Cybersecurity for Small Business

It’s the same for massive multinational corporations as it is for Small and Mid-size Businesses (SMBs). Security is the #1 most important factor affecting network operations today. After hundreds of thousands of employees across most professions worldwide moved to a ‘Work from Home’ (WFH) status following COVID, cyber-attacks, and specifically Ransomware, have snowballed in epic proportions.

The IT Support and Services models used by SMBs varies greatly among the IT services community serving the Charlotte area Angeles, which encompasses the gamut of IT consulting services which serve the smallest to the largest of businesses. A small office with two or three employees will probably not use a Managed Services Provider (MSP), but rather a ‘Break & Fix’ (B&F) occasional IT services ‘guy’.

If your small business uses a ‘B&F guy’, your network security needs are most likely served only at a minimal level. Your ‘B&F’ guy works by the hour and simply fixes whatever breaks. They might make sure that your firewall, Antivirus (AV) and the security patches and updates for your Operating System (OS) are kept up to date – although it’s a huge mistake to take that for granted. In speaking with the owners and administrators of small businesses across the Carolinas and beyond, we hear this question far too often:

Do small businesses need Cybersecurity?

The answer is obvious: Yes (DUH!) Over 80% of all cyber-attacks and data breaches per year are aimed directly at SMBs. Another thing we at ITFirm.com hear all too often is: “I’m too small for cyber crooks to bother with.” NO… YOU ARE NOT. Think of Goldilocks and the Three Bears: If Goldilocks was a cybercriminal, she would find some crimes too small (like smart phone hacking), some too big (like governments and massive corporations), but she would find the crimes that are ‘just right’ – and those are the crimes she would commit against SMBs. For the cyber criminals launching over 80% of attacks, SMBs are ‘just right.’

Realistically, the vast ‘middle class’ of cyber crooks are looking for you, and sooner or later they will find you and hit you for an amount of cash (in Cryptocurrency) that is more damaging to your business than the 5 million dollars that were extorted from the Colonial Pipeline. Colonial will survive, whereas your business may not.

How can small business improve cybersecurity?

If you do not have a Managed IT Services firm looking after your network, you should start talking to them – interview a few and go with the best. In the meantime, there are a few common-sense steps that can be taken that won’t break your bank. The FCC goes into detail about these steps HERE, but in a nutshell, follow this outline:

1) Update! Keep all Firewalls, AV, and security patches up to date. Microsoft regularly sends these updates. Make sure your network is configured to have these updates performed automatically. Ask your IT support provider to do this or show you that it is being done. These updates MUST include your Operating System. For example, if you are still using Windows 7, your network is just waiting to be invaded since Microsoft stopped security updates for this platform long ago.

2) Backups! Even with preventive measures, if Ransomware locks up and encrypts your data, your backups are your ‘Get Out of Jail Free’ card. You should NEVER pay a ransom. Just shut infected devices down, wipe them clean and reinstall the data from your backups. Done!

3) Encryption! Encrypt your data. This is easy to set up to happen automatically. A data breach will be unsuccessful if the hacker is unable to read your data.

4) Strong passwords! Honestly, nobody really likes having to remember passwords, so many people either use one that’s child’s play to crack – such as ‘1234’ or use the same password for everything – once the hacker cracks one, they have the keys to every door in your kingdom. Read our sister company’s (IT Support LA) page on ‘Creating Strong Passwords’. Also, use a Password Manager – you only remember the password for the Manager, and it contains your passwords for everything else.

5) MFA! No, that’s not some kind of swear word from The Urban Dictionary. Use Multi-Factor Authentication (MFA) after the password is entered. Beyond questions like ‘What’s your mother’s maiden name’ or the like, other steps like sending a verification code to another device, thumbprint or even retinal scans add extra layers of protection.

6) Mobile security! Protect the weakest links in your device chain - mobile devices like smart phones, laptops, and notebooks. Extend all security measures to all mobile or remote devices, whether company-owned or ‘Bring Your Own Device’ BYOD. Remote connections are the first that cyber crooks examine for signs of weakness. Good IT support should prevent any vulnerabilities.

7) Physical security! What good are the best firewall and AV if the office door is open and there’s nobody at the reception desk? Network protection is one thing, but make sure your workplace is secure. No stranger should be able to walk in the front door unsupervised. Important information should not be left out in the lobby. Install security cameras. Shred all business documents before taking them to the trash.

8) Secure Wi-Fi! This is another weak link - both in the office and for field workers. With WiFi, your data is traveling through the air, where it’s easier for a crook to grab. Do NOT let your employees in the field use ‘free’ or public Wi-Fi___33, like at Starbucks.

9) Selective access! Delegate and limit employee access to data. All data should be on a ‘Need to Know’ basis. Everybody does not need to be able to see everything.

10) Security Awareness Training! This is THE most important step. All of your firewalls, AVs, and passwords are useless if an untrained end-user falls for an email ‘phishing’ scam and either clicks a bad link or opens a malicious attachment. This bypasses all of your defenses and opens the door for malware to enter your system. Once is not enough – ongoing training every three to four months is recommended.