10 Cybersecurity Tips for Small Businesses

A cyber threat is an attempt to maliciously steal data and cause disruption. In 2019, the number of data breaches in the United States amounted to 1,473, with over 164.68 million sensitive records exposed, according to Statista.

Awareness of cyberattacks has certainly increased. As individuals and businesses become more conscious of the need to protect their devices and data and take measures to secure what they can, cyber criminals have stepped up their game significantly. Cyber threats have escalated in number, complexity, and sophistication.

Cyber threats may or may not happen, and the fear of the unknown continues to pervade most organizations. However, taking precautions after a breach has occurred may be a little too late. PayPal CEO Dan Schulman is quoted as saying that in the cyber community, there are two types of companies: those who have been hacked and those who do not know they have been hacked.

The ways in which cyber threats infiltrate small business devices and networks continue to increase. Some of the tried and true, such as phishing, still plague organizations of all sizes. Here is a look at a few cyber threats small businesses need to be aware of.

A phishing attack usually targets users directly through email, although other forms of communication, including text messaging, have been used for phishing. Social engineering is at play in a phishing attempt, as attackers disguise themselves as trusted contacts or sources to get victims to part with personal data such as passwords or banking/credit card numbers.

For small businesses, phishing can have far-reaching consequences. If a single cyber criminal can gain entry to just a single device used by a business or its users, that cyber criminal can gain access to the entire network of devices, leaving the organization vulnerable to loss. 

For more information on the different types of phishing scams and what businesses can do to stop them, download our Phishing Education Guide.

Though not the most common cyberattack, in a watering-hole attack, the cyber criminal targets a specific group of individuals or businesses that share the same interests and frequent the same website types. It will then infect one of those sites with malware. The idea is that if one of the individuals or businesses visits the website and gets infected, then all of the others will as well.

Like with phishing, social engineering is at work in this type of attack. Since the individuals or small businesses in the group trust each others' choice of websites, there is no reason not to visit them—unknowingly downloading malware to their devices at the same time.

Drive-by downloads occur when a user downloads software to their computer inadvertently. Many times, the software might not be malicious, but other times, the download is intended to do one or more of the following:

1. Spy on activity, such as recording keystrokes to capture passwords
2. Hijack the device by exploiting security flaws
3. Infect the device by downloading even more software or files that ultimately render the device useless

Drive-by downloads often occur when operating systems have not been updated or software patches have not been installed.

Malware is an umbrella term for any form of malicious software. Viruses are the most common, but malware also includes spyware, ransomware/hostageware, malvertising, worms, and Trojans. Many businesses are unaware that malware has been installed on one or more of their devices, or even on their entire network. 

Small businesses have several opportunities to strengthen their defenses against a cyberattack. Below are a few that can be incorporated with little to no additional expense.

Most people never consider that software or systems need to be manually updated because they are used to automatic updates on their PCs and laptops, especially from Windows or Windows-based programs.

However, some software, such as the Wi-Fi router's firmware, needs to be manually updated. Software updates include security patches, which are necessary in the fight against cyber threats. Without these new patches, a router—and the devices connected to it—remain vulnerable. As such, businesses should update their wireless routers' firmware, in addition to all of the devices in the workplace—printers, scanners, and the like.

According to a study cited by a CNBC report, employee negligence is the main cause of data breaches. Nearly half, 47%, of businesses pointed to human error, such as accidental loss of a device by an employee, as the reason behind a data breach at their organization. Therefore, it is imperative that businesses take the time to train employees on cybersecurity measures.

Strong passwords that are hard to figure out—20 characters in length, including numbers, letters, and symbols—are a must in the fight against cyber threats. The more difficult to crack a password, the less likely a brute-force attack will be successful. As an additional measure, small businesses should incorporate multi-factor authentication (MFA) into their employees' devices and apps. 

There are password keepers, apps for storing and managing passwords, that not only keep track of passwords but also set reminders when they are due for an update.

Risk assessments might sound like something only large enterprises have time and money to carry out. Yet, small businesses should consider incorporating them into their cybersecurity processes.

Businesses should brainstorm "what if" scenarios for cybersecurity, especially as they relate to data storage. Data is most likely stored in the cloud. As such, businesses can lean on their cloud storage provider to help them perform a risk assessment to determine what threats, if any, exist and what measures can be taken to strengthen data security.

A VPN allows employees to securely access a company's network when working from home or traveling. This is necessary because employees often use the internet for access, which is not as secure as the company's network. 

VPNs mitigate the effects of a cyberattack because VPNs also encrypt data. As such, they can serve as an extra measure of security when employees are using their home wireless network, a network at another worksite or a café or restaurant, or a public internet access point. 

Backing up files might seem like a rather 1990s way to protect data, but even in the modern world of cloud storage and backup, it is relevant. According to the National Cybersecurity Alliance, small businesses continue to evaluate the decision to trust their data to AWS, Microsoft Azure, or Google, expecting these companies to provide backups. However, storing copies of data offline is not a bad idea and can even provide cost savings in the long run.

The number of viruses has multiplied exponentially over the years, so businesses should ensure that antivirus software is installed properly. Antivirus software should be installed not only on corporate-owned devices but also on devices owned by employees that are used for work-related purposes. 

The antivirus software also needs to be updated regularly. Updates could be automatic or may need to be performed manually.

Businesses must secure their wireless networks in as many ways as they can. Two easy things they can do is change the router's default name and password. It is important to change the router's name to a name that does not automatically give the name of the business away. 

Next, encrypt the wireless network to the strongest protocol available, which is currently Wi-Fi Protected Access 3 (WPA3), as advised by the Wi-Fi Alliance. Yet another way to ensure that the Wi-Fi network remains secure is to constantly check that all of the devices connected to the network are also secure—using strong passwords and data encryption. 

Small businesses rely on their banks and card processors to make sure that all anti-fraud measures are in place. In addition to physically handling customers' cards with extra care, the security protocol of the business's wireless network—again—needs to be set to the strongest, WPA3. 

The PCI Security Standards Council prohibits retailers from processing credit card data using the older Wired Equivalent Privacy (WEP) protocol, which was abandoned in 2003. 

As with access to a building or physical assets, unauthorized individuals should be prevented from potentially gaining access to laptops, PCs, scanners, and other devices the business owns. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft.

For devices that are used by multiple employees, businesses should consider creating separate user accounts and profiles for additional protection.