Small businesses and startups are known to face some extra challenges when it comes to cybersecurity. Because they don’t have the size or budget for a fully-fledged dedicated security team, it often comes down to one person who doesn’t have the time to do everything that is recommended or even required. Often security issues are only dealt with when the need arises.
There is the first issue right there. When the need arises, it’s often already too late. An infection has been found, a breach was discovered, or ransomware has disabled systems or made files unretrievable.
Small businesses also often do not consider themselves to be a target, but you don’t have to be explicitly targeted to get breached or infected. Depending on how small your business is, the tips below may be more or less important in your circumstances and for your threat model, which will depend on the line of business that you are in.
Your staff need to know what is expected of them, and what not to do.
It’s important to be aware of your networking equipment, endpoints, and devices, not only to know what needs to be protected, but also to know where weaknesses may lie.
Once you have established the hardware and software in your environment, you need to perform effective patch and vulnerability management.
If having specialized software for this task or outsourcing it is not an option, it might be a good idea to keep an eye on the Known Exploited Vulnerabilities Catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA). This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by which the vulnerability needs to be patched in their organization. Even if your organization isn’t an FCEB agency that needs to follow Binding Operational Directive 22-01, the CISA list acts as a good guide for your patch management strategy.
And keep an eye on security news sites in order to stay alerted to the biggest and most important updates and patches.
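One way to turn the catalog into a patch to-do list, as an added example that is not part of the original post: match your hardware and software inventory against catalog entries and flag anything past its due date. The catalog records, inventory, vendor and product names, and CVE ids below are constructed placeholders; the field names assume the layout of CISA's JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`), which you should check against the live feed.

```python
# Added example (not from the original post): report which inventory items have
# unpatched entries in a CISA KEV-style catalog, overdue ones first.
# All catalog entries, CVE ids and product names here are CONSTRUCTED placeholders.
import json
from datetime import date

# Constructed catalog excerpt shaped like CISA's JSON feed (assumed field names).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleRouter",
   "dateAdded": "2024-01-05", "dueDate": "2024-01-26", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleOffice",
   "dateAdded": "2024-02-10", "dueDate": "2024-03-02", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherDB",
   "dateAdded": "2024-02-12", "dueDate": "2024-03-04", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory: the hardware/software list the post says to build first.
# patched_cves records catalog entries already remediated on that asset.
INVENTORY = [
    {"asset": "edge-fw", "vendorProject": "ExampleVendor", "product": "ExampleRouter", "patched_cves": set()},
    {"asset": "laptop-07", "vendorProject": "ExampleVendor", "product": "ExampleOffice", "patched_cves": {"CVE-0000-0002"}},
    {"asset": "fileserver", "vendorProject": "ExampleVendor", "product": "ExampleOffice", "patched_cves": set()},
]

def load_catalog(raw):
    return json.loads(raw)["vulnerabilities"]

def match_inventory(catalog, inventory, today_iso):
    """One finding per (asset, unpatched catalog entry), with its deadline status."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        for v in catalog:
            if (v["vendorProject"], v["product"]) != (item["vendorProject"], item["product"]):
                continue
            if v["cveID"] in item["patched_cves"]:
                continue  # already remediated on this asset
            findings.append({
                "asset": item["asset"], "cve": v["cveID"], "due": v["dueDate"],
                "overdue": today > date.fromisoformat(v["dueDate"]),
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            })
    # Overdue first, then entries tied to ransomware campaigns, then by due date.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for f in match_inventory(load_catalog(KEV_JSON), INVENTORY, "2024-03-03"):
        print(f)
```

Feeding the real catalog in place of `KEV_JSON` and your own asset list in place of `INVENTORY` gives a prioritised list without needing dedicated vulnerability-management software.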
Having a strict policy to protect your important assets with strong passwords and multi-factor authentication (MFA) should be a no-brainer. Consider making it easier for your staff by using a single sign-on service or, alternatively, by providing them with a password manager.
Very important files and documents can be encrypted or stored in password protected folders to keep them safe from prying eyes. A stolen or lost device is stressful enough without having to worry about confidential information.
A firewall protects an entry point to a network while a VPN creates an encrypted tunnel between two networks. Both can be used to protect your network.
If your company has internet facing assets—and who doesn’t—it’s important to apply network segmentation. The process of network segmentation separates a computer network into subnetworks, and allows for each segment of the network to be protected with a different set of protocols. By separating each segment according to role and functionality, they can be protected with varying levels of security. A common step for small organizations is to separate the systems that require internet access from those that don’t.
Remote Desktop Protocol (RDP) is a network communications protocol that allows remote management of assets. It allows users to remotely log in to systems and work on them as if they were physically there. RDP is a necessary evil sometimes, but there are ways to make it more secure.
Make sure all your devices are protected by cybersecurity solutions. Logs should be easy to digest and easy to understand, regardless of whether the readers are your own employees or those of a provider. A lot of needless alerts will interrupt your workflow, but you do not want to miss the important ones. So balance is important, especially with a limited staff.
Businesses need to understand what level of protection their providers, or others with access to their resources, have in place. Ransomware is contagious: if your providers have it, you likely will too. Supply chain attacks can come from your most trusted provider and still be disastrous.
Check for compliance and certifications. Depending on the type of supplier and the level of access to your assets, there is nothing wrong with setting some standards. For example, your IT services supplier can demonstrate a good level of cybersecurity by having achieved a cyber certification. It may also help to know that your supplier is aligned with a standard of cybersecurity deemed good enough by government organizations.
When a security issue arises despite all of your efforts to secure your environment, you should have a plan ready to contain and deal with the consequences.
We provide cybersecurity for sole proprietors, boutique businesses, and small offices – no IT skills required. Protect yourself with Malwarebytes for Teams.