Cybersecurity best practices for small businesses
Last updated on July 20th, 2024In an era dominated by digital advancements, small businesses increasingly rely on technology to drive growth and efficiency. However, this increased reliance on digital platforms also exposes them to cyber threats.
I’ve worked in technology implementation and maintenance for 20 years now, and cybersecurity has increasingly become a critical concern for small businesses. Gone are the days when it was only larger enterprises with this focus. Small businesses often lack the robust defenses that larger enterprises may have in place, making them a prime target for cyber criminals to extort.
In this article, we will explore essential cybersecurity best practices that small businesses can adopt to safeguard their digital assets.
- Employee training and awareness
Cybersecurity training for all employees that use IT equipment (including smartphones) has become an essential part of cybersecurity defense. Whilst we often think of cyber security breaches as being the exploitation of technical vulnerabilities in a system, the human factor is equally as important whether it be through human error or user manipulation (social engineering).
Human errors can lead to technical vulnerabilities as well as accidental data breaches (such as sending an email to the wrong person).
Social engineering is the manipulation of employees or others with privileged access, into sharing, disclosing or providing access to something they should not have. It’s an extremely common tactic, and is very effective.
As a result educating staff about the risks of phishing, malware, social engineering, and the importance of strong password practices is crucial. Regular training sessions and updates on emerging threats can help create a vigilant workforce.
This doesn’t have to be an expensive process, you can find my view of suggested topics for your own cyber security awareness training here. That said, there are many third parties that offer dedicated training with regular phishing simulation exercises. These phishing exercises send emails to employees that simulate the targets of hackers. This may include “urgent” requests that claim to be from a senior role in the organisation. Done right, these exercises can help employees recognise phishing attacks, and provides your organisation with an insight into a key area of risk. - Multi-factor authentication
Implementing multi-factor authentication (MFA) adds an extra layer of security beyond just passwords. We all know how flawed passwords can be. Requiring employees to use a combination of passwords and additional verification methods such as one-time codes or biometrics significantly reduces the risk of unauthorized access, even if passwords are compromised.
Multi-factor authentication should be enabled on any internet accessible systems. This includes your main identity provider (e.g. Microsoft 365 or Google Workspace) as well as external-facing services such as your VPN, and websites that hold business or financial data sch as your bank account, Amazon account etc. - Regular software updates/patch management
Ensure that all software, including operating systems and applications, are regularly updated with the latest security patches. Cybercriminals have automated bots scanning internet-facing services for vulnerabilities they can exploit. Once inside your infrastructure they would also look to exploit vulnerabilities in outdated software to achieve their goals.
Staying up-to-date helps protect your systems against known security flaws.
Protect end-user devices (PC’s, smartphones and tablets) by turning on automatic updates wherever possible, and rebooting devices once a month (ideally more often such as at the end of the working week) so updates take effect. Check devices regularly to ensure they are picking up updates as expected. - Firewall protection
Set up and configure firewalls to monitor and control incoming and outgoing network traffic. Firewalls act as a barrier between your internal network and the internet, blocking unauthorized access and potential cyber threats. Small businesses can use both hardware and software firewalls for added protection. - Data encryption
Encrypt sensitive data, both in transit (whilst being transferred) and at rest (whilst saved somewhere). This adds an extra layer of security, ensuring that even if data is intercepted, it remains unreadable without the proper decryption keys.
In-transit: Ensure websites and internally hosted web apps begin https. This ensures they are using encrypted communication to the end-user. Technically you’ll want to ensure the encryption type in-use is up-to-date. TLS 1.2 is the current minimum acceptable standard for in-transit encryption. I recommend testing external testing web services with Qualys’ free SSL labs tool. - Regular data backups
Implement a robust data backup strategy to protect against data loss due to cyberattacks, accidental deletion, or hardware failure. Regularly backup critical business data and ensure that the backups are stored securely, preferably offsite, to avoid losing crucial information in the event of a security incident.
For more details, I’ve previously done a YouTube video on simple backup principles, specifically looking at the 3-2-1 principle to backups. - Incident response plan
However small your organisation is, it’s important to be prepared for any type of major incident. This includes cyber security breaches. Develop and document an incident response plan that outlines the steps to be taken in the event of a cybersecurity incident. This plan should include procedures for identifying, containing, eradicating, recovering, and learning from security breaches. Having a well-defined response plan can minimise damage and downtime. - Secure Wi-Fi networks
Wireless networks have become essential for business flexibility, but offer a target to cyber criminals able to physically visit your locations. You can secure your Wi-Fi networks with strong encryption (minimum WPA2, but WPA3 is recommended). Also, ensure you have changed any login credentials (do not use out-of-the-box ones) for routers and access points. Also use a separate network for any guest access.
It’s good practice not to automatically trust any device based solely on the network they have connected to (be it cabled or wireless). If using services such as Microsoft 365 that support “conditional access” (rule-based access to resources), you may want to consider adding rules that look for a certificate on trusted devices or check the device MAC address (weaker option) before providing access. This reduces the impact in the event of your Wi-Fi network being breached. - Network security audits
Conduct regular security audits to identify vulnerabilities in your network infrastructure. This can involve penetration testing, vulnerability scanning, and reviewing access controls. Identifying and addressing potential weaknesses proactively can prevent security breaches.
There are many third parties that offer such services. Whilst you can do some basic scans yourself using some available tools, these will be significantly less effectively than those avaialble to penetration testing organisations. I would recommend speaking with well accreddited organisations (for example a TIGER scheme or CREST accredited tester). The scope of tests can be varied to target higher risk areas where cost is a challenge. - Supplier security assessments
If your business relies on third-party suppliers/service providers, ensure they meet good cybersecurity standards. Just as we discussed network security audits for your own organisation above, so too should you ensure that third parties holding ,or processing, data on your benefit do likewise.
Software-as-a-service (SaaS) providers should expect to be asked annually for proof that they have conducted an independent cyber security assessment of their infrastructure. I recommend adding this as a contractual requirement, asking suppliers to provide a high level summary of their penetration test results annually.
For security reasons you shouldn’t expect to be told the exact nature of issues, but should receive a summary showing the number of higher severity vulnerabilities identified, and confirmation once these have been closed. Most penetration testers use the Common Vulnerability Scoring System (CVSS) as a method to score the severity of vulnerabilities. Based on the current v3.1 version of the CVSS, you should expect to be reassured that any vulnerabilities scoring 7.0 and above have been resolved promptly after identification.
Regularly assessing supplier cyber security state, and including cybersecurity requirements in service provider contracts helps to mitigate risks associated with external partners.
Implementing strong cybersecurity practices is not just a necessity for large corporations; small businesses are equally vulnerable to cyber threats. By prioritising employee education, securing digital assets, and adopting proactive security measures, small businesses can significantly reduce the risk of falling victim to cyberattacks.
Remember, investing in cybersecurity is an investment in the long-term success and resilience of your business in today’s digital landscape.