Cyberattacks are a concern for small businesses. Learn about cybersecurity threats and how to protect yourself.
Why cybersecurity matters
Cyberattacks cost the U.S. economy billions of dollars a year. They also pose a threat for individuals and organizations. Businesses can be attractive targets for cyber criminals. Small businesses in particular may lack the means to protect their digital systems.
Surveys have shown that many small businesses feel vulnerable to a cyberattack. Many small businesses cannot afford professional IT solutions. They may also lack time to devote to cybersecurity, or may not know where to begin.
Start protecting your small business by:
- Learning about cybersecurity best practices
- Understanding common threats
- Dedicating resources to improve your cybersecurity
Best practices for preventing cyberattacks
Train your employees
What is the leading cause of small business data breaches? Employees and work-related communications. They are direct pathways into your systems. Train your employees on internet usage best practices. This can help in preventing cyberattacks.
Other useful training topics include:
- Spotting phishing emails
- Using good internet browsing practices
- Avoiding suspicious downloads
- Enabling authentication tools (strong passwords, Multi-Factor Authentication, etc.)
- Protecting sensitive vendor and customer information
Secure your networks
Safeguard your internet connection by encrypting information and using a firewall. If you have a Wi-Fi network, make sure it is secure and hidden. This means setting up your wireless access point or router so it does not broadcast the network name. This is also called the Service Set Identifier (SSID). Make sure your router is password protected. If you have employees working remotely, they should use a Virtual Private Network (VPN). A VPN will connect to your network securely from their location.
Use antivirus software and keep all software updated
Install antivirus software on all business’s computers, and update them regularly. Antivirus software can be found online from a variety of different vendors. All software vendors provide patches and updates to correct and improve security and operations. It is best to configure your software to install updates automatically. Also update all operating systems, web browsers, and other applications. This will help secure all business data.
Enable Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an important security measure. It verifies someone’s identity by requiring more than a username and password alone. MFA may require users to provide two or more of the following:
- Something the user knows (password, phrase, PIN)
- Something the user has (physical token, phone)
- Something that physically identifies the user (fingerprint, facial recognition)
Check with your vendors to see if they offer MFA for any of your accounts (for example, financial, accounting, payroll).
Monitor and manage Cloud Service Provider (CSP) accounts
Using a CSP to host information and collaboration services adds needed security, especially under a hybrid work model. Software-as-a-Service (SaaS) providers for email and workplace productivity can help secure data.
Secure, protect, and back up sensitive data
- Secure payment processing – Work with your banks or card processors to ensure you are using the most trusted tools and anti-fraud services. You may also have security obligations related to agreements with your bank or payment processor. It’s best to isolate payment systems from less secure programs. For example, do not use the same computer to process payments and casually browse the internet.
- Control physical access – Prevent access to business computers from unauthorized individuals. Laptops and mobile devices can be easy targets for theft and can be lost, so lock them if they are unattended. Make sure each employee has a separate user account, and that accounts require a strong password.
- Restrict privileges – Administrative privileges should only be given to trusted IT staff and key personnel. Perform access audits within your business on a regular basis. This ensures that former employees are removed from your systems. When applicable, former employees should return all company-issued devices.
- Back up your data - Regularly back up data on all your computers. If possible, perform data backups to cloud storage on a weekly basis. This will help minimize data loss. Critical data may include:
- Financial, human resources, and accounting files
- Word-processing documents, electronic spreadsheets, and online databases
- Control data access - Audit the data and information you are housing in cloud storage repositories on a regular basis. This can mean audits of your Dropbox, Google Drive, Box, and Microsoft Services. Appoint administrators for cloud storage drive and collaboration tools. Instruct administrators to monitor user permissions as well. Employees should have access to only the information they need.
Common threats
While it’s important to use best practices in your cybersecurity strategy, preventative measures only go so far. Cyberattacks constantly change, and business owners should be aware of the most common types. To learn more about a specific threat, click on the link provided to view a short video or fact sheet.
- Malware (malicious software) is software designed to harm a computer, server, or computer network. Malware can include viruses and ransomware.
- Viruses are harmful programs intended to spread from device to device like a disease. Cyber criminals use viruses to gain access to your systems. This can cause significant and sometimes unrepairable issues.
- Ransomware is a type of malware. It infects and restricts access to a computer until the owner provides some sort of ransom. Ransomware can encrypt data on a device, and demand money in return for a promise to restore it. Ransomware exploits unpatched vulnerabilities in software and is usually delivered through phishing emails.
- Spyware is a form of malware. It gathers information from a target and sends it to another entity without consent. Some spyware is legitimate and legal. It may operate for commercial purposes, like advertising data collected by social media platforms. Malicious spyware, however, illegally steals information and sends it to other parties.
- Phishing is a common type of cyberattack. It can use things like links in an email to infect your system with malware to collect sensitive information. Phishing emails can appear legitimate, or appear to be sent from a known entity. These emails often entice users to click on fraudulent links or open attachments containing malicious code. Be cautious about opening links from unknown sources. If something seems suspicious from a known source, don’t click on it – ask the source directly if it’s legitimate.
Assess your business risk
To improve your business’s cybersecurity, it’s best to understand the risk of an attack. It’s also important to know where you can safeguard your data and systems.
A cybersecurity risk assessment can identify where your business is vulnerable. It can also help create a plan of action. This plan of action should include:
- Guidance on user training
- Information on securing email platforms
- Instructions for protecting your business’s information systems and data
Planning and assessment tools
There’s no substitute for dedicated IT support, even if expensive. This can be an employee or external consultant. Here is a list of measures that all businesses can take to improve their cybersecurity.
- Create a cybersecurity plan. The Federal Communications Commission (FCC) offers a cybersecurity planning tool (The Small Biz Cyber Planner 2.0). This tool can help you build a custom strategy and cybersecurity plan.
- Conduct a Cyber Resilience Review. The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the Cyber Resilience Review (CRR). This is a non-technical assessment to test operational resilience and cybersecurity practices. You can either complete the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
- Conduct vulnerability scans. These are offered through the Cybersecurity and Infrastructure Security Agency (CISA). CISA offers scanning and testing services that assess exposure to threats to help keep systems secure. DHS also offers free cyber hygiene vulnerability scanning for small businesses.
- Manage information communication technology (ICT) supply chain risk. Use the ICT Supply Chain Risk Management Toolkit to help shield business information and communications from supply chain attacks. Developed by CISA, this toolkit includes resources designed to raise awareness and reduce the impact of supply chain risks.
- Take advantage of free cybersecurity services and tools. CISA has a list of free cybersecurity resources like open-source tools and services offered by private and public sector organizations, along with guidance for small businesses. Additionally, the FTC has guidance on how to protect yourself from scams and keep your customers’ data safe.
- Maintain DoD industry partner compliance (if applicable). Federal contractors and subcontractors should be aware of the Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program for cybersecurity standards and requirements. Under CMMC, companies must implement security measures depending on the information’s sensitivity. These will be assessed accordingly. Rulemaking is currently in progress, but contractors should be aware of requirements. You will need to meet a certain CMMC level is as a condition of contract award.