Cyber security is an important aspect of any business, regardless of size. However, with smaller budgets and smaller workforces, the risks posed by cyber crime are arguably greatest for small businesses. With this thought in mind, we created this blog post – a list of cyber security tips for small business owners.
It is by no means an exhaustive list. However, these simple measures are a good place to start for any small business owner. If you’re a small business owner familiar with cyber security, this will also serve as a reminder of best practice.
It is important to remember that it doesn’t matter who within an organisation falls victim to cyber crime. The outcome will be the same, whether it is the receptionist, a contractor or the CEO. Therefore, we’d strongly recommend sharing any cyber security knowledge you have with those you employ.
Cyber Security Tips for Small Businesses
Accept that your small business is a target.
Don’t say “it won’t happen to me” as it’s very likely that it will. In fact, in the last 12 months, 94% of UK businesses have been affected by a cyber incident.
There’s a common misconception that small businesses don’t need to worry about cyber security.
However, due to a lack of resource, capacity and manpower, small businesses are often at an increased risk. A lack of resource often means a lack of education. Therefore, as a small business owner, you must make yourself aware of the cyber security risks that threaten your business.
Be confident in your security efforts and if in doubt, consult with an expert.
Enforce good password management.
This advice is now bordering on cliché. However, secure passwords are one of the simplest ways to stop your small business becoming a victim of cyber crime.
Despite how frequently this advice is given, it is still largely ignored. More than 80 percent of adults reuse the same password across multiple accounts, whilst ‘123456’ was the most commonly used password in 2017. Other passwords in the most commonly used list include ‘qwerty’, ‘letmein’ and ‘football’.
As a small business owner, you should enforce good password management. Strong passwords are unique and contain a large mix of letters, numbers, and symbols. Passwords should never be shared with anyone, including management or IT teams. They shouldn’t be written down and they certainly shouldn’t be written on a post-it note and attached to a monitor.
If you or your team struggle with remembering long, complex passwords, consider investing in password management software.
Create a cautious environment.
In a recent survey of businesses affected by a successful ransomware attack, it was found that the malware bypassed antivirus software in 100% of cases, firewalls in 95% of cases and email filters in 77% of cases. Therefore, there’s a strong possibility a malicious email will find its way into the inbox of one of your employees.
As a small business owner, it’s your responsibility to create an environment in which employees can feel secure in being cautious. They should be able to question the legitimacy of emails and seek second opinions, without fear of ridicule or reprisal.
There are scammers who will take advantage of spelling mistakes in common URLs to direct people to harmful domains. They may also use fake adverts, compromise reputable sites or even pretend to be a colleague. This makes cautious employees imperative to your cyber security efforts.
It is better to be cautious and verify a source over the telephone than to have ransomware lock your entire network.
Extend this caution to external devices.
Every person within your business also needs to be careful about what they plug into their computers. Infected flash drives, external hard drives, and even smartphones can cause malware to spread.
Devices should be scanned before they’re connected to another device within your network. This includes when employees connect personal devices to the company Wi-Fi.
Connecting personal devices to an IT network presents not just cyber security risks but also privacy risks. 21% of organisations have traced a data breach back to ‘Bring Your Own Device’ (BYOD) initiatives, whilst 24% of organisations have found that employee-owned devices have previously been connected to malicious Wi-Fi.
Make regular backups.
Ensuring your data is regularly backed up can mitigate some of the damage caused by a cyber attack. How much damage is mitigated will be determined by the quality of the backups and the speed at which they can be recovered.
In a recent study, it was discovered that over 80% of businesses required more than an hour to recover from server failure, whilst more than 25% needed at least two. Being prepared will minimise this time.
We’d strongly recommend adhering to the Backup Rule of Three when considering your backup options. Also known as the 3-2-1 rule, this accepted best practice dictates that you should have at least three copies of your data, stored on at least two different media types, with at least one copy offsite.
We have explained more about the Backup Rule of Three in another blog post, which you can read here.
Make use of protective software and hardware.
Earlier in this post, we mentioned ransomware bypassing protective measures such as antivirus software and firewalls. Whilst this is the case, it is worth remembering that different threats require different cyber security measures.
Therefore, protective software and hardware is still a must for any small business.
Given the abundance of free security software, it may be tempting to save budget on protective software and hardware. However, it’s often best to pay for these services. Free versions usually won’t offer you the same protection as full software packages. If you are going to use a free service, always check exactly what protection you will be receiving.
With that said, we strongly recommend paying for an email filter, as email is one of the primary methods used for cyber crime. F5 Labs studied 433 cyber security breaches across twelve years. 338 of those breaches had confirmed numbers for the data lost. From those 338 breaches alone, over 10 billion email addresses were compromised. It is likely that some of these will have been used for further illicit purposes.
Source: F5 Labs
Create a disaster recovery plan and don’t let it collect dust.
As a small business owner, a main consideration of your cyber security efforts should be a disaster recovery plan. A disaster recovery plan is a set of instructions for you to follow in the event of a disaster.
A disaster recovery plan is going to be bespoke to your business. Whilst there are good resources to help plan for potential disasters, remember that your business is unique. Your budgets, resources, internal technology (and more) are different to those of other businesses. Therefore, you cannot rely on someone else’s plan to cover your company.
TechTarget offers a good overview of disaster recovery planning which will be a good place to start if your business doesn’t currently have a disaster recovery plan.
Whatever format your disaster recovery plan takes, it is important to keep it up-to-date. Your business needs to be well versed in the processes outlined within it.
Remember, technology moves quickly, and cyber security threats are developing all the time. This means that your disaster recovery plan is only as effective as it is relevant. As a small business owner, it’s your responsibility to ensure your staff know what to do in a cyber attack.
Embrace a Cyber Security Culture Within Your Small Business
The importance of cyber security is not going to disappear. It is not a fad. Choosing to ignore cyber crime, or neglecting your cyber security responsibilities, will only be detrimental for your small business.
As a small business owner, you should consider cyber crime one of the primary threats to your business. This list of tips is by no means exhaustive. However, the advice, combined with the links throughout, will help you secure your company.
Should you have any questions or concerns about the cyber security provisions within your business, please feel free to get in touch.