11 Small Business Cybersecurity Tips

March 23, 2020

Though it is the large-scale data breaches that make the headlines, small businesses are also vulnerable to attack. Cybercriminals who target small businesses are after credit card numbers, social security numbers, and any other personally identifiable information that could be sold on the Dark Web for profit. To make matters more difficult, small businesses have fewer resources to commit to data and network security than enterprise organizations, but with some basic level of cyber hygiene and security in place, small businesses can significantly reduce their risk of attack.

As always, it is important to read up on cybersecurity trends, but do not skip the basics. Here, we’ve assembled a list of the top 11 things that a small business can do today to reduce their cyber risk. 

  1. Apply Device Encryption 

    When accessing network resources remotely, in addition to using mobile app security, it is very important to use a virtual private network (VPN). A VPN encrypts data in transit between the network and the device, so if a cybercriminal were to intercept the data en route, they would only acquire encrypted data, which is illegible without the encryption key. In addition, you need to ensure secure channels of communication between the client side and the server.
  2. Be Careful with Payment and Transaction Information 

    As an individual or as a business, it is important to ensure the security of your payment systems before submitting any credit card information. Work with your banks or processors to ensure sophisticated anti-fraud solutions are being used.

  3. Keep Clean Machines 

    By clean, we mean keeping your web browsers, operating systems, and security software up to date. Set your anti-virus program to scan the system after each update, and make sure the system remains as current as possible.

    The periodic updates released by these developers include code fixes to shore up known vulnerabilities in the system. These vulnerabilities are sometimes not discovered until they are exploited, so it is important that your devices are updated to close them quickly.

  4. Have a Mobile Device Action Plan 

    Mobile devices have put IT security teams in a difficult position. Mobile devices are essential in today’s business world, but they can pose a significant security risk. They can be stolen or hacked, the user could download compromised apps, and so on. To mitigate these risks, establish a mobile device action plan. These plans include developing a list of required security solutions and policies that are applied to the device before the employee can use it.

    Then, develop a reporting procedure so users can report any lost or stolen equipment. This will help your IT security team respond to risks as they arise.

    Also, consider enacting these policies: 

    • Do not permit jailbroken or rooted devices 

    • Ensure device encryption 

    • Only allow apps to be downloaded from the official app marketplaces 

    • Ask users to sign an Acceptable Use Policy that will detail the ways in which employees are permitted to use a company device. 

  5. Limit Access to Data Systems 

    Apply permissions to different users depending on their needs. For example, the CFO will need access to all financial information on the corporate network to fulfill their role in the company, but the receptionist does not. Ensuring that only select users have access to select resources limits the potential damage should a cyber attacker hijack one of the users’ accounts. If that user cannot access sensitive information, then neither can the attacker.

  6. Maintain a Strong Antivirus Software 

    Anti-virus software, alongside a firewall, is a foundational component of a cybersecurity strategy. Anti-virus software scans the system against its database of known threats in search of potentially hostile files. Without such a system, it would be very difficult to spot a breach after it has occurred.

  7. Protect and Back Up Sensitive Data 

    One of the most prominent forms of cyber-attack is the ransomware attack. After an attacker infiltrates the corporate network, they install code that encrypts the entire database. Then, they extort the company into paying them a sum of money in exchange for the key to decrypt the data. Typically, these offers have a time limit; after it expires, the attacker wipes the entire database. Worse yet, sometimes the attacker will refuse to provide the decryption key even after payment is received.

    The best defense against these types of attacks is a strong, reliable backup strategy. Whether using tape, disk, or cloud backup storage, having some backup of your systems is essential.

    Finally, ensure that different credentials are required to access your backup environment. This prevents an attacker who has compromised the production environment from infiltrating the backup as well.

  8. Provide Multi-Factor Authentication 

    Multi-factor authentication requires a user to complete two or more authentication factors in order to access corporate resources. These authentication factors can take the form of something you know (like a password), something you have (like a one-time password or trusted device), and something you are (like a fingerprint or facial scan).

    By leveraging multi-factor authentication, you can significantly improve the security of your organization. It is possible to replicate a single form of authentication, but by asking for multiple, varied forms, the likelihood of fraud is greatly reduced.

  9. Set Strong Passwords 

    Relatively speaking, passwords are the least secure form of authentication. If passwords are your only method of security, we strongly encourage you to consider two-factor authentication, multi-factor authentication solutions, or hardware authenticators. That being said, a well-constructed password is still going to be much more effective than a weak one. Follow these guidelines when constructing a password:

    • 10+ Characters

    • 1+ Uppercase letter

    • 1+ Lowercase letter 

    • 1+ Number 

    • 1+ Special character (!,@,#,$ etc.) 

    Over time, “password” has become a misnomer. It should really be thought of as a “passphrase”. Rather than a single word, construct your password as a short sentence or phrase; for example, “OneSpanprotectstheworldfr0mdigitalfraud!” is a much stronger password while still remaining easy to memorize.

    In addition, remind your employees that this should be a unique password not used on any other sites. One of the biggest vulnerabilities in passwords is people’s tendency to reuse their passwords across every account they have. That means if even one company in which the user has an account gets breached, your company’s resources are now vulnerable.

  10. Train Employees on Cybersecurity 

    The weakest link in a security system is the human one. Cybercriminals have developed sophisticated phishing and social engineering schemes to trick users into relinquishing sensitive account information, leading to a breach. It is important to train and habitually remind employees to be on the lookout for the telltale signs of phishing attempts. Other security training topics should include:

    • Crafting strong passwords

    • Spotting phishing emails 

    • Safe browsing practices 

    • Protecting sensitive corporate information 

    • Refusing suspicious downloads 

    But reminders and regular training are still not enough. In addition, you should implement random and unannounced tests. Send simulated phishing emails to your employees that follow the traditional elements of a phishing email. Then identify those who clicked on the simulated email and offer them training courses. This will help you direct the training to the employees who need it most.

  11. Use Network Firewalls 

    A firewall is a group of security programs that prevent outside users from accessing corporate data on the corporate network. This is a fundamental component of internet security and a must-have for any IT environment. However, the firewall is not a security system unto itself. You must supplement the firewall with the other security practices listed here.

Read More About Cyber Security

There is always something new to read in the cyber security industry. The ongoing arms race between security professionals and cybercriminals is ever-escalating. Subscribe to the OneSpan Blog to stay abreast of industry updates and new trends.