Cybersecurity threats can be a real risk to your business. Here’s what to know — and actions to consider taking today.

Cybersecurity threats are more common than ever and pose a growing risk to small businesses. The shift to remote and hybrid work over the past two years has provided more opportunities for security breaches — ranging from malware to stolen customer data — that businesses need to arm themselves against.

Why should you be concerned? Forty-three percent of online attacks are aimed at small businesses. And the consequences of a cyberattack go beyond financial loss and damage to your reputation. According to research from the National Cyber Security Alliance, 60% of small and midsized businesses that are hacked go out of business within six months. At the same time, a 2020 study by the Ponemon Institute, LLC, found that many organizations feel they don’t have adequate budgets for cybersecurity protection.

The truth is, many cybersecurity concerns can be addressed without incurring huge costs. Here are some key actions that small business owners in particular can consider that can make a dramatic difference in the fight against cyber threats.

Keep your software up to date

Out-of-date software can leave you susceptible to security breaches, so make sure that your software (including operating systems of your computers and mobile devices) is routinely updated or patched to fix bugs, and that your hardware is on a regular maintenance schedule. On top of that:

  • If you haven’t already, install anti-virus, anti-spyware, and anti-malware programs for your computer systems, as well as a firewall.
  • If you work with a technology vendor or service, see if they offer protective software for mobile phones or tablets.
  • Use a firewall with a virtual private network (VPN) on your mobile devices, which may help protect them on public networks — such as the ones you or your staff are likely to use in airports, coffee shops, and convention centers.

Most mobile operating systems have a built-in VPN—you just need to switch it on in your device’s settings.

Use strong usernames and passwords

When setting up a device, replace all the default names, usernames, and passwords with unique ones, and don’t reuse passwords across multiple sites. (“Admin” is a standard username, and easy to guess.) Some suggestions:

  • Use long passwords (or “passphrases”) that contain a combination of letters, symbols, and numbers.
  • Consider purchasing password-management software, which can help minimize unauthorized use of a login and manage various passwords across different accounts.
  • When possible, use multi-factor authentication. For example, two-factor authentication may require a password as well as a passcode sent to your email or texted to you.

Change passwords every three to six months. If you think a password has been compromised, change it immediately.

Manage devices and usage

Define and create roles and needs for various devices so access is only granted as needed. This can help you track which hardware each employee can access and minimize access to sensitive information. On top of that:

  • Outline your basic asset-management policies to understand what can connect to your network and who has access to what information.
  • Train employees to keep an eye out for issues like suspicious activity, bad connections, pop-ups, or phishing, as well as how they should report those issues when they arise.
  • Inform employees of the proper procedure for device setup, what to do when they are prompted for device updates, and what to do if their device is lost or stolen.
  • If you’re thinking about a “bring your own device” (BYOD) policy, consider the impact of employees using personal devices to access sensitive work information, and set rules or limits accordingly.

Remove employee or contractor access immediately after termination

This is about more than controlling what a former worker can access. Unused but active login information can provide another possible access point for a security breach. To prevent this:

  • Make it part of the offboarding process to dedicate time to change passwords and close username profiles for any terminated employees.
  • Also conduct a thorough review of a former employee’s computer or device to look for other profiles or accounts related to your business that may need to be changed or closed.

Don’t forget about your smartphone

More and more of us rely on our smartphones for most of our communications and day-to-day work needs. To keep all that information safe:

  • Enable the settings to allow remote tracking and data wiping on your device, so if it’s stolen, you can render your data irretrievable.
  • Have a passcode, only download applications from trusted developers, install updates regularly, and don’t open attachments or click on any links received in suspicious or unsolicited texts or emails.

Back up regularly

Your data and information should be backed up regularly, not just as protection from cyber threats, but to keep your data intact in the event of a technology malfunction.

  • If you work with third-party technology and software vendors, talk to them about their policies for performing regular backups to make sure your information is secure.

Keep your backups disconnected from the internet so that hackers have no way to access them.

Be proactive — and customize as you go

Any cybersecurity plan begins with being proactive. The tips above can help you get started, but you should also put together a plan specific to your company, its needs, and all potential threats. When determining your cybersecurity needs, consider the types of breaches most common in your industry. For instance, if your business is cloud-based with numerous connected devices, you’ll need a plan detailing how your employees access and treat secure information.

Cybersecurity threats can be a risk to your business — and they’re more common than ever. But arming yourself with knowledge and taking simple actions can help protect your business from security breaches.

Source: “Cybersecurity in the Remote Work Era: A Global Risk Report (PDF),” Ponemon Institute LLC, 2020