As small business owners attempt to establish and grow their companies while focusing on customers and revenue, these owners often find themselves wearing many hats and juggling everything from HR to legal to marketing. As a result, many small businesses mistakenly overlook their security function.
While many cybersecurity attacks and breaches reported in the news happen at major enterprise organizations, the reality is cybercriminals don’t discriminate by size. Small businesses also can be a target and the aftermath of an attack can be devastating.
In fact, a recent report on the state of cybersecurity for SMBs from the Ponemon Institute reported that the number of small businesses that experienced breaches “involving sensitive information about customers, target customers or employees” increased to 63% from 58% in just one year. In addition, nearly one-third of companies that were breached did not know the root cause of the attacks, which means these businesses lacked the systems and practices to not only stop a breach, but figure out how it happened.
So how can a small business protect itself? Warding off these costly attacks requires 360-degree cybersecurity measures. Here are some tips to help create and implement an effective cybersecurity strategy:
- Secure all endpoints: Many traditional or anti-virus tools block only the malware they recognize, but more sophisticated endpoint protection software can scan and block malware with a constantly updated threat list. It’s important that small businesses consider and secure all endpoints – from stationary workstations to laptops to mobile devices – to help prevent a breach.
- Educate employees and users: No amount of technology can completely protect SMBs’ network and data, meaning user training and awareness is crucial to building solid defenses. Since humans are often the weakest link in IT security, trained workers can shift from liabilities to assets and become the first line of defense against cybersecurity threats.
- Enforce strong password policies: Passwords are necessary and should be changed regularly. It’s important to require users to select passwords with a combination of numbers, special characters and upper and lowercase letters to make them harder to crack.
- Add security patches: Oftentimes, ransomware attacks exploit vulnerabilities that easily can be fixed through proper patch management. Businesses need strict patching policies so users don’t ignore software update prompts. Preferably, businesses should deploy automated patch management, which takes users out of the equation.
- Apply firewalls: Firewalls block unauthorized content with controls, such as access denial to IP addresses known to deliver malware. Even if a malware payload is delivered, a firewall can prevent it from communicating with the command and control server from which it would receive instructions to lock out data. This could stave off infection until the malware is detected and removed. Firewalls also let businesses choose which types of content to allow into the network, blocking unauthorized data while still allowing outbound communications.
- Develop an incident response plan: Prevention is critical to a cybersecurity strategy, but small businesses cannot ignore another critical component – an incident response. Since no security measure is completely foolproof, businesses must prepare for the worst-case scenario. An incident response plan should outline what steps to take and who is responsible for the response following a breach. This should be developed in advance, as reaction time is critical and coming up with a response plan after an incident has occurred is too late.
- Establish a cross-functional security team: While technical staff are usually the first to spring into action following an incident as they seek to identify the problem, assess the damage and start remediation, the response also includes non-technical aspects. Avoiding, preparing for and responding to security breaches typically involves more people than those in charge of IT and cybersecurity. It may be necessary to notify customers and suppliers about the breach. Therefore management, as well as other functions like marketing, PR, HR and legal should all be involved.
With the increasing risk and frequency of cyberattacks, it’s critical that small businesses have strong, well-executed cybersecurity strategies to protect their business and employees from ransomware, malware, phishing, botnets and more. These days, small businesses can’t afford not to.