Small Business Cyber Security Plan
The size of your organization doesn’t matter. If you are using modern technology, your organization has a target on it for digital adversaries. Your business needs a solid small business cyber security plan.
A small business cyber security plan is more important than ever.
More than 80% of cyberattacks in 2021 hit organizations with fewer than 1,000 employees. About 40% had fewer than 100 employees.
However, more than half of small businesses say they don’t have a cyber security plan, and 30% have no protection against cyberattacks. While some businesses aren’t worried, 1 in 5 small businesses with an online presence has been hit by a cyberattack.
About 45% of small businesses reported being hit by a cyberattack and the numbers are rising. Still, almost 60% of small and medium businesses (SMBs) don’t have a cyber security plan.
It’s no surprise cybercriminals continue to find ways to exploit small businesses for profit. A breach can cripple a small to medium business, with revenue losses ranging from less than $250,000 to more than $1 million. These numbers are growing rapidly year over year.
In this cyber security solutions guide, we go over the elements of a small business cyber security plan that delivers, including:
- Learning the types of cyberattacks threatening small businesses
- Defending your business from cyberattacks
- Updating your operating system
- Training your employees
- Creating backups for cyberattacks and disaster recovery
Types of Cyberattacks Threatening Small Businesses
There’s a range of threats your small business cyber security plan has to prepare you for. The nature of the attack depends on the goal of the hacker. For example, if they’re selling private information online, they will target small businesses for:
- Medical records
- Social security numbers
- Proprietary information
- Intellectual property
- Personally identifiable information
Most often, hackers are motivated by money. They will cause disruptions in your technology and demand payment to restore it to working order.
Small businesses are a prime target for these attacks because they usually have very little cyber security to deter hackers. But before we get into defending against these threats, you should learn more about what you’re protecting against.
Among the most common attacks are the most basic types, covered in the sections below:
- Ransomware
- Phishing
- Wireless network exploits
- Remote Desktop Protocol (RDP) compromise
Ransomware
Imagine being locked out of your entire system until you meet a hacker’s demands.
This was the case during the worldwide “WannaCry” ransomware attack in 2017. The attack affected more than 200,000 computers across 150 countries, with financial damages ranging from hundreds of millions to billions of dollars. It caused sweeping shutdowns for companies in manufacturing, healthcare, education, communications, and government agencies, including FedEx, Honda, Nissan, and England’s National Health Service.
Ransomware is a malicious program that encrypts every file in a system. In order to reverse the encryption and regain access to files, the victim is required to pay a sum to the attacker.
In addition to the price of the ransom, there’s the cost of the downtime to a business's operations, which averages 15 days after being hit by ransomware.
Ransomware attacks are most often deployed through email phishing, Remote Desktop Protocol (RDP) compromise, and software vulnerabilities.
Phishing
Phishing is the practice of tricking a user into providing their sensitive information. The “bait” is often an email created to look like a message from your bank, the government, or even a family member in an emergency.
Given the message's urgency, an unsuspecting user will click a link to a fake (but convincing) website and provide information such as username and password, credit card number, address and phone number, social security numbers, and so on. The hacker will keep records of everything they’re given and sell the data on the black market.
Wireless Network Exploits
Hackers can upload infectious files when your network security isn’t up to date. For example, you may be using an obsolete router for your business’s Wi-Fi. If your router is using the outdated WEP security protocol, an attacker can more easily gain access to your network and steal information.
Even when your router meets security standards, you’re still at risk if the network isn’t password protected. Allowing unauthenticated connections means anyone nearby – even 100 yards away – can access your network.
Remote Desktop Protocol (RDP) Compromise
Ransomware can be installed when Windows Remote Desktop Protocol (RDP) is compromised. This software is designed to control one computer from another computer over a network connection. Attackers are able to steal (or illegally purchase) a company’s credentials and access these connections. Once they can control a company’s machine remotely, they can deploy ransomware or a similar attack.
Cyber Security Best Practices for Small Businesses
For a small- to medium-sized business, a cyberattack can be bankrupting. Vigilance is paramount. Here are cyber security solutions to defend against cyberattacks:
1. Antivirus Software
Antivirus software is designed to stop harmful programs from getting into your system and doing damage to your data. It detects malicious files like trojans, worms, and ransomware before they can poison your PC or network.
Our preferred business antivirus solution is VIPRE. We’re experienced in deploying their full suite of cyber security tools including endpoint security, email protection, and automated patch management.
While you might be familiar with Norton or McAfee antivirus, both products specialize in consumer-grade protection. They do not provide the resources needed for the robust cyber security solution your business needs. Rather, they give basic blanket protection. In the event of an attack, they might lengthen the disruption because you depend on their customer support for resolutions.
If your systems are attacked, VIPRE takes corrective action and immediately alerts our IT technicians. VIPRE is built so IT professionals can rapidly assess threats and choose the best course of action based on an organization’s infrastructure.
2. Firewall
A firewall is a digital barrier around your network. Consider it the walls around a castle. It establishes rules that filter what goes in and out of your network. With these rules in place, the firewall inspects the traffic passing through the network, checking its source, destination, and content. It can recognize traffic from malicious sources by cross-checking databases of reported harmful programs and sources.
Firewalls give you the ability to monitor everything connected to your network and the internet. You can keep suspicious or unknown devices from connecting to your network. Likewise, you can see if a compromised app streams your data to the web.
Windows includes a firewall, but there are third-party options available. Your router may have a firewall built in, but you may have to activate it.
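The following added example (not from the original article) applies the firewall and RDP advice above on a Windows 10 or later PC: it enables the built-in firewall on every profile, blocks inbound connections that no rule allows, and, if Remote Desktop is switched on, limits it to the local subnet and requires Network Level Authentication. It assumes an elevated PowerShell session.

```powershell
# Added example: harden the built-in Windows firewall and Remote Desktop.
# Run from an elevated PowerShell session on Windows 10 / Server 2016 or later.

# 1. Turn the firewall on for the Domain, Private and Public profiles and
#    block any inbound connection that no rule explicitly allows.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Check whether Remote Desktop is enabled (fDenyTSConnections: 1 = off, 0 = on).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections

if ($rdp.fDenyTSConnections -eq 0) {
    Write-Host 'Remote Desktop is enabled; restricting it to the local subnet and requiring NLA.'

    # 3. Accept RDP only from machines on the same LAN, never from the internet.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet

    # 4. Require Network Level Authentication, so a user must authenticate
    #    before a full desktop session is created.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
} else {
    Write-Host 'Remote Desktop is disabled on this machine.'
}

# 5. Review the result: every profile should show Enabled = True and Block inbound.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

If staff need RDP from home, pair this with a VPN rather than opening the rule to all remote addresses.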
3. Guest Wifi Network
A guest network is separate from your business’s primary, internal network. It’s usually created using a virtual local area network (VLAN) which isolates it from the main network where your private data is. Though it sounds complex, it only takes a few clicks to set up in your router settings.
4. Password Policies
Strong passwords are the foundation of your cyber security plan. These are the minimum parameters we recommend:
10 Character Minimum
When creating a new password, make sure it has a minimum of 10 characters. Use a mix of letters, numbers, capitals, and symbols. That said, you don’t need it to be so complex that you can’t remember it. The number of characters is more important than the mix of characters.
For just a touch of complexity, substitute a couple of letters with numbers and symbols. For example, use an @ for an “a” or a ! for an “i” or a 3 for an “E” to create a password like @tL3astT3n!
Update Every 3-6 Months
Depending on the sensitivity of your data, you may need to update your passwords more often for security or even regulatory reasons. At a minimum, you should change your passwords at least twice a year.
No Repeating Passwords
Using a different password for each of your accounts creates layers in your security. If all your passwords are the same, one breach could be multiple breaches. It only takes one domino tipping to knock down the rest.
Require Two-Factor Authentication
Two-factor authentication occurs when an application or service sends a verification code to your phone or email after you’ve entered your login credentials. Then, you simply enter the code (which is usually short, 10 characters or less) and you’re logged in.
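As an added example (not the article’s own material), the policy above can be enforced on Windows accounts rather than left to memory. The commands below assume an administrator session; the `net accounts` line covers stand-alone PCs and workgroups, while the Active Directory command assumes the RSAT ActiveDirectory module and domain admin rights. Two-factor authentication is turned on inside each service (for example your email provider) and is not covered here.

```powershell
# Added example: enforce the password parameters from this section on Windows.

# Stand-alone PCs / workgroup: local account policy.
#   /minpwlen:10  -> at least 10 characters
#   /maxpwage:180 -> force a change at least every 6 months
#   /uniquepw:24  -> remember the last 24 passwords so none can be reused
net accounts /minpwlen:10 /maxpwage:180 /uniquepw:24

# Active Directory domain: the same rules for every domain account.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 10 `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -LockoutThreshold 10

# Verify what is now in force.
net accounts
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
```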
5. Updating Your Operating System (OS) and Applications
An outdated, unsupported operating system makes your network and devices an easy target for cyberattacks. To protect its users, Microsoft releases regular security updates to patch the bugs hackers could exploit. They go into the software’s source code, make the necessary changes, and deliver a new version to you via download.
There will come a point when Microsoft ends support for your OS and updates will stop. In early 2020, Microsoft officially ended support for Windows 7, so users will no longer receive updates of any kind.
Furthermore, Microsoft won’t offer technical assistance or customer service if you have issues with your Windows 7 machine. Issues are more likely to arise since bugs aren’t actively addressed.
If you’re using Windows Vista or XP, upgrading to Windows 10 should be a priority.
Don’t ignore or postpone updates; every delay leaves a known hole open. We recommend configuring applications to update automatically.
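The added script below (not part of the original article) checks a PC against this section’s advice: it reports the Windows version, warns if the version is one that no longer receives security updates, shows how long ago the last update was installed, and configures Windows Update to download and install automatically. It assumes an elevated PowerShell session and, for the last step, that no Group Policy overrides the setting.

```powershell
# Added example: check OS support status and turn on automatic updates.

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [Version]$os.Version
Write-Host "Running: $($os.Caption) (version $($os.Version))"

# XP reports 5.x, Vista 6.0, Windows 7 6.1, Windows 8/8.1 6.2/6.3;
# all of these are out of support, so anything below 10.0 needs an upgrade.
if ($ver -lt [Version]'10.0') {
    Write-Warning 'This Windows version no longer receives security updates; plan an upgrade.'
}

# Days since the most recent update was installed. A large number means
# patches are being delayed or failing to install.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    Write-Host ("Last update {0} installed {1:N0} days ago" -f $latest.HotFixID, $age.TotalDays)
}

# Configure automatic updates: NoAutoUpdate 0 = enabled,
# AUOptions 4 = download and install on a schedule.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord
```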
6. Training Your Employees
As sophisticated as cyber security technology is, the human factor prevents it from achieving near 100% security. Your employees are one innocent click away from compromising your business’s data. It’s vital to actively train your users to spot suspicious content and report it to IT support professionals.
Cyber security training for employees should include instructions on:
- Password policies
- Phishing and email safety
- Social engineering tactics
- VPNs and safe web browsing
- Secure file sharing
Omnis Technologies is available for cyber security workshops. Our technicians can teach your employees best practices and provide examples of malicious content.
7. Backups for Cyberattacks and Disaster Recovery
Should all else fail and your business falls victim to a cyberattack, a data backup is the fastest way to get up and running again. Backups are crucial if you’re subject to a ransomware attack, your device suffers an irreparable failure, or your hardware is damaged in a disastrous fire or flood.
If a server becomes unrecoverable due to fire, theft, data corruption, natural disaster, or any other unforeseen event, it will cost you dearly to get back up and running, including the cost of:
- Trying to recover the data
- Getting another server up and running
- Lost productivity
A comprehensive backup strategy includes local storage hardware and off-site cloud storage. The scope of your solution depends on the size of your business:
Backups for Small Businesses (10 PCs or Less)
For small businesses, we recommend Google Drive or Microsoft OneDrive, at a minimum. These services save your files to an off-site network called “The Cloud” that you access over the internet.
Storing files in the cloud gives you the ability to access them on all your devices. Using the cloud, you can still access your documents from another PC if yours is out of order.
Google Drive and Microsoft OneDrive can be organized natively on your Windows PC File Explorer program. OneDrive will feel more familiar to Windows users.
If you’re concerned about security risks, Google and Microsoft use state-of-the-art encryption to protect your files from outside threats and have significantly stronger defense mechanisms in place than any small business’s data storage.
Backups for Medium-Sized Businesses (10-20+ PCs)
When your business grows beyond 10 PCs, it’s a good idea to have an on-site backup device that can replicate your data in the cloud. We recommend CTERA Global File System. They offer Hybrid Local and Direct-to-Cloud backups.
Upgrading to a dedicated cloud vendor gives you more control and flexibility over your data. They allow employees to share files across a whole range of devices while ensuring that everything – data, metadata, encryption keys, user authentication – is driven through your own firewalls and VPNs and not a third-party provider’s.
In the event of a data loss at your office, devices like the CTERA allow us to quickly recover data on-site rather than having to wait for data to transfer from the cloud.
The cloud component is an excellent insurance policy for instances where your on-premise device has a failure, or your office encounters a complete loss.
Large Enterprise Businesses (100+ PCs)
Due to the sheer volume of files amassed in an enterprise-level business, a specialized type of hardware called Network-attached Storage (or NAS) is required. A NAS is a computer built specifically to store files and share them on your network. Basically, they’re large-scale flash drives you can access on multiple PCs, with permission and access restriction capabilities.
A NAS can be used as a dedicated storage server or function as a backup solution for a file server. In a scenario where the NAS is the primary storage device for a business, we recommend having another backup device on-site to cover the NAS unit.
Even with a NAS or file server in place, we highly recommend an off-site component to augment the local device. In the event of a network attack, or complete loss of your office, having an off-site (commonly cloud) copy is extremely important.
Small Business Cyber Security Solutions
No business is too small to be hacked. Whether you employ three or 300, you need to implement cyber security solutions that keep your networks safe. You may not have the luxury of an in-house cyber security team, but small to medium businesses can get the same benefits for a fraction of the cost by partnering with a cyber security services company.
Need Help Creating Cyber Security Solutions That Work For You?
While all businesses need a robust cyber security plan, not all businesses have the same needs.
We can help you build a cyber security strategy to protect your business. Sign up for a free assessment to get started.