Small and medium-sized businesses, collectively known as SMBs, are the true gems of a local economy. While we grow up recognizing the big business brands like Rogers, Coca-Cola, FedEx and Walmart, small businesses are responsible for creating, delivering, producing, moving, and selling many of our everyday wants and needs. While SMBs typically operate with the same primary goals and desires as a big market business, there is one major hurdle that larger businesses are better prepared to deal with … cyber security. Below are 7 cyber security tips aimed at keeping your small business safe, secure, and productive.
Security Awareness Starts at the Top
Gone are the days where small businesses felt safe from cyber attacks. Today, cyber thieves prey on any sized business, with many even preferring to focus on smaller organizations. In fact, almost half of all cyberattacks target small businesses, with a recent report from Verizon estimating that 43% of attacks targeted SMBs. Even more alarming, 54% of small businesses still believe that they are too small to be attacked, leaving the door wide open for attacks.
One of the best cyber security tips is to ensure that your CEO and senior leadership team has fully bought into the importance of cyber security. Many security awareness training programs focus on educating front-line staff. However, CEOs and executives are just as likely, if not more so, to be the target of a phishing email or phone call, also known as vphishing (Voice phishing).
Also, a “do as I say, not as I do approach” when it comes to cyber security can be problematic. How often has your CEO promoted the importance of good security hygiene, only to write down their passwords on a sticky note or saved in a Notepad file? Executives and managers need to lead by example when it comes to cyber security. So, if you take any of these cyber security tips seriously, let it be this one…make sure you and your other business leaders practice what they preach.
Backup Everything….and we Mean Everything
One of the more confusing aspects of Information Technology is a never-ending array of acronyms, terms, and tools. This influx of technical terminology often leads to mixing up essential business practices, which is quite notable when it comes to backup and disaster recovery. Terms like redundancy, disaster recovery, high availability, replication, and backups are often used interchangeably by non-technical business leaders, which can cause issues when you find out that you are indeed not doing something that you thought you were doing.
The average time to identify a breach in 2020 was 207 days. (IBM)
This confusion is common when it comes to Cloud services like Microsoft 365 and Google GSuite. When businesses purchase Microsoft 365, users understand that Microsoft has multiple data centres and several redundancy layers, and they assume that this means that their data is backed up. This assumption is wrong. In the fine print of Microsoft’s End User License Agreement (EULA), it states that backing up data on Microsoft solutions such as SharePoint, OneDrive, and Teams is the user’s responsibility, not Microsoft’s. This is a typical cyber security tip that you will hear from Information Technology companies. Ensure that you are using a third-party solution to back up ALL of your Cloud data, and make sure you know where that backed up data is and how to access it. In the event of a ransomware attack, you will be glad you did.
Cyber Security Incidents Can Come from Within the Organization
Don’t worry; we are not calling your employees criminals. However, a recent study by Cybint reported that 95% of all cyber security incidents were caused by human error or system failure. While we tend to go after the low hanging fruit and protect our businesses from phishing and use next-gen firewalls to keep the attackers out, it is important to review your internal training procedures and tools often to ensure that everyone is trained correctly and doing their part to keep your business, and themselves, safe.
Keep with Times When it Comes to Password Policies
Let’s face it, while necessary, passwords are super annoying. According to a report published by Security Brief last year, the average person has 100 passwords. This is problematic because it forces people to reuse passwords and ignore password complexity best practices. In another study by Security Intelligence, 63% of confirmed data breaches leverage a weak, default, or stolen password.
An estimated 300 billion passwords are used by humans and machines worldwide. (Cybersecurity Media)
While we understand that poor password management can lead to security issues, many businesses still operate under outdated password best practices. As cyber security tips generally go, this one may be a bit loaded, but it is a very valid point.
In the past, most password management policies involved frequently changing your passwords. However, with the advent of password managers and Multi-Factor Authentication (MFA), we are beginning to rely heavily on technology rather than trusting that all employees will follow good password guidelines.
MFA is now a must-have. MFA, or sometimes called 2FA, involves using two or more authentication methods to access a system. This is generally your password combined with a facial recognition scan, fingerprint scan, approving a notification on your smartphone, or entering in a key you received on your smartphone or through an alternative email address. In addition to MFA, a strong password manager, such as 1Password, is a great way to ensure that you maintain strong and safe passwords without having to store them in an unsecured location.
Know What You Don’t Know
Yes, by nature, this cyber security tip is impossible to follow; however, there are ways to find out information that you didn’t know you needed to know (take a moment to read that again). A common problem businesses face is having previously exposed employee credentials up for grabs on the dark web. This means that right now, a hacker could be using credentials that he or she received from a previous data breach to access your systems.
64% of Americans have never checked to see if they were affected by a data breach. (Varonis)
One way to get in front of this problem is through Dark Web scanning. Several services allow you to manually or automatically scan the dark web for any exposed credentials that could provide access to your critical business systems. One of the most common and free-to-use sites, haveibeenpwned.com, allows you to enter any email address or password, and you will instantly know if that information currently exists on the dark web. If you do find employee information on the dark web, you can instruct that employee to change their password or provide them with additional security options such as MFA or a password manager.
Start with Finance
As a small business, one of the most critical cyber security tips is to ensure that anyone with a financial role has received vital security awareness training. Two widespread cyber security scams target the finance team. The first involves someone pretending to be an existing vendor, client, or partner who recently switched banks. To protect your business from this type of attack, ensure that your finance team knows to verify any financial request using a secondary source; this could be calling the contact on a phone number you already have or emailing them directly instead of replying to the email.
The second common scam that can impact the finance team is known as CEO Fraud. This is where someone pretends to be a company executive by spoofing their email address and making a request to purchase a money transfer or gift cards. Again, always ensure that you use more than one method of authentication before actioning any financial request. Both scams have also risen due to COVID-19, as face-to-face requests are far less common. Remember, when in doubt, verify.
Don’t Forget About Physical Security Practices
It’s easy to focus on cyber security tips in the digital and online space. However, you should remember to brush up on physical security practices. Do employees leave sensitive documents unattended on a printer? Do employees know what to do if a maintenance person is requesting access to the facility? Are sensitive areas locked? Do employees only have access to areas that they are required to be in for their job? While some of these seem obvious, given the extended work from home period caused by COVID-19, many employees might need a refresher.
Conclusion
When it comes to cyber security tips, the best one we can offer is to stay diligent with your security program. With zero-day threats and vulnerabilities, security programs can go stale quickly, so make sure your policies and procedures are reviewed and updated regularly.
Concerned about cyber security for your small business? Check out our Cybersecurity page for more information.
