Sourced from Kaspersky
Cyber threats aren’t just a problem for big corporations and governments – small businesses can be targets too. In fact, there is evidence that small businesses are more vulnerable to cyberattacks, not least because they sometimes lack the resources to protect themselves effectively.
It’s important to protect your business from cyberattacks, but with the cyber landscape evolving all the time, it can be daunting to know where to start. Here’s a guide to help small businesses navigate the world of cyber threats.
Why is cyber security so important for small businesses?
Cyberattacks put your money, data, and IT equipment at risk. If a hacker gains access to your network, they can inflict significant damage with what they find, such as:
• Access to customer lists
• Customer credit card information
• Your company’s banking details
• Your pricing structure
• Product designs
• Business growth plans
• Manufacturing processes
• Other types of intellectual property
These attacks don’t just put your company at risk. Hackers may use their access to your network as a stepping stone into the networks of other companies whose supply chains your business forms part of.
As more people around the world work remotely, cyber security for business has become even more important. Many small businesses use cloud-based technology and tools for their daily operations – including online meetings, advertising, buying and selling, communicating with customers and suppliers, and banking transactions. For both financial and reputational reasons, it’s essential to protect your data and cloud-based systems from unauthorized breaches or hacks.
What is the impact of cyberattacks on small businesses?
A cyberattack can have a devastating impact on your business. In fact, 60% of small businesses that fall victim to an attack shut down within six months after the breach. While that may be the most drastic potential result of an attack, there are other consequences that your business could experience, including:
• Financial losses from theft of banking information
• Financial losses from disruption of business
• High costs to rid your network of threats
• Damage to your reputation after telling customers their information was compromised
Cybersecurity tips for small businesses
As a small business, you might feel helpless against cyberattacks. Fortunately, you can take steps to protect your company by keeping up with the latest security ideas for businesses. Here are some essential business cybersecurity tips:
1: Train your employees
Employees can leave your business vulnerable to an attack. While precise statistics vary by country and industry sector, it is unquestionably the case that a high proportion of data breaches are caused by insiders who either maliciously or carelessly give cybercriminals access to your networks.
There are many scenarios that could result in employee-initiated attacks. For instance, an employee might lose a work tablet or disclose login credentials. Employees may also mistakenly open fraudulent emails, which can deploy viruses on your business’ network.
To protect against threats from within, invest in cybersecurity training for your employees. For example, teach staff the importance of using strong passwords and how to spot phishing emails. Establish clear policies describing how to handle and protect customer information and other vital data.
2: Carry out risk assessment
Evaluate potential risks that might compromise the security of your company’s networks, systems, and information. Identifying and analyzing possible threats can help you devise a plan to plug security gaps.
As part of your risk assessment, determine where and how your data is stored and who has access to it. Identify who may want to access the data and how they may try to obtain it. If your business data is stored in the cloud, you could ask your cloud storage provider to help with your risk assessment. Establish the risk levels of possible events and how breaches could potentially impact your company.
Once this analysis is complete and you have identified threats, use the information you have collated to develop or refine your security strategy. Review and update this strategy at regular intervals and whenever you make changes to information storage and usage. This ensures your data is always protected to the best of your ability.
Cybersecurity tips for small businesses
As a small business, you might feel helpless against cyberattacks. Fortunately, you can take steps to protect your company by keeping up with the latest security ideas for businesses. Here are some essential business cybersecurity tips:
1: Train your employees
Employees can leave your business vulnerable to an attack. While precise statistics vary by country and industry sector, it is unquestionably the case that a high proportion of data breaches are caused by insiders who either maliciously or carelessly give cybercriminals access to your networks.
There are many scenarios that could result in employee-initiated attacks. For instance, an employee might lose a work tablet or disclose login credentials. Employees may also mistakenly open fraudulent emails, which can deploy viruses on your business’ network.
To protect against threats from within, invest in cybersecurity training for your employees. For example, teach staff the importance of using strong passwords and how to spot phishing emails. Establish clear policies describing how to handle and protect customer information and other vital data.
2: Carry out risk assessment
Evaluate potential risks that might compromise the security of your company’s networks, systems, and information. Identifying and analyzing possible threats can help you devise a plan to plug security gaps.
As part of your risk assessment, determine where and how your data is stored and who has access to it. Identify who may want to access the data and how they may try to obtain it. If your business data is stored in the cloud, you could ask your cloud storage provider to help with your risk assessment. Establish the risk levels of possible events and how breaches could potentially impact your company.
Once this analysis is complete and you have identified threats, use the information you have collated to develop or refine your security strategy. Review and update this strategy at regular intervals and whenever you make changes to information storage and usage. This ensures your data is always protected to the best of your ability.
3: Deploy antivirus software
Choose antivirus software that can protect all your devices from viruses, spyware, ransomware, and phishing scams. Make sure the software not only offers protection, but also technology that helps you clean devices as needed and resets them to their pre-infected state. It’s important to keep your antivirus updated to stay safe from the latest cyber threats and patch any vulnerabilities.
4: Keep software updated
As well as antivirus, all the software you use to keep your business running should be kept up-to-date. Vendors regularly update their software to strengthen it or add patches that close security vulnerabilities. Bear in mind that some software, such as a Wi-Fi router’s firmware, may need to be manually updated. Without new security patches, a router – and the devices connected to it – remain vulnerable.
5: Back up your files regularly
Does your company back up its files? If a cyberattack happens, data could be compromised or deleted. If that happened, could your business still run? Don’t forget to consider the amount of data that may be stored on laptops and cell phones – without this, many businesses wouldn’t be able to function.
To help, make use of a backup program that automatically copies your files to storage. In the event of an attack, you can restore all your files from your backups. Choose a program that gives you the ability to schedule or automate the backup process so you don’t have to remember to do it. Store copies of backups offline so they don’t become encrypted or inaccessible if your system suffers a ransomware attack.
6: Encrypt key information
If your business deals with data relating to credit cards, bank accounts, and other sensitive information on a regular basis, it’s good practice to have an encryption program in place. Encryption keeps data safe by altering information on the device into unreadable codes.
Encryption is designed with a worst-case scenario in mind: even if your data is stolen, it would be useless to the hacker as they wouldn’t have the keys to decrypt the data and decipher the information. That’s a sensible security precaution in a world where billions of records are exposed every year.
7: Limit access to sensitive data
Within your business, restrict the number of people with access to critical data to a minimum. This will minimize the impact of a data breach and reduce the possibility of bad faith actors from within the company gaining authorized access to data. Set out a plan which outlines which individuals have access to certain levels of information, so that roles and accountability are clear to all involved.
8: Secure your Wi-Fi network
If your business is using the WEP (Wired Equivalent Privacy) network, make sure you switch to WPA2 or more later, as these versions are more secure. It’s likely that you’re already using WPA2 but some businesses neglect to upgrade their infrastructure – so it’s worth checking to be sure. You can read more about WEP versus WPA in our guide.
You can protect your Wi-Fi network from breaches by hackers by changing the name of your wireless access point or router, also known as the Service Set Identifier (SSID). You can use a complex Pre-shared Key (PSK) passphrase for additional security.
9: Ensure a strong password policy
Ensure that all employees use a strong password on all devices that contain sensitive information. A strong password is at least 15 characters in length – ideally more – and contains a mix of upper- and lower-case letters, numbers, and symbols. The more difficult it is to crack a password, the less likely a brute force attack will be successful.
You should also put in place a policy to change passwords at regular intervals (at least quarterly). As an additional measure, small businesses should enable multi-factor authentication (MFA) on employees’ devices and apps.
10: Use password managers
Using strong passwords which are unique to every device or account quickly becomes difficult to remember. The need to remember and type out lengthy passwords each time can also slow your employees down. That’s why many businesses use password management tools.
A password manager stores your passwords for you, automatically generating the correct username, password and even security question answers that you need to log into websites or apps. This means users only have to remember a single PIN or master password to access their vault of login information. Many password managers also guide users away from weak or re-used passwords and remind you to change them regularly.
11: Use a firewall
A firewall protects hardware as well as software, which is a benefit to any company with its own physical servers. A firewall also works by blocking or deterring viruses from entering your network. This is in contrast to an antivirus which works by targeting the software affected by a virus that has already gotten through.
Ensuring a firewall is in place protects your business’s network traffic – both inbound and outbound. It can stop hackers from attacking your network by blocking certain websites. It can also be programmed so that sending out sensitive data and confidential emails from your company’s network is restricted.
Once your firewall is installed, remember to keep it up-to-date. Check regularly that it has the latest updates for software or firmware.
12: Use a Virtual Private Network (VPN)
A Virtual Private Network provides another layer of security for your business. VPNs allow employees to access your company’s network securely when working remotely or travelling. They do this by funnelling your data and IP address through another secure connection in between your own internet connection and the actual website or online service you need to access. They are especially useful when using public internet connections – such as in coffee shops, airports, or Airbnb’s – which can be vulnerable to hackers. A VPN gives users a secure connection which separates hackers from the data they are hoping to steal.
13: Guard against physical theft
While you need to be mindful of hackers trying to breach your network, don’t forget that your hardware can be stolen too. Unauthorized individuals should be prevented from gaining access to business devices such as laptops, PCs, scanners, and so on. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft. Ensure all your employees understand the importance of any data that might be stored on their cell phones or laptops when out and about.
For devices used by multiple employees, consider creating separate user accounts and profiles for additional protection. It’s also a good idea to set up remote wiping – this allows you to remotely delete the data on a lost or stolen device.
14: Don’t overlook mobile devices
Mobile devices create security challenges, especially if they hold sensitive information or can access the corporate network. Yet they can sometimes be overlooked when businesses are planning their cybersecurity. Ask your employees to password-protect their mobile devices, install security apps, and encrypt their data to stop criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen phones and tablets.
15: Ensure third parties who deal with you are also secure
Be wary of other businesses such as partners or suppliers who may be granted access to your systems. Make sure they are following similar practices to you. Don’t be afraid to check before you grant access to anybody.
What to look for in a cybersecurity company
For many small businesses, cybersecurity is not necessarily their core focus. It’s understandable if you need help with cybersecurity – after all, you have a business to run. But how do you know what to look for in a cybersecurity company? Here are some key attributes to look out for:
Independent tests and reviews:
A cybersecurity company could dazzle you with technical jargon and an impressive marketing campaign, so it’s important to look at independent tests and reviews. The best cybersecurity firms want their products tested and are happy to share the results.
Avoid cheap options:
You want to avoid a company that comes in, installs software and then disappears. Additionally, a company claiming to specialize only in one field without offering additional products or support can’t provide the protection you need.
Extra support:
Whether a threat has been detected or you are having trouble backing up your files, you want a company that offers a decent level of support. Choose a company that helps you navigate threats, finds solutions, and takes the hassle out of cybersecurity.
Growth potential:
As your business grows, you need a cybersecurity company that can grow with you. Focus on companies that offer a full range of security systems for businesses, including those you may need in the future.
Choose antivirus software that can protect all your devices from viruses, spyware, ransomware, and phishing scams. Make sure the software not only offers protection, but also technology that helps you clean devices as needed and resets them to their pre-infected state. It’s important to keep your antivirus updated to stay safe from the latest cyber threats and patch any vulnerabilities.
4: Keep software updated
As well as antivirus, all the software you use to keep your business running should be kept up-to-date. Vendors regularly update their software to strengthen it or add patches that close security vulnerabilities. Bear in mind that some software, such as a Wi-Fi router’s firmware, may need to be manually updated. Without new security patches, a router – and the devices connected to it – remain vulnerable.
5: Back up your files regularly
Does your company back up its files? If a cyberattack happens, data could be compromised or deleted. If that happened, could your business still run? Don’t forget to consider the amount of data that may be stored on laptops and cell phones – without this, many businesses wouldn’t be able to function.
To help, make use of a backup program that automatically copies your files to storage. In the event of an attack, you can restore all your files from your backups. Choose a program that gives you the ability to schedule or automate the backup process so you don’t have to remember to do it. Store copies of backups offline so they don’t become encrypted or inaccessible if your system suffers a ransomware attack.
6: Encrypt key information
If your business deals with data relating to credit cards, bank accounts, and other sensitive information on a regular basis, it’s good practice to have an encryption program in place. Encryption keeps data safe by altering information on the device into unreadable codes.
Encryption is designed with a worst-case scenario in mind: even if your data is stolen, it would be useless to the hacker as they wouldn’t have the keys to decrypt the data and decipher the information. That’s a sensible security precaution in a world where billions of records are exposed every year.
7: Limit access to sensitive data
Within your business, restrict the number of people with access to critical data to a minimum. This will minimize the impact of a data breach and reduce the possibility of bad faith actors from within the company gaining authorized access to data. Set out a plan which outlines which individuals have access to certain levels of information, so that roles and accountability are clear to all involved.
8: Secure your Wi-Fi network
If your business is using the WEP (Wired Equivalent Privacy) network, make sure you switch to WPA2 or more later, as these versions are more secure. It’s likely that you’re already using WPA2 but some businesses neglect to upgrade their infrastructure – so it’s worth checking to be sure. You can read more about WEP versus WPA in our guide.
You can protect your Wi-Fi network from breaches by hackers by changing the name of your wireless access point or router, also known as the Service Set Identifier (SSID). You can use a complex Pre-shared Key (PSK) passphrase for additional security.
9: Ensure a strong password policy
Ensure that all employees use a strong password on all devices that contain sensitive information. A strong password is at least 15 characters in length – ideally more – and contains a mix of upper- and lower-case letters, numbers, and symbols. The more difficult it is to crack a password, the less likely a brute force attack will be successful.
You should also put in place a policy to change passwords at regular intervals (at least quarterly). As an additional measure, small businesses should enable multi-factor authentication (MFA) on employees’ devices and apps.
10: Use password managers
Using strong passwords which are unique to every device or account quickly becomes difficult to remember. The need to remember and type out lengthy passwords each time can also slow your employees down. That’s why many businesses use password management tools.
A password manager stores your passwords for you, automatically generating the correct username, password and even security question answers that you need to log into websites or apps. This means users only have to remember a single PIN or master password to access their vault of login information. Many password managers also guide users away from weak or re-used passwords and remind you to change them regularly.
11: Use a firewall
A firewall protects hardware as well as software, which is a benefit to any company with its own physical servers. A firewall also works by blocking or deterring viruses from entering your network. This is in contrast to an antivirus which works by targeting the software affected by a virus that has already gotten through.
Ensuring a firewall is in place protects your business’s network traffic – both inbound and outbound. It can stop hackers from attacking your network by blocking certain websites. It can also be programmed so that sending out sensitive data and confidential emails from your company’s network is restricted.
Once your firewall is installed, remember to keep it up-to-date. Check regularly that it has the latest updates for software or firmware.
12: Use a Virtual Private Network (VPN)
A Virtual Private Network provides another layer of security for your business. VPNs allow employees to access your company’s network securely when working remotely or travelling. They do this by funnelling your data and IP address through another secure connection in between your own internet connection and the actual website or online service you need to access. They are especially useful when using public internet connections – such as in coffee shops, airports, or Airbnb’s – which can be vulnerable to hackers. A VPN gives users a secure connection which separates hackers from the data they are hoping to steal.
13: Guard against physical theft
While you need to be mindful of hackers trying to breach your network, don’t forget that your hardware can be stolen too. Unauthorized individuals should be prevented from gaining access to business devices such as laptops, PCs, scanners, and so on. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft. Ensure all your employees understand the importance of any data that might be stored on their cell phones or laptops when out and about.
For devices used by multiple employees, consider creating separate user accounts and profiles for additional protection. It’s also a good idea to set up remote wiping – this allows you to remotely delete the data on a lost or stolen device.
14: Don’t overlook mobile devices
Mobile devices create security challenges, especially if they hold sensitive information or can access the corporate network. Yet they can sometimes be overlooked when businesses are planning their cybersecurity. Ask your employees to password-protect their mobile devices, install security apps, and encrypt their data to stop criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen phones and tablets.
15: Ensure third parties who deal with you are also secure
Be wary of other businesses such as partners or suppliers who may be granted access to your systems. Make sure they are following similar practices to you. Don’t be afraid to check before you grant access to anybody.
What to look for in a cybersecurity company
For many small businesses, cybersecurity is not necessarily their core focus. It’s understandable if you need help with cybersecurity – after all, you have a business to run. But how do you know what to look for in a cybersecurity company? Here are some key attributes to look out for:
Independent tests and reviews:
A cybersecurity company could dazzle you with technical jargon and an impressive marketing campaign, so it’s important to look at independent tests and reviews. The best cybersecurity firms want their products tested and are happy to share the results.
Avoid cheap options:
You want to avoid a company that comes in, installs software and then disappears. Additionally, a company claiming to specialize only in one field without offering additional products or support can’t provide the protection you need.
Extra support:
Whether a threat has been detected or you are having trouble backing up your files, you want a company that offers a decent level of support. Choose a company that helps you navigate threats, finds solutions, and takes the hassle out of cybersecurity.
Growth potential:
As your business grows, you need a cybersecurity company that can grow with you. Focus on companies that offer a full range of security systems for businesses, including those you may need in the future.