Cybersecurity: 6 Best Practices for Small Businesses

If you’re a small business owner, you probably don’t spend much time thinking about cybersecurity. After all, don’t most cybercriminals focus their efforts on big companies with deep pockets?

The truth is, cybercrime presents a genuine threat to your small business.

The U.S. Congressional Small Business Committee found that 60 percent of cyberattacks happen at businesses with fewer than 100 employees. Why do cybercriminals attack small businesses more than larger corporations? Well, there’s some logic behind their madness. Small businesses are an easy target.

Consider this: Large corporations have dedicated IT departments and large budgets for robust cybersecurity measures. Small businesses often take a “do-it-yourself” approach to cybersecurity, or they do nothing at all. Only 31 percent of small firms take active measures to guard against cyberattacks.

However, what if you can’t afford a dedicated cybersecurity officer for your company? What if you’re working with limited funds?

Don’t panic. There are plenty of things you can do to prevent cyberattacks on your small business, without breaking the bank or bringing on a dedicated security team.

Cybersecurity Best Practices for Small Businesses

1. Train employees.

Your employees are your biggest asset. They’re also your greatest cybersecurity liability. Include cybersecurity training for all new employees, and make it a point to conduct regular, company-wide refresher training.

Employee security awareness training should include:

  • Email safety. Any employee in your company can be vulnerable to phishing attacks. Emphasize the risks of clicking unknown links, handing over confidential information in response to unsolicited requests, or downloading random files.
  • Secured vs. unsecured networks. Employees should only access sensitive company information over secure networks. Avoid unsecured networks, such as the public Wi-Fi networks you’d find at a local coffee shop.
  • Social media savvy. Establish clear social media policies for all employees that include the kind of information they can post. For additional security, consider prohibiting social media use on company computers and devices.

2. Establish and enforce a cybersecurity policy.

Employees should know that you mean business when it comes to cybersecurity. Establish clearly communicated rules along with consequences for violating cybersecurity policies.

Include the following practices in your security policy:

  • Strong passwords. Each employee should create a strong password composed of uppercase and lowercase letters, numbers, and symbols. Set up an automatic prompt that requires employees to change passwords after a few months.
  • Multi-factor authentication. This type of authentication goes a step beyond a strong password. It requires at least two forms of authentication to access secure data. For instance, a password might be accompanied by a phone code or a fingerprint login.
  • Don’t rely on word of mouth. Document your protocols and provide each employee with a manual of all relevant company rules. The Department of Homeland Security even offers instructional posters that you can hang in the office to reinforce your cybersecurity policy.
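The two policy items above, a password built from all four character classes and a “phone code” as the second factor, can be put into working code so you can see what each check actually does. The following Python is an added example, not code from the original article or from any vendor it mentions; the 12-character minimum, the PBKDF2 work factor and the function names are assumptions, and the RFC 6238 test secret is used only so the demo has a known answer.

```python
"""Password policy check plus a TOTP "phone code" second factor (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# The article's policy: upper- and lowercase letters, numbers and symbols.
# The minimum length is an assumption; the article names no number.
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware gets faster

# RFC 6238 reference secret (ASCII "12345678901234567890"), used only for the demo.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def password_meets_policy(password: str) -> bool:
    """Return True when the password has all four character classes and the minimum length."""
    if len(password) < MIN_LENGTH:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-SHA256; store the (salt, digest) pair, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def generate_totp_secret() -> str:
    """Random base32 secret to enroll in the employee's authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp_code(secret_b32: str, timestamp: Optional[float] = None,
              step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: Optional[float] = None,
                window: int = 1) -> bool:
    """Accept the current code and its neighbours (clock drift), compared in constant time."""
    if timestamp is None:
        timestamp = time.time()
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp_code(secret_b32, timestamp + drift * 30), submitted):
            return True
    return False


def login(password: str, salt: bytes, digest: bytes, totp_secret: str,
          code: str, timestamp: Optional[float] = None) -> bool:
    """Both factors are checked every time, so a failure does not reveal which one was wrong."""
    password_ok = verify_password(password, salt, digest)
    code_ok = verify_totp(totp_secret, code, timestamp)
    return password_ok and code_ok


if __name__ == "__main__":
    salt, digest = hash_password("Correct-Horse-42!")
    print("policy ok:", password_meets_policy("Correct-Horse-42!"))
    print("RFC 6238 code at t=59:", totp_code(RFC_TEST_SECRET, 59))
    print("login ok:", login("Correct-Horse-42!", salt, digest, RFC_TEST_SECRET, "287082", 59))
```

The one-time code is derived from a shared secret and the current time, so nothing has to be sent to the phone, and a stolen password alone fails `login`. `hmac.compare_digest` keeps both comparisons constant-time, and the one-step window tolerates a phone whose clock is slightly off.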

3. Limit access to company information.

You want your company to grow, but that means more employees and more electronic devices. It also means more people who can potentially access sensitive information.

Two important things you can do to help keep your information safe:

  • Destroy data. No one wants a costly data breach. To reduce your risk, keep minimum data on file. Do you need every customer’s credit card number, Social Security number, or address on file? If not, get rid of it.
  • Wipe devices. Go beyond simply reformatting the drive. When you dispose of old equipment, use special software to wipe the data completely. Adopt technology that will allow you to remotely wipe data from a device if it is ever misplaced or stolen.

4. Create layers of defense.

Cybercrime is getting more sophisticated every day. Your defensive response must be just as multi-faceted as the threats coming your way. The best cyber defense includes several layers of protection, such as installing anti-malware, anti-virus, and anti-spyware software on all devices and the network.

You should also install a firewall, which controls what traffic is allowed into and out of your network and helps keep cybercriminals from reaching it. If you have employees who work from home, make sure they have a firewall on their home networks, too.

5. Plan for mobile.

In a BYOD (bring your own device) office culture, employees often work from a variety of devices, such as smartphones or tablets, in the office and at remote locations. When employees’ mobile devices access the corporate network, they present a security hazard.

If mobile devices are allowed on the network, enact a strong mobile device security protocol. Here are a few best practices:

  • Mobile passwords. Use password protection on all mobile devices, and use strong passwords.
  • Install updates. Keep all mobile apps up to date. App updates often include security patches, so this is critical.
  • Watch out for texts. Be careful with text messages from unknown numbers. Avoid sending any sensitive information via text, and don’t click on unfamiliar links.
  • Report lost devices. Require employees to report any lost or stolen mobile device so that you can remotely wipe the data from it or take other steps to secure company data.

6. Create backups.

Every business should have a contingency plan in place in case its security is compromised. If a hacker does manage to get past your layers of defense, it will be critical to have backups available to restore company data.

Regularly back up data on all company computers, as well as personal computers that employees use for company business. Backups should include documents, spreadsheets, databases, and all human resources, client, and financial files. Set up automatic backups to the cloud, or store backups off-site.
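A backup you cannot prove is intact is of little use after an incident, so the routine above is worth pairing with an integrity check. The following Python is an added example rather than code from the article; the directory layout, the `MANIFEST.json` name and the function names are assumptions, and the sample files it backs up are constructed.

```python
"""Backup with an integrity manifest, a tamper check and a verified restore (constructed example)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name for the per-backup hash list


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large database does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path) -> Path:
    """Copy every file under source into a new timestamped folder and record each copy's hash."""
    backup_root.mkdir(parents=True, exist_ok=True)
    # mkdtemp gives a unique, owner-only (0700) directory even if two backups start in the same second.
    dest = Path(tempfile.mkdtemp(prefix=time.strftime("%Y%m%d-%H%M%S-"), dir=backup_root))
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel.as_posix()] = sha256_file(target)  # hash the copy, not the original
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_backup(backup_dir: Path) -> list:
    """Re-hash every file named in the manifest; return the paths that are missing or changed."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    damaged = []
    for rel, expected in manifest.items():
        file = backup_dir / rel
        if not file.is_file() or sha256_file(file) != expected:
            damaged.append(rel)
    return sorted(damaged)


def restore_backup(backup_dir: Path, target: Path) -> int:
    """Refuse to restore from a backup that fails verification; return the number of files restored."""
    damaged = verify_backup(backup_dir)
    if damaged:
        raise ValueError(f"backup failed integrity check: {damaged}")
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    for rel in manifest:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dst)
    return len(manifest)


def demo() -> dict:
    """Constructed run: back up a tiny 'company' folder, restore it, then detect tampering."""
    work = Path(tempfile.mkdtemp())
    try:
        source = work / "company"
        (source / "hr").mkdir(parents=True)
        (source / "clients.csv").write_text("id,name\n1,Example Co\n")  # constructed sample data
        (source / "hr" / "payroll.xlsx").write_bytes(b"\x00constructed binary content\x00")

        backup = create_backup(source, work / "backups")
        clean = verify_backup(backup)                          # expected: []
        restored = restore_backup(backup, work / "restored")   # expected: 2 files

        # Simulate ransomware or disk corruption touching the backup copy.
        (backup / "clients.csv").write_text("id,name\n1,TAMPERED\n")
        damaged = verify_backup(backup)                        # expected: ["clients.csv"]
        return {"clean": clean, "restored": restored, "damaged": damaged}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The manifest lets you check a backup before the day you need it, and `restore_backup` refuses to restore from a copy whose hashes no longer match. When you move backups off-site or to the cloud, keep the manifest with them so the same check can be run there.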

Bring in the experts

If you need help getting started on cybersecurity enhancements for your small business, the SBA offers a cybersecurity course and a cybersecurity planner for small businesses.

If you’re still struggling to get a grip on the threats posed by cybercrime, consider bringing in a cybersecurity expert. A cybersecurity specialist can train your employees on safe cyber practices and run a risk assessment to help you identify weak spots in your business’ cybersecurity efforts.

Originally published Mar 11, 2019 10:00:00 AM