With automated attacks, cybercriminals can attack many small businesses at once. SMBs need effective security measures to protect their networks and data.
Cyber-attacks are designed to collect personal information that is often used in identity theft or unauthorized credit card use. Larger enterprises may have more data to run off with, but smaller businesses with less to spend on security are preferred targets. With automated attacks in the form of viruses and spyware, cybercriminals can attack hundreds or thousands of small businesses at the same time, and those businesses often have more vulnerable networks that make it easier for attackers to succeed.
Lack of budget, expertise and time are top reasons for the success rate of attacks against SMBs. Some organizations may lack an IT security specialist and the budget for employee training and may not update security protocols regularly. Learn how your business can avoid becoming a target for cyber-attacks.
A firewall is your first defense against unauthorized access. According to the Federal Communications Commission, small businesses should implement an effective firewall to protect client data against cybercriminals. Most businesses use external firewalls as the first line of defense, but hackers are increasingly outsmarting them. Internal firewalls provide twice the protection. Employees who wish to work from home also need a firewall to ensure that client data doesn't leak out of their home network. To ensure compliance, your organization may need to provide firewall software and support.
Small businesses are often run on individual expertise and tribal knowledge. From a cybersecurity perspective, it's extremely important to document your security practices. There are several resources to help you get started. The Small Business Administration offers checklists and training to help online businesses protect their data. The FCC has a Cyberplanner 2.0 program that serves as a starting point for your security documentation. You can also consider the C3 Voluntary Program for Small Businesses, which has a detailed toolkit for evaluating and documenting best practices and policies.
Many businesses allow employees to use their personal smartphones for work purposes. With the trend in wearable tech and IoT, the number of devices connecting to your network is likely to grow exponentially.
Companies without a documented BYOD (bring your own device) policy may be in for unpleasant surprises if a lost or stolen device falls into the wrong hands. Every device that may connect to your company's email and other servers should be included in your policy documentation.
Employees in small companies often serve in several roles. However busy everyone is, it's essential to make sure anyone with access to the network receives training on network cybersecurity policies. Policies will change over time as cybercriminals develop new means of attack. That's why companies keep their security documentation up to date and retrain employees periodically to minimize risk. Your policy should include a consequence for breaking the rules, especially if that results in a data breach.
Employees hate changing (and forgetting) passwords, but it's an important part of maintaining tight security. Many breaches occur due to weak or stolen passwords, so workstations, laptops and other devices connecting to your network all need to be password-protected. Consider requiring passwords with upper- and lowercase letters, symbols and numbers. SMBs should require password changes at least every 90 days.
No matter how careful the security team and employees are, breaches may still occur. Another way to protect your data is by backing up financial files, spreadsheets, databases, HR and payroll information. Data backed up on the cloud helps ensure your data is safely replicated in a separate location in case of flood, fire or other emergencies. Check your backup often to ensure the data is accessible and correct.
Training may cut down on the number of employees who open suspicious emails. However, it only takes one person to click on the wrong link to unleash malware. If anti-malware software has been installed on devices and your network, it may squash the bug right there. Phishing emails often use position-specific tactics to entice employees to open them, so that should also be included in your training.
Using multi-factor authentication settings for email and network resources provides a solid layer of protection for your data. Multi-factor authentication (MFA) requires at least two types of authentication to verify the user's identity. MFA factors include what the user provides, such as passwords; security tokens, such as cell phone numbers; and biometrics, such as fingerprint verification.