For most people, cybersecurity is a complicated and intimidating topic. It often involves overcoming negative perceptions like feeling overwhelmed by all the jargon and not knowing where to even start. For that reason, addressing it often gets put on the back burner, which can cause even bigger problems. But there are a few basic and cost-effective security steps that small businesses can take which make big improvements in their security posture.
1. Accept You’re a Target
The first step in improving your security is to acknowledge that you’re a target for cybercriminals. Do not fall into the trap of burying your head in the sand or thinking that since you’ve never had a problem before, that you’re pretty “safe.” Every organization, regardless of size, is a target and no industry is off limits. If cybercriminals see value in attacking your organization, they will.
2. Conduct a Security Assessment
Even if you have some basic security measures in place, like a firewall and anti-virus, it’s important to understand where your security gaps are. Perform an internal and external security assessment to determine where your vulnerabilities lie and what remediation and other safeguards should be in place but are not. This can include stronger security policies, segmentation of confidential or sensitive information on the network, data backup procedures, etc. Start with an inventory of systems, accounts and internet-facing services: you cannot assess what you do not know you have, and forgotten externally reachable servers and remote-access services are a common way in.
3. Security Awareness Training
Your organization should have a training program that ensures its employees understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and the many forms of social engineering, and can apply this knowledge in their day-to-day work. These techniques, which usually arrive as emails and web links, are all common ways for an attacker to get into your network. Just as important as the training itself is making it easy and blame-free to report a suspicious message: the first employee who reports a phishing campaign is what lets you warn everyone else before they click.
4. Prioritize and Police Passwords
Understand that strengthening your passwords and adopting a written policy is critical. According to a recent Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. The report also finds a staggering “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” These numbers are significant because cybercriminals follow the path of least resistance, and today that path is users with short, reused, self-managed passwords. A good policy requires length rather than complexity (a passphrase of 12 or more characters is far stronger than an 8-character password with forced symbols), screens new passwords against lists of passwords exposed in past breaches, bans the username and obvious patterns, and forces a change when there is evidence of compromise rather than on a fixed schedule. Current NIST guidance (SP 800-63B) recommends against mandatory periodic changes and composition rules, because they push users toward predictable patterns like Summer2023! that attackers try first. Having a mechanism in place that enforces the policy technically, at the point where the password is set, rather than only on paper, is also a key factor to its success.
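A password policy is only as good as the check that enforces it. The following is an added example (not code from the original article or any product it mentions) of a check built on the guidance above: a minimum length, a breached-password screen, and a ban on the username and repetitive strings, shown next to the older "8 characters and three character classes" rule so you can see what each one lets through. The breach list, the usernames and the policy values (12 characters minimum, 128 maximum) are constructed for the demo; a real deployment would query the Have I Been Pwned "Pwned Passwords" corpus or an equivalent feed.

```python
"""Password-policy check in the spirit of NIST SP 800-63B: minimum length
and a breached-password screen rather than composition rules and scheduled
rotation. Added example; the breach list and policy values are constructed."""
import hashlib

# Constructed stand-in for a breached-password corpus. Real deployments use
# the Have I Been Pwned "Pwned Passwords" data or an equivalent feed; it is
# published as SHA-1 hex digests, so the check never needs the plaintexts.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Welcome1", "Summer2023!")
}

MIN_LENGTH = 12    # assumed policy value; SP 800-63B requires at least 8
MAX_LENGTH = 128   # accept long passphrases but bound what we hash and store


def is_breached(password: str) -> bool:
    """True if the password appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in _BREACHED_SHA1


def passes_legacy_complexity(password: str) -> bool:
    """The older rule many policies still use: 8+ characters and three of
    four character classes. Kept only to show what it lets through."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


def check_password(password: str, username: str = "") -> list:
    """Return the policy violations for a candidate password; an empty list
    means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 2:
        problems.append("repetitive (too few distinct characters)")
    if is_breached(password):
        problems.append("appears in a known-breach list")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2023!", "orbit-lantern-gravel-seventeen"):
        print(f"{pw!r}: legacy policy accepts={passes_legacy_complexity(pw)}, "
              f"problems={check_password(pw, username='alice')}")
```

Summer2023! sails through the legacy rule (upper, lower, digit, symbol) but fails here on both length and the breach screen; the four-word passphrase fails the legacy rule and passes here. Hashing with SHA-1 is only for matching the published corpus format; passwords you store for login must still go through a slow, salted hash such as bcrypt, scrypt or Argon2.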
5. Using a Password Manager
Managing several long, unique passwords can be a burdensome task, but password security shouldn’t be compromised for convenience. Using a password manager is a great way to ensure every account gets its own randomly generated password, and it quietly resists phishing too, because the manager only fills a saved credential on the site it was saved for. The best part is, you only need to remember one master password, so make that one a long passphrase and protect the manager itself with multi-factor authentication. For more information on password managers check out this article from Wired magazine.
6. Enable Multi-Factor Authentication
Sometimes referred to as 2-Step Verification, or 2-Factor Authentication (2FA), Multi-Factor Authentication (MFA) adds another layer of security for accessing your accounts, in addition to your ID and password. It requires a second form of authentication before you can log in. This can be a variety of mechanisms, including a push notification to your mobile phone, a 6-digit one-time code from an authenticator app or hardware token, or a biometric scan of your face or fingerprint. Whatever form MFA takes, it means that someone who has only your password, whether phished or taken from a breach, still cannot log in as you. Not all second factors are equal, though: codes sent by SMS can be stolen by an attacker who gets your phone number ported to their device, and push prompts can be approved by a tired user who never started the login. Prefer authenticator apps or hardware tokens, and where a service supports them use FIDO2 security keys or passkeys, which cannot be phished because the key only answers the genuine site. Turn MFA on first for email, remote access (VPN and remote desktop) and every administrator account. For more information on the benefits of using multi-factor authentication, read the article, “How 2FA Reduces Account Compromise.”
7. Keep Up with Patching
Ensure your operating systems, application software, and firmware are updated (patched) when updates become available. Updates are often issued by the manufacturer to fix a vulnerability found in the software, and once a fix is public, attackers routinely scan for systems that have not applied it. Not having a plan for regularly performing updates leaves your systems exposed to attacks on weaknesses that are already well known. Prioritize internet-facing systems (VPN gateways, firewalls, mail and web servers) and anything the vendor flags as actively exploited, and do not forget the devices that never show up in a desktop patch cycle, such as routers, printers and network storage. For more information on the importance of software updating/patching, read the article, “Why Systems Patching Matters.”
8. Regularly Backup Your Data
Do not underestimate the importance of routinely backing up your data. A sound backup strategy that includes scheduled backup routines and verification testing is a must. Cyberattacks and other disasters don’t warn their victims that they’re about to happen, they just happen. And when one does, it can shut your operations down and take all your data with it. If the data you need to run your business becomes inaccessible or corrupt, through a ransomware attack, for example, being able to restore it from a recent, working backup will be critical. Two caveats: ransomware operators deliberately look for and encrypt or delete any backup they can reach, so at least one copy must be offline or immutable and not reachable with the same credentials as your production systems; and a backup that has never been restored is only a hope, so schedule test restores and check the restored data itself, not just that the backup job reported success.
The 3-2-1 rule is an easy-to-remember best practice for backup and recovery. It means that when you build out your backup and recovery strategy you should: keep at least 3 copies of your data (the live copy plus two backups), keep them on 2 different storage types, and keep at least 1 copy in an offsite location such as the cloud.
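What "verification testing" looks like in practice, as an added example rather than anything from the article: record a SHA-256 manifest at backup time, then prove the backup restores by extracting it into a scratch directory and comparing every file against that manifest. The sample directory, the random "database" file and the truncation step that simulates a bad copy or failing disk are all constructed for the demo.

```python
"""Backup with a hash manifest and a scripted test restore: the verification
testing part of a backup strategy. Added example, not the article's code;
the sample files and the corruption step are constructed for the demo."""
import hashlib
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: pathlib.Path, archive: pathlib.Path) -> dict:
    """Write a gzip tar of src and return {relative path: sha256}, recorded
    at backup time so a later restore can be checked against it. Keep the
    manifest with the backup, on a different medium than the source."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: pathlib.Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file against the
    manifest. Returns the list of problems; empty means the backup restores."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The extraction filter (Python 3.12+, backported to some
                # older releases) blocks path traversal and special files.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except Exception as exc:  # truncated media, bad gzip CRC, short member data
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        for rel, expected in manifest.items():
            target = pathlib.Path(scratch, rel)
            if not target.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(target) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> dict:
    """Back up a constructed directory, verify it, then simulate media damage
    by truncating the archive and verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = pathlib.Path(work)
        src = work / "data"
        (src / "reports").mkdir(parents=True)
        (src / "a_database.bin").write_bytes(os.urandom(8192))  # constructed, incompressible
        (src / "reports" / "q1.txt").write_text("constructed sample report\n")
        archive = work / "data.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Cut the archive in half: what a failed copy or a bad disk looks like.
        with open(archive, "r+b") as f:
            f.truncate(archive.stat().st_size // 2)
        damaged = verify_restore(archive, manifest)
    return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Run the verify step on a machine other than the one that made the backup, using only the offsite copy and the stored manifest; that is the closest you can get, short of a real outage, to proving the 1 in 3-2-1 will actually save you.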
9. Monitor and Audit IT Activity
Make sure you’re monitoring and auditing the activity on your IT systems—not just for availability and performance, but for things like logins after hours or from unexpected locations, unusual types or quantities of data transfers, creation of new administrator credentials, logs being cleared or security tools being disabled, and the like. Send logs to a central location the attacker cannot reach with the same credentials as the systems they came from; an intruder with administrator rights on a machine will clear its local logs first. If inappropriate and unauthorized activity is occurring, catching it quickly can help protect your data and organization. For more information about why monitoring your IT operations for security events is important, read the article, “Anatomy of a Cyber Attack.”
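The three detections named above, written out against sample log lines, as an added example that is not from the article or any logging product. The line format (timestamp, category, event, then key=value fields), the log lines themselves, the business hours (07:00 to 19:00 on weekdays), the list of administrator groups and the 1 GiB egress threshold are all constructed assumptions; in a real environment each of those comes from your own systems and baselines.

```python
"""Three simple detections over activity logs: logins outside business hours,
creation of new administrator accounts, and unusually large outbound
transfers. Added example; the log format and lines are constructed."""
from datetime import datetime, time

# Constructed log lines: ISO timestamp, category, event, then key=value fields.
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T02:13:55 auth login user=jsmith src=203.0.113.7 result=success
2024-03-04T02:14:30 admin useradd user=svc_backup2 groups=Administrators by=jsmith
2024-03-04T02:20:11 transfer egress user=jsmith bytes=7340032000 dst=198.51.100.9
2024-03-04T09:41:02 auth login user=akim src=10.0.0.12 result=success
2024-03-04T14:05:00 transfer egress user=akim bytes=52428800 dst=10.0.0.50
2024-03-09T10:02:47 auth login user=akim src=198.51.100.77 result=success
"""

BUSINESS_START = time(7, 0)    # assumed business hours, local time
BUSINESS_END = time(19, 0)
ADMIN_GROUPS = {"administrators", "domain admins", "sudo", "wheel"}  # assumed
EGRESS_BYTES_LIMIT = 1 * 1024 ** 3   # 1 GiB in a single event; assumed threshold


def parse_line(line: str) -> dict:
    """Split one line into {'ts', 'category', 'event'} plus its key=value fields."""
    ts, category, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "category": category, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect(log_text: str) -> list:
    """Return one alert dict per matching rule and line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "login" and rec.get("result") == "success" and is_after_hours(rec["ts"]):
            alerts.append({"rule": "after_hours_login", "user": rec["user"], "line": line})
        groups = set(rec.get("groups", "").lower().split(","))
        if rec["event"] == "useradd" and groups & ADMIN_GROUPS:
            alerts.append({"rule": "new_admin_account", "user": rec["user"], "line": line})
        if rec["event"] == "egress" and int(rec.get("bytes", 0)) > EGRESS_BYTES_LIMIT:
            alerts.append({"rule": "large_egress", "user": rec["user"], "line": line})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['user']}: {alert['line']}")
```

Read the sample output as a story rather than three separate alerts: a 2 a.m. login, a new administrator account created by that same user a minute later, and a 7 GB transfer to an outside address a few minutes after that. Correlating alerts by user and time window is what turns noise into a credible incident, and it is why the logs need to be in one place.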
10. Get Cyber Insurance
As cybercriminals continue to become more sophisticated, attacks will continue to occur. It’s no longer a matter of if your organization will be attacked, but when. Security incidents are incredibly costly, sometimes putting organizations out of business. Costs could include legal counsel, cyber forensics, restoration of IT systems and data, breach notification, credit monitoring, PR counseling, crisis management, and more. Verify that your organization has cyber insurance (this coverage is often not included in your standard policy) to protect you in the event of a security incident. Read the application and the policy conditions carefully: insurers increasingly require controls such as MFA, tested backups and endpoint protection before they will write a policy, and a claim can be denied if the application stated you had controls that were not actually in place. For more information on the importance of cyber insurance coverage read the article, “Cyber Insurance: Worth the Price?”
These ten steps are—in no way—meant to be an exhaustive list of things that will keep you from getting hit by a cyberattack. There is essentially no one who can guarantee that an attack won’t happen, even when your organization is defended by the most expensive and sophisticated cybersecurity program in the world (like our government agencies for example). But they are meant to be a set of basic/minimum first-steps that any organization can take to better protect themselves.
Bonus Tip #11
The best defense is to take the burden of security off your plate and implement our cost-effective managed security services. For a fraction of the cost of even one IT person, our managed security program provides a comprehensive, enterprise-quality package of security services— including the ones mentioned in this article—that are specifically designed for small and mid-sized organizations. Click here to find out how you can leverage the resources of our security program to do more.