Small businesses are tempted to assume they will fly under the radar and not be targeted by hackers simply because they are small. Unfortunately, the reality is that small businesses are the target of more than 50% of cyberattacks, largely because they don't focus on security. Cybersecurity isn't something small businesses can skimp on.
The big challenge when it comes to cybersecurity is the constantly shifting threats that businesses face. As soon as your business is safe against one, another threat pops up. That adds to your IT and security staff’s workload – not only do they have to respond to threats they face right now, but they always have to be on the lookout for what’s next on the horizon. It’s exhausting. And not an efficient way to run a business.
The good news is that there are steps you (and your employees) can take to increase your overall security.
What do you need to consider when it comes to small business security?
As mentioned, keeping your business safe can be a lot of work, but it’s not impossible. If you get the whole team on board with keeping your business safe, the little efforts made by everyone can be the difference between a small incident and a major hack.
1. Employee training and education
As many as 95% of all cyberattacks on small businesses are attributed to human error. These errors happen because humans aren’t paying enough attention, they’re using poor passwords or they just have a moment where they let their guard down. Whatever the reason, taking the time to train your employees in basic cybersecurity measures can have a huge impact on your business.
You want to make sure employees are learning about the newest threats, the kinds of attacks being used, and what they can do to help prevent them (including setting up strong passwords). A good cyber training program takes this one step further and includes hands-on drills where employees are sent fake phishing emails (for example). Phishing emails are emails sent by cybercriminals that look real but are designed to trick users into revealing passwords or clicking on bad links.
2. Regularly update software and hardware
As much as it seems like our computers and the software we use always need an update, these updates are critical to keeping your systems as secure as possible. Updates (also known as patches, or firmware updates in the case of hardware) are often released to fix vulnerabilities that have been discovered in a piece of hardware or software. If you don't install them regularly, you leave your systems open to attack, because hackers exploit exactly these known issues to gain access. Where possible, turn on automatic updates, and keep a list of every device and application in use so that nothing (an old router, a forgotten laptop) is left unpatched.
3. Securing your WiFi
Network security is a huge part of keeping your business safe. But if the only thing keeping hackers from your system is a lazy WiFi password (like your mom’s birthday), or worse, the system’s default password, then you’re basically leaving your business open to attack.
A weak WiFi password wouldn't be so bad if, once inside, attackers found their access was limited. But more often than not, our wireless networks act as the gateway to all our business data. The key is strong protection for the network itself (WPA2 or WPA3 with a long passphrase, and the router's default administrator password changed) and for everything that connects to it, including Internet of Things (IoT) devices. The IoT includes any device connected to the internet, from lightbulbs to cell phones. The problem is that many of these devices are relatively easy to crack because they ship with poor default security and, once cracked, they provide a foothold on your internal network. Put IoT devices and visitors on a separate guest network so that a compromised lightbulb cannot reach the computer holding your customer data.
4. Access control
As mentioned above, one of the ways you can limit the damage attackers do when they get into your system is to limit access. What this means is that should a hacker breach your network, they can only see a small part of it. It’s kind of like someone breaking into your house, but only being able to access the coatroom.
You can limit access by using an access model like role-based access control (RBAC). At its core, RBAC means that any given user only has access to the parts of your system that they need to do their job, and everything else is denied by default. In other words, it's like giving employees keys (or key cards) that only open the doors they need for work. You're not giving the network tech the key to the boiler room, just like you're not giving the plumber the keys to the network room. Review who holds which role whenever someone changes jobs or leaves, because stale access is the part of RBAC that most often quietly breaks.
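The "keys that only open the doors you need" idea, as an added example (not code from the original article or from Kaytuso): a deny-by-default RBAC check in Python. The roles, users and resources are constructed for illustration; the `blast_radius` helper shows what an attacker gains if one employee's credentials are phished, which is exactly the point of limiting access.

```python
"""Minimal role-based access control (RBAC) check.

Added example, not code from the original article: roles map to the
(resource, action) pairs they are allowed, and anything not listed is
denied. Roles, users and resources below are constructed sample data.
"""

# Each role maps to the set of (resource, action) pairs it is allowed.
# Anything not listed is denied: that is the least-privilege default.
ROLE_PERMISSIONS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "accounting": {("ledger", "read"), ("ledger", "write"), ("crm", "read")},
    "it_admin": {("network_config", "read"), ("network_config", "write"),
                 ("crm", "read"), ("ledger", "read")},
    # Even the CEO role only reads business data and cannot touch the
    # network configuration (the "boiler room" the network tech owns).
    "ceo": {("crm", "read"), ("ledger", "read")},
}

# Constructed user directory: a user may hold more than one role.
USER_ROLES = {
    "alice": {"sales"},
    "bob": {"accounting"},
    "carol": {"it_admin"},
    "dave": {"ceo"},
}


def is_allowed(user, resource, action):
    """Return True only if some role held by `user` grants (resource, action)."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    # Deny by default: unknown users, unknown roles and unlisted actions get nothing.
    return False


def blast_radius(user):
    """Resources an attacker could reach with this user's stolen credentials."""
    reachable = set()
    for role in USER_ROLES.get(user, set()):
        reachable |= {res for res, _ in ROLE_PERMISSIONS.get(role, set())}
    return sorted(reachable)


if __name__ == "__main__":
    requests = [
        ("alice", "crm", "write"),
        ("alice", "ledger", "read"),
        ("dave", "network_config", "write"),
        ("mallory", "crm", "read"),  # not in the directory at all
    ]
    for user, resource, action in requests:
        verdict = "allow" if is_allowed(user, resource, action) else "DENY"
        print(f"{user:8} {action:5} {resource:15} -> {verdict}")
    print("If alice's password is phished, the attacker reaches:",
          blast_radius("alice"))
```

The check is a plain set lookup, so adding a role or a resource never grants anything by accident; the only way to widen access is to add a pair to `ROLE_PERMISSIONS` or a role to `USER_ROLES`, both of which are easy to review.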
5. Backups and disaster recovery
Everybody knows the importance of backups, but they are easy to neglect when left up to individual employees. Backups are copies of the important data in your system (files employees use, network configuration, customer data, and so on) that are stored off the network, to be used if something happens: an office fire or an earthquake, for example.
Regular, automated backups ensure that, if something goes wrong, there is a current, uninfected copy of all your business data. The idea is that if something does happen, you wipe the affected systems clean and restore from the most recent backup; the more current the backup, the less you lose. Two checks matter here. First, at least one copy must be offline or otherwise unreachable from the normal network, because ransomware that can reach a backup share will encrypt it along with everything else. Second, test restores regularly: a backup that has never been restored is an assumption, not a safeguard.
Disaster recovery involves using backups, but there’s a little more to it. A comprehensive Disaster Recovery Plan includes a full suite of tools, procedures, and policies that enable a company to quickly respond to cyberattacks, natural disasters, or other incidents that can shut down a business. A good policy includes a mix of practices like regular backups and risk evaluations to help reduce the impact of an event.
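The two checks a practitioner wants from a backup, an integrity record and a proven restore, as an added example in Python (not the article's or any vendor's code). It tars a directory, writes a SHA-256 manifest beside the archive, and then restores into a scratch directory and compares every file against the manifest. The sample files and the "stale manifest" scenario in `demo()` are constructed for illustration.

```python
"""Backup with an integrity manifest and a restore test.

Added example, not code from the original article. Everything runs in a
temporary directory with constructed sample files, so it is safe to run.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Tar `src_dir` into `archive_path`; return and save a {relpath: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path):
    """Restore into a scratch directory and compare every file to the manifest.

    Returns (ok, problems). ok is False if any file is missing or altered.
    """
    with open(archive_path + ".manifest.json") as handle:
        manifest = json.load(handle)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+) refuses path traversal entries.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"modified: {rel}")
    return (not problems, problems)


def demo():
    """Back up constructed sample data, verify it, then show a mismatch being caught.

    Returns (clean_ok, stale_ok, stale_problems).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "invoices"))
        # Constructed sample business files.
        with open(os.path.join(src, "customers.csv"), "w") as handle:
            handle.write("id,name\n1,Example Corp\n")
        with open(os.path.join(src, "invoices", "2024-q1.txt"), "w") as handle:
            handle.write("INV-001 paid\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)
        clean_ok, _ = verify_restore(archive)

        # Simulate an archive that was overwritten after its manifest was
        # recorded: the restore test must report the file that no longer matches.
        manifest_path = archive + ".manifest.json"
        with open(manifest_path) as handle:
            original_manifest = handle.read()
        with open(os.path.join(src, "customers.csv"), "a") as handle:
            handle.write("2,Mallory Ltd\n")
        make_backup(src, archive)  # rewrites archive and manifest
        with open(manifest_path, "w") as handle:
            handle.write(original_manifest)  # put the stale manifest back
        stale_ok, problems = verify_restore(archive)
    return clean_ok, stale_ok, problems


if __name__ == "__main__":
    print(demo())  # (True, False, ['modified: customers.csv'])
```

In practice the manifest should be stored with the offline copy, and the restore test should run on a schedule rather than only when the backup is created, so that media failure or a silently corrupted archive is noticed before the day you actually need it.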
6. Create a culture of security
The best thing you can do, really, is to create a culture within your company where every employee embraces security as a part of their job. Education plays a huge part in this. But it’s also making sure that everyone within the company is on the same page. You want the CEO to have the same strong password habits that employees have, to not only set an example, but also to prevent people from becoming complacent about security.
The more effort everyone in your company puts into good security practices, the safer your valuable customer data will be.
7. Good password hygiene
People know that passwords need to be strong to be effective, but strong passwords are hard to remember, so people tend to pick things they won't forget. The trouble is that weak passwords are easy to crack and can leave your system open to attackers.
Teaching your staff how to choose a strong password can be the difference between an attacker getting into your network and your business staying safe. The best way to do this is to build a culture around strong passwords, backed by a company-wide policy on length and on what is not acceptable. Note that current guidance (NIST SP 800-63B) recommends against forcing passwords to be changed on a fixed schedule: scheduled rotation pushes people toward small, predictable variations, reuse of old passwords, or, worse, sticky notes taped to the monitor. Instead, require long passwords or passphrases, screen new passwords against lists of breached passwords, change a password promptly when there is any sign it was exposed, give staff a password manager, and turn on multi-factor authentication wherever it is offered.
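What a password policy of that kind looks like when written down as a check, as an added example in Python (not code from the original article). It enforces a minimum length, rejects passwords that appear in a breached-password list or contain the username, and blocks reuse of a user's previous passwords, rather than relying on character-class rules or a calendar-based change date. The breached list and the password history are constructed sample data.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not code from the original article. The breached-password
list and the reuse history are constructed stand-ins.
"""
import hashlib

MIN_LENGTH = 12
MAX_LENGTH = 128  # allow long passphrases; never force people to shorten them

# Constructed stand-in for a breached-password feed. A real deployment would
# check against a large published list rather than a handful of entries.
BREACHED = {"password", "password123", "welcome1", "summer2024", "letmein",
            "qwerty123", "iloveyou", "admin"}

SYMBOLS = "!@#$%^&*.-_ "
DIGITS = "0123456789"


def _fingerprint(password):
    """Hash kept in the reuse history so plaintext passwords are never stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _variants(password):
    """Forms of the password to look up in the breached list.

    Lower-cased, then with trailing symbols and digits stripped, so that
    'Summer2024!!' still matches 'summer2024' and 'Password1!' matches 'password'.
    """
    lowered = password.lower()
    no_symbols = lowered.rstrip(SYMBOLS)
    return {lowered, no_symbols, no_symbols.rstrip(DIGITS)}


def check_password(password, username, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if _variants(password) & BREACHED:
        problems.append("appears in a breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password.lower())) < 4:
        problems.append("too repetitive")
    if _fingerprint(password) in history:
        problems.append("was used before")
    return problems


def record_password(history, password):
    """Return the history with this password's fingerprint added (last 10 kept)."""
    return (tuple(history) + (_fingerprint(password),))[-10:]


if __name__ == "__main__":
    samples = ["correct horse battery staple", "P@ssw0rd!", "Summer2024!!",
               "alice-loves-cats-2024", "aaaaaaaaaaaa"]
    for candidate in samples:
        verdict = check_password(candidate, "alice") or ["ok"]
        print(f"{candidate!r:32} -> {', '.join(verdict)}")
```

The point of the `_variants` step is that people who are forced to "add a number and a symbol" produce exactly these suffixes, so a breached-list check that only looks for an exact match misses most of the passwords it was meant to catch.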
8. Physical security
This is the one everyone forgets, but there is a physical component to cybersecurity. Making sure the building where your data is kept is secure is a hugely important part of keeping your business safe. All the firewalls and monitoring in the world don't mean a thing if your server room is in a building out back that anyone can walk into. That scenario is a bit of an exaggeration, but the point stands: physical security means no one can get into your building, reach your servers, and walk out with your information without a key.
Similar to access control (discussed above), you need to be sure people can only access what they need to do their jobs. Most of your employees aren’t going to need access to the server room (including the CEO), so using a system that keeps them out keeps your business safe. Simple things like requiring visitors not only be buzzed in but signed in are also good security practices.
A managed security service provider can help
Even though these tips are all relatively simple, staying on top of everything you need to do to keep your small business safe can be a huge challenge. There are only so many hours in the day and you need to be as focused on running your business as possible (as does your team).
That’s where a managed security services provider (MSSP) can help. An MSSP, like Kaytuso our MSSP division, can handle details like staff training and security drills, ensuring network access is properly restricted, keeping your hardware and software updated, and managing your disaster recovery efforts.
Not only that, but Kaytuso can also ensure your network is proactively monitored 24/7, and that you’re fully compliant with all the regulations that apply to your business or industry. Best of all, they do all that for one low price a month.
If you’re ready to protect your small business from cyberattacks, contact us today.
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.