Owning a small business comes with its own unique multitude of challenges - financial management, staffing, customers, and regulations being just a few. So, it comes as no surprise that the ever-evolving world of threat management can sometimes seem too complex a subject to even wrap your head around. Although many assume that bigger companies are the ones targeted most by cybercriminals, this is far from the truth.
Recent statistics reveal that smaller businesses have become the main target of cyberattacks due to the lack of security measures in place to protect them. Being an easier target, small businesses are the victims of 43% of cyberattacks, receive the highest rates of malicious emails, and experience 350% more social engineering attacks than employees at larger companies.
While it can seem not only complicated but also costly to implement adequate security measures to protect a small business from a cyberattack, it might cost even more to recover from one. Or even worse, not recover at all, as 60% of small businesses have reported going out of business within six months of a security breach.
As alarming as the statistics have become, not every small business owner can afford to implement the newest security controls or hire someone to do it for them. So, I have summarized a list of tools anyone can use to harden their security posture, and the best part, they don’t cost a thing!
Secure passwords are one of the simplest ways to protect a business against unauthorized access to your devices. While this has been emphasized over and over again, it has not often been made clear exactly why using a certain type of password is so important.
One of the most common ways a cybercriminal can gain unauthorized access to an account is by using brute force attacks. This means a threat actor will submit different credentials until they guess the right one. It might seem like a time-consuming practice; however, there are intelligent software tools out there that are capable of trying millions of passwords in seconds, making the process a lot easier to execute.
This is where strong passwords come in. Brute force attacks often start from lists of popular words, which means that commonly used passwords such as the word 'password' would be cracked easily, giving away access to the account using it. To guard against this, use passwords that are at least 7 characters long and include upper and lower case letters as well as numbers and symbols; such passwords are far less likely to appear in the wordlists used for these attacks, and every extra character multiplies the number of guesses an attacker has to make. The National Institute of Standards and Technology (NIST) has a publication on strong password policies with more specific suggestions.
Another way to guess passwords is by using ones leaked during data breaches. While many wouldn't expect their credentials to be a part of the ones leaked, it is estimated that over two billion of them were released online in 2021 alone, so the chances of one's password floating around on the internet are higher than they might think. Due to this, it is highly important to change passwords regularly, as well as never use the same ones for personal and business use, as a leak of one password could result in the compromise of multiple accounts.
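As an added illustration of the two points above (it is not code from the original article), the following Python checker applies the article's password rules, screens a candidate against a breach list, and estimates how large a search space a brute-force guesser would face. The breach list and the guess rate are constructed, illustrative assumptions.

```python
import math
import string

# Constructed, illustrative stand-in for a breach corpus. A real deployment would
# screen against a full list such as Have I Been Pwned's Pwned Passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "Summer2021!"}

# Character classes from the article's rule, with the alphabet size each one adds.
CLASSES = {
    "lowercase": (string.ascii_lowercase, 26),
    "uppercase": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, 32),
}


def check_password(pw, min_len=7, breached=BREACHED_PASSWORDS):
    """Apply the article's rules; return the list of failed checks (empty means OK)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, (alphabet, _) in CLASSES.items():
        if not any(c in alphabet for c in pw):
            problems.append(f"no {name} character")
    # Breached passwords are rejected even when they satisfy every composition rule.
    if pw.lower() in {b.lower() for b in breached}:
        problems.append("appears in a breach list")
    return problems


def keyspace_bits(pw):
    """Bits of search space a brute-force guesser faces: length * log2(alphabet size)."""
    size = sum(n for alphabet, n in CLASSES.values() if any(c in alphabet for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_exhaust(pw, guesses_per_second=1e9):
    """Worst-case seconds to try the whole keyspace at an assumed (constructed) guess rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


if __name__ == "__main__":
    for candidate in ["password", "Summer2021!", "Tr0ub4dor&3"]:
        print(candidate, check_password(candidate) or "OK",
              f"{keyspace_bits(candidate):.1f} bits",
              f"{seconds_to_exhaust(candidate):.0f} s to exhaust")
```

Note that "Summer2021!" passes every composition rule yet is rejected because it sits in the breach list, which is exactly the case the second paragraph warns about.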
Employee training can vary depending on the goals and needs of the business; however, basic security training should always be considered, as social engineering attacks are the most common ones in cybersecurity.
There are many different social engineering attacks leveraging the use of emails, texts, or even calls, in order to get a victim to open an infected link or trick them into giving away personal information. These attacks vary, but what they all have in common is that they try to exploit human error. While some social engineering attacks can be easily identified, many have become increasingly sophisticated and hard to spot. These can include forged invoice statements, almost identical replicas of websites, and even someone posing as a technician to gain physical access.
Successful social engineering attacks can be detrimental to a business, so it is important to stay up to date with the latest attacks and conduct training for anyone involved in the business. This can be as simple as sharing the most common signs of phishing emails or going over the procedures that involve dealing with sensitive information. Just being aware of the type of things to look out for can significantly reduce the possibility of someone falling prey to a social engineering attack.
Keeping personal devices and software updated is another way to help keep yourself and your business safer, especially if personal devices are used in business operations. Outdated software contains known vulnerabilities, and as soon as a patch is released, the vulnerability it fixes becomes public knowledge. This means that if an update is available and you don't install it, your device now carries an exploitable vulnerability that threat actors know about. Keeping up to date with the latest patches and updates removes your exposure to these well-known vulnerabilities.
Imposing policies among staff is another way to make a business less exposed to threats. This can include requiring everyone to follow rules about social media and how much information is allowed to be disclosed to the public. Having everyone sign contracts about following the rules and guidelines outlined by the business is something every owner should consider. This ensures that there is no confusion about what is expected of each individual as well as what the consequences are if those rules are not followed.
Refraining from using public Wi-Fi, especially when working with sensitive information, is something that should be discussed more in small business settings. Public Wi-Fi networks are open to the public, which means that anyone can gain access to them. This, obviously, poses a great security risk. Public Wi-Fi is an easy setting for a Man-in-the-Middle attack, in which a malicious actor on the same network is able to capture traffic coming from your device. This can include anything from passwords to credit card information. Such information getting stolen can greatly damage a business’s reputation as well as possibly result in fines.
Using a VPN is a way to protect yourself against these attacks, as it creates a secure connection between your device and a VPN server, so even if someone is able to intercept data being transferred over the network, it would be encrypted, and the attacker wouldn't be able to read it. While there are free VPNs available, they are known to have vulnerabilities. So, it might be safer to simply refrain from using public Wi-Fi while conducting business operations altogether.
While these are only a few cost-friendly ways a small business can protect itself, there are many great resources out there that provide much-needed information, such as the NIST IR 7621 Rev. 1 Small Business Information Security: The Fundamentals, blogs about cybersecurity, or even podcasts covering the newest and most well-known attacks everyone should be aware of. These diverse sources allow everyone to learn more about the security side of things.
So yes, as overwhelming as the security landscape can be, investing time in educating yourself on these topics can significantly impact the safety of your business. With so many different ways to harm a business, it is more crucial now than ever to be mindful of everything owning a business includes and just how important making security a part of that is to the continuity of it.