What Your Small Business Cyber Security Plan Must Cover
According to research conducted by the Ponemon Institute, 66% of small and midsize businesses (SMBs) in the US, UK and Europe have experienced a malicious cyber attack in the past 12 months. This figure goes up to 76% when considering companies in the US alone.
What’s more, there appears to be a steady uptick in more sophisticated attacks that cause breaches of critical company data. 63% of SMBs surveyed in that same Ponemon study reported experiencing a data breach in 2019, marking a nearly 10-point increase in such incidents since 2017.
Cyberattacks and data breaches are not only disruptive for small businesses, but costly as well. Ponemon also reports that in 2019, SMBs spent an average of $1.2 million to repair and restore their IT assets and infrastructure after an attack, while losing an additional average of $1.9 million from disruptions to their regular operations. By some estimates, around 60% of SMBs go out of business within six months of suffering a cyber attack.
Phishing, social engineering and web-based attacks top the list of cybersecurity threats specifically targeting SMBs. These threats are largely facilitated by:
- Unmonitored and unsecured endpoint devices, especially laptops, mobile devices and IoT technology in a “bring your own device” workplace
- Weak passwords for user accounts
- Sharing information with third parties without a comprehensive data inventory
- Negligent employee and contractor behavior
Fortunately, you can mitigate the risks and vulnerabilities to your enterprise by implementing a strong security plan for small business infrastructure.
To carry out your own plan, first, identify the main cybersecurity threats that your company currently faces. Then, use this article to determine the best actions that you can take to boost your company’s network, data and endpoint security.
1. Establish Security Policies
Security policies ensure that all the personnel in your enterprise are on the same page when it comes to the handling, usage and storage of business-critical data. They also ensure that your IT specialists follow appropriate and agreed-upon protocols to safeguard data and mitigate infrastructural damage in the event of a cyber attack.
Your security policies should originate from the highest level of your IT organization and be clearly communicated to each and every one of your employees and contractors. Once disseminated and successfully adopted, security policies should effectively become embedded within the processes of your organization.
Data Security Policy
A data security policy protects both company and customer data by ensuring that:
- Only required data is collected
- Sensitive information is safely stored and accessible only to authorized individuals
- Data is securely destroyed when no longer needed
Your data security policy should also clearly spell out all the details and guidelines associated with network security, access control and incident response, among other data security concerns.
Password Policy
A password policy lays out the rules governing the strength, usage and enforcement of passwords for user accounts. This policy can include requirements such as:
- Passwords must be a certain minimum length and include a combination of uppercase, lowercase, numeric and special characters
- Passwords cannot be reused and must be changed at regular intervals
- Failure to comply with the password policy will result in a denial of account access and other penalties imposed by your IT department
Data Classification Policy
A data classification policy forms the cornerstone of your company’s Information Lifecycle Management, which governs the proper retention, usage and destruction of your data.
All data assets should be inventoried according to their sensitivity level, access level, encryption requirements or other security-oriented category. This way, your data classification policy can work hand-in-hand with your data security policy in initiating the appropriate access protocols and breach investigations based on the type of data in question.
2. Educate and Train Your Employees
Employee education is key to protecting your data. For example, even if your company has an official password policy, it won’t help safeguard your information if your employees and contractors don’t actually follow it.
Given that employee negligence lies at the root of most data breaches experienced by SMBs, your small business cyber security plan should include a solid program for internal training and security awareness. Make this education mandatory for your employees and contractors, and be sure to review and update your training material annually to stay abreast of the latest risks and potential threats.
3. Closely Monitor User Activities in Your Environment
To assess and enforce security best practices across your enterprise, it’s also important that you monitor employee activities. This can include such measures as:
- Tracking events like account creation and account logons, which allows you to identify suspicious activity and engage in proactive intrusion detection
- Expanding your audit procedures to cover all repositories of sensitive data in your private network, including file servers, SharePoint, SQL database servers and the like, keeping an eye on both access attempts and the activity that occurs around sensitive data
- If you use cloud services such as Office 365, monitoring logons to these services as well as user activity within them
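The first item above, tracking logons and account creation to surface suspicious activity, in working form. This is an added example, not code from the article or from Netwrix: the events are constructed and the threshold, window and business-hours assumptions are the example's own.

```powershell
# Added example (not from the original article): flag accounts with a burst of
# failed logons and report every new account creation.
# Event IDs are the standard Windows Security log IDs: 4625 = failed logon,
# 4720 = user account created. The sample events below are constructed.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:10:05'; Id = 4625; Account = 'jsmith'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:10:09'; Id = 4625; Account = 'jsmith'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:10:14'; Id = 4625; Account = 'jsmith'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:10:20'; Id = 4625; Account = 'jsmith'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:10:27'; Id = 4625; Account = 'jsmith'; Source = '203.0.113.7' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 09:15:00'; Id = 4625; Account = 'akhan';  Source = '10.0.0.21' }
    [pscustomobject]@{ Time = [datetime]'2024-05-06 02:12:00'; Id = 4720; Account = 'svc-backup2'; Source = 'DC01' }
)

function Find-SuspiciousLogonActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 5,                      # assumed: failures that trigger an alert
        [timespan] $Window = [timespan]::FromMinutes(10)  # assumed: window for those failures
    )
    $findings = @()
    # Group failed logons (4625) by account and look for a burst inside the window
    foreach ($group in ($Events | Where-Object Id -eq 4625 | Group-Object Account)) {
        $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        for ($i = 0; $i + $FailureThreshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $FailureThreshold - 1] - $times[$i]) -le $Window) {
                $findings += [pscustomobject]@{
                    Type = 'RepeatedFailedLogons'; Account = $group.Name
                    Detail = "$FailureThreshold failures within $($Window.TotalMinutes) min from $($times[$i])"
                }
                break
            }
        }
    }
    # Every account creation (4720) is worth reviewing; off-hours creations doubly so
    foreach ($e in ($Events | Where-Object Id -eq 4720)) {
        $offHours = ($e.Time.Hour -lt 7) -or ($e.Time.Hour -ge 19)   # assumed business hours 07:00-19:00
        $type = if ($offHours) { 'AccountCreatedOffHours' } else { 'AccountCreated' }
        $findings += [pscustomobject]@{
            Type = $type; Account = $e.Account; Detail = "created on $($e.Source) at $($e.Time)"
        }
    }
    return $findings
}

Find-SuspiciousLogonActivity -Events $sampleEvents | Format-Table -AutoSize
# With live data, collect with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4720}
# and map TimeCreated, Id and the target account name into the same object shape.
```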
4. Aspire Towards Zero Trust
Zero Trust is a cybersecurity framework operating on the principle that nothing and no one, either outside or inside a company’s private network, can be trusted.
While few small businesses possess the budget or resources to engage the full arsenal of Zero Trust techniques and strategies, small business owners still have access to a range of proven best practices at their disposal to minimize their IT attack surface.
Regardless of your business size, you’ll want to implement these essential technical controls:
Least-Privilege Access
Adopt and enforce a least-privilege model, in which each user has only as much access to systems and resources as they need to fulfill their duties.
Tighten your oversight and control by assigning access rights to groups of users who share a certain privilege level, rather than to individual accounts. By strictly enforcing the least-privilege model, you will limit the scope of damage from a compromised user account and also boost the effectiveness of your response measures.
Keep a close watch on any anomalies or changes to your permissions structure. Track and disable inactive user accounts in a timely manner to eliminate dormant accounts that attackers could otherwise hijack unnoticed.
It’s also important to periodically review your permissions structure and shore up any vulnerabilities or inconsistencies with your current workforce structure. Monitor all changes to password policies, password settings and account settings, as an unauthorized change may indicate the presence of an attacker.
Strong Passwords and Authentication
Nearly half of the SMBs surveyed by Ponemon experienced a security breach due to weak employee passwords.
Weak passwords can allow bad actors to gain access to and control of multiple accounts, because a password reused across several accounts lets one compromised credential unlock all of them. However, as discussed earlier, a strong password policy eliminates this key vulnerability.
Depending on your office security and internet security requirements, you might want to augment your password policy with controls such as multifactor authentication, which requires one or more additional forms of authentication beyond the password.
Remember that a password policy is only as strong as your enforcement of it. Here are some best practices to ensure that your users stay in compliance with mandated standards:
- Lock user accounts automatically after several unsuccessful password attempts
- Use Group Policy Objects (GPOs) to enforce password policies for Active Directory domains
- Identify accounts with no password requirements (or passwords that never expire) and tighten these authentication requirements according to your policy
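The three enforcement checks above, as an added example that is not code from the article or from Netwrix. The user list is constructed so the script runs offline; the inactivity threshold is the example's own assumption.

```powershell
# Added example (not from the original article): report enabled accounts that
# escape the password policy, and show where the lockout setting is read from.
# $sampleUsers is constructed; against a real domain replace it with
#   Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName='jsmith';   Enabled=$true; PasswordNeverExpires=$false; PasswordNotRequired=$false; LastLogonDate=(Get-Date).AddDays(-3) }
    [pscustomobject]@{ SamAccountName='svc-scan'; Enabled=$true; PasswordNeverExpires=$true;  PasswordNotRequired=$false; LastLogonDate=(Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName='temp01';   Enabled=$true; PasswordNeverExpires=$false; PasswordNotRequired=$true;  LastLogonDate=$null }
    [pscustomobject]@{ SamAccountName='old-user'; Enabled=$true; PasswordNeverExpires=$false; PasswordNotRequired=$false; LastLogonDate=(Get-Date).AddDays(-120) }
)

function Get-PasswordPolicyExceptions {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $InactiveDays = 90    # assumed: accounts unused this long should be disabled
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    foreach ($u in ($Users | Where-Object Enabled)) {
        $issues = @()
        # Accounts flagged "password not required" bypass the policy entirely
        if ($u.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }
        # Non-expiring passwords defeat the regular-change rule
        if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
        # Never-used or long-unused accounts are candidates for disabling
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
            $issues += "InactiveOver${InactiveDays}Days"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Account = $u.SamAccountName; Issues = ($issues -join ', ') }
        }
    }
}

Get-PasswordPolicyExceptions -Users $sampleUsers | Format-Table -AutoSize

# Automatic lockout after repeated failures is set in the Default Domain Policy GPO;
# the effective values can be read from a domain-joined machine with:
#   Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, MinPasswordLength
# A LockoutThreshold of 0 means accounts never lock out.
```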
Email Security
Email communication can easily become a vulnerable attack surface for cyber criminals and malware, as negligent or distracted users are frequently tricked into opening dangerous links embedded within messages.
Employee education about phishing and malware can help increase the security of your small business’s email channels. Other protective measures include message encryption, along with spam filters and antivirus software that screen out potential threats before they can reach unsuspecting users.
System and Network Security
Be sure to equip your IT systems with the most up-to-date security features by regularly installing patches and updates for your organization’s software and hardware.
Always monitor changes and access events on your critical systems, including file-sharing systems and database servers. Harden your company’s network perimeter with appropriate firewalls, and configure your internal Wi-Fi network securely to protect the mobile and endpoint devices that connect to it. Set up secure VPN tunnels to enable remote access to IT assets as well.
System and Data Backup
Keep redundant backup copies of your critical systems and databases in a secure location outside your IT infrastructure. This practice allows you to quickly recover assets after an attack and prevent the incident’s impact from spreading to all copies of your valuable data.
For example, external backups can help your organization mitigate the damage caused by an instance of ransomware that renders your system inaccessible by encrypting its contents.
5. Secure Your Infrastructure with the Right Tools
Your small business solutions should feature a portfolio of effective technology and tools geared towards protecting your IT infrastructure from cyber criminals. Implementing and supporting sophisticated security tools can be a resource intensive exercise. However, implementing the following tools will sufficiently cover your bases:
- Firewalls: Firewalls are your first line of defense and can be standalone systems or be included in other devices, such as routers or servers. They are available as both hardware appliances and software.
- Anti-malware software with both business antivirus and anti-spyware functionality: This software scans, identifies and eliminates malware, such as viruses, computer worms, ransomware, rootkits, spyware, keyloggers, etc., from your systems and devices. It can be deployed on PCs, a gateway server or on a dedicated network appliance.
- Encryption solutions: Encryption solutions allow users to encrypt devices, email and data. They can be either software- or hardware-based. Encrypting devices ensures that the data stored on them is protected if the device is stolen, lost or misused. Encrypting emails ensures that your data is safe even if your email account or logon information ends up in the wrong hands. The same is true for data; encrypting data helps ensure it remains secure should it fall into the hands of unauthorized actors (unless they have the decryption key).
- Backup and recovery software: A solution against everything from accidentally deleting important documents to ransomware attacks, backup software that creates an off-site backup will help you ensure business continuity and spare you from having to pay exorbitant fees to attackers.
- IT auditing solutions: Tracking changes and access events manually or using your systems’ native capabilities is cumbersome and time-consuming, and time is a precious resource small businesses don’t have enough of. As such, it’s crucial for your security that you have a specialized solution that quickly grants visibility into activities and access events, keeps you alerted about threat patterns and helps you understand the current state of your infrastructure.
Netwrix Auditor offers a centralized platform for monitoring your IT infrastructure across a variety of systems, including Active Directory, Office 365, SharePoint, database servers and network devices. Learn how Netwrix Auditor can help ease the burden of tracking the various parts of your small business IT infrastructure.