The Essential Cybersecurity Tips List for SMBs

Published on
August 31, 2023
Hailey Carlson

Small- and medium-sized businesses, or SMBs, include entities with anywhere from fewer than 100 employees to just under 1,000. Another way to distinguish SMBs is by revenue: small businesses are organizations that make $50 million or less in revenue annually, and medium-sized businesses generate somewhere between this figure and just under $1 billion.

There are over 33 million businesses in the US with 500 employees or fewer, and entities with 999 employees or fewer make up nearly 99.9% of all businesses in America today. Despite making up such a large portion of the workforce, only 14% of SMBs surveyed have a cybersecurity incident plan in place. This is especially worrying given how likely it is that an SMB will be targeted in a cyber attack: 43% of all cyber attacks are targeted at small- and medium-sized businesses.

These companies can have as few as one employee, and though the revenue for an SMB can be high, this is not always the case, particularly for those just starting out. For these businesses, any additional costs are likely not welcome, and cyber attacks are very costly: on average, SMBs spend between $826 and $653,587 in response to a cybersecurity event. This shows that, while the idea of adding cybersecurity measures may be daunting to an SMB, it is crucial to implement elements of cybersecurity in order to protect your business and the essential information associated with it. Below are some key steps that anyone can take today to get their business started on the right foot with cybersecurity and keep it well protected.

1 - Practice good password hygiene

The first step in any cybersecurity approach is good password hygiene. This means creating a unique password for each account login you set up and making sure that each password is difficult to guess by using the whole keyboard to your advantage: uppercase letters, lowercase letters, numbers, and symbols. It can feel overwhelming to keep up with all of the various credentials needed to operate successfully today; however, there are a couple of things you can do to make remembering your unique passwords a bit easier.

One way is to utilize the passphrase approach, where you make each password a short sentence (without the spaces) and replace some letters with numbers and symbols while varying the cases of the letters included. Even though this can make it a little easier to recall a password for a given account, as an SMB owner or employee you likely have a lot going on, and remembering every login can be difficult on top of your full plate of work.

There are many free password managers available for keeping up with these credentials. A password manager acts as a database where you store all of your logins safely, protected behind one password. If you use a password manager, be sure to choose a complex, hard-to-guess password for this particular account, as it protects all of your other data. Practicing good password hygiene is the most basic cybersecurity step, and it should be taken not only in our work lives but in our personal lives as well. It is a free step that we can all take.
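The passphrase approach and the one-password-per-account rule from this section, as an added Python example that is not part of the original article: `make_passphrase` joins randomly chosen words without spaces, varies the case and swaps in one number and one symbol, and `audit` flags passwords that are reused or missing a character type. The word list, substitution tables and function names are assumptions made for illustration, and a real word list should be far larger.

```python
import secrets
import string

# Constructed sample list; a real word list should hold thousands of entries.
WORDS = ["coffee", "garden", "invoice", "purple", "bridge", "sunset",
         "ledger", "market", "window", "planet", "silver", "tracker"]
DIGIT_SUBS = {"e": "3", "i": "1", "o": "0"}   # assumed substitution tables
SYMBOL_SUBS = {"a": "@", "s": "$"}
ALL_CLASSES = {"upper", "lower", "digit", "symbol"}

def _swap_one(chars, table, fallback):
    """Swap one random lowercase letter listed in table, or append a fallback."""
    spots = [i for i, c in enumerate(chars) if c in table]
    if spots:
        i = secrets.choice(spots)
        chars[i] = table[chars[i]]
    else:
        chars.append(secrets.choice(fallback))

def make_passphrase(n_words=4):
    """Random words, capitalised, joined without spaces, one number, one symbol."""
    chars = list("".join(secrets.choice(WORDS).capitalize() for _ in range(n_words)))
    _swap_one(chars, DIGIT_SUBS, string.digits)
    _swap_one(chars, SYMBOL_SUBS, "!#%&*")
    return "".join(chars)

def character_classes(password):
    """Return which of the four character types appear in the password."""
    found = set()
    for c in password:
        if c.isupper():
            found.add("upper")
        elif c.islower():
            found.add("lower")
        elif c.isdigit():
            found.add("digit")
        elif not c.isspace():
            found.add("symbol")
    return found

def audit(accounts):
    """Map each account name to the hygiene problems found for its password."""
    owners = {}
    for name, pw in accounts.items():
        owners.setdefault(pw, []).append(name)
    report = {}
    for name, pw in accounts.items():
        problems = ["reused"] if len(owners[pw]) > 1 else []
        missing = ALL_CLASSES - character_classes(pw)
        if missing:
            problems.append("missing: " + ", ".join(sorted(missing)))
        report[name] = problems
    return report
```

The strength of a generated passphrase comes mainly from the random choice of words, so the word list matters more than the substitutions.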

2 - Utilize Multi-Factor Authentication

Once you have strong passwords in place, it can also be a good idea to set up multi-factor authentication (MFA) whenever it is offered by a website or application that you have an account with. MFA is typically in the form of a one-time code sent to an associated contact method, such as a phone number or email address, that you entered when setting up the account. Be sure to use up-to-date information when setting up your accounts (email addresses that you have access to and your current phone number, for example) so that when a code is sent for MFA, you receive it and can then log in to your account. This adds an extra layer of protection because someone needs not only your password to access data, but also this unique, one-time code. The more obstacles that stand between cybercriminals and your SMB’s data, the better, particularly one such as this, which takes little extra time or effort to implement.

3 - Update devices regularly

Another simple, free step that will benefit your SMB’s cybersecurity defenses is updating any devices used for your work. Updating on a regular basis ensures that any vulnerabilities detected by the manufacturers of those devices are patched and no longer left open as potential entry points for malicious actors to gain access to your business.

4 - Set up antivirus software

Once your devices are up to date with the latest updates offered, be sure to have antivirus software in place to help automate some of your threat detection. A virus or malware can infect your computer and then work its way into your network, so implementing antivirus software (and keeping it updated too) can help add a layer of protection for your business without any added time needed from you.

5 - Implement a firewall

A step beyond downloading antivirus software is setting up a firewall. A firewall acts as an automated fence (or wall) around your network: it monitors the flow of traffic in and out and identifies any abnormalities or suspicious activity. When a firewall is first implemented, you have the ability to establish security policies so as to protect your data even further. Where antivirus software protects the device it is on, a firewall protects the compound that is your company’s network.

6 - Back up your files frequently

Similar to updating devices regularly is backing up your key files on a consistent basis. You can do this by linking to the cloud; however, some cyber experts are a little wary of trusting the cloud with essential data, as it can be vulnerable to attack. Another way to do this is to save files to a server separate from the main server used for day-to-day operations. The reason that you will want to back files up to a separate location from your local network is that, in the event of a cyber attack, cybercriminals gain access to the network as a whole; if you keep your backups on the same network as the files and data you are operating with, they will be just as accessible. Another way to back up your SMB’s data is to save it in physical form via printed files. If you take this approach, be sure to protect these files from being easily accessible to anyone and to destroy old versions of data that are no longer needed.

7 - Create an incident response plan

Though no one wants to think about it, a cyber attack may well be attempted on your business at some point. Many SMB owners wonder why a cybercriminal would target their business when they do not have the money or power that large corporations have. In reality, malicious actors are only after data, which they can steal and sell online or hold for ransom; their intentions are self-centered, and they do not care about the impact on the business, regardless of size. Additionally, because SMBs often do not implement any sort of cybersecurity measures, they are easy targets for these nefarious folks. It is better in this case to prepare for the worst so that you can keep operating at your best. An incident response plan can be as basic or robust as your business allows. If you have a dedicated IT team, be sure they take on the task of creating a response to each type of cyber attack. If you are just starting out and do not have as many resources at your disposal, be sure to identify the key data you need for operating, then the next levels of important data, and so on. If this is a daunting task, which it understandably may be, be sure to get some help from local cybersecurity professionals so as to keep your business protected no matter what.

8 - Train employees

If you are an SMB of more than one employee, you will need to train your staff on many things; be sure that one of those things is cybersecurity. Teach anyone who works for or with you what the expectations are for operating in a secure manner for your business. Include some of the tips above as a base for your cybersecurity training and expand as needed. Be sure that key members know their roles in the event of a cybersecurity incident, and ensure all employees have the contact information of someone who can help them if they have any questions about a suspected vulnerability or issue.
