5 Essential Cyber Security Pointers for Small Business

by Tony Richardson CISSP

In our experience, small businesses tend to have excuses for not implementing cyber security measures, and they generally boil down to one of two reasons — it’s too expensive, and anyway hackers only go after large organisations.

In fact, the second excuse is completely untrue. Yes, breaking into a multinational would be ideal for a hacker, but they’re usually too well protected. On the other hand, hackers can make a very nice income by holding poorly protected small businesses to ransom — one at a time.

As for expense — well, the ideal would be to have the cyber equivalent of Fort Knox protecting your files, but that’s beyond a small business. On the other hand, there are five steps you can take to boost your cyber security that are within the budget of a small business — and certainly cheaper than being hacked.

1. Have Cyber Security Policies in Place

In order to make sure everyone in your organisation is keeping your data safe, you need policies in place. These should cover everyday access to systems and information, and will typically include:

  • Overarching Security Policy — explaining what needs protecting, why, and how. Make sure you have identified everything that needs defending!
  • Vulnerability risk assessment — establishing where hackers are most likely to target your systems, and what the effect would be if they succeeded. This will help you determine what level of investment would be cost effective.
  • Password policy — setting out guidelines for your people on creating strong passwords, and on how those passwords must be protected.
  • Acceptable Use Policy — detailing what the company systems are and aren’t for. The average time spent on non-work related browsing per employee is almost 2 hours per day!
  • BC/DR plan — ensuring that you have a plan in place if the “unthinkable” happens. You need to keep calm and carry on!

Having cyber security policies is common sense, but it isn’t necessarily optional either: you will very likely need them for compliance purposes. And this is not an exhaustive list!

2. Educate Your People in Security Awareness

By far the majority of successful cyber-attacks are down to human error — people clicking on suspicious links, opening attachments from unrecognised sources, choosing passwords that are too easily guessed, and so on.

The best way of slashing the risk, therefore, is to educate your people to recognise dangers and act accordingly. This isn’t a one-time training, though. Good habits tend to fade, and anyway the risks are constantly evolving, so it’s best to have your employees trained on cyber security annually.

A good way to identify your weak links, who may need extra training, is through a dummy phishing campaign that some cyber security firms offer. These are run exactly the same as a real phishing campaign — except that, instead of robbing you, these emails tell you which of your people might fall for the real thing.

3. Use Strong Email Filters and Endpoint Detection Systems

Since no security training is perfect, it’s also important to prevent as many dangerous emails as possible from getting through to your employees. Be warned: 85% of successful cyber-attacks are initiated by manipulating users through social engineering techniques such as phishing.

Strong email filtering services, not just a secure email gateway, have to be implemented, coupled with a way of visually warning users that an email is suspicious and a capability for users to report it.

Filtering emails is a delicate balance. You want to get rid of dangerous emails, but you don’t want the filter blocking anything remotely suspicious, which may well include vital messages (these wrongly blocked messages are known as false positives). This means that setting up the filters isn’t an instant process — they have to be “trained” over a matter of weeks to recognise what’s safe and what may not be.

Endpoints also need advanced threat detection and response countermeasures deployed. Don’t rely on traditional anti-malware solutions alone.

4. Use Network Vulnerability Scans – patch, patch, patch!

Vulnerabilities appear over timescales of anything from days to years, as the programs and apps installed on your systems change. For example, flaws may be discovered in the version you are running, which then needs to be patched or updated to remain safe.

Network vulnerability scans, which can be performed at various frequencies depending on how critical the data you hold is, identify any part of your network that’s at risk. You’ll be given information about how serious the danger is, as well as how to remove the risk.

5. Backup frequently

Even if you’ve done everything correctly, it’s unlikely that you’ll get a system that’s 100% invulnerable. That’s why it’s critical to ensure that regular backups and restores are sound. Apply the 3-2-1 backup strategy, which means having at least three total copies of your data, two of which are local but on different media (read: devices), and at least one copy off-site (read: cloud?). And make sure you can actually recover from these backups, and test this regularly.
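As an added example (not code from the original article), the following Python script checks a backup inventory against the 3-2-1 rule just described and verifies that a restored copy actually matches the source. The inventory format, the copy names and the 90-day restore-test window are assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule and verify a restore.

Added example. Each copy in the (hypothetical) inventory is a dict with
'name', 'location' ('local' or 'offsite'), 'medium' (e.g. 'disk', 'nas',
'tape', 'cloud') and 'last_restore_test' (ISO date or None).
"""
from datetime import date
import hashlib

MAX_RESTORE_AGE_DAYS = 90  # assumption: a successful restore test at least quarterly


def check_321(copies, today=None, max_age_days=MAX_RESTORE_AGE_DAYS):
    """Return a list of problems; an empty list means the inventory complies."""
    today = today or date.today()
    problems = []
    local = [c for c in copies if c["location"] == "local"]
    offsite = [c for c in copies if c["location"] == "offsite"]
    if len(copies) < 3:  # "3": at least three total copies, the live data included
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c["medium"] for c in local}) < 2:  # "2": two local copies on different media
        problems.append("local copies are not spread over two different media")
    if not offsite:  # "1": at least one copy off-site
        problems.append("no off-site copy")
    for c in copies:  # a backup you have never restored from is not a verified backup
        tested = c.get("last_restore_test")
        if tested is None or (today - date.fromisoformat(tested)).days > max_age_days:
            problems.append(f"{c['name']}: restore not verified in the last {max_age_days} days")
    return problems


def restore_matches(original: bytes, restored: bytes) -> bool:
    """A restore test only counts if the restored data is byte-for-byte the source."""
    return hashlib.sha256(original).digest() == hashlib.sha256(restored).digest()


# Constructed sample inventory: compliant layout, but the cloud copy was last restore-tested 213 days ago
SAMPLE = [
    {"name": "primary", "location": "local", "medium": "disk", "last_restore_test": "2024-05-01"},
    {"name": "nas", "location": "local", "medium": "nas", "last_restore_test": "2024-05-01"},
    {"name": "cloud", "location": "offsite", "medium": "cloud", "last_restore_test": "2023-11-01"},
]

if __name__ == "__main__":
    for problem in check_321(SAMPLE, today=date(2024, 6, 1)):
        print("PROBLEM:", problem)
```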

Don’t Put Off Your Cyber Security

The consequences of your business falling prey to a cyber-attack could be devastating, and the time to put security in place is yesterday. These five strategies make up the minimum for a small business, but the good news is that it should be within your budget to implement them.

Cyber security is too important, though, to be left to a slapdash approach, and it’s as well to have it overseen by professionals. Give us a call to find out how we can help you avoid becoming part of the statistics.