Large corporations may get all of the headlines when it comes to major security breaches and hacking attempts, but that doesn’t mean your small business is flying under the radar for hackers. Some attackers might see your small business as a path of least resistance in terms of attacking systems and stealing data.
The truth is, hackers want the largest payoff with the least amount of work, and while large enterprises are full of valuable information, their security systems are usually far more robust than those of small-to-medium-sized businesses.
That’s why we’ve created this comprehensive rundown of everything you need to know to guard your small business, including:
- Why cybersecurity is so important to your small business
- Common cybersecurity threats to be aware of
- Small business cybersecurity tips and best practices
- A list of small business cybersecurity resources
Why Cybersecurity Is So Important to Your Small Business
Every business should take cybersecurity precautions. Small businesses are especially vulnerable to the negative effects of a breach. Suffering a breach of sensitive data, especially personally identifiable information (PII), is a very expensive affair that can cost your business thousands, if not millions, of dollars in fines depending on the number and types of records exposed.
IBM’s 2021 “Cost of a Breach” study found that the average per-record cost increased from $141 in 2020 to $161 in 2021. Let’s say you have a customer record base of 1,500. A breach of PII would cost your business $241,500 on average in record fines alone. With cyberattacks on the rise, this cost increase is unlikely to slow anytime soon.
That same IBM study found the average cost of a ransomware attack totaled around $4.62 million. These costs are nothing to scoff at. This means you have thousands, if not millions, of reasons to prioritize cybersecurity, even as a small business.
Let’s say that the potential monetary fines aren’t enough to convince you. Thinking from an optics perspective, what would a cyberbreach do to your image?
Customers, clients, and employees all count on you to keep the information they share with you private. Exposing their information to cybercriminals erodes that trust and can easily sink your business.
Look at cybersecurity conglomerate SolarWinds. Their massive breach isn’t only costing them millions in fines and legal proceedings, but it’s also costing them enough business prospects to prompt them to hide their high-profile client list.
What Are the Common Cybersecurity Threats to Be Aware of?
1. Malware
Malware encompasses any kind of malicious software meant to sabotage systems, lock up or exfiltrate valuable information, spy on networks, or create backdoors to security functions. There are many different types of malware, including:
- Ransomware: Prevents users from accessing their system or personal files through encryption and demands a ransom payment to regain access.
- Spyware: Applications that covertly monitor online behavior without the user’s knowledge or permission.
- Worms: Use the network to replicate copies of themselves to systems or devices automatically and without user intervention.
- Trojans: Any application that masquerades as one thing to get past scrutiny and then does something malicious.
- Rootkits: Clandestine computer programs designed to provide continued privileged access to a computer while actively hiding its presence.
- Keyloggers: Software programs or hardware devices that track activity from input devices. They typically store your keystrokes in a small file, which is either accessed later or automatically emailed to the person monitoring your actions.
- Logic Bombs: Any code that is hidden within an application and causes something unexpected to happen based on some criteria being met.
2. Insider Threats
When you think of “insider threats” you may picture malicious moles in a company waiting for the right time to steal your most valuable secrets. While this is one example, it’s not the only one. Insider threats can even come in the form of ignorant or well-intentioned employees who act carelessly with company assets.
Employees who log onto public Wi-Fi without a virtual private network (VPN) or leave their company devices unattended are potential insider threats. Employees with a grievance against management are sometimes potential insider threats.
3. Social Engineering
Social engineering is the process by which intruders gain access to facilities, networks, databases, and even employees by exploiting the generally trusting nature of people. Think of social engineering as the cyber equivalent of con artistry. Social engineering attacks include:
- Phishing/spear phishing: Phishing is an attack method that uses communication means to fool victims into giving up sensitive information or clicking and downloading malicious materials. Spear phishing campaigns use document files to target specific company employees, like C-suite executives and project leaders.
- Tailgating: Attackers closely follow behind employees or use employees as cover to enter secured facilities and offices.
- Dumpster diving: Attackers rummage through the trash of businesses to find sensitive information they can use for future, more intrusive attacks.
4. Network/Application Attacks
Next, we have the types of cyberattacks that get all of the attention in the news and pop culture: network and application attacks. These types of attacks are more technical and rely on exploiting vulnerabilities in the network, application, and website security. The most common attacks of this nature are:
- Man-in-the-middle (MITM): An attacker intercepts traffic between two endpoints for the purposes of receiving and manipulating that information. There are several types of MITM attacks, including address resolution protocol (ARP) poisoning ― intercepting traffic within a local area network (LAN) or LAN switch ― and session hijacking ― hijacking broadcast traffic.
- Distributed denial of service (DDoS): Denial of service attacks occur when an attacker floods a target with traffic to deny service to servers. DDoS uses botnets to flood victims with traffic to make it harder for victims to stem the flow of junk traffic.
- Structured query language (SQL) injection: An injection attack that makes it possible to execute malicious alterations to databases on the back end of applications. These types of attacks are used to bypass application security functions.
- Cross-site scripting (XSS): An attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application. This is a method used for session hijacking.
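The SQL injection item above, as an added example that is not part of the original article: a login check built by string concatenation next to the same check using a parameterized query. The table, function names and sample values are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory user table holding constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-1')")
    return db


def login_vulnerable(db, name, password_hash):
    # Weak: user input is pasted into the SQL text, so a quote character in
    # the input ends the string literal and rewrites the WHERE clause.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password_hash = '" + password_hash + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, name, password_hash):
    # Hardened: placeholders pass the values separately from the SQL text,
    # so input is always compared as data and never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password_hash = ?"
    return db.execute(query, (name, password_hash)).fetchone() is not None


# Constructed input: a form field that contains SQL syntax instead of a value.
CRAFTED = "x' OR '1'='1"


def demo():
    """Run both checks against a valid, a wrong, and a crafted input."""
    db = make_db()
    return {
        "valid_vulnerable": login_vulnerable(db, "alice", "constructed-hash-1"),
        "valid_parameterized": login_parameterized(db, "alice", "constructed-hash-1"),
        "wrong_parameterized": login_parameterized(db, "alice", "wrong"),
        "crafted_vulnerable": login_vulnerable(db, "alice", CRAFTED),
        "crafted_parameterized": login_parameterized(db, "alice", CRAFTED),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Comparing the hash inside the query keeps the example short; the fix that matters here is the placeholder form, which every mainstream database driver supports.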
What Are the Small Business Cybersecurity Tips and Best Practices?
Now that you have a basic understanding of the threat landscape that’s out there, here are a few best practices and tips you can adopt into your organization to improve your security efforts. You’d be surprised just how effective some of the simpler tips are when implemented correctly.
1. Train your employees on security practices
It turns out that countless cyberattacks have one factor in common: Human error. As discussed earlier, insider threats aren’t only malicious moles looking to steal your valuable data and secrets.
It’s crucial to educate your employees on best practices when handling company technology, many of which are on this list. It’s best to make the training a mandatory yearly requirement and tie the completion to gaining access to sensitive systems.
2. Keep your software up-to-date
Software that’s up-to-date has all of the latest patches applied. Out-of-date software is prone to security exploits that hackers are more than willing to take advantage of.
If at all possible, set up your software to update automatically to prevent certain machines from falling behind due to oversight or procrastination.
3. Use a VPN
The best VPNs create encrypted tunnels for network traffic so that users can access sensitive company material without exposing their activity to prying eyes. VPNs are especially valuable nowadays with so many of us working from home as a result of the pandemic. The last thing you want is your valuable proprietary information falling into the hands of network hackers.
4. Avoid suspicious-looking emails
Protect yourself and your organization from phishing scams by avoiding any emails that are suspicious, too good to be true, poorly worded, or include abnormal requests.
5. Use a proxy firewall to protect your network
Of all the available network firewalls, proxy firewalls are the most secure: they provide a layer of separation between internet traffic and your network perimeter, perform deep packet inspection of traffic coming in and out of the network, and take note of the different internet protocol (IP) addresses making contact with your firewall, which is also known as a stateful firewall capability.
6. Plan for the use of mobile devices
Smartphones in the workplace are here to stay, so it’s crucial that your business plans for them. If left unmanaged, these smart devices pose a threat to your security infrastructure, whether we’re talking about phishing scams or users accessing sensitive company data on personal devices.
Either adopt a mobile device management (MDM) system that monitors and controls access to personal smartphones that are used on the job or completely restrict access to sensitive materials and networks with personal devices.
7. Use multifactor authentication
Passwords aren’t enough to protect your networks and data. Some passwords are easy to guess, while others are used multiple times by your workforce for simplicity. Whatever the case, you should adopt a multifactor authentication system to provide an extra layer of login access security to your systems.
This includes one-time codes ― such as email and short message service (SMS) ― biometric verification, phone authentication, security questions, and application push notifications.
8. Avoid unknown USB drives
Would you pick food up off of the ground and eat it? Probably not. It’s been on the ground, for one. And two, you have no idea where it came from or where it has been. It’s just gross. So why would you pick up an unknown USB drive that’s just lying around and plug it into your computer?
Attackers love taking advantage of the curiosities of others by leaving mysterious USB drives around and hoping someone will pick them up to plug them in. This gives attackers the chance to inject malicious processes onto your device for all kinds of purposes.
Small Business Cybersecurity Resources
There are tons of resources out there full of information on cybersecurity and new threats. However, if you’re looking for the most prevalent threats and popular solutions, these outlets will deliver in spades.
Open Web Application Security Project (OWASP): One of my favorite things about the cybersecurity community is the sense of togetherness when it comes to sharing information regarding new threats and solutions to those threats.
The OWASP is a great example of this community coming together to provide tools, resources, community information, security training, events, and even regular top 10 lists of the biggest threats to web applications at that time.
US-CERT Twitter Account (@USCERT_gov): Stay up-to-date on the latest threats and breaches with the US-CERT government Twitter account. This account provides new information regarding vulnerabilities in software and hardware, announces new patches that have come out to fix old issues, and educates users on the current landscape of cybersecurity.
Common Vulnerabilities and Exposures (CVE): A comprehensive dictionary of common vulnerabilities and their key identifiers. This easily searchable resource is funded by the United States Department of Homeland Security and run by the MITRE Corporation.
Infotec: Get the training and resources you need to stay on top of your business’ security needs. Infotec offers a multitude of training options (virtual and in-person) as well as detailed blog posts covering all kinds of security topics.
Federal Communications Commission (FCC) Small Biz Cyber Planner: Security threats don’t just target the big fish in the pond. Small businesses are a target as well, which is why the FCC created this helpful resource to get your organization on track with a cybersecurity plan that works for you.
Google Security Blog: A no-frills resource created by the Google Security Team that offers rundowns of the most recent web security threats as well as an archive of old threats to watch out for.
U.S. Department of Defense Cyber Crime Center (DC3): This resource is made for supplying businesses with forensic tools, information, training, and reporting avenues regarding cybercrimes and vulnerabilities.