Most large companies are fully aware of the danger cyber crime poses and invest heavily in building a reliable cyber security system that can effectively protect them. This is largely because data leaks from large companies are always publicized by the media, leading not only to huge remediation costs but also to reputational damage, which in turn leads to loss of clients and hesitation among investors.
Small companies, on the other hand, do not always take their own security seriously. You almost never hear reports of data breaches involving small companies, which leads many of them to believe that there is not enough value in them to become a target and that they are therefore safe from cyber attacks on their business. Moreover, the cost of ensuring proper cyber security is often too high for smaller firms, making it too big an undertaking to bother with anything beyond the most basic compliance. Both of these views are unhealthy because they leave the company and its data vulnerable.
It is true that when a small company is breached, usually not many people are directly affected. Client data may be exposed, but unless you are a hugely successful startup with millions of users, you will probably not hear about it on the news. The reality is that in the case of a breach the company itself sustains the most damage, through the loss of valuable data and high remediation costs.
To avoid this situation, you need to create a strong, holistic security posture for your organization that takes into account all major potential threats, from malware and phishing to malicious and inadvertent insiders. The trick is that you need to do it cheaply, quickly, and efficiently. In this guide, we present 12 cyber security tips for small businesses to help them achieve this goal.
1. Back up your data
One of the key goals of IT security for a small business is to get the most bang for your buck, or in other words, to achieve the most with each dollar invested. There are many small business computer security practices that are extremely effective yet highly affordable. Chief among them is a proper backup. Make sure that all crucial and valuable data has been backed up and can be restored at any point. Keep the backup up to date and verify that restores actually work, so that the company can continue operating smoothly on restored data. When your company gets hit by ransomware, or an inadvertent insider makes unauthorized changes to a critical system configuration, you will see how invaluable a proper backup actually is.
2. Keep your software up to date
Another basic tip on how to improve your business security that usually costs a company next to nothing is to keep its software updated. Most basic software vendors provide updates free of charge with any permanent license, so it should be very easy to keep your software current. Certain solutions, security ones in particular, may require some investment to resume support after a year or so has passed, but those are well worth it. All in all, updating software can seem tedious, and it can sometimes make hardware unusable for a short time, so it is best to do it at non-critical times, such as early mornings or even nights. Such updates are necessary, however, because a timely update is what makes the difference between being hit by a known exploit and keeping your data safely protected.
3. Use a firewall, anti-virus and anti-spyware
One tip that every company, regardless of size, should definitely follow is to secure your digital perimeter from external intrusion with conventional security software, such as anti-virus, anti-spyware and a firewall. While such software can be fairly expensive, it is paramount to use it in order to protect your data from malicious software, and you can always find cheaper yet still effective options if you look hard enough. Make sure to also secure access to your company Wi-Fi network and protect it with a complex, unique password.
4. Conduct risk assessments
As discussed above, one of the biggest mistakes small companies make is that they often do not consider themselves a target. The truth is that every company nowadays is a potential target, and every company will experience a data breach sooner or later. It is better to be properly prepared than to face the consequences after the fact. Apart from the basic security measures described above, you should also prepare for situations specific to your particular case. This is why it is so important to conduct a thorough risk assessment. You need to identify all valuable data that your company possesses (not only client records, marketing data and IP, but also various internal documentation), and identify potential threats and attack vectors. This will allow you to evaluate the strength of your defenses, find gaps, and prioritize closing the most dangerous ones.
5. Have a response plan in place
One of the results of a thorough risk assessment should be the formulation of a company cyber security strategy. Such a strategy should include not only your actions to implement proper cyber security, but also a plan for the case where all defenses have failed and sensitive data has been breached. Having a response plan is essential to quick mitigation and to limiting the scope of the damage. When your employees know exactly what to do, they will be able to act quickly to mitigate the damage and potentially keep your company out of deep financial and legal trouble. Make sure that such a plan is not overly complicated and that it is realistic to enact.
6. Assign a person responsible for security
Another often overlooked key component of an effective response plan is the person who will enact it when things go wrong. Even more than that, you need a person who will be responsible for actually implementing your security strategy in the first place: keeping software up to date, choosing security solutions, overseeing their deployment, running them, and so on. Make sure that you assign security responsibilities to a particular person, even if that person does it part-time. This matters because the company will then always have somebody keeping your cyber security in mind.
7. Educate employees
Apart from appointing a particular person as your head of security, you also need to spread general cyber security awareness among your employees. Make sure that they know the best cyber security practices and take them into account in their day-to-day work. Educating them on matters such as safe browsing and the proper use of email can make them much less susceptible to common social engineering techniques, such as phishing, and less likely to make inadvertent mistakes that put your sensitive data in jeopardy.
8. Use the principle of least privilege
It is important to control access to valuable data and make sure that only those with an explicit need can access it. Thus, each new account in your company should be created with the principle of least privilege in mind. The core idea is to give each new account the least amount of privilege and access rights possible and not to allow it to access any sensitive data or system settings by default. Privileges are escalated only when absolutely necessary, ensuring that each person authorized to access sensitive data actually needs it. This principle effectively limits the potential attack surface from any account in the organization to a select few privileged users whom you can secure more effectively.
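As an added illustration of the deny-by-default model described above (this is example code, not code from the original article or from Ekran System): every account starts with no rights, access is granted per resource and action, and an elevated right carries an expiry so it lapses unless deliberately renewed. The account, resource and action names are constructed for this example.

```python
"""Deny-by-default access control with explicit, time-bound grants.

Added example, not from the original article: a minimal model of the
least privilege principle. Account, resource and action names are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    resource: str                          # e.g. "client_records"
    action: str                            # e.g. "read", "write", "admin"
    expires_at: Optional[datetime] = None  # None means a permanent grant

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Account:
    name: str
    grants: list[Grant] = field(default_factory=list)  # no rights by default


class AccessPolicy:
    """Deny by default: an action is allowed only if an active grant matches."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_account(self, name: str) -> Account:
        # A new account starts with no rights at all.
        account = Account(name)
        self.accounts[name] = account
        return account

    def grant(self, name: str, resource: str, action: str,
              ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> Grant:
        """Grant one right; with a ttl the right lapses unless renewed."""
        if name not in self.accounts:
            raise KeyError(f"unknown account: {name}")
        now = now or datetime.now(timezone.utc)
        grant = Grant(resource, action, now + ttl if ttl else None)
        self.accounts[name].grants.append(grant)
        return grant

    def is_allowed(self, name: str, resource: str, action: str,
                   now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        account = self.accounts.get(name)
        if account is None:
            return False  # unknown account: deny
        return any(g.resource == resource and g.action == action and g.is_active(now)
                   for g in account.grants)

    def privileged_accounts(self, now: Optional[datetime] = None) -> set[str]:
        """Accounts holding an active 'admin' grant: the short list to secure most closely."""
        now = now or datetime.now(timezone.utc)
        return {a.name for a in self.accounts.values()
                if any(g.action == "admin" and g.is_active(now) for g in a.grants)}


def demo() -> dict:
    """Walk through the principle on constructed accounts; returns the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.create_account("alice")
    policy.create_account("bob")
    # Permanent right that alice needs every day.
    policy.grant("alice", "client_records", "read", now=t0)
    # Temporary escalation for bob: expires two hours after it was granted.
    policy.grant("bob", "server_config", "admin", ttl=timedelta(hours=2), now=t0)
    return {
        "alice_reads_records": policy.is_allowed("alice", "client_records", "read", now=t0),
        "alice_writes_records": policy.is_allowed("alice", "client_records", "write", now=t0),
        "bob_admin_in_window": policy.is_allowed("bob", "server_config", "admin",
                                                 now=t0 + timedelta(hours=1)),
        "bob_admin_after_expiry": policy.is_allowed("bob", "server_config", "admin",
                                                    now=t0 + timedelta(hours=3)),
        "privileged_now": policy.privileged_accounts(now=t0),
        "privileged_later": policy.privileged_accounts(now=t0 + timedelta(hours=3)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `privileged_accounts` query is the practical payoff of the principle: because rights are explicit and expiring, the set of accounts that actually hold administrative access at any moment is small and enumerable, which is the list the later tips on account sharing and privileged user monitoring apply to.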
9. Prohibit account sharing
However, the principle of least privilege and any access control solutions you employ will not be effective if your employees are able to freely use any account. This often happens when employees use a single account for work, or freely share credentials when it is convenient. You must make sure that account sharing is prohibited in your company and that each employee has their own unique work account that they absolutely cannot share, whether with other employees or with their own family members (if they are working from a personal device). Prohibiting shared accounts is the first step in protecting your sensitive data not only from hacking attacks and inadvertent leaks, but also from your own employees with malicious intentions.
10. Learn to handle your passwords
A reliable password is the basis of account security, and any small business should learn how to use passwords correctly. Start by changing all default passwords for any hardware and software that you employ; those are usually public knowledge and freely available on the internet. Failure to change the default password on your Wi-Fi router is a gift from heaven for attackers, making it very easy to access your network and plant malicious software. Each user in your company should use their own unique, sufficiently complex password that they are prohibited from sharing with anybody. Such passwords should also be changed on a regular basis.
11. Conduct privileged user monitoring
However, properly securing accounts is not enough to fully protect the data. The actions of users with the highest level of privilege also need to be supervised, both to ensure that they are not doing anything malicious and to ensure that their accounts have not been compromised. The reality is that a user with a privileged account can easily hide many malicious actions, because they are indistinguishable from their everyday work. Such users have full authorization to access sensitive data, and it can be very easy for them to copy it to remote storage, leak it online, edit it, or even delete it without anybody noticing. The only way to detect such actions is to have full insight into what privileged users are doing. This is why user action monitoring software is paramount for any small company. Not only does it allow you to detect insider threats, it can also aid in mitigating damage and conducting investigations during external breaches. Moreover, such monitoring is required by most regulations governing the use and storage of sensitive information.
12. Secure personal devices
Even when your own corporate computers and network are fully secured, you are still not done securing your data. If your employees access that data from their own personal devices (either by bringing devices to work or by working remotely), you also need to take steps to ensure that such devices are properly protected. Make sure that employees have a separate account for work-related purposes, that it is protected by a unique password, and that it is not shared with anybody. Install proper security software and take steps to encrypt and back up any sensitive data stored on personal devices. Moreover, you may want to use employee activity monitoring software to make sure that your users are not abusing their access and leaking sensitive data for their own gain. It can be very easy to hide malicious actions on a personal device where the owner has full administrative rights, so if actual data is stored there, it is paramount to monitor its usage.
Ekran System – an affordable user action monitoring solution for small business
As mentioned above, user action monitoring solutions are just as useful for small business cyber security as a regular anti-virus or firewall. They give you full insight into the actions of privileged users, third parties, and regular employees, allowing you to detect malicious insiders and investigate incidents. However, such solutions are more often than not aimed at large corporations, and thus often prove too expensive for small businesses.
But with every rule there is an exception, and Ekran System is one such exception when it comes to pricing, though not when it comes to functionality or stability. Ekran System is a fully featured user action monitoring solution supporting Windows, Linux, and virtual platforms including Citrix, capable of recording everything a user sees on their screen along with relevant metadata, such as titles of active windows, visited URLs, and more. Recordings can then be viewed in a DVR-like video player with searchable metadata alongside, making it easy to find and investigate any incident.
Ekran System can monitor privileged users and third parties, as well as regular employees. Moreover, Ekran System can automatically detect, report, and optionally block connected USB devices, providing reliable protection from unauthorized use of mass storage devices and other tools that can be used to steal data or infect the whole system with malware.
Probably the most interesting thing about Ekran System from a small business standpoint is its flexible licensing scheme. The standard Ekran System license charges only for the number of monitored endpoints, with the infrastructure server provided free of charge. Such a deployment is therefore very cost-effective for small and medium-sized companies that need to monitor only a few endpoints.
With Ekran System you get a powerful user action monitoring tool with functionality up to the standard of enterprise solutions, at a price that is affordable for small companies.
As it stands, sufficient effort is not often put into small business cyber security. However, every company is a target, and dealing with the consequences of a data breach or a leak by a malicious or inadvertent insider can be disastrous for a small company. Establishing reliable security is therefore a must.
In this article we provided some tips on how to establish cyber security for small businesses with minimal investment of time and money on your part. While simple, the set of measures described above is highly effective and will sufficiently protect your data from the most widespread threats.
Remember, however, that small business cyber security is a constant struggle: you need to stay vigilant and keep your eyes open for new cyber security trends and new dangers on the horizon. By making cyber security one of the priorities for your small company and consistently working to improve it as your company grows, you will save yourself a lot of headaches in the long run and ensure that your company has a healthy future ahead of it.