8 Cyber Security Tips for Small Businesses
Taylor Greene, AIC-M, AINS, AIS
Assistant VP | Business Developer | Claims Administrator
Many small businesses play critical roles in the communities they serve and within the larger scope of their industries. With the rise of cyber threats, it's become increasingly important for these independent firms to prioritize data security. A data breach can cause significant harm, including financial losses, damage to reputation, loss of protected health information (PHI), and legal liability. As such, it's crucial for small businesses to have a proper data security system and corporate policies in place, even if they utilize third-party cloud-based systems.
I've listed 8 tips (two of which are more on the advanced side) for businesses to consider in data protection.
(Please note my list excludes a few items such as having a firewall on all devices, employing an antivirus software, and using common sense)
In 2021, PC Magazine reported that 26% of those they surveyed do not regularly change their passwords. While the linked article argues against changing your password so often, I personally suggest once every 5-6 months is both beneficial and reasonable. Consider using a password manager to store or generate passwords. A good friend of mine uses a hard copy because "paper can't be hacked." Never store passwords written out entirely on a digital document, especially if you use the same passwords for many accounts.
2. Implement two-factor authentication (2FA) to add an extra layer of security for accessing accounts.
This form of security requires users to provide two forms of identification to access their accounts. Normally, it's a password or PIN, as well as an additional verification factor such as a fingerprint, security token, phone call, or text message. This provides an extra layer of security that goes beyond traditional passwords. Although #1 is helpful, talented hackers can figure passwords out given enough determination and time. Adding this layer greatly reduces the likelihood of unauthorized access. 2FA can also protect against phishing attacks (where hackers try to trick users into revealing passwords by posing as trusted entities). Even if hackers find your password, this second layer will stop them in their tracks, giving you time to change your original password and lock them out before any damage is done.
3. Conduct regular backups of important data and store them off-site.
Data loss can occur for a variety of reasons other than cyber attacks. It could be from hardware failure, natural disasters, or simply human error. Backing up important data regularly ensures that if any of these events occur, the business can recover its data and operations can continue without major disruption. Most clients we service require some sort of business continuity plan. Having data backups is certainly an effective way to maintain operations if some catastrophe occurs. One option is using a cloud backup service such as Carbonite.
4. Ensure all software and applications are up-to-date with the latest security patches and updates.
Have you ever seen those annoying pop-up reminders on your desktop? The ones that make you restart your browser, computer, or application so it can update? How many of us ignore it to the last second? That's a big mistake. Browsers, operating systems, and other applications require updates that keep your system secure. On a budget, you can update each system yourself. If you're in charge of a department with hundreds of computers, you may want to look at something like Datto.
Datto is a cloud-based backup and disaster recovery service. Businesses can automate desktop patching to ensure that all systems are up-to-date with the latest security patches and updates. Additionally, Datto provides monitoring services to alert businesses of any potential security threats thus allowing them to take action quickly.
5. Use a managed SOC platform to monitor and detect potential security threats in real time. (Advanced)
A Security Operations Center (SOC) is a centralized team responsible for detecting, analyzing, and responding to security threats in an organization's IT department. SOC platform tools are used by the team to collect, analyze, and monitor security-related data from various sources (networks, servers, applications) in real-time. Some services, like RocketCyber, offer these benefits including 24/7 security monitoring and response capabilities. The platform can offer comprehensive threat detection and response capabilities which help find and respond to threats before they become a problem.
6. Implement a NextGen AV solution to protect against malware, ransomware, and other advanced threats. (Advanced)
Traditional antivirus solutions rely on signature-based detection to identify known threats, but NextGen AV goes beyond this by incorporating advanced techniques such as machine learning, behavioral analysis, and AI-based algorithms to identify and prevent emerging threats.
One example of a NextGen AV solution is SentinelOne Control. It's a cloud-based endpoint protection platform that uses behavioral AI to detect potential threats in real time. They offer support on Windows, macOS, and Linux.
7. Use Office 365 Mailbox Monitoring tools to monitor and detect suspicious activity in email accounts.
This is a built-in tool that you likely already have (assuming your company uses Office 365). Using this tool, you can enable auditing, which allows for tracking all changes made to user accounts such as passwords, mailbox accesses, and email forwarding. You can also set up alerts that notify you when certain events occur, such as when a user logs into his/her account from an unusual location or a large number of emails are sent from a user's account. To set up those alerts, go to Office 365 Admin Center, Security & Compliance Center, and navigate to the Alert Policies section.
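The auditing and forwarding checks described above can also be run from Exchange Online PowerShell. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read mailbox and audit settings, and the 7-day window and the list of operations are choices made for this example.

```powershell
# Added example (not from the article): confirm auditing is on and list
# mailboxes that forward mail, the change the article says auditing tracks.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# 1. Is auditing actually enabled? Mailbox auditing is governed org-wide by
#    AuditDisabled; the unified audit log by UnifiedAuditLogIngestionEnabled.
$org   = Get-OrganizationConfig
$admin = Get-AdminAuditLogConfig
[pscustomobject]@{
    MailboxAuditingOn = -not $org.AuditDisabled
    UnifiedAuditLogOn = $admin.UnifiedAuditLogIngestionEnabled
}

# 2. Mailboxes with forwarding configured on the mailbox itself.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect mail (set per user, easy to miss).
$rules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$rules

# 4. Who created or changed forwarding recently, from the unified audit log.
#    Window and operation list are assumptions chosen for this example.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```

Any forwarding target outside your own domain that nobody can account for is worth reviewing with the mailbox owner.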
Office 365 also offers a Protection Center which provides tools to detect phishing or malware. It also has features such as Safe Attachments which scans email attachments for malicious content before you download it. There is also Safe Links which checks links provided in received emails against a database of known malicious URLs.
8. Ensure employees are trained on basic cybersecurity practices.
Training employees on the policies and cybersecurity practices is critical in protecting your company from cyber threats. Cybersecurity is everyone's responsibility and employees need to be aware of the risks and trained on how to mitigate them. One way to ensure your employees are properly trained is to have up-to-date security policies in place. These could include appropriate usage, computer access control, internet and email conditions of use, clear desk and clear screen, remote working, mobile storage devices, software, viruses, voice equipment, monitoring and filtering, actions upon termination, visitor, and a HIPAA policy. I will likely go into detail on each of these policies in a future article.
Another way of training is to have periodic in-person or online training sessions with your employees. As a former teacher, this author highly encourages such trainings (or meetings for that matter) to be no longer than 50 minutes.
Data breaches can be detrimental to small businesses causing significant harm. It's crucial for small businesses to prioritize data security and have proper data security systems and corporate policies in place. The 8 tips mentioned in this article are not all-inclusive, fail-safe ways to immunize your data. But they are a great start to help minimize potential cyber security threats. By following them, companies can better safeguard their operations and better serve their business partners and communities.
Disclaimer: I have not received any compensation, financial or otherwise, nor have I received any free products or services from any company mentioned in this article.
Vice President & Corporate Insurance Manager
1 yr ago: Great tips! Very important to have these in place prior to completing cyber liability apps, helps check the boxes the first time around. Thanks Taylor!
Peter J. Crosa & Co. - Independent Adjusters
1 yr ago: Great article!