Five tips for securing small businesses against cyberattacks

May 8, 2023
The size of an organization doesn’t reduce its vulnerability to cybercriminals

With National Small Business Week having just ended, many SMBs mistakenly presume they’re safe from cybercriminals. For most, even the idea that they might be a target seems far-fetched. “We’re just a small business without much intellectual property,” they think. “Who would target us?” But what they often don’t realize is that even the smallest business has monetizable assets, including customer PII and computing resources, both of which are attractive to bad actors and can serve as jumping-off points for larger attacks. They may even be part of the supply chain of a larger target without realizing that this puts them at risk. As a result, to attackers SMBs offer an irresistible combination of valuable assets and minimal defenses, which is why they account for 43% of cyberattacks annually.

But if you’re a small business and think you don’t have the expertise or resources to protect yourself, there are steps you can take to prevent some common attacks. The following simple and effective cybersecurity tips for small businesses can help you defend your business and protect your online systems.

1. Enable MFA

No matter what size of business you run, you should find a way to add multi-factor authentication (MFA) to your corporate and web-based logins, as well as any privileged access. By combining multiple factors of authentication, like something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password), even if an attacker gains access to one factor, like a password, through email phishing, they’ll have to gain additional access to a second (and sometimes third) authentication factor before they can take over an account.

MFA is not new. It’s been available for decades but is most commonly used by governments and large enterprises due to cost and complexity. However, over the past few years, it has become more accessible to even the smallest businesses, personal devices, and accounts. Today, it’s one of the most effective and important authentication best practices you can adopt. The latest cloud-based MFA solutions often require no specialized hardware and can use your employees’ smartphones to authenticate. If you combine the right factors, MFA can even be easier to use than traditional passwords, just requiring you to look at your phone (biometric) and press ‘approve’ on one push notification – totally passwordless.

2. Use Strong Passwords & Password Managers

While authentication technologies like MFA are becoming more common, passwords still play a huge role in cybersecurity and strong passwords are essential. To increase their strength, create passwords that are at least 16 characters long with alphanumeric characters, uppercase and lowercase letters, and symbols, or use long passphrases. Most importantly, passwords should be unique for every login (never, ever reuse passwords).

Of course, having to create, remember and use many long, complex passwords isn’t easy and can lead to bad practices (like using slightly altered versions of the same password across multiple accounts). With literally billions of stolen passwords available online, cybercriminals can easily guess a password that’s based on an existing or old one. To make it easier for employees to practice good password hygiene, encourage the use of password managers to create and use unique, complex passwords. They make it simple to auto-generate and securely vault complex passwords, requiring you to remember only the master password for the vault. Combining strong passwords, password managers and MFA can stop the most frequently exploited cybersecurity weakness.
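As an added illustration (not code from the article or from WatchGuard), the following Python snippet turns the rules above into a checker: a password must be at least 16 characters mixing upper, lower, digit and symbol, or be a long passphrase, and it must not be a slightly altered version of an earlier one. The four-word passphrase threshold and the edit-distance cutoff of 3 for "too similar" are assumptions chosen for the example; the generator mirrors what a password manager does when it auto-creates a vaulted password.

```python
import re
import secrets
import string

# Policy from the article: >= 16 chars mixing character classes, or a long passphrase,
# and never a lightly altered reuse of an old password. Thresholds below are assumptions.
MIN_LENGTH = 16
PASSPHRASE_MIN_WORDS = 4   # assumption: what counts as a "long passphrase"
MAX_REUSE_DISTANCE = 3     # assumption: this many edits from an old password still counts as reuse


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'Summer2022!' -> 'Summer2023!' style reuse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_complex(pw: str) -> bool:
    """True if pw is long enough and contains upper, lower, digit and symbol characters."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation]
    return len(pw) >= MIN_LENGTH and all(any(f(c) for c in pw) for f in classes)


def is_passphrase(pw: str) -> bool:
    """True if pw is a long passphrase made of several words."""
    words = re.findall(r"[A-Za-z]+", pw)
    return len(pw) >= MIN_LENGTH and len(words) >= PASSPHRASE_MIN_WORDS


def check_password(pw: str, previous: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not (is_complex(pw) or is_passphrase(pw)):
        problems.append(f"needs >= {MIN_LENGTH} chars mixing upper/lower/digit/symbol, "
                        f"or a passphrase of {PASSPHRASE_MIN_WORDS}+ words")
    if any(_edit_distance(pw.lower(), old.lower()) <= MAX_REUSE_DISTANCE for old in previous):
        problems.append("too similar to a previously used password")
    return problems


def generate_password(length: int = 20) -> str:
    """What a password manager does: a random, vaultable password that satisfies is_complex()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_complex(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample: the "slightly altered" reuse pattern the article warns about.
    print(check_password("Summer2023!", ["Summer2022!"]))
    print(check_password("correct horse battery staple", []))
    print(generate_password())
```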

3. Educate Your Workforce

Employees are an SMB’s first line of defense in the face of a cyberattack, so they need to know the possible dangers and techniques criminal hackers may use to try to break in. Employee training and education should focus on the best security practices for handling various online communications, such as email and web browsing, how to spot social engineering techniques threat actors commonly employ, and the acceptable use practices of your organization to ensure they don’t accidentally mishandle sensitive data or engage in behaviors that put you and your company at risk.

If you’re a business owner or leader, do your part to help socialize the importance of cybersecurity within your business. Make sure employees understand the potential consequences of a breach (loss of data, reputational damage, loss of revenue, etc.). Also, encourage employees to understand how their own personal cybersecurity awareness will affect their own private life too, as this approach often helps people better understand the risks and take them more seriously. Examples of this could include devoting time to sharing cybersecurity updates during company-wide “town hall” meetings, having leaders share their thoughts on upcoming training or even a quarterly award for best cybersecurity practices.

While cybersecurity is a serious topic, that doesn’t mean it has to be boring and dry. The best education programs use fun and play to encourage an engaging learning atmosphere. Use education and training programs that focus on employee interaction. Most importantly, reward the individuals who do the right things or are the most engaged. In my experience, carrots go further than sticks when it comes to changing behaviors.

4. Update Your Devices

Malicious actors are constantly on the hunt for vulnerabilities in software and hardware that will allow them to infiltrate your devices and networks, which is why it’s so important to regularly update your software and devices with the latest patches and security updates. While it might seem tedious to do, a software update with the latest protections might be the only thing that stands between you and a cybercriminal breaching your network.

According to the data from our Threat Lab's quarterly Internet Security Report, a huge majority of network exploits attempted online are targeting old, unpatched software vulnerabilities. The simple act of updating your operating systems, software, and hardware greatly reduces the attack surface of your network, making it harder for criminals to steal data or deliver malware such as ransomware.

5. Consider Outsourcing Your Security to an MSP

Many often assume that only large enterprises need and can afford to hire cybersecurity experts to protect them from cybercriminals and online threats. That might be true if you are talking about full-time employees who work directly for only their company. And traditionally, small businesses focus their limited IT resources on everything but cybersecurity. But now more than ever, small businesses need a strong information security program, too. While hiring a full-time, in-house cybersecurity expert or team might not be practical, many SMBs can get enterprise-grade security by working with a managed service provider (MSP) or specialized managed security service provider (MSSP). MSPs (and MSSPs) can provide SMBs with security services such as network, endpoint and server security, strong authentication security, and 24/7 security monitoring services like managed detection and response (MDR) through an affordable subscription with very little hassle or setup. The cost of an MSP will almost always be less than the cost of dealing with and recovering from a cybersecurity incident. If you can’t afford your own security team, you can benefit from the scale and affordable services offered by MSPs.

Small Doesn’t Mean Invincible

Remember, just because you’re a small business doesn’t mean you are a less attractive target to cybercriminals; in fact, it means just the opposite. SMBs often lack security resources, their IT teams are unprepared, their infrastructure is underfunded, and their employees are less informed. Events like Small Business Week are excellent opportunities to remind yourself that your size doesn’t reduce your risk profile. Phishing attacks, ransomware, breaches, supply chain attacks, and more have affected many SMBs before. Take steps now to prevent cyberattacks so you don’t have to pay the exponential expense of dealing with one’s aftermath.

About the author: Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology and security vision and direction. He has operated at the frontline of cybersecurity for 22 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. Find him on www.secplicity.org.
