Simplicity is the friend of security. If a control is simple, it’s usually understood and thus more readily accepted. Moreover, keeping things simple means actions can be followed, repeated by others, and justified. Complexity is often the enemy of both business and security: the simpler things are, the more control is possible. Regarding cybersecurity for small businesses, there is no space for complexity — so, it’s best to keep things as simple as possible. Cybersecurity is about access control, confidentiality, integrity, and availability (AC-CIA). By focusing efforts on these principles rather than on the technology itself, simplicity can be maintained. Technology is a tool. It’s surprising how many people believe that spending more money on technologies (tools) will equate to more security. This is not always the case. Spending money does not always equate to improved cybersecurity. However, using the right control, balancing its simplicity against its effectiveness, and layering the defense does.
Adequate security helps a business to avoid a breach — layering the controls helps to prevent one. Many simple steps, like not exposing systems and data that don’t need to be exposed and limiting access to only those who need it, can help immensely. It’s important to remember that no security layer is unbreakable. However, together the layers make the defense stronger — the more layers, the more resilient the defense is to attack, and thus the greater the likelihood of preventing a breach.
Cybersecurity for small businesses: 7 steps to consider
Educate the staff
First, educate the staff so that they know what to do and when to do it. Having some basic awareness and knowing how to deal with a cybersecurity incident before being confronted with one will alleviate the panic when something happens, especially for small businesses that do not have the support of a high-budget IT team. It does not need to be a costly exercise. There are many resources on the internet to help with this initiative, and educating staff does not require the purchase of software or tools.
NIST is a great resource, and this link can help with establishing a cybersecurity awareness program or improving one already in place.
Building a culture of trust is essential. If someone gets something wrong, the response should not be to reprimand the person but to educate them. Once educated, all staff should be tested, and the message reinforced. This reinforcement should spell out what the organization is trying to protect and why it’s important to follow the prescribed practices. With staff participation, employees begin to take responsibility, resulting in a more secure environment that everyone can trust.
Backup data and systems
Have a restorable backup — being able to restore is the essential requirement of a backup. If the organization utilizes backups, it must be able to restore from them. So, focus on restoring from the backup and do it often to ensure that the backup is effective. Many free backup systems, which can be automated, are available.
It’s important to note that a backup is not a “set and forget” process. It requires some time, perhaps 15 minutes a month, to maintain it and to check that it is functioning as designed. Additionally, spend a couple of hours annually to ensure the data can actually be restored. It’s the best investment in security that can be made. Being able to restore the data and systems means that, no matter what happens, a known-good reference point will be available.
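The restore test described above can be automated so that “restorable” is proven on every run rather than assumed. The script below is an added example, not code from the article; it assumes POSIX sh with GNU tar, find, sort and sha256sum, that the data to protect lives in one directory, and that backups are tar.gz archives. The sample “office share” it creates is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): timestamped backup plus an automated
# restore test that compares every restored file's SHA-256 with the live data.
# Assumptions: GNU tar/find/sort/sha256sum; run the check right after the
# backup, because any change to the live data in between will be reported.
set -eu

# Archive SRC into DEST as a timestamped tar.gz and print the archive path.
make_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" .
    printf '%s\n' "$archive"
}

# Restore ARCHIVE into a scratch directory and check that every file in SRC
# came back with an identical SHA-256. Returns 0 only on a complete,
# bit-for-bit restore; 1 if any file is missing or altered.
verify_restore() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d); manifest=$(mktemp)
    tar -xzf "$archive" -C "$scratch"
    # Checksum manifest built from the live data, then verified in the restore.
    (cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$manifest"
    if (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch" "$manifest"
    return "$status"
}

# Demo on constructed sample data (a scratch "office share").
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/live/invoices" "$demo_dir/backups"
printf 'invoice 1001\n' > "$demo_dir/live/invoices/1001.txt"
printf 'customer list\n' > "$demo_dir/live/customers.csv"
demo_archive=$(make_backup "$demo_dir/live" "$demo_dir/backups")
if verify_restore "$demo_archive" "$demo_dir/live"; then
    echo "restore test passed: $demo_archive"
else
    echo "restore test FAILED: $demo_archive" >&2
fi
rm -rf "$demo_dir"
```

Scheduling the script (for example from cron) and alerting on a FAILED line turns the article’s monthly check into a routine that runs on its own.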
Multifactor authentication (MFA)
There is no reason not to use MFA; it’s a must! It is a tough hurdle for attackers to overcome and should be used as the first line of defense. MFA is now a commodity, available on almost all cloud platforms for free or at minimal cost. It’s a simple and effective security tool.
Virtual private network (VPN)
Ensuring that access to systems is secure from a network perspective is also an essential part of cybersecurity for small businesses. Using a VPN or SSL/TLS-protected connections to the central systems is more secure than having no such protection. Third parties do not always have a level of security equivalent to or better than your organization’s, and protecting access through encrypted connections adds assurance. It’s not the only control needed; a combination of controls should be implemented to mitigate the risk effectively. Some organizations tend to go with one control or another, but a combination is recommended.
Rule of least privilege
Ensure that staff only have access to what they need to fulfill their job function. If an employee’s role changes, ensure that their access is reviewed and altered as required so that it continuously aligns with what is needed. Checking access privileges routinely is essential, and being strict and firm about the process is necessary to maintain cybersecurity for small businesses. Once access is granted, it’s hard to take it back. Moreover, most employees don’t need the access that they think they need. Systems should be treated in the same way; they should only have the access they require. For instance, if a computer or device does not need access to a server, then don’t give it access.
Reducing the attack surface area
Refrain from putting resources online if they do not need to be there. This applies to resources on internal computers within the organization as well as in the cloud. Rather than putting everything online, take offline what you can. Some resources and assets do not need to be online. Keeping them offline is far more secure, and the attack surface area is reduced in this way. Remember, hackers can’t attack what they can’t reach.
Patching and updates
Ensure that the latest software is always running on systems. From a security perspective, newer software versions are generally better than old ones. If the software is not being updated or is no longer supported, consider discontinuing its use. If the software is being updated, make sure the latest, most stable, and tested version is always installed. Remember that patching is not just for the operating system and the application. Patching should include firmware, and devices must be kept up to date too. Although this fleet management is getting easier and is often free, it requires diligence. This process should be a priority and should take up a large part of the time spent on the security initiative, because attackers frequently exploit unpatched software. Vendors and manufacturers are improving how patching is delivered and are automating patching of devices, operating systems, and applications. Nonetheless, the process still requires diligence on the organization’s part.
Cybersecurity for small businesses: Spend time, not money
Keeping things simple makes for a more secure environment. With the layering approach, defenses improve, and the possibility of a breach is reduced. A sound security routine that incorporates a few simple functions will add value and go a long way toward an improved cybersecurity posture for small businesses. Not all actions require colossal cost and complexity. Starting with a few simple security functions and ensuring maintenance and diligence will help form a good foundation on which additional security can be built.