cybersecurity advice for small businesses

What is Cybersecurity?

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. Cyberattacks are usually aimed at assessing, changing, or destroying sensitive information, extorting money from users, and/or interrupting normal business processes. Implementing cybersecurity initiatives increases in complexity over time because of the number of devices per user as well as the sophistication of attackers.

Cybersecurity requires the use of multiple layers of protection across computers, networks, programs, and data. The most effective layer of protection includes the pillars of people, policy, and technology. The people pillar ensures that employees are educated on cybersecurity threats and the behavior that will best mitigate an attack. Policy is the organizational framework and processes about how an organization protects itself against an attack. And technology includes the tools that organizations and individuals can use to protect themselves from cyber attacks. The primary entities to be protected include endpoint devices like computers, smart devices, routers networks, and the cloud.

Why do I Need Cybersecurity for My Small Business?

Many of the cyber incidents reported in the news are about large corporations. One example is Colonial Pipeline, who paid $4.4 million in bitcoin to the attackers to bring its pipelines back online. Another is JBS Foods, who paid an $11 million ransom demand, which took down one of the biggest meat processing companies in the world. 

However, a significant number of cyberattacks happen to small and medium businesses. One survey published in 2019 found that about 20% of SMBs had fallen victim to one or more types of ransomware attacks, with average losses upwards of $141,000 in downtime and ransom requested. 

Since the pandemic, that number has exponentially increased. In 2021, 41% of small businesses that suffered a cyberattack reported that it cost them at least $100,000, up from 37% in 2019. However, fewer than half of the businesses surveyed (46%) said they have implemented defenses against possible cyber attacks, and only a quarter (24%) say they plan to purchase cyber insurance within the next year. 

In summary, cyberattacks for small and medium businesses are increasing in frequency and sophistication, the ransomware amount demanded is increasing, and businesses are not adequately protecting their businesses. Read below for the top nine cybersecurity tips to protect your business.

Top Nine Cybersecurity Tips for Small and Medium Businesses

1. Multi-Factor Authentication is Your Friend

Passwords act as the first line of defense in protecting your data. However, since they have a higher likelihood of being hacked, adding multi-factor authentication (MFA) or two-factor authentication (2FA) will double that protection. MFA/2FA is a method to grant users access to a website/application (usually after entering the password) only after successfully presenting two or more pieces of evidence. This is a process of knowledge, possession, and inherence. MFA/2FA methods range from facial recognition to fingerprinting and separate devices with authenticators. It is recommended to use a combination of these methods to ensure your information is protected.

2. Provide employee cybersecurity education

People are the weakest line of defense in any cybersecurity strategy. Why? Because hackers continue to become smarter about how to target and attack company employees. Take voice phishing for example, whereby a hacker takes a voice recording of an individual, such as a CEO or controller, and uses software to manipulate their voice to say certain things. For example, they might be instructed to wire large sums of money to an account disguised as one belonging to a client. Simpler initiatives are just as dangerous, such as hyperlinks that point to malicious destinations made up to look like authentic, trustworthy websites. Educating employees on what to look out for is incredibly important to a corporate cybersecurity defense.

3. Beware of Social Engineering Red Flags

Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is much easier to steal information and resources from a company by ‘hacking’ the people instead of the hardware or software. Therefore, employees need to know what to look out for. Some common red flags include:

 

  • Email sender: Check the email sender for the validity of the email address. For example, an email from “Air Canada” with the email address from@souq.com.
  • Why was this sent to you? Did you receive an email from UPS, but you have no packages on the way? Be cautious of opening this message.
  • Email subject: If the email subject doesn’t match the content of the email message is a reply to something that was never requested, think twice before opening the email.
  • Date and time: Did you receive an email that was sent at a weird time? 
  • The hyperlink is weird: Before opening a hyperlink, hover your mouse over the link to determine the destination. If it doesn’t seem legitimate, don’t click it.
  • Content: Is the sender asking you to click a link or open an attachment? Be wary of the content inside.

4. Implement a password policy

Modern password crackers can brute force a standard English dictionary word in 30 seconds or less. The technology used to decrypt and guess passwords is becoming more advanced. Passwords should be as complicated as possible and changed frequently to avoid hacking attempts. A password policy enforced by your organization ensures that employees understand the importance of strong passwords and that they are created in adherence to the best practices required. Some of the most common passwords are the easiest to crack during cyberattacks. These include “abc123”, “111111”, and “password.” Strong passwords should follow the following parameters:

  • Should be at least 10 to 12 characters long
  • Should include at least: one capital letter, one lowercase letter, one number, and one special character
  • Avoid the use of dictionary words, birthdates, and addresses
  • Make common phrases more complicated (add numbers or symbols)

By outlining a corporate policy on password strength, your employee accounts and the important data within will be better protected.

5. Implement a corporate cybersecurity policy

A corporate cybersecurity policy should be comprehensive and cover the three most important areas of cybersecurity defense. These include people, policy, and technology. By covering all of the bases, your organization is protected to the highest degree possible. The people area includes cybersecurity education in the form of security awareness training and security reports. Policy includes the organizational framework for how employees conduct themselves, such as a password policy. Meanwhile, technology includes methods such as firewalls and anti-virus software.

6. Daily Computer Habits

Practicing safe computer habits can prevent your data from being compromised. For example, whenever you step away from your computer, make sure to lock your device. Check your surroundings to avoid “shoulder surfing”. If you work with confidential information regularly, use a privacy screen filter to stop people from looking at your display. In addition, restarting your device frequently ensures that security and software updates are applied. As mentioned before, using MFA/2FA will double the protection of your logins and data. Not sharing passwords with other users is key, and it’s even better if you store them in a secure password manager. Never store corporate data on your local laptops or PCs; opt for cloud-based storage to ensure data is protected. Lastly, remember to log out and shut down your computer at the end of the day, even if you are bringing your device home.

7. Internet Safety Habits

Not only should you practice safe computer habits, but tweaking your internet usage for safe browsing is equally important. Here are five internet safety habits to follow:

  • Be careful of what information you share online; once it’s there, it’s there forever even after you delete it. You should assume your data will exist somewhere in some form. 
  • If you don’t want everyone to know something, don’t post it online. Be mindful when completing quizzes and surveys (especially on social media), as they are a way for hackers to retrieve personal information from you. 
  • Be careful with what you download or browse, only use safe browsers (Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox), and make sure the websites you visit are safe to download from. 
  • Avoid using the same passwords for all your online accounts; if one gets hacked, there’s a good chance the rest will be as well, especially if they share the same credentials. 
  • Most importantly, don’t add anyone on social media you don’t know or have never met in person. Once you agree to the friend request, they’ll have access to your information.

8. Mobile Device Best Practices

Mobile devices are prone to hacking as well. It’s important to implement password protection, fingerprints, and/or facial recognition to access your devices. They should have a password at a minimum. Setting up an invalid lockout and data wipe policy on the device in case it gets lost or stolen is best practice. To prevent shoulder surfing, add a privacy screen to your device to make sure your information is protected. 

Just like with computers, there are possible security vulnerabilities you could experience through your mobile devices. For example, don’t allow your device to join unfamiliar networks, especially public ones. Do not check your banking application when you’re using Starbucks’ public Wi-Fi, for instance. Public networks have minimal security and it’s a known target  for hackers. It’s a good habit to turn off your Wi-Fi when you’re not using it. When it comes to your applications, always download them from your app store (Google Play, Apple Store, etc.) instead of browsers. Be wary of apps made by unknown developers or those that have a lot of bad reviews!

When using your mobile browser, pay close attention to the URLs, and never save your login information unless your browser is secure. Watch out for ads and contests that are too good to be true; try to avoid clicking them when they pop up. Aside from browsers, the Bluetooth in your devices should be turned off when it’s not in use to further deter hacking attempts. It’s recommended to disable automatic Bluetooth pairing so they don’t connect to random devices nearby. 

Phishing attempts can occur on mobile devices, too! Do not trust messages that attempt to get your personal information. It’s a good habit to treat these the same way you would with  emails: think before you click! When receiving phone calls, don’t respond to the ones that request financial information (such as your credit card number). When this happens, end the call and check with your financial institutions directly. Avoid answering calls from unknown numbers unless you are expecting them. Blocking the scam number can sometimes help as well.

9. Employ Spam Filters (and Don’t Rely Solely on Them)

Spam filters are effective, but they do not stop 100% of spam emails. These use an algorithm to determine which emails are spam. Hackers are continually working to hack the algorithm to ensure their emails get past the filter. Therefore, you and your employees are the last line of defense for clicking on links or opening attachments in spam emails.

What Else Can I Do? 

At SysGen, we employ a three-pronged approach to a comprehensive cybersecurity strategy, emphasizing people, policy, and technology. If your business concentrates on one area but not the others, a gap will exist for a security breach to occur; it’s like locking all the doors to your house but leaving the window open. Focusing on these areas is your best defense against a cybersecurity attack. SysGen managed security offers three tiers of protection based on the needs of your organization: ESS, ESS+, and ESS+ Realtime.

ESS

ESS is a basic security package designed to reduce the chances of your technology or people being compromised.

ESS+

An advanced package designed to greatly reduce your security risks while developing corporate policies to manage security comprehensively.

ESS+ Realtime

The advanced security offering with the addition of real-time 24/7/365 monitoring, protection, and response.

Which Type of ESS Should I implement For My Business?

ESS provides the basic security package, whereas ESS+ offers forensics, enhanced detection and response, mobile device protection, data encryption, and governance. In the event of a cybersecurity event, forensics will provide a deeper understanding of who, what, when, why, and how. The enhanced detection and response will provide a complete endpoint security solution with further visibility and the ability to respond to endpoint threats. Mobile device protection operates software that manages and secures your employees’ mobile devices. With data encryption, information will be encoded and is only accessible to users with the correct encryption key. Meanwhile, governance provides a strategic roadmap to achieve your cybersecurity objectives. Finally, ESS+ Realtime will offer the aforementioned services along with real-time monitoring, which enables round-the-clock scanning and monitoring of your IT environment.

You can find SysGen’s cybersecurity services in Calgary, Edmonton, Red Deer, Vernon, and Kelowna. Connect with our team about protecting your organization with a managed security strategy today.

Contact Us To Find Out More

 

Headshot of Michael Silbernagel

Michael Silbernagel, BSc, CCSP, CISSP

Senior Security Analyst

Michael is a lifelong technology enthusiast with over 20 years of industry experience working in the public and private sectors. As the Senior Security Analyst, Michael leads the cybersecurity consulting and incident response (CSIRT) teams at SysGen; he is the creator of SysGen’s Enhanced Security Services (ESS), our holistic and comprehensive cybersecurity offering that focuses on people, technology, policy, and process.