According to research conducted by Symantec, the number of cyberattacks against small businesses (companies with fewer than 250 employees) has been steadily growing over the last six years, with hackers specifically targeting employees (phishing). And while distributed denial of service, or DDoS, attacks are still a leading form of cyber warfare, ransomware and malware attacks, targeting users of smartphones and internet of things (IoT) devices, as well as PCs and systems running on Macs and Linux, are also a big threat to small businesses.
For large businesses with IT departments and/or security professionals monitoring the business 24/7/365 for security threats, protecting themselves from cyber threats is annoying but doable – part of the cost of doing business online. But what can small(er) businesses, which typically don’t have IT departments or the ability to hire a security firm, do to protect themselves? Here are nine ways small businesses can ward off cyberattacks and security breaches, as well as several tips on how to protect your data if or when prevention fails.
Ways to ward off cyberattacks
1. Train employees on cybersecurity best practices
“Ninety-five percent of all security breaches at the workplace are because of human error,” says Tony Anscombe, senior security evangelist, Avast. “To combat this, cybersecurity should be a core part of the workplace culture – including ongoing education, training and reviews for each employee.”
“Educating employees regularly must be a top priority,” agrees Vijay Basani, CEO, EiQ Networks. “Unaware and careless employees are one of the most effective ways for cybercriminals to find ‘open doors’ to the corporate network, usually through spear phishing techniques designed to deliver malware.
“Educating employees on the dangers of phishing and malware – clicking on even one attachment or link in an external email – and making it part of the employee onboarding process can be the best defense in preventing malware from finding that open door,” he says.
“Furthermore, [businesses] should teach their employees never to open an unsolicited email attachment and be wary of any URL links contained in email messages,” advises Marc Laliberte, information security analyst, WatchGuard Technologies.
2. Invest in antivirus software
“Regardless of the type of computers that you are running (Windows or Mac), an investment in antivirus software is always a great move,” says Tom DeSot, CIO, Digital Defense. “While many people may think that Macs are immune to viruses, they in fact are not and can become infected almost as easily as a Windows computer.”
That’s why he recommends that businesses “run at least two different types of anti-virus software: one on [their] servers, one on [their] laptops/desktops. The reason for this is that you stand a better chance of catching [and stopping] a virus since one of the anti-virus software packages may have a signature for it whereas the other one may not.”
Most importantly, “don’t forget to keep your signatures up to date,” he says. “Not updating your antivirus software is almost as bad as not having it at all.”
3. Turn on firewalls
In addition to having antivirus software, “make sure that you have firewalls enabled on your desktop/laptop computers as well as your servers,” says DeSot. “This not only lessens the attack surface of the host; it also helps prevent systems from becoming infected by worms or other types of malware that are looking for services such as FTP or file shares to infect another host.
“If your host does not come with a native firewall, there are plenty of internet protection suites that have a firewall built into them as well,” he says. “Many of the anti-virus vendors sell these types of suites and often bundle them with their anti-virus software. This goes a long way to protecting your systems from attack and keeping your data safe.”
4. Make sure everyone has strong, unique passwords
“Seventy-six percent of attacks on corporate networks are due to weak passwords,” says Anscombe. “Your child’s birth date, your home town or a pet’s name [are all examples of weak passwords, codes that can be easily hacked].”
Instead, make sure all employees use strong passwords. And by ‘strong’ he means it “should have numbers, special characters and upper and lowercase letters.” Also, passwords should not be re-used or shared on different sites.
To ensure passwords are unique, “employ password managers [such as LastPass] that will generate unique, strong passwords for you.”
5. Use encryption/SSL
“The No. 1 security measure that small businesses should not overlook is encryption,” says Doug Beattie, vice president, GlobalSign. “SSL/TLS certificates allow sensitive information to be sent securely. Without them attackers are able to intercept all the data being sent between a server and a client (a website and a browser, for example).
“SSL certificates from a trusted certificate authority (CA) are imperative, especially for secure credit card transactions, data transfer and securing browsing,” he states. “But problems and vulnerabilities often come into play when their lifecycles are not properly managed and the certificates expire. An expired certificate leaves your doors wide open for a hack (i.e., allows the browser to become an entry point), so it is important to [keep] track [of] when your certificates are up for renewal” and renew them promptly.
6. Update (patch) your operating system and software regularly
“Hackers are constantly probing operating systems, browsers and software for vulnerabilities,” says Troy Gill, manager of Security Research, AppRiver. “It is not a matter of if they will find these flaws as it is a matter of when. Once vulnerabilities are discovered, software vendors work quickly to patch these vulnerabilities. The fix comes in the form of an update, and the failure to apply these updates can leave you very exposed.”
So to prevent exposure to hackers, “make sure your operating system is set to receive automatic updates,” and regularly check for or download updates (patches) for your most regularly used software and apps, too.
7. Enable two-factor authentication
“Enabling two-factor authentication provides far more security (and thus peace of mind) than a password alone,” says Mike Catania, CTO, PromotionCode. “The odds are that you have your mobile phone on you anyway, so the level of inconvenience is extremely low for a huge return in keeping the bad guys out. 2FA, as its popularly referred, essentially confirms you by requesting a PIN verification from your mobile device if someone attempts to log in from an unrecognized machine.”
8. Use a virtual private network (VPN)
“The growth of bring your own device (BYOD) in the workplace means employees may be tempted to use their own cloud-based apps to store or share customer data with colleagues,” says Julian Weinberger, director of systems engineering, NCP engineering. That “may leave sensitive company data vulnerable with only the strength of an employee’s password to protect it.”
To protect against mobile breaches, “small businesses can restrict [or prohibit] BYOD or use a virtual private network. A VPN will enable remote offsite employees to create an encrypted, end-to-end connection with the company network and transfer data securely regardless of their location or the application they are using.”
9. Minimize risk from third-party vendors
“SMBs need to talk to third party vendors about their security policies [before they do business with them] to ensure they’re properly protecting company information,” says Kevin Haley, director of product management, Symantec Security Response. “Ask questions such as: Are you using multilayer security? Are you backing up the data? Are your systems up to date? SMBs should also limit the amount of customer data they share and only provide what is absolutely necessary in order to minimize risk.”
How to protect data when cyberattacks happen
1. Back up data regularly
“By constantly backing up your data and storing a copy safely in a separate location, you create a strong last line of defense against a wide range of threats, from hardware failure to equipment theft, fire, flood and file-encrypting ransomware,” says Stephen Cobb, senior security researcher, ESET. “Be sure to test recovery from your backup copies on a regular basis to make sure everything can be restored and the appropriate employees know how to restore it.”
2. Have a disaster recovery (DR) plan in place
“SMBs should have a disaster recovery plan ready to go in the event of a cybersecurity [breach],” says Brady Keller, digital manager, Atlantic.Net. “If all of your business's data is stored with a cloud service provider, have autonomous and complete backups of that data somewhere else. This can be done by paying either a third party vendor to back up your data or your staff to create the backups internally. These backups and the corresponding recovery plan should be tested thoroughly in disaster simulation exercises.”
3. Consider cyber liability insurance
“This is one of the best backup lines of defense small business owners can invest in,” says Ted Devine, CEO, Insureon. “Often available to businesses as a rider to a general liability policy, cyber liability insurance can cover costs, including credit monitoring services and investigation fees, when a virus or hacker breaches a business’s defenses and exposes customer data.”