Written by: James Hart
Even if you don’t think your small business has any valuable information, the average cybercriminal will probably disagree.
The last few years have shown that cybercrime is a threat for organizations of all sizes, even smaller companies. Their customer lists, their payment and banking information, their patents and designs — they all hold value to thieves. Or the bad actors will extract payment from their victims by using ransomware.
Plus, many hackers have realized that, unlike larger companies, most small businesses don’t have particularly robust defenses.
As a result, cybercrime continues to grow. Last year, the number of US cybercrime incidents surged by 10%, and the losses associated with those incidents grew by 22%, totaling more than $12.5 billion, according to the FBI’s Internet Crime Complaint Center.
Fortunately, it’s possible to strengthen your cybersecurity very quickly with a few key tactics. In this post, we’ll cover some of the most common but effective ways for protecting your company’s digital presence.
Understand your risks, and plan accordingly
You should regularly conduct risk assessments of your company’s network and systems. As part of that review, you should know what kinds of sensitive information you have on your network, exactly where it’s stored and who can access it.
By conducting a risk assessment, cybersecurity experts can point out holes in your digital security, the places where bad actors are most likely to strike, and even conduct penetration tests to see how your team and your systems respond to a realistic (but fake) attack. Once you know where the weaknesses are, you can assign your team to fix them or hire security experts to implement improvements.
There’s also the matter of the physical world, which should receive regular risk assessments, too. Whoever conducts that review should be looking for ways that intruders could sneak into your property. They should also be testing the security around your sensitive areas, such as server rooms or wherever high-value files are stored.
And the same way that you prepare for natural disasters, fires and other business disruptions, your emergency planning should identify exactly what to do if sensitive customer information is stolen, if ransomware locks you out of your network or some other related emergency occurs.
Who will take responsibility for getting your system back online? How will you communicate with customers about the issue? Should you buy an insurance policy to help cover the cost of recovery?
Implement the right tools
Obviously, technology needs to be a central part of your cybersecurity defense. That includes:
- Firewall software to prevent intruders from accessing data on your network, or to prevent sensitive information from leaking out
- Antivirus software to remove any malware or spyware that finds its way onto your machines
- Virtual private networks (VPNs) to allow traveling employees and those working from home to access your systems securely
It’s important to make sure these and other programs are updated regularly, so that any security vulnerabilities are quickly patched.
Train your team to identify and avoid online threats
Everyone in your organization should receive basic cybersecurity training when they first join the team, and the training should be repeated at least once a year. To ensure everyone’s actually paying attention, you can also give them a test that, if they fail, requires them to retake the training.
After this training, team members should be able to identify phishing attempts in incoming emails. They should know how to spot the most common types of scams, like the text message “from the CEO” asking them to go out and buy gift cards.
Don’t stop testing your team
One of the best ways to keep your team sharp? Work with a cybersecurity contractor who can send fake phishing emails to the entire team throughout the year. In many cases, you can have a “Phish Alert” button built into their email app so employees can immediately point out any phishing attempts they see. Anyone who clicks a link in a test email or downloads an attached PDF could be assigned more training on best security practices.
The benefit? When your staff receives “phishing” emails every week, they’ll be more likely to remember how to spot them. And they need to be on their guard: Last year, there were nearly 300,000 reported cases of phishing or spoofing, the single most common type of cybercrime, the FBI reported. Reported losses totaled $18.7 million.
Build a “say something” culture
Some of the biggest threats to your cybersecurity may turn out to be internal ones — including the trusted employee that you had no reason to suspect of wrongdoing. In many cases, though, there were signs.
Maybe the employee constantly, bitterly complained of being underpaid — and then suddenly started driving a brand new car and taking high-dollar vacations. Maybe they kept wandering into offices or departments where they had no reason to be. Or maybe their car could be spotted in the office parking lot early on Sunday mornings when no one else was around.
You might have missed these signs, but it’s unlikely that all of your employees did. By encouraging them to speak up if they see something unusual, you increase your odds of either preventing data theft or, if one happens, catching the responsible party quickly.
Track and limit access to your systems
No one should be able to access your company’s files or tools unless they have a job-related reason for using those resources, especially for sensitive and valuable files like a customer list, proprietary designs, ingredient lists, upcoming marketing plans and other files.
Your IT team should be able to put tools in place that require anyone who wants to use those sensitive files to provide a password first. For example, if each employee has a company-issued desktop or laptop, each person should have a unique user account on that machine, one that requires them to sign in before they can use the computer.
For the most sensitive information, you might consider storing those files and machines in a locked room in your offices.
Also, you should either place limitations on or entirely prevent team members from downloading software onto their devices. This will cut off one of the most common ways for malware to end up on your computers.
Tighten the security for your Wi-Fi network
Make sure your router is using an updated encryption standard — WPA3 is the most current, though many also employ a version of WPA2. You can make your network even more secure by setting your router so it won’t broadcast the network’s name or SSID. And remember to update the password to your router.
Back up your data
Data backups can save the day in the event of a ransomware attack. The number of such incidents increased by 18% last year, while the associated losses grew 74% to $59.6 million.
So, make sure that your data is consistently being backed up on a regular basis — ideally, both online and offline, with a copy kept off-site. If you can’t update continuously, then daily. If not daily, then weekly.
And test your backups to make sure they’re complete and accessible. You don’t want to discover there’s a problem with those files at the exact moment need them.
Encrypt your most sensitive files
In the event that hackers steal any of your files, encryption will prevent them from actually using any valuable information.
Have a plan for stolen devices
Make sure that company devices can be remotely wiped of any data so that, in the event of theft, bad actors can’t access sensitive information stored on those machines.
Get serious about password hygiene
Require your team to regularly update the passwords they use to access company systems, and teach them how to create hard-to-crack ones — none of this “password123” nonsense. A good rule of thumb is to update passwords every three months, though your company’s needs might be different.
You can help your employees improve their password habits by providing password management software that remembers all of their login information, which should discourage them from reusing the same passwords over and over. Instead, a good password manager will encourage them to create longer, more complex passwords.
You should also require that your employees employ multi-factor authentication whenever it’s available. Doing so should make it harder for bad actors to steal passwords and infiltrate your company’s systems.
The bottom line about small business digital security
Good cybersecurity should include firewalls, antivirus software, multi-factor authentication and all the other technical tools that most people think of when they think about cybersecurity.
But there’s also a significant people element, too. By investing in risk assessments, training and culture, companies can increase their odds of spotting and stopping bad actors from invading their networks and taking advantage of the data they find there.
Chesley Brown provides a range of services to help companies protect their intellectual property and other sensitive information, both online and in the physical world. In cases where a breach has already occurred, the firm can also conduct discreet, in-depth internal investigations to identify how it happened and how to prevent future cases. If your organization is looking for a trusted expert in this area, start a conversation with Chesley Brown today.
Sign up!
For industry-leading guides and analysis sign up for our blog below.
Latest News
risk-takers #9. Joe Sheram – The Turnaround Guru
Brent sits down with corporate turnaround expert Joe Sheram to discuss financial risk, corporate theft, the importance of cash, and some of the biggest challenges businesses face when navigating a crisis from a financial perspective. Joe has helped countless organizations restructure, and strategize their way through some of the most complex and serious issues a business can face.
Read MorePodcast | Risk Takers Series #9. Joe Sheram – The Turnaround Guru
Brent sits down with corporate turnaround expert Joe Sheram to discuss financial risk, corporate theft, the importance of cash, and some of the biggest challenges businesses face when navigating a crisis from a financial perspective.…
Read Morerisk-takers #08. The State of Security – SPECIAL EPISODE
2020 has been a year full of change. In this week’s special episode Brent sits down with Vice Presidents Bryan Taylor, Josh Noland and Max Briggs for a lively discussion on the current state of security. The team discusses current trends affecting business owners, law enforcement, and employees and what to expect in the future. They also discuss how companies can help employees adjusting to the new norm. This is an enlightening conversation, where you’re sure to learn something new.
Read MorePodcast | Risk Takers Series #08. The State of Security – SPECIAL EPISODE
2020 has been a year full of change. In this week’s special episode Brent sits down with Vice Presidents Bryan Taylor, Josh Noland and Max Briggs for a lively discussion on the current state of…
Read MoreWhat is Business Continuity?
Before completely rewriting your Business Continuity Plan, it helps to understand the fundamentals of business continuity. I put together the following FAQ to give you a better understanding of the underlying information and provide a…
Read More