13 Tips for Small Business’s Cybersecurity
The strength of your cybersecurity can make or break your business. A cyberattack puts your company at risk of data loss, reputational damage, and financial instability.
With strong cybersecurity, your business stays safe even when your attention is on other things. You can focus on growing your business while cybersecurity measures are always in place, working in the background to keep the company secure.
At Elliman Technologies, we partner with small to midsize businesses to preserve cyber safety. Here are our top 13 tips for maintaining high cybersecurity standards that protect your business.
1. Train Employees on Digital Safety
It’s a tough fact to face, but your employees are the top threat to your cybersecurity. They don’t necessarily intend to harm you, but they might inadvertently do things that put your company’s data safety at risk.
Take a moment to consider email phishing attacks where cybercriminals gain access to confidential information via email links. Almost everyone is familiar with email and feels skeptical about spam, yet successful email phishing still accounts for 41% of all cyberattacks.
Whenever cybersecurity is breached through human interaction, it’s known as a social engineering attack. Social engineering takes advantage of human psychology and behavior to steal information. For example, a cybercriminal might call into your business and act like a nice customer, gently prodding one of your employees for a password or other private data.
Sometimes, the attack unexpectedly comes from the inside. For example, a Texas agency discovered that an employee was deleting sensitive data due to a mistaken belief that they were helpfully cleaning up the old files. The employee was eventually fired, but a huge amount of valuable information was already lost forever.
In another incident, a Pennsylvania law firm found four former employees were deleting data, copying files, and breaching confidential information long after they’d left the firm. Even these lawyers, who should have known better than to break the law, compromised their former employer’s data for months before anyone realized what was going on.
One of the best ways to protect your business from these kinds of incidents is to train your employees on the basics of modern cybersecurity standards and rules. Alert them to your latest data preservation standards, plus the common scams and techniques cybercriminals use to manipulate people and gain access to private data.
Here’s a short list of trustworthy sources of cybersecurity information:
- FBI List of Common Internet Scams and Crimes
- FBI Cybercrime Tip Page
- USA.gov Online Safety Center
- US CISA 4 Steps to Stay Cyber Safe
- US Department of Justice Internet-Related Crime Reporting Center
Wondering how vulnerable your employees are to cybercrime? Some companies hire social engineering penetration testers to see how their employees respond to “secret shopper” style test attacks. These tests reveal where risks exist and where there’s room for improvement.
2. Keep Machines Clean
When it comes to cybersecurity, having clean machines is vital. We’re not talking about sanitizing your screens or dusting off your keyboards, although that’s always a good idea.
Clean machines run on the latest security systems and have up-to-date antivirus software, web browsers, and operating systems. They’re not bogged down by old, outdated technology and are well-protected with strong passwords, plus knowledgeable IT support staff.
How clean are your machines? How fresh is your entire IT infrastructure? To learn more about maintaining clean cybersecurity standards, keep reading the additional tips below.
3. Protect Your WiFi Network
If your employees and/or customers access your WiFi network, keep it safe with secure encryption and access.
Password-protect all access to your network and router. Instead of allowing all employees and visitors to share the same password, set separate employee and guest user accounts with individual passwords. Guest users typically only need limited access and their use should be restricted to certain digital areas within your network or systems.
Don’t allow access forever. Sessions should time out after a set period, and a former employee’s access should be terminated immediately. Set up systems that require strong passwords and prompt for regular password changes.
4. Establish Mobile Device Rules
Many small business owners don’t realize that employees’ cell phones present a constant risk to the company. Any use of a personal or company phone presents a potential vulnerability as people use these devices to access company systems.
What if an employee uses the company’s clock-in/clock-out site on their personal smartphone? Even if this is allowed or encouraged, it’s a possible source of access that needs to have security procedures in place.
What about your employees’ daily work with the multiple systems your company uses? How do they access things like your HR system and vacation schedules? Are your employee portals properly password-protected? Does your app log them out after a period of inactivity, preventing unauthorized future access?
Also, consider what happens when a piece of equipment is lost or stolen. Do you have procedures in place for this? If someone loses a company phone, they need to be able to tell you immediately. Or, if they suspect someone used their login info online or saw private information on their laptop, they need a safe way to report it as quickly as possible.
5. Create Cloud-Based Backups
Part of preserving your company’s cybersecurity is ensuring you’re not vulnerable to data loss. Consider what would happen if your building burned down or your local computer network was seized by cyber thieves.
What’s your backup plan? Many companies now address this issue through cloud-based storage, also known as distributed storage or remote data storage.
This is a type of off-site storage where your information is preserved at another location but is still accessible anytime and anywhere through the “cloud” of the internet. Cloud storage is part of a strong backup and recovery plan.
6. Set Up a Hierarchy of Access
Not every employee needs access to your most private information, like company financials and HR paperwork. This information should be protected behind a hierarchy of access, meaning various people are assigned access at various levels.
This is sometimes called role-based access. For example, your front-line customer service workers will likely have a much more restricted level of access than your company’s owners.
These role-based standards can be set within your devices, networks, apps, data storage, and so forth. Only a handful of people, like your IT manager and top executives, need the highest level of access. And even then, their access should be controlled through passwords and authentication, which is discussed more below.
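As an added illustration of the role-based access described above (example code, not from Elliman Technologies or any product), the block below keeps a deny-by-default map of which roles may perform which actions on which resources, records every decision so denied attempts can be reviewed, and shows that only a few roles hold write access to the most sensitive data. The roles, users, and resources are constructed for the example.

```python
"""Deny-by-default role-based access control (RBAC), with an audit trail.

Added example: the roles, resources and users here are constructed for
illustration and do not come from any real system.
"""
from dataclasses import dataclass, field

# Permissions are (resource, action) pairs granted to a role.
# Anything that is not listed here is denied.
ROLE_PERMISSIONS = {
    "customer_service": {("tickets", "read"), ("tickets", "write"),
                         ("customers", "read")},
    "hr":               {("hr_records", "read"), ("hr_records", "write"),
                         ("customers", "read")},
    "finance":          {("financials", "read"), ("financials", "write")},
    "it_admin":         {("devices", "read"), ("devices", "write"),
                         ("audit_log", "read")},
    # Executives get read-only visibility into financials and HR records;
    # they do not need write access to do their job.
    "executive":        {("financials", "read"), ("hr_records", "read"),
                         ("audit_log", "read")},
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class AccessLog:
    """Every allow/deny decision is recorded for later review."""
    entries: list = field(default_factory=list)


def is_allowed(user, resource, action):
    """True only if at least one of the user's roles grants the pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def authorize(user, resource, action, log):
    """Make the decision, record it, and return it."""
    decision = "ALLOW" if is_allowed(user, resource, action) else "DENY"
    log.entries.append((user.name, resource, action, decision))
    return decision == "ALLOW"


def denied_attempts(log):
    """Denied requests are the ones worth a second look by IT."""
    return [e for e in log.entries if e[3] == "DENY"]


def roles_with(resource, action):
    """Which roles hold a given permission (e.g. who can change financials)."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items()
                  if (resource, action) in perms)


if __name__ == "__main__":
    log = AccessLog()
    dana = User("dana", {"customer_service"})
    omar = User("omar", {"executive"})
    authorize(dana, "tickets", "write", log)        # allowed
    authorize(dana, "financials", "read", log)      # denied
    authorize(omar, "financials", "write", log)     # denied: read-only
    for entry in denied_attempts(log):
        print("DENIED:", entry)
    print("can write financials:", roles_with("financials", "write"))
```

Two design points: an unknown role or an unlisted resource yields a deny rather than an error or a silent allow, and the log is written on the allow path too, so a later review can reconstruct who touched sensitive data and when.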
7. Maintain Password and Authentication Standards
Make it a company rule that employees should always keep their passwords secret and change them regularly. The Federal Communications Commission (FCC) recommends changing business-related passwords every three months.
Use multi-factor authentication, which requires more information than just a password to gain full access to sensitive data. This is especially important if your employees will be accessing company information on their personal laptops, smartphones, and other devices.
8. Run Secure Payments
Any company that accepts or uses credit cards is at risk of processing-based vulnerabilities. Work with your bank and card processors to ensure you’re using the most up-to-date fraud protection tools.
This isn’t just a good idea; it’s often a compliance issue for your processing partners. Many banks and processors require businesses to follow certain standards to stay compliant with their business practices and to stay within the law.
For example, you might need to isolate your secure payment system from less secure web browsing because your processor demands it. Also, you might be required to submit proof of system security at regular intervals. Inquire about which rules you should be following and, if necessary, work with a cybersecurity firm to ensure nothing is falling through the cracks.
9. Avoid Ransomware and Malware Risks
According to the latest data from IBM’s security threat report, ransomware attacks are now the #1 most common type of cyberattack. In a ransomware attack, cybercriminals limit access to your private data until a ransom is paid for its return.
Ransomware attacks are a subset of a larger group of attacks known as malware attacks. The word “malware” is a shortened form of “malicious software,” which refers to the wide range of spyware, adware, worms, and viruses hackers use to crack into private and protected data.
The best way to avoid these attacks is to install the latest versions of anti-spyware and antivirus software. Work with a reputable IT and managed services company that follows the best practices in modern cybersecurity.
10. Review Physical Access Rules
As everything goes digital, it’s easy to forget that physical access is still a big risk to your business. If someone breaks into your building or steals something from your front counter, your data could be exposed in the process.
Set employee rules for physical access and device movement. If there are company phones, laptops, and other devices, label them all with tracking numbers and require employees to maintain data security. Devices should be fully enabled to allow security updates.
Ensure strangers can’t enter your building’s most vulnerable areas, like your server room. Store extra laptops and devices in a locked cabinet with limited access. If possible, install building security with passcards and video feeds for added protection.
11. Have an After-Hours Plan
What would happen if you suffered a cyberattack after hours? Do your employees have a way to report suspicious behavior, even in the middle of the night?
A US cybersecurity report recently found that 76% of ransomware attacks occur outside primary business hours, with 49% happening overnight when businesses are closed. These attacks often catch small business owners off-guard because the business might be shorthanded and out of communication with anyone who can help.
This is why you need an after-hours plan for cybersecurity troubleshooting and support. Most smaller businesses don’t have the staff to handle these demands, but a managed services company can offer additional support that keeps you protected 24/7.
12. Check New Laws and Trends
The world of cybercrime moves fast, so it’s challenging to stay ahead of new trends and the laws that address them. In June 2022, U.S. President Joe Biden signed two new cybersecurity bills into law.
- The State and Local Government Cybersecurity Act creates stronger collaboration among state, local, and tribal agencies in the name of preserving governmental data security. Certain companies that work with government partners may be required to provide more reporting and security control.
- The Federal Rotational Cyber Workforce Program Act creates the framework for a nationwide cybersecurity workforce that will expand career opportunities for people in the field. The goal is to create a new generation of cyber-literate workers.
Another major global tech trend over the past few years involves data privacy and protection, including new EU standards known as the General Data Protection Regulation (GDPR). If you do any business internationally, these standards may impact how you run your website and collect data online.
Cybercriminals also update their methods over time, creating a constant need for vigilance. This is why the cybersecurity standards you had just a few years ago are probably already outdated. Or, if cybersecurity hasn’t ever been a priority at your company, online thieves could already have you in their sights.
Cyberattacks can be extremely complex and difficult to spot. For example, in an SQL injection attack, someone submits input that an application pastes into a structured query language (SQL) query, so the database runs the attacker’s SQL and exposes or damages sensitive data. The average small business owner wouldn’t notice this type of attack until long after it’s already doing serious damage.
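To make the SQL injection point concrete, here is an added example (not code from the original article or from Elliman Technologies) showing the vulnerable pattern next to its fix. It uses Python’s built-in sqlite3 module with an in-memory table of constructed sample rows. The unsafe lookup builds the query text from the user’s input, so a value containing a quote changes the meaning of the query; the safe lookup passes the value as a bound parameter, so the database treats it as data no matter what it contains. The same parameterized form also handles legitimate input such as an email with an apostrophe, which the unsafe version cannot even process.

```python
"""SQL injection: vulnerable string-built query vs. parameterized query.

Added example using Python's sqlite3. The table and rows are constructed
sample data, not from any real system.
"""
import sqlite3


def make_db():
    """Create an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("o'brien@example.com", "3333"),  # legitimate apostrophe in input
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    """VULNERABLE: the user-supplied value is pasted into the SQL text.

    A quote character in `email` ends the string literal early and the rest
    of the input is executed as SQL. Kept here only as the 'before' form.
    """
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """HARDENED: the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def query_errors(conn, email):
    """True if the unsafe query cannot even be parsed for this input."""
    try:
        lookup_unsafe(conn, email)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # classic textbook injection input
    print("unsafe, normal input:  ", lookup_unsafe(db, "alice@example.com"))
    print("unsafe, injected input:", lookup_unsafe(db, tautology))
    print("safe, injected input:  ", lookup_safe(db, tautology))
    print("unsafe breaks on O'Brien:", query_errors(db, "o'brien@example.com"))
    print("safe handles O'Brien:   ", lookup_safe(db, "o'brien@example.com"))
```

The practical rule for a small business asking its developer or vendor is simple: every query that includes user input should use parameter binding (the `?` placeholder in sqlite3; other drivers use `%s` or `:name`), never string formatting. A database user with only the permissions the application needs limits how much a successful injection can read or alter.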
Some small businesses are dealing with the frustrating issue of stalkerware being installed on employees’ personal or company devices. Stalkerware is remote monitoring software that allows a stalker – who could be anyone, like a spouse, a former colleague, or a business adversary – to keep track of what someone is doing with their device.
Internet of things (IoT) cybercrime is also on the rise. Thieves crack into all kinds of individual devices like smart TVs, smartwatches, cameras, and environmental monitoring devices. Anything hooked up to the internet can become an access point for a determined cybercriminal.
Have you heard of a zero-day exploit? This is a type of cyberattack where hackers take advantage of a site or network flaw that’s still in the development or testing phase before the developers ever have a chance to address it. You have zero days to resolve the issue before the hackers are already interfering with your business and gaining control of your digital access.
13. Review and Update Your Standards Regularly
Finally, keep in mind that cybersecurity isn’t a set-it-and-forget-it plan. As you can see from the information above, it takes constant attention to stay ahead of cyber threats and maintain tight cybersecurity.
Set a reminder to review your entire cybersecurity plan regularly, at least once per year. Whether you’ve previously suffered a cyberattack or not, keep upgrading to the latest tools and standards. Your business always stays as secure as possible when cybersecurity is a year-round priority.
Never miss another cybersecurity tip. Elliman Technologies is your partner in protecting your business from dangerous cybercriminals and cyber attacks. Sign up for our cybersecurity emails today with more helpful tips for keeping your business safe.