, outsourcing your entire IT department over the long haul is not good. A better option is to take the IT employees you currently have and help them get the training they need to better protect your growing enterprise. By investing in your current employees, many become loyal to you and you can see a bigger return on your investment over time. Help these employees become more valuable to your organization by giving them the training they need to better protect your business from the cyber threats.\u201d<\/em> <\/p>\u2014 Chelsea Brown, CEO and founder of Digital Mom Talk<\/strong><\/cite><\/blockquote>\n\n\n\n Brown also mentions several great certifications that can help your team improve their security knowledge and skills, including:<\/p>\n\n\n\nTip #2: Make Remote Access as Secure (and Easy) as Possible for Users<\/h3>\n\n\n\n
![\"\"](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/cyber-security-tips-use-vpn.png\")
Tip #3: Use Authentication Tools to Prove Your Identity<\/h3>\n\n\n\n
Install Personal Authentication Certificates for Your Employees<\/h4>\n\n\n\n
Sign All Software Using a Code Signing Certificate<\/h4>\n\n\n\n
Install a Website Security Certificate (AKA an SSL\/TLS Certificate) on Your Web Server<\/h4>\n\n\n\n
Tip #4: Authenticate All Users and Restrict Access<\/h3>\n\n\n\n
![\"\"](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/biometric-authentication-cyber-security-tips.png\")
Tip #5: Use a Multi-Layered Approach to Cyber Security<\/h3>\n\n\n\n
Tip #6: Keep Your Software, Hardware and Firmware Current<\/h3>\n\n\n\n
Tip #7: Prepare for the Worst, Hope for the Best<\/h3>\n\n\n\n
![\"Graphic](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/checklist.png\")
<\/figure><\/div>\n\n\n\nPerform Regular Vulnerability and Risk Assessments<\/h4>\n\n\n\n
Maintain Current Data Backups<\/h4>\n\n\n\n
Develop, Execute and Enforce Cybersecurity Strategies and Policies<\/h4>\n\n\n\n
Have Plans and People in Place to Respond When Things Go Wrong<\/h4>\n\n\n\n
Consider Cyber Insurance (But Don\u2019t Substitute It for Good Cyber Security Practices)<\/h4>\n\n\n\n
Tip #8: Assess and Know Your Third-Party Risks<\/h3>\n\n\n\n
Tip #9: Train Employees to Recognize Threats<\/h3>\n\n\n\n
Tip #10: Invest in Your IT Team<\/h3>\n\n\n\n