Cybersecurity for small businesses doesn’t have to be expensive, but it is critical. According to the 2019 Data Breach Investigations Report by Verizon, 43% of reported data breaches involved small business victims. Worse yet, the U.S. National Cyber Security Alliance estimates that 60% of all SMBs are forced to shut down their operations following an attack.
As a small-to-medium business owner, you have big security needs that shouldn’t be limited by over-priced and complicated cyber security solutions forcing you to take on yet another costly monthly bill. In this guide I will outline the importance of cyber security for small businesses and show you the most important steps you can take to improve your data loss prevention strategy on a budget.
Small-to-medium business owners and startups have a much more personal relationship with money than large enterprises. Every expense hits much closer to home as that money could very well be coming from your pocket, the pockets of early investors, or from the modest revenue that you’d much rather be spending on the things that will directly grow your business.
Here’s the thing…
Improving the cyber security capabilities of your business doesn’t have to be expensive! While there are absolutely some things that will require resources (time for training staff, investing in data loss prevention software, etc), any short term gains you might see from investing that money elsewhere will quickly go down the drain in the event of a data breach.
Your business – any business – simply cannot afford to skimp on securing the sensitive data in your custody. You don’t necessarily need the most expensive security software, multi-staff dedicated IT security teams, and your own dedicated data storage servers – you just need to invest in cost-effective resources that make sense for your business’ security needs.
That said, there is a very real barrier that small-to-medium businesses face when it comes to investing in cyber security software – economies of scale. Smaller organizations have fewer users and a smaller revenue base to work with, which means they are not able to take full advantage of volume discounts the way large enterprises do.
All hope is not lost, though. We’ll touch more on the types of cost-effective (and free!) resources your small business needs to improve its data loss prevention capabilities later in this article.
A common mistake made by small business owners is assuming that they aren’t a valuable target for threat actors (the security industry term for ‘hackers’). Shockingly, 68% of SMBs in the 2015 Security Pressures Report from Trustwave believed their organization was safe from cyberattacks and data compromises – you cannot afford to make this mistake!
All small businesses have sensitive data that they need to protect:
Threats to data security are entirely industry agnostic and small businesses have far more valuable data than they might realize. Even if you’re not a tech company you are still a valuable target to scam artists, cybercriminals, and insider threats because of the value associated with the sensitive data you need to operate your business.
When you’re bootstrapping your business, it’s highly likely that having a dedicated IT person on staff isn’t going to be financially feasible. Your business may also genuinely not have as great of a need for regular ongoing IT maintenance as other companies – but that doesn’t mean you don’t need IT security!
There are going to be occasions where your company needs to seek professional help from dedicated IT security professionals. Fortunately, there are ways that small business owners can leverage the expertise of cyber security experts without breaking the bank.
Small businesses with semi-regular IT needs can outsource their IT work through Managed Service Providers (MSP) that specialize in data security services. With an MSP on retainer a small business will always have access to critical security expertise without having to maintain dedicated staff members. MSPs will also help guide businesses through their IT software and hardware needs, saving them considerable time that would be spent on research and testing multiple solutions.
Small businesses need professional IT help when:
While many businesses opt for a break/fix model where IT support is only called on to fix immediately identifiable issues, budgeting for routine IT maintenance where feasible can help further maintain the security of your network and keep things up and running. Continual IT maintenance will help save on costs associated with downtime and data breaches, making it a valuable investment.
Reputation is everything for small businesses, particularly in local circles where word quickly gets around if the business simply isn’t up to snuff. While not every consumer or potential client is going to think to ask about your approach to data security, they will certainly steer clear if your business develops a reputation for negligence and mismanagement of sensitive data.
Aside from the cost of a data breach, being unable to demonstrate that you’re serious about your corporate data security responsibilities is going to guarantee that any potential partners are going to think twice before trusting your business.
Don’t think that a large company will want to work with a small-to-medium business? Think again!
Larger companies love working with small businesses, and the partnerships they make can be of great benefit for both parties. The large companies benefit from the agility and flexibility that their small business partners have and the small businesses benefit from the connections and reputation that their larger partners have – it’s a total win-win!
If you want to play ball with established enterprises, your business needs to step up its data security game big time.
All it takes is one nasty data breach to irreparably end your business. The U.S. National Cyber Security Alliance estimates that 60% of all SMBs are forced to shut down their operations following an attack.
IBM’s 2019 Cost of Data Breach Report found the average cost of a breach to be $150 per record stolen. While there are plenty of examples of companies that have recovered from the costs of data leaks, more often than not these companies are larger and better equipped to withstand the fallout.
The costs of a data breach are more than fines:
The average costs of compliance for the companies surveyed by GlobalScape in 2017 was $5.47 million and the average cost of non-compliance was $14.8 million – 2.71x greater than the cost of compliance. When the cost of a data breach is compared to the investment of maintaining adequate data security and data privacy standards, there’s a clear winner.
An internet connection is the single greatest vulnerability to data security, but you’ll be hard pressed to find a business that doesn’t benefit from having an internet connection in some way. The key is to be aware of the data security risks associated with the internet and plan your cyber security strategy accordingly.
If you’ve been using email for a fair stretch of time, it’s almost guaranteed that you’ve stumbled upon a phishing email before. Those cryptic emails claiming to be your ticket to wealth aren’t just annoying spam messages, they are the most common and dangerous tool used by threat actors to infiltrate your network.
62% of businesses experienced phishing and social engineering attacks in 2018. Phishing attacks can be far more convincing and sophisticated than what you might be used to seeing, so don’t think your employees are guaranteed to see these messages for what they are.
A particularly personalized phishing attack – known as spear phishing – can be used by threat actors to craft eerily convincing phishing emails that persuade your employees to visit malicious websites that install spyware on your network. Spear phishing attacks use personal information collected from social media and other available sources to relate directly to their target, greatly increasing the chances that their would-be victims will fall for the trap.
Security software simply isn’t enough to protect data. While dedicated tools are absolutely important for providing your business with the critical security controls it needs to address vulnerabilities, investing in the security knowledge of your employees is the single greatest step you can take to keep corporate and customer data secure.
Consider this – your employees are on the front-lines and interacting directly with the endpoints (computers, laptops, mobile phones, etc) that are vulnerable to attacks from threat actors if not used properly. Your employees need to be equipped with adequate security awareness training that covers common workplace vulnerabilities.
In an effort to improve procurement efficiency and reduce costs, many workplaces will allow their employees to use their personal devices at work. This practice is known as “Bring Your Own Device” or “BYOD”, and it can be a serious security problem if it’s not well executed.
That’s not to say that employees should never be allowed to use personal devices, just that business owners and security teams need to be aware of the risks associated with BYOD policies and plan accordingly.
Why BYOD can be dangerous:
As a business owner you will naturally build a close relationship with your employees. Your employees are what make your business possible and they have understandably earned your trust, but that doesn’t mean that they shouldn’t be managed as part of your data security plan.
Insider threats aren’t always malicious. While you will absolutely need a plan for preventing jaded employees from loading company secrets onto a flash drive and selling them to your competitors, more often than not insider threats are simply employees who are careless.
How good employees become insider threats:
According to Verizon’s 2019 Data Breach Investigations Report 34% of all breaches that happened in 2018 were caused by insider threats. The proximity and access that employees have to a small business make them a likely source of cyber security incidents if not managed appropriately.
With all of the information that’s available about cyber security, it can be overwhelming for a small business owner to get started in improving their data security capabilities. To help you get started, here are the most critical data loss prevention steps that small businesses need to take. Once this essential framework is established, you’ll be in a much better position to start incorporating more advanced security controls as your data security needs evolve.
This is one of those stages where having the advice of a security expert is going to pay off the most. Even if you perform a security risk self-assessment (and you really should!), there are bound to be less obvious vulnerabilities that the untrained eye will miss.
When developing a cyber security risk management plan, it is important to tailor the security controls based on the risk level associated with the device. Endpoint devices can be placed into three risk categories: Low Risk, Moderate Risk, and High Risk.
The unfortunate reality of any cyber security plan is that you cannot protect everything equally – your risk management plan will need to prioritize higher risk devices and networks over those that pose a lower risk.
What to Include in Your Assessment
Following the initial assessment, make a plan to revisit your risk planning at least once a year. As your business grows and develops your risk profile will naturally fluctuate and you may need to account for new threats that have emerged.
If your employees aren’t adequately equipped with the knowledge they need to use technology safely in the workplace they’re bound to slip up eventually. Do not let your employees be your weakest link – make sure they’re kept up-to-date on their security responsibilities and the steps they can take to protect sensitive data.
If the means for training employees is not available in-house, seek out dedicated training services and free online materials. At the end of this article I’ve provided links to free and paid resources to get you started.
The 2013 data breach of Target that resulted in the payment card data of 41 million consumers being leaked was caused by a third-party vulnerability. A small HVAC company that had a virtual connection to one of Target’s servers was hacked as a result of a malware-laced email. Once the HVAC company was compromised, the threat actors had a direct connection to Target’s network where they could continue their attacks. Target was forced to pay $18.5 million as a result of the data breach – do not let your small business fall victim to the security gaps of third-party vendors.
Businesses of all sizes rely on third-party vendors to bolster their capabilities without heavily investing in cultivating those capabilities internally. When you establish a connection with a third party that lets them have access to your business and its systems, you still have data security responsibilities that you need to attend to.
When selecting a third-party vendor, you need to perform due diligence to ensure that they’ve done everything they can to ensure the security of their systems and the data that you’ll be sharing with them. Where possible limit any direct access that the third party has to your systems and set clear data security expectations in a service-level agreement (SLA).
With the increased prevalence of ransomware attacks, the dire need to have secure backups of data is greater than ever before. Ransomware attacks infect computers and maliciously encrypt files, only (potentially) releasing the encryption key when a ransom is paid.
Even without the threat of ransomware, any data that your business cannot afford to lose needs to have redundant copies to prevent the loss of that data.
Critical business data should be securely backed up in 3 places:
For small businesses that do not have the time to invest in physical backups, cloud storage providers provide the peace of mind that comes with data redundancy without the hassle. While cloud storage vulnerabilities do exist, leading providers implement robust security measures that protect the data from external threats. Your main priority will be ensuring that employees do not have unrestricted access to cloud storage backups of data as they could potentially download data they shouldn’t be accessing.
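A backup only helps if the copy is still intact when you need it: a ransomware-encrypted backup looks like a backup until restore time. The following is an added example (not code from this article or from CurrentWare) that records a SHA-256 manifest of the source data at backup time and later checks a backup copy against it, reporting files that were modified, went missing, or appeared unexpectedly. The `demo()` function builds a constructed scenario in a temporary directory, with one backup file altered after the fact, so the example runs offline.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root: str) -> dict:
    """Map each file under `root` (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_backup(manifest: dict, backup_root: str) -> dict:
    """Compare a backup copy against the manifest taken from the source."""
    current = build_manifest(backup_root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "extra": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: one backup file altered after it was copied
    (what a ransomware run over the backup share would look like)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        backup = os.path.join(tmp, "backup")
        os.makedirs(source)
        with open(os.path.join(source, "invoices.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        with open(os.path.join(source, "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Co\n")
        manifest = build_manifest(source)   # hashes recorded at backup time
        shutil.copytree(source, backup)     # the backup copy
        with open(os.path.join(backup, "customers.csv"), "wb") as f:
            f.write(b"\x8f\x1a\x00ENCRYPTED")  # constructed tampering of one copy
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere the backup job cannot overwrite (a separate, read-only location) and run `verify_backup` on a schedule; a non-empty `modified` or `missing` list is the signal to investigate before you ever need to restore.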
As I mentioned before, insider threats are a serious problem for businesses of all sizes. While you may get away with physically monitoring for suspicious and undesirable behavior when you have a small team (though that’s really not the best use of your time), this sort of insider threat management strategy simply isn’t going to be scalable as your business grows.
How to protect data from insider threats:
Policies and procedures that are focused on cyber security planning provide your workforce with clear guidance for how they are expected to use technology and data in the workplace. At minimum you should include rules and processes for data handling, the acceptable use of devices, and the cyber security responsibilities of your employees.
Data breaches are not a matter of if – they are a matter of when. Proactively planning a cyber incident response plan will ensure that your business is well prepared to respond to a data breach incident. The last thing you will want to be doing when resolving a security issue is incident response planning from scratch; by having the key considerations worked out in advance you can focus your energy on remediation and executing the response plan.
Tips for Preparing for & Responding to a Data Breach:
For more information, this incident response checklist from Process Street has the specific steps you can take immediately after an IT security incident. This FTC article also has great insights into responding to data breaches.
In addition to the steps you will take in response to a security incident, you should also document the data loss prevention and cyber security measures that your business takes on a day-to-day basis. This will not only serve as important evidence of your business’s honest efforts to secure data, it will also provide you with a clear overview of what can be improved in the future.
The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.
These vulnerabilities need to be addressed as part of any insider threat management program. Click here to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.
A web filter is a cost-effective security tool for protecting your business against web-based threats. CurrentWare’s content control software BrowseControl supports category filtering to proactively prevent employees from stumbling on known malicious websites that can stealthily infect your network with drive-by downloads.
Category filtering makes internet access permissions easy to manage by seamlessly blocking millions of websites across over 100 URL categories such as porn, warez, social media, and viruses.
Benefits of a web filter:
Practicing proper password hygiene is the single most important thing that a business with a limited security budget can do to protect data. Unfortunately poor password hygiene is far too prevalent, with a shocking 59% of users surveyed in the LastPass Psychology of Passwords Report admitting to reusing passwords.
Reused passwords are an absolute nightmare for data security. If a previously used password is made public through a data breach, any accounts that the password was used on are now vulnerable. Using unique passwords for each account limits the amount of damage that can happen when an account is compromised, but it’s tedious to remember hundreds of unique passwords. That’s where password managers come in!
With a password manager such as LastPass, KeePass, or 1Password, your employees can generate unique and complex passwords that are then encrypted and stored in the password manager. With this method all that needs to be remembered is a single strong master password – no more password reuse!
How to make a strong master password:
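As an added illustration of the two points above (generating unique passwords and refusing reused or breached ones), here is a small Python example. It is not code from this article or from any of the password managers named; it assumes a constructed list of known-breached passwords in place of a real breach service, and mirrors how such services are queried: the client hashes the password, sends only the first five hex characters of the SHA-1 hash, and compares the returned suffixes locally, so the full password never leaves the device. The entropy figure is the usual brute-force estimate (length times log2 of the character pool) and the 80-bit threshold is an assumption for the example.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a breached-password corpus so the example runs offline.
# A real check would query a breach service by hash prefix (k-anonymity lookup).
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "Welcome1"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index breached hashes by their first five hex characters, the way a range
# lookup returns them: the client sends only the prefix and matches suffixes itself.
_RANGE_INDEX: dict = {}
for _pw in KNOWN_BREACHED:
    _digest = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    digest = _sha1_hex(password)
    return digest[5:] in _RANGE_INDEX.get(digest[:5], set())


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Random password from a 94-character pool using the OS CSPRNG, as a manager does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_report(password: str, min_bits: float = 80.0) -> dict:
    """Summarise why a candidate master password is or is not acceptable."""
    bits = entropy_bits(password)
    breached = is_breached(password)
    return {
        "length": len(password),
        "entropy_bits": round(bits, 1),
        "breached": breached,
        "acceptable": bits >= min_bits and not breached,
    }


if __name__ == "__main__":
    for candidate in ("password", "Welcome1", generate_password()):
        print(candidate, password_report(candidate))
```

Note that the breach check is a rejection test, not a strength test: a password can be unbreached and still weak, which is why the report combines both signals.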
Unfortunately, even a strong password can be a security risk if it is somehow breached. That’s where multi-factor authentication (MFA) comes in. With MFA, your employees will be required to provide a second piece of authentication to prove they are who they say they are. With MFA enabled you will have an added layer of security to prevent an attacker from gaining access into corporate accounts.
Examples of MFA:
There is something problematic about using password managers in a professional setting. What do you do if an employee that has dozens or hundreds of company account passwords leaves on bad terms or is fired?
If the former employee is feeling vindictive this could lead to serious damages if the account passwords cannot be reset in time. Even without this aspect of risk, resetting passwords is an incredibly time consuming process. That’s where identity as a service (IDaaS) & single sign-on (SSO) come in.
Traditionally, access permissions are handled with dedicated tools such as Microsoft’s Active Directory (AD). As cloud-based applications became more popular, IDaaS providers stepped in to help fill the gaps. While Microsoft also offers a cloud-friendly version of AD called Azure Active Directory, IDaaS providers have proven to be valuable for businesses that need added support for their identity management.
SSO is remarkably similar to a password manager in that it allows employees to access all of the services they need at work using a single login. The key difference is that SSO also lets you manage the access permissions that individual employees have. SSO will also provide IT admins with greater detail on the context of each login, such as where the user is, the device they’re using, and their IP address.
Identity-as-a-service vendors not only provide SSO capabilities, they also cover the access permissions that employees have to business applications. These features are critical for ensuring that employees only have access to the resources they need and nothing more.
If your business uses a lot of different applications, you will want to consider investing in IDaaS. This will add another monthly expense to your budget but it’s a worthwhile investment to help make authorization-based security scalable.
Employee monitoring software is an affordable solution for managing the risk of insider threats. By using software to monitor computer activity on your network you can detect unsafe internet usage and suspicious employee behavior.
Employee monitoring software can be perceived as invasive. Follow these expert tips from CurrentWare’s managing director Neel Lukka to monitor your employees in a way that is transparent and respectful of their privacy expectations.
Data minimization (data minimalism) is the process of ensuring that only the exact data needed for legitimate business use is collected and stored. In the era of ‘big data’ it is often tempting for businesses to capture and store as much data as possible in an effort to gain the greatest amount of insights. Unfortunately, hoarding greater amounts of data than is truly necessary opens up your business to a higher degree of risk that the data will be leaked.
Best Steps for Minimizing Data:
According to the “Market Snapshot Report: Secure Operations Automation” by Voke, 80 percent of data breaches were caused by poor patch management and configuration updates. Every piece of software (and even hardware such as routers) will provide periodic security updates that are designed to patch known vulnerabilities. To reduce the resources required to maintain regular patching, minimize the amount of software that is used in your organization and enable automatic updates.
The internet relies on the use of network ports to send different kinds of data. If you leave all of your network ports open by default you provide threat actors with greater options for accessing your network.
The best practice is to only leave open the specific ports that are needed by your business and use a port filter to close any unused ports. This particular tip can be difficult to follow if you are strapped for time, but it will help improve the security of your network.
Many businesses forgo this step because specialized applications may stop working if a port they need is blocked, forcing whoever has opted to take on IT management to research which port the application is requesting and unblock it.
How to discover which ports need to be left open:
If you will be using CurrentWare products, visit this article to see the ports you will need to keep open.
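The starting point for deciding which ports to leave open is an inventory of what is actually listening and which process owns it. As an added example (not code from this article or from CurrentWare), the Python script below parses the output of the Linux `ss -tulnp` command into a list of listeners, marks those bound to a non-loopback interface as reachable from the network, and reports any that are not on an allow-list of ports your business has decided it needs. The sample output and the allow-list `{22, 80, 443}` are constructed for the example; when run on a Linux host that has `ss` installed it uses the live socket table instead (Windows users would adapt the parser to `netstat -ano` output).

```python
import re
import shutil
import subprocess

# Constructed sample in the format of `ss -tulnp` on Linux (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=1044,fd=21))
tcp   LISTEN 0      511    *:80              *:*           users:(("nginx",pid=1301,fd=6))
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*     users:(("avahi-daemon",pid=702,fd=12))
tcp   LISTEN 0      128    [::]:8080         [::]:*        users:(("python3",pid=2210,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text: str) -> list:
    """Turn `ss -tulnp` output into [{proto, addr, port, process, pid, exposed}]."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)  # handles [::]:8080 and *:80
        m = _PROC_RE.search(line)           # absent when run without privileges
        rows.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
            "exposed": addr not in LOOPBACK,  # bound to a non-loopback interface
        })
    return rows


def audit(text: str, allowed_ports: set) -> list:
    """Return listeners reachable from the network that are not on the allow-list."""
    return [r for r in parse_listeners(text)
            if r["exposed"] and r["port"] not in allowed_ports]


if __name__ == "__main__":
    # Use the live socket table when `ss` is available, otherwise the constructed sample.
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    allowed = {22, 80, 443}  # assumed allow-list; replace with the ports your business needs
    for r in audit(text, allowed):
        print(f"review: {r['proto']}/{r['port']} {r['process']} (pid {r['pid']}) bound to {r['addr']}")
```

Anything the audit lists is either a service to add to the allow-list deliberately, a service that should be rebound to 127.0.0.1 (as the database in the sample already is), or a port to close; running the script again after each change confirms the result.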
Data encryption is a critical security control for preventing breached files and stolen hard drives from being usable by hackers unless they have the decryption key or a significant amount of computing resources to brute-force the decryption process.
If you are running business-ready versions of Windows 10+, you can use BitLocker to encrypt virtual storage volumes, USB storage devices, and even entire hard drives. You can also encrypt specific folders using the Encrypting File System (EFS) that comes with Windows.
USB devices that are commonly used in the workplace can be incredibly dangerous. To protect against these devices, consider implementing a data loss prevention solution such as AccessPatrol to enforce the exclusive use of authorized USB devices.
The Dangers of USB Devices:
While it may be convenient to provide employees with the ability to install their own software and make adjustments to their computers as needed, administrator credentials provide user accounts with far too much control over devices to be considered safe. Accounts with admin rights can potentially overwrite file access permissions, creating a potential data security incident by making restricted data more accessible.
By limiting the amount of admin accounts you can also reduce the amount of resources required to monitor these accounts for suspicious activity and reduce the amount of accounts that can be potentially compromised.
Anti-virus and anti-malware software are essential for protecting company endpoints against exploits from malicious software. While some free programs are available, many of these prohibit use in a commercial setting in their end-user license agreement (EULA).
These free alternatives may also lack the full functionality of their paid counterparts or not be as up-to-date on the latest threats, making them a less-than-optimal solution for data loss prevention and network security. Paid anti-virus and anti-malware programs will also often include a centralized management platform that allows all of the computers in the network to be managed from a single workstation rather than checking each computer manually.
It’s important to note that while there are similarities between anti-virus and anti-malware programs, they are not exactly the same.
Data loss prevention is not exclusive to managing digital threats. When computers, laptops, and USB devices are lost or stolen, any unencrypted or unredacted data that resides on them must be considered breached.
How to Improve Physical Security:
Managed service providers (MSPs) and managed security service providers (MSSPs) make advanced cyber security and data loss prevention accessible to companies that do not have the resources to hire and train their own on-site IT support staff.
An MSP will typically sell their services on a subscription model with costs being priced per user or device. Some MSPs will also offer flat-fee pricing to handle the support of all their customer’s IT infrastructure.
The Benefits of an MSP for Small Businesses:
Businesses that need to manage their cyber security on a budget may be wary of the monthly expenses that come with an MSP. When deciding whether contracting an MSP is the right investment for your business it’s important to factor in the costs of a data breach, lost productivity due to equipment failures, and the time it takes to manage your own IT infrastructure.
BrowseControl is easy-to-use and affordable, making it the best internet filter for small-to-medium businesses that want to protect their network and manage employee productivity on a budget.
Why BrowseControl is the Best Internet Filter for Small Businesses:
BrowseReporter is CurrentWare’s computer monitoring software for tracking how employees use technology in the workplace. Track time spent on unproductive websites and applications to identify employees that are actively disengaged from their duties or engaging in harmful internet usage.
Why BrowseReporter is the Best Employee Monitoring Software for Small Businesses:
AccessPatrol allows small business owners to easily manage the risks of USB devices in the workplace by enforcing the exclusive use of encrypted USB devices, blocking unauthorized USB devices, and monitoring file transfers.
Why AccessPatrol is the Best DLP Software for Small Businesses:
To further help guide your small business cyber security strategy, these free resources provide actionable insights to improve the security of your network and data.
| Resource | Description |
|---|---|
| The CurrentWare Blog | We regularly post insights into cyber security, employee monitoring, technology, and remote workforce management on our blog. Sign up for our monthly newsletter to stay up-to-date! |
| Cybersecurity & Infrastructure Security Agency (CISA) | This is an official website of the US Department of Homeland Security. They provide in-depth resources that help organizations of all sizes combat cybercrime. |
| Common Vulnerabilities and Exposures (CVE) | The CVE list is used by the global cyber security community to track publicly known cyber security vulnerabilities. With the CVE you can see if your vulnerability scanners are checking for recently uncovered threats. |
| National Cyber Awareness System Alerts | Similar to the CVE list, this is a list of alerts published by the US government. These alerts provide security recommendations to help fight recently discovered threats. |
| Federal Communications Commission – Small Business Cyber Security Resources | The FCC maintains a page on their website with dozens of links to valuable cyber security resources to help empower small businesses. |
| ESET Cyber Security Awareness Training | Many companies such as ESET offer free and paid cyber security training courses to help keep your employees working safely. |
| Center for Internet Security (CIS) – The 20 CIS Controls & Resources | This detailed resource collection from CIS offers informational videos, PDFs, and spreadsheets detailing the controls you can implement to protect sensitive data. |
| Tech Support Guy | This open forum allows small business owners to post their tech support questions. The community is frequented by IT support professionals who are eager to help. |
Managing data loss prevention on a budget is no small task. Proactive cyber security often requires specialized knowledge and consistent upkeep to pull off effectively. With the resources and best practices shown in this article your small-to-medium business can better protect itself against hackers, insider threats, and breaches of sensitive business data.