Overview
Many articles have been written on the topic of cybersecurity, but most of them target large enterprises that have IT departments and numerous resources. This article is specifically designed for SMBs and contains simple, straightforward steps that can be taken to help improve your business's cybersecurity.
What Is Cybersecurity
Although most people are aware of the term cybersecurity, many may not fully understand what it means. Cybersecurity is simply the actions you and your employees take to protect the data on your computers, mobile devices and network against criminal or unauthorized access and use.
Unfortunately, SMBs are at the forefront of cybersecurity breaches today. Here are some sobering facts that show how SMBs are being targeted:
- Forty percent of all cybersecurity attacks are targeted at companies with fewer than 500 employees.1
- Only fourteen percent of small businesses have a plan in place to protect their business.2
- The number one cybersecurity threat to small businesses comes from their own employees.3
- Sixty percent of small businesses go out of business within six months of suffering a cyberattack.4
These facts show why it is critical for your business to take the necessary precautions to protect your data, your employees and your business.
Fortunately, there are some relatively simple steps you can take that will help make your business more cybersecure.
Cybersecurity – Getting Started
While many businesses are fortunate enough to have IT or security departments that are charged with maintaining cybersecurity, the reality is that many SMBs do not. However, this does not mean that their data should be unprotected. All employees should be responsible for maintaining cybersecurity for the equipment and tools that they use and interact with on a regular basis.
The good news is that cybersecurity is not a one-and-done process. It is a cumulative process that begins with a series of small improvements; depending on the requirements of your business, additional layers can then be built up over time, as your business and budget allow.
The first step to implementing improved cybersecurity is also the easiest: educating your employees on the importance of cybersecurity. Help them understand that cybersecurity does not just mean preventing their computer from being hacked, but also covers the many other ways someone can gain unauthorized access to your business data.
Cybersecurity Components
Effective cybersecurity is composed of three components: common sense, physical security and electronic/digital security.
I mention common sense because there are many simple, no-to-low-cost steps that businesses can take to help implement cybersecurity. This is also an area that many cybersecurity “experts” do not mention.
Why is physical security included? Because many cybersecurity breaches occur as a direct result of a physical security breach. Including physical security helps employees realize that there are many paths to enabling a cybersecurity attack.
Listed below are steps your business can take to help implement cybersecurity:
Cybersecurity – How To Implement – Common Sense Security Steps
- Don’t write passwords down and then leave the piece of paper lying on your desk or in your drawer
- Don’t write passwords on a sticky note and attach it to the computer
- Physically attach laptops to the workstation or desk area via a security cable (security cables are available for purchase from numerous vendors)
- Install polarized screen protectors on all computer monitors and laptops to prevent unauthorized viewing of the screens
- Lock computers with a password when away from them during business hours
- Turn off computers and physically lock them up during non-business hours
- Don’t take or use work computers, cell phones, or other mobile devices to public places where they can be forgotten, stolen, cloned or hacked
- Don’t connect business computers or mobile devices to unsecured or public Wi-Fi networks
- Don’t open email from unknown senders or sources
- If there is any doubt about the authenticity of an email, delete it
- Don’t click on hyperlinks or attachments from unknown senders or sources (in text messages, chat sessions or email)
- Don’t provide personal or company information over the phone to anyone
Cybersecurity – How To Implement – Physical Security Steps
- If possible, use badges for entry to your business or offices
- When people enter your facility, don’t allow “drafting” (this is the practice of someone following the person in front of them without having to swipe a badge or provide other methods of authentication)
- Be alert to social engineering (this is the practice of manipulating an employee to provide confidential information)5
- Be alert to suspicious cars in the parking lot or people hanging around your business that are not employees
- If you see someone suspicious inside or outside your place of business, notify your management immediately
- If you see someone inside your business acting suspiciously, notify your management immediately
- If you see someone in an area where they should not be, notify your management immediately
- Install security cameras over all entryways and secure areas; if you cannot afford real cameras you can also install fake cameras that are very realistic looking
Cybersecurity – How To Implement – Electronic/Digital Security Steps
- If you provide Wi-Fi in your facility, take the following steps:6
  - Change both the router’s default generic user name and password to something more secure, as the defaults are a matter of public record
  - Change the service set identifier (SSID), aka the network name that is broadcast by the router, to something more personalized
  - Turn off the SSID broadcast so that anyone who needs to get onto your Wi-Fi will have to be told the SSID to enter
  - Turn on the router’s encryption, set it to WPA2 and set up a password for devices to use to connect to Wi-Fi
  - Turn on the router’s firewall
  - Unless you specifically require it, turn off the Guest Network setting
  - Turn off Wi-Fi Protected Setup (WPS)
  - Periodically update the router’s firmware (this is the software for the router)
- Have and enforce a mandatory password policy for logging on to any computers, cell phones or mobile devices that are used for work
- Require passwords for logging on to any computers, cell phones or mobile devices that are used for work
- Require a password to log in to any business networks or databases
- If possible, establish two-factor authentication (2FA) to log on7
- Don’t use common words, phrases, or number strings for a password (such as “password”, “1234”, a pet’s name, etc.)
- All passwords should be at least 8-12 characters long and contain a mixture of upper- and lower-case letters, numbers, and special characters
- All passwords should be changed once per quarter, with at least the previous 6 passwords not able to be reused
- If employees must connect to your business network when away from the office, ensure that they connect via a virtual private network (VPN)
- All computers have a firewall included with the operating system, so ensure that the firewall is turned on
- Install virus protection software on all computers, cell phones and mobile devices
- If you already have virus protection, ensure that it is turned on and kept up to date
- Ensure that all laptops, cell phones and mobile devices have tracking/locking/wiping software installed so that they can be located and/or wiped if lost
- Do not allow the use of “shadow IT” (the use of personal equipment, hardware or software that is not supported by your IT organization)8
- Backup all critical data (on employee computers, network servers, etc.) on a regular basis
- Do not allow employees to connect USB or other external devices to computers or networks; if they must use them, have your virus protection software set to immediately scan them as soon as they are connected
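As an added illustration that is not part of the original article, here is a small Python audit of the Wi-Fi checklist above against a hostapd-style access-point configuration (an assumption; consumer routers expose the same settings through their own UI). The two configs and the list of factory-default SSID markers are constructed here; the firewall, guest-network and firmware items are not visible in such a file and are left out.

```python
# Constructed sample: the kind of factory defaults the checklist warns about
FACTORY_DEFAULT_CONF = """
ssid=LINKSYS-SETUP
wpa=0
ignore_broadcast_ssid=0
wps_state=2
"""

# Constructed sample: the same access point after working through the checklist
HARDENED_CONF = """
ssid=Catalyst-Office
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-passphrase-change-me-2018
wps_state=0
"""

# Constructed markers of network names that still look like factory defaults
DEFAULT_SSID_MARKERS = ("LINKSYS", "NETGEAR", "DEFAULT", "SETUP")


def parse_conf(text: str) -> dict:
    """Turn 'key=value' lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list[str]:
    """Return the checklist items this configuration fails (empty list = passes)."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("encryption not set to WPA2 (wpa=2)")
    elif conf.get("rsn_pairwise") != "CCMP":
        findings.append("WPA2 without AES/CCMP (rsn_pairwise=CCMP)")
    if len(conf.get("wpa_passphrase", "")) < 8:
        findings.append("no usable Wi-Fi password (wpa_passphrase, 8-63 chars)")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast (ignore_broadcast_ssid=1)")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS is enabled (wps_state=0)")
    if any(m in conf.get("ssid", "").upper() for m in DEFAULT_SSID_MARKERS):
        findings.append("SSID looks like a factory default")
    return findings
```

Hiding the SSID only removes it from beacon frames; it is still sent in probe and association frames, so the real protection comes from WPA2 with a strong passphrase.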
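The password rules above (length, character mix, no common words or number strings, and no reuse of the previous six passwords) as an added Python example that is not from the article. The blocklist and user names are constructed, and the history keeps salted PBKDF2 hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import secrets

MIN_LEN = 8         # the article's lower bound ("at least 8-12 characters")
HISTORY_DEPTH = 6   # the previous six passwords may not be reused
COMMON = ("password", "1234", "qwerty", "letmein", "welcome")  # constructed blocklist


def check_complexity(pw: str) -> list[str]:
    """Return the policy rules the candidate password violates (empty = OK)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    if any(word in pw.lower() for word in COMMON):
        problems.append("contains a common word or number string")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so the history never stores the passwords themselves
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    """Keeps the salted hashes of each user's last HISTORY_DEPTH passwords."""
    def __init__(self):
        self._entries = {}  # user -> list of (salt, digest), newest last

    def reused(self, user: str, pw: str) -> bool:
        return any(hmac.compare_digest(_hash(pw, salt), digest)
                   for salt, digest in self._entries.get(user, []))

    def change_password(self, user: str, pw: str) -> list[str]:
        """Apply every rule; on success record the new hash and return []."""
        problems = check_complexity(pw)
        if self.reused(user, pw):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        history = self._entries.setdefault(user, [])
        history.append((salt, _hash(pw, salt)))
        del history[:-HISTORY_DEPTH]  # keep only the most recent six
        return []
```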
Summary
Depending on the size of your business and the resources you have available, some of the recommendations listed above may require you to manually police and enforce them to ensure compliance. Others may require a level of technical competency that you do not have available. If that is the case, for the security of your business it may be worthwhile to consider hiring a consultant or subcontracting some of those functions out.
However, regardless of the size of your business, by following and implementing the above recommendations you will have taken positive steps to help secure your business from cybersecurity breaches and cyberattacks.
© 2018 – Richard Hatheway, Catalyst Strategic Marketing. All Rights Reserved.
1,2 – “Untrained and Vulnerable: Small Biz Losing War on Cybercrime”, CIO Today, February 1, 2018, https://www.cio-today.com/article/index.php?story_id=107220
3 – “The 2017 State of SMB Cybersecurity”, Ponemon Institute, https://keepersecurity.com/assets/pdf/2017-Cybersecurity-SMB-Infographic.pdf
4 – “60% of small companies that suffer a cyber attack are out of business within six months.”, The Denver Post, October 23, 2016, https://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/
5 – “What is Social Engineering?”, Webroot, https://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
6 – “12 Ways to Secure your Wi-Fi Network”, PC Magazine, October 14, 2016, https://www.pcmag.com/article2/0,2817,2409751,00.asp
7 – “Understanding the basics of two-factor authentication”, Malwarebytes Labs, January 20, 2017, https://blog.malwarebytes.com/101/2017/01/understanding-the-basics-of-two-factor-authentication/
8 – “How to prevent shadow IT”, CSO Online, February 16, 2016, https://www.csoonline.com/article/3032209/security/how-to-prevent-shadow-it.html