Hearing about data breaches, outsider/insider threats, and new cybersecurity risks is enough to overwhelm any small business owner. Sure, hackers want your data, but you’re not doomed to become the next cybersecurity headline just because you rely on a network of devices and applications to get work done. Instead of letting the news freak you out, get proactive with a few key cybersecurity best practices.
Invest in the basics.
Starting with the simple things builds a firm foundation for the rest of your cybersecurity policy. Do you have a firewall in place? Have you invested in reliable antivirus and antimalware solutions? If not, you need to do those things first.
For your firewall, get something separate from the protection on individual devices. A separate firewall can defend every device connected to the network at any given time, which is vitally important as smart technology continues to become more popular.
As far as antivirus and antimalware solutions go, don’t just grab a few free programs and assume you’re covered. Make an investment in the highest-rated security software to give your small business as strong a first line of defense against deliberate and accidental breaches as possible. Be sure to purchase a license that will cover your entire network, while taking care to set up the programs properly from the start.
Know your connections.
Who’s on your network right now? Even if you think you know, you’re probably missing someone. The actions of employees, vendors, partners, and customers have the potential to put your data at risk. One wrong move and you’re a sitting duck for malicious hackers.
It’s much easier to protect your data from these threats if you’re familiar with who and what connects to the network every day. Assess the number and type of connections to determine if any permissions can or should be revoked. Get in touch with the platforms you use for data storage, HR automation, and customer-facing transactions to find out how they handle their own security. Should you find something you’re not comfortable with, consider switching to a different vendor.
Scrutinize every service.
In addition to the services you’re already using, be as thorough as you can when vetting any you intend to adopt. Whether you’re adding a virtual point of sale for customers or migrating a legacy system to the cloud, due diligence is paramount. Don’t sign any agreements before you know the vendor’s policies and history.
Research vendors to find out if they’ve been breached in the past. If so, how many times? What did they do to fix the problem? Were they prompt about it? This is an example of how going with the cheapest price may not always be the best option, since a low cost could mean someone is cutting corners where they shouldn’t.
Read security and privacy policies, including how vendors approach compliance and how data is stored, transferred, and backed up. Encryption, redundancy, and automatic backups are all essential security features.
Make least privilege your friend.
If you’ve read anything about small business identity and access management, you’ve probably heard of the principle of least privilege. It’s a simple rule ensuring employees only have access to the data and applications they need to perform their jobs, but for some reason, a lot of businesses have a hard time adhering to it
Access creep is an ongoing problem in which employee accounts accumulate more privileges than were originally intended. Even if your staff members aren’t using the full extent of the access they've been granted, hackers won’t be shy about taking advantage. You need to get access management under control to prevent unauthorized users from sneaking into the system and stealing sensitive data.
Do an audit to get a handle on the number of your active and abandoned accounts and their privilege levels. Get rid of the accounts no one is using and reign in permissions wherever necessary to close the door on enterprising hackers.
Don’t forget about employees who bring their own devices to the workplace.
Your employees probably think it’s great when they can pop on their phones and get a little work done without having to drive all the way to the office, but this practice is likely to be putting your systems at risk. Unless they’re using a virtual private network (VPN) or logging in from a secure device, they’re creating an additional point of vulnerability for hackers to exploit.
The solution to this is twofold:
- Prohibit employees from accessing your network over public Wi-Fi connections.
- Invest in a security plan to cover all devices, including those owned by employees.
If complete coverage from a third party isn’t doable due to budget restrictions, work with your IT department to configure all employee devices with the strongest possible security settings.
Switch up authentication.
Did you know four out of 10 internet users, including your employees, use the same password for more than one service? Worse: Most employees have no idea how to manage passwords safely. In fact, a lot of businesses are moving away from passwords altogether and adopting alternative authentication methods.
For instance, multi-factor authentication (MFA) is growing more and more popular. If your business is still in the growth stages, you may not be able to include something as fancy as biometrics in your MFA. However, you can look for platforms and services that use combinations of passwords and one-time codes or single sign-on solutions that provide access using one secure “master” authentication method.
The key is to make sure all forms of network access require more than one identifier to minimize the chances of hackers impersonating authorized users and hijacking accounts.
Upgrade everything always.
Pay attention to notices from hardware and software vendors announcing that support for a product is expiring. Letting these notices fall through the cracks is pretty much the same as inviting hackers into your network and letting them do whatever they want with your data.
After all, manufacturer support is what ensures your hardware and software stay protected. Patches and upgrades protect against newly discovered threats and when these are no longer issued, the outdated parts of your system become vulnerable. Set up automatic updates for supported products and be sure to upgrade to the latest versions of anything outdated as soon as possible.
Stop procrastinating with backups.
Did you know downtime from data loss can cost you $137 to $427 per minute? The good news is this: The annual cost of a data backup is a whole lot less than that. Data backups can even be automated, so you have no excuse to keep putting off this essential part of any successful security plan. It’s worth investing in a reliable offsite data storage solution with an option to scale as your business grows.
Go with a cloud service offering routine backups and redundancy across more than one storage site. This covers two critical aspects of data backup and recovery:
- It ensures data remains available if one of the servers is damaged or compromised.
- It makes the most recent version of data available if recovery is required.
Recovery speed is also important. Look for a backup solution promising the quickest recovery possible so that you don’t lose big chunks of work time in the event of onsite data loss.
Work with a pro.
Proactively paying a certified cybersecurity professional is much cheaper than cleaning up after a breach. Seek out someone who's certified as an information security manager (CISM) or information systems security professional (CISSP). These specialists have the credentials and the experience required to assess, develop, implement, and manage every aspect of your company’s network security.
Having a professional on board also takes the pressure off your internal IT department and lets you breathe a sigh of relief knowing someone with detailed knowledge of modern threats is taking care of your data.
Don’t scoff at education.
Your employees may roll their eyes when you announce you’re putting them through cybersecurity training, but it’s something every business should do. No matter how amazing your team may be, you can’t assume everyone knows how to stay secure on the network.
Use the security policy and protocols developed by the cybersecurity expert you hired to create your training. If you’re not sure how to go about this, contact a company or organization specializing in cybersecurity training. Everyone on your team should come away from training sessions with a solid understanding of how to maintain and enforce security across the network and what steps must be taken to minimize damage if a breach occurs.
You don't want to put cybersecurity on autopilot once you have these protections in place. Be diligent by reassessing your risk levels periodically and keep in touch with the cybersecurity professionals with whom you’ve chosen to work. New technology is going to keep making security more complicated, but with the right plan, you can stay on top of it and ensure that your business has the best protection available.