As a small business owner, you're likely more focused on how to increase your reach or how to get more customers than you are concerned about protecting your business from a ransomware attack or a data breach. You aren't alone. Digital.com conducted research revealing that 51% of small businesses had no cyber security procedures in place. A quick look at Verizon's 2021 Data Breach Investigations Report will show why that's a major problem. It's estimated that 46% of all data breaches targeted small or medium-sized businesses.
Both IBM and the Ponemon Institute report that the cost of a data breach increased 10% from 2020 to 2021, which highlights the risk facing small business owners like yourself. Do you have the capital to recover from a breach of customer data, such as credit card information? That same research showed that the cost of a cyber incident fell between $826 and $653,587 in 95% of all attacks on small or medium-sized businesses, but that doesn't have to be a foregone conclusion. We've put together some small business cybersecurity best practices to help you protect your business.
Why Small Businesses?
It's no wonder that small businesses present such an attractive target. They possess far more sensitive data than the average individual, but at the same time, they also lack the higher levels of IT security and cyber security that large corporations invest in to protect their customer information. A cybercriminal that can gain access to your network or operating system can cause physical damage to your systems or enough reputational damage to sink your business. That's why these small business cybersecurity best practices are essential to securely structuring your network and securing sensitive information.
Small Business Cyber Threats
The threat profile facing small businesses is much the same as that of larger enterprises. The difference is that they rarely have expert staff on hand to defend against those threats and respond to any cyber incidents. Here are some of the common attacks used to target small businesses.
Malicious Software
Though it is more commonly known as malware, malicious software is any program that performs actions against the interests of the device owner, or that was otherwise designed to take some sort of nefarious action. This can include programs such as:
- Adware – tracks your online activity to serve you targeted advertisements
- Ransomware – encrypts the data on a device or across a network and locks out all users until a ransom is paid
- Keyloggers – record all keystroke input and transmit it back to the attacker
Network Attacks
There are several types of cyber attacks that can target networks or users who think they're browsing the network securely. Bad actors who can gain access to your network have free rein to intercept all network traffic and the sensitive information being transmitted through it. Man-in-the-middle attacks can be carried out by attackers who set up a cloned or twin network to trick unsuspecting users into connecting to it, or your network may be targeted directly through hacking. Regardless of the method used, protecting your business means protecting both your internal and public-facing WiFi networks and ensuring that your employees browse any network securely when using a mobile device that contains sensitive company data.
Account Compromise
Compromised access credentials are a goldmine for cybercriminals. They can be obtained through phishing emails or other social engineering scams, password attacks, or some of the malware programs mentioned above. Once obtained, a compromised account hands the criminal all of the access and permissions that the account is entitled to, without triggering most of the warning signs that the average small business owner would have put in place, such as an antivirus program.
Small Business Best Practices
We listed those common threat vectors not to scare you but to help you truly appreciate the depth and breadth of the threat facing your small business. Protecting your business, customer information, credit card data, and other sensitive information comes down to preparation. It's unlikely that you can thwart a determined attacker; the Rockstar Games hack was conducted by a teenager using only a Fire TV stick, a hotel TV, and his mobile phone, but the goal is to harden the target and encourage attackers to look for a less challenging victim. By implementing some of these small business cybersecurity best practices that we've put together, you'll be well prepared and hopefully present an imposing enough image to accomplish just that.
Require Multi-factor Authentication
Multi-factor authentication (MFA), such as authenticator codes or text/email passcodes, is a must for all credentialed logins. Any type of MFA is a difficult challenge for attackers to overcome, but many times it can still be defeated through phishing. The Cybersecurity and Infrastructure Security Agency (CISA) recommends using FIDO authentication, which uses your device unlock code or biometric features to verify your identity. This makes it the gold standard of MFA and virtually phishing-proof. One point to drive this best practice home is that MFA cannot be on the honor system; it must be administratively mandated both in policy and by IT, requiring it for every account.
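One way to check that MFA really is mandated for every account rather than left to the honor system is to audit an enrollment export from your identity provider. This is an added example, not code from the original post; the CSV columns, the method names and the sample accounts are constructed assumptions, and FIDO/WebAuthn methods are treated as phishing-resistant in line with the CISA guidance above.

```python
"""Audit an MFA enrollment export against an 'MFA for every account' policy.
Added example; the export layout and method names are constructed assumptions."""
import csv
import io

# Methods treated as phishing-resistant (FIDO-based). Everything else
# (TOTP, push, SMS, email) still counts as MFA but can be phished.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey"}

# Constructed sample export; a real identity provider's export will differ.
SAMPLE_EXPORT = """user,role,mfa_methods
alice,admin,fido2
bob,staff,totp
carol,staff,
dave,admin,sms;totp
erin,staff,push
"""


def audit_mfa(export_text):
    """Return findings: accounts with no MFA at all, accounts whose only MFA
    is phishable, and admin accounts lacking a phishing-resistant method."""
    findings = {"no_mfa": [], "phishable_only": [], "admin_not_resistant": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        resistant = methods & PHISHING_RESISTANT
        if not methods:
            findings["no_mfa"].append(row["user"])
        elif not resistant:
            findings["phishable_only"].append(row["user"])
        if row["role"] == "admin" and not resistant:
            findings["admin_not_resistant"].append(row["user"])
    return findings


def policy_passes(findings):
    """The post's rule: MFA is required for every account, so a single
    account with no MFA enrolled fails the policy outright."""
    return not findings["no_mfa"]


if __name__ == "__main__":
    result = audit_mfa(SAMPLE_EXPORT)
    for category, users in result.items():
        print(f"{category}: {', '.join(users) or 'none'}")
    print("policy passes:", policy_passes(result))
```

Run the audit on a schedule and treat any entry in the no_mfa list as a policy violation to be fixed by IT, not as a reminder to the user.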
Install Security Programs
We made this vague to encompass the variety of cybersecurity programs out there. Your budget will likely be your guide here, but you should consider antivirus, anti-malware, network traffic monitoring, and endpoint detection and management software. Even all-in-one cybersecurity suites provide most, if not all, of those features.
Backup Data
At least daily, your sensitive information should be backed up to a secure, encrypted, offline location. This makes it far less likely that a ransomware attack will leave you tempted to pay the ransom. Losing less than 24 hours of data is not worth the steep ransom typically demanded, and it is definitely not worth paying when there's no guarantee your systems will actually be decrypted.
Conduct Risk Assessments
This is another recurring item, but you must regularly conduct risk assessments. On an annual basis, evaluate your cybersecurity posture and actual practices and see where gaps may occur. You can then make informed decisions on where to take your cybersecurity program.
Create Cybersecurity Policy
With functional risk assessments, you can establish policies that cement these cybersecurity best practices meaningfully. This should include policies on approved mobile devices, whether bring-your-own-device use is acceptable, and restrictions on the acceptable use of company-owned or personally-owned mobile devices. You should also include requirements for strong passwords, password vaults, and MFA. Providing training that explains the reasoning behind the policy is integral to getting buy-in from your staff, and enforcing the policy through technical means and monitoring is a must.
Formulate an Incident Response Plan
Failing to plan for a possible cyber incident is planning to fail. Establishing an incident response plan and providing quality training on it removes the uncertainty from the hectic aftermath of a cyber incident. In addition to the plan creation and training, running organized tabletop exercises involving all employees, contractors, and outside personnel involved in the response should occur on at least an annual basis, but quarterly is ideal.
At E-Marketing Associates, we specialize in the challenges facing small businesses. Whether you're looking for assistance in a specific website design for small business needs, social media strategies, or increasing your website ranking through SEO, our digital marketing experts can assemble a program for your needs. We also publish a small business newsletter with all sorts of useful information for small business owners. Contact us today to see what we can do for your small business.