Small businesses and startups are known to face some extra challenges when it comes to cybersecurity. Because they don’t have the size or budget to have a fully-fledged dedicated security team, it often comes down to a smaller staff that doesn’t have the time to do everything that is recommended or even required. Often security issues are just dealt with when the need arises.
There is the first issue right there. When the need arises, it’s often already too late. An infection has been found, a breach was discovered, or ransomware has disabled systems or made files unretrievable.
Small businesses also often do not consider themselves to be a target, but you don’t have to be explicitly targeted to get breached or infected. Depending on how small your business is, the tips below may be more or less important in your circumstances and for your threat model. Your threat model depends more on the line of business that you are in than it does on the size of your company.
1. Enable your staff
Your staff need to know what is expected of them, and what not to do.
- Make cybersecurity a company-wide issue, but also appoint a go-to person that has a responsibility, along with the time and the tools to perform that task.
- Train your employees in security awareness, so they can recognize phishing attempts and know what they can and can't do on company-issued hardware.
- Consider outsourcing time-consuming and specialized tasks. In the end this may turn out to be more cost-effective than trying to do it with your own staff.
2. Know your equipment
It is important to be aware of your networking equipment, endpoints, and devices. Not only to know what needs to be protected, but also to know where weaknesses may lie.
- Pay special attention to devices that are used to work from home (WFH) or included in a BYOD program. Make it clear that mixing work and pleasure on the same device comes with security risks.
- Audit your environment on a regular basis, especially if you are a fast-growing small business. That way you'll know what you are using and what may need to be upgraded, replaced, or updated.
3. Get your patches and updates ASAP
Once you have established the hardware and software in your environment you need to perform effective patch and vulnerability management.
If having specialized software for this task or outsourcing it is not an option, it might be a good idea to keep an eye on the Known Exploited Vulnerabilities Catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA). This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by which the vulnerability needs to be patched in their organization. Even if your organization isn’t an FCEB agency that needs to follow Binding Operational Directive 22-01, the CISA list acts as a good guide for your patch management strategy.
And keep an eye on security news sites (like this!) in order to stay alerted to the biggest and most important updates and patches.
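One way to turn the CISA catalog into a patch worklist, shown as an added example rather than anything from the original article: match a catalog excerpt against your asset inventory and sort by urgency. The catalog excerpt and inventory are constructed, the CVE IDs are placeholders, and `kev_worklist` is a hypothetical helper; the field names follow the catalog's published JSON feed.

```python
import json
from datetime import date

# Constructed excerpt in the KEV JSON feed's layout; CVE IDs are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN",
  "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
  "dueDate": "2024-06-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Print Spooler",
  "dueDate": "2024-04-10", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed asset inventory (the kind of list the audit in tip 2 produces).
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "examplevendor", "product": "edge vpn"},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "Mail Server"},
    {"host": "nas-01", "vendor": "StorageCo", "product": "NAS OS"},
]

def _key(vendor, product):
    # Normalise case and whitespace so inventory spelling differences still match.
    return (vendor.strip().lower(), product.strip().lower())

def kev_worklist(kev, inventory, today):
    """Return catalog entries that affect owned products, most urgent first."""
    owned = {}
    for asset in inventory:
        owned.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset["host"])
    rows = []
    for v in kev["vulnerabilities"]:
        hosts = owned.get(_key(v["vendorProject"], v["product"]))
        if not hosts:
            continue  # product not in our environment
        due = date.fromisoformat(v["dueDate"])
        rows.append({
            "cve": v["cveID"], "hosts": sorted(hosts), "due": due,
            "overdue": due < today,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    # Overdue first, then ransomware-linked entries, then earliest due date.
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return rows

if __name__ == "__main__":
    for r in kev_worklist(KEV_SAMPLE, INVENTORY, date(2024, 4, 1)):
        print(r["cve"], r["due"], "OVERDUE" if r["overdue"] else "open", ",".join(r["hosts"]))
```

The match is on vendor and product name only, so a hit tells you which hosts to check, not whether the installed version is actually affected.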
4. Lock things down
Having a strict policy to protect your important assets with strong passwords and multi-factor authentication (MFA) should be a no-brainer. Consider making it easier for your staff by using a single-sign-on service or alternatively by providing them with a password manager.
Very important files and documents can be encrypted or stored in password-protected folders to keep them safe from prying eyes. A stolen or lost device is stressful enough without having to worry about confidential information.
5. Use a firewall and VPN
A firewall protects an entry point to a network while a VPN creates an encrypted tunnel between two networks. Both can be used to protect your network.
If your company has internet-facing assets—and who doesn’t—it is important to apply network segmentation. The process of network segmentation separates a computer network into subnetworks, and allows for each segment of the network to be protected with a different set of protocols. By separating each segment according to role and functionality, they can be protected with varying levels of security. A common step for small organizations is to separate the systems that require internet access from those that don't.
Remote desktop protocol (RDP) is a network communications protocol that allows remote management of assets. It allows users to remotely log in to systems and work on them as if they were physically there. RDP is a necessary evil sometimes, but there are ways to make it more secure.
6. Protect your systems
Make sure your servers and endpoints are all protected by anti-malware solutions, preferably EDR (endpoint detection and response). Logs created by your endpoint protection software should be easy to digest and easy to understand, regardless of whether the readers are your own employees or those of a provider. A lot of needless alerts will interrupt your workflow, but you do not want to miss the important ones. So balance is important, especially with a limited staff.
7. Consider your supply chain safety
Businesses need to understand what level of protection their providers or others with access to their resources have in place. Ransomware is contagious, so if your providers have it you likely will too. Supply chain attacks can come from your most trusted provider and still be disastrous.
Check for compliance and certifications. Depending on the type of supplier and the level of access to your assets, there is nothing wrong with setting some standards. For example, your IT services supplier can demonstrate a good level of cybersecurity by having achieved a cyber certification. It may also help to know that your supplier is aligned with a standard of cybersecurity deemed good enough by government organizations.
8. Have a recovery strategy
When a security issue arises despite all of your efforts to secure your environment, you should have a plan ready to contain and deal with the consequences.
- Backups. Make sure you have backups that are as recent as possible and that are easy to deploy. Create backups in an environment that can’t be ruined by the same mishap that destroyed the original (preferably on a different carrier, physical location, and network).
- Know what legal body you need to inform in case of a breach. This is especially important if Personally Identifiable Information (PII) is involved. It is hard to give guidelines here, since every US state has different data breach notification laws, so plan this ahead of time for your jurisdiction. And have a critical communications plan in place that details how you will inform your customers in case of a breach.
Stay safe, everyone!