As a small enterprise owner, it’s easy to fall into the trap of assuming that cybercriminals won’t target you. After all, why would anyone waste their time going after your business when there are much juicier fish in the sea?
Well, the truth is that criminals love to prey on small and medium-sized enterprises. Smaller businesses are often more vulnerable to attack as they have more digital assets than the typical consumer yet tend to lack the IT infrastructure and specialist expertise of larger companies.
The good news is that implementing a robust cybersecurity strategy is achievable for companies of all sizes and budgets – all it requires is a bit of planning. We’ve rounded up some essential tips to maximize the cybersecurity of your small business.
Why do criminals target small businesses?
No company is too small or obscure to escape the attention of cybercriminals. In fact, hackers actually tend to favor targeting smaller organizations, with research from Ponemon Institute finding that more than 61 percent of small and medium-sized businesses were affected by a cyber attack in 2017 – up from 54 percent a year earlier.
Why exactly do criminals love to target small businesses? There are a few reasons at play.
First, the general uptake of technology across all sectors means that businesses of all sizes are now viable targets. In the past, some companies – those in the retail and service industries, for example – had little reason to take their operations online, which meant they were safe from cybercrime due to simple obscurity. However, widespread adoption of technology such as cloud services and the Internet of Things means that every company is now sending and receiving data that can potentially be stolen.
Second, SMBs have what the criminals want: valuable data. While they may not have the same resources as a huge multinational company, SMBs still hold a lot of sensitive data such as financial records, medical records, personal information, client details and more. As you might imagine, this data can be very valuable for criminals who might, for example, use this information as leverage for ransom, or sell it on the black market to the highest bidder.
Third, many SMBs don’t have the funds necessary to implement and maintain a professional security solution. These companies are typically focused on minimizing overheads and running as lean as possible in order to remain solvent in a competitive economy, which often means cutting expenses on seemingly non-essential parts of the business – including cybersecurity. Cybercriminals are aware that most SMBs do not have the resources for a dedicated IT team and are therefore more vulnerable to attack than larger enterprises.
Tips for improving the cybersecurity of your small business
1. Train Employees
In many ways, your employees are your first line of defense. With this in mind, it’s important that you take the time to train both new and existing staff on the fundamentals of cybersecurity. This might involve teaching staff how to create strong, unique passwords for their accounts, enabling two-factor authentication wherever possible, training employees to identify the signs of phishing and encouraging people across every level of the business to be mindful of the risks of public Wi-Fi when working outside the office. You could also consider sending out regular emails to keep everyone up to date on the latest security threats and any updates to internal protocols.
2. Establish a cybersecurity policy
Regardless of the size of your business, it’s a good idea to establish a formal cybersecurity policy. This document establishes your rules and security controls regarding your staff’s use of your network and company devices, and should be used when onboarding new employees (remember step #1!). Despite the importance of this type of policy, less than 4 in 10 (39 percent) small businesses have a formal document covering cybersecurity risks, according to figures collated by research institute Ipsos.
A simple cybersecurity policy might establish guidelines regarding:
- Acceptable use of email and the Internet
- How staff should protect work mobile devices
- Password creation and storage
- Remote access security protocol
- The use of removable media (such as USB drives, CDs, DVDs, etc)
- How sensitive data is handled
3. Limit access to software and hardware
It’s important to remember that cybersecurity doesn’t only involve defending your system against external threats – you also need to think about internal threats. Indeed, about 1 in 4 data breaches involves internal actors, according to figures collated by Verizon.
One of the most effective ways to manage internal threats is to adopt the principle of least privilege, which essentially means that all users should only have the bare minimum permissions they need to get their work done. This minimizes the data that individual employees can access and reduces the risk of sensitive data falling into the wrong hands.
Depending on what type of data your company handles, you might also need to consider limiting physical access to certain parts of the business. Implementing controls such as RFID doors, security checks, fingerprint scanners, password-protected control panels and so on are critical for maintaining access control and preventing unauthorized persons from entering important parts of your business.
4. Create backups
IT infrastructure plays a central role in just about every modern business and when it goes down, the costs can be devastating. In fact, research from market intelligence firm IDC found that IT downtime costs small businesses an average of $137-$427 per minute!
With these figures in mind, it’s essential that you have an effective recovery system in place to help you get back up and running should you lose your data for any reason. Be sure to use a combination of off-site backups (such as an online cloud backup) and on-site backups (such as network-attached storage) so that your data will be safe even in the event of a major disaster.
5. Invest in proven antivirus/anti-malware software
Good antivirus software provides an important layer of protection and is instrumental in safeguarding your business against ransomware, trojans, worms and a variety of other digital threats. In the event that a malicious file makes its way onto your machine – via, say, a click-happy employee or a zero-day exploit – you need to be confident that your software is capable of detecting, stopping and removing the threat before it can make any changes to your system.
When it comes to choosing antivirus software, remember to look beyond detection rates. For example, factors such as system impact, privacy policies, product support, and configurability may influence which software you decide to use. If you’re looking for a resource-efficient product and a customer service team that provides real, human support, feel free to try out Emsisoft Anti-Malware.
6. Cyber insurance may be an option
Cyber insurance is becoming increasingly popular as more businesses come to terms with the financial risks of being involved in a cyber attack. In fact, the cyber insurance market is expected to exceed $7.5 billion in annual premiums by 2020, according to research from PwC.
What exactly do cyber insurance policies cover? Details can vary, but they typically cover the expenses involved with business losses, forensic investigations, lawsuits, extortion and the costs involved with notifying customers whose data has been breached. Be sure to go over the small print with a fine-tooth comb to find out exactly what is covered (e.g. some policies don’t cover social engineering attacks and non-targeted attacks). This is an option for businesses that have a particularly valuable “crown jewel” to protect. Bear in mind that the cyber insurance industry is very much in its infancy and underwriters are still coming to grips with the risks and financial impact of cybercrime. As such, you might find that your insurer offers a far lower level of coverage than you might expect (and need).
With that said, cyber insurance is not a replacement for a good cybersecurity program in your company. In fact, most insurers require that you have minimum cybersecurity protocols in place before they insure you.
7. Keep mobile devices secure
Mobile devices pose a challenging security risk to SMBs as they’re much more difficult to manage than conventional desktop PCs. This is particularly true given the rise of bring your own device (BYOD) policies. About 59 percent of businesses currently allow staff to use their own devices for work purposes, according to research from Tech Pro Research, which means that businesses have to try and secure a wide range of hardware, software and operating systems.
Take the time to create a mobile device security plan. This might involve enforcing password protection, installing mobile antivirus software and prohibiting staff from sending sensitive information over public Wi-Fi when they’re out in the field. In addition, keep track of all company-issued equipment and have response procedures in place for devices that are lost or stolen.
8. Always update your software
Many cyber attacks involve exploiting security flaws in an operating system or piece of software. To stop this from happening, software developers release updates to patch the vulnerability and make their application more secure.
As a business owner, it’s crucial to update your software whenever a new patch is released. Delaying updates essentially extends the window of opportunity for an attack. Always take the time to install the patch when you see an update notification pop up on your screen – even if you’re in the middle of working on something – and enable automatic updates whenever possible. The same goes for any apps installed on work-related mobile devices.
9. Consider using a VPN
A virtual private network (VPN) is a service that adds another layer of security to your connection by encrypting your data and routing it through a VPN server. This allows you to work securely from public Wi-Fi spots and ensures that you and your staff are able to remotely access network resources, regardless of where you’re geographically located.
Be wary about which VPN service you use, especially if you’re looking for a free VPN. Research from CSIRO found that 38 percent of free Android VPNs contain some form of malware, 18 percent do no encrypt user traffic and 75 percent use third-party tracking libraries – not exactly what you want from a service designed to provide privacy and security!
Protecting your small business
It’s true that modern SMBs face a plethora of digital threats, but that doesn’t mean that you need a huge budget or a dedicated IT department to keep your company safe. Establishing a defined security policy, teaching employees how to identify the signs of an attack and taking a multi-layered approach to security can go a long way toward protecting your business.
Looking for an enterprise antivirus solution that won’t let you down? Be sure to check out Emsisoft Anti-Malware.
What do you do to keep your business safe? Let us know in the comment section below!
Have a good (malware-free) day!