Do you want to prevent losses in business due to identity fraud and cyber attacks? If YES, here are 50 best cyber security tips for small businesses in 2019.
The internet is indeed the biggest revolution of the 21st century, and its uses continue to expand, having already reached every sector of the economy. While this revolution is amazing, it has an unfortunate downside: every connected business is exposed to black hat hackers.
Research has found that small businesses are attractive to attackers because they hold a moderate amount of data and rarely treat cyber security as a priority. Attackers then use data taken from these businesses to defraud many other people.
Know that as a business, a data breach can damage your relationships with employees, customers and vendors, and one frequently cited estimate holds that roughly half of the small businesses that suffer a cyber attack go out of business within six months.
Do not allow your business to become part of that statistic. Build up your business' cyber security: protect your data, your network, your customer information and your reputation. Listed below are tips that can help you do that.
50 Best Cyber Security Tips for Small Businesses in 2019
- Ensure that business data that goes in and out of your platform is protected
If your business operates primarily online, then it sends and receives its data online too. To keep the business safe, you have to protect the data you transmit and receive.
To do this, you have to first determine which data is public information (and therefore doesn’t need to be closely guarded); which data has a medium importance and will not impact your business too much if discovered and finally, which data is most important and personal to your business.
It is this last category that needs the most thorough protection, since losing it or having it stolen would do serious damage to your business. Guard it with the strongest controls you have and restrict access to the smallest set of people who genuinely need it (the principle of least privilege).
- Ensure that your business website is HTTPS enabled
This is one of the first precautions to take to keep your business safe online. An HTTPS website has an SSL/TLS certificate installed on its server. The certificate proves to the browser that it is talking to your server and not an impostor, and the TLS connection it sets up encrypts everything transmitted between browser and server, whether it is personal or financial information submitted through the site or the contents of the page itself, so eavesdroppers (malicious parties, surveillance on the network) cannot read or alter it. A certificate issued with organisation validation (OV or EV) also records your company name, although most browsers no longer display it prominently, so do not rely on the certificate alone to distinguish your site from a phishing look-alike: train customers on your real domain name as well.
- Update your business software from time to time
Software vendors continually update their software to close the loopholes that attackers take advantage of. If your business uses that software, you should follow suit and apply the updates promptly.
Attackers are always looking for vulnerabilities in the software businesses use; an unpatched server or desktop can be all it takes to get into your Windows network. Do your business a favour and keep up with updates. If staff use their own devices for work (BYOD), make sure they are running supported operating systems and software before they access your business network, and that they keep those devices up to date too.
- Educate your employees on HTTPS policies
Employees will, from time to time, use the corporate IT network to visit websites or sign up for services, either for personal use or for the company. Before submitting any information, they should always be on the lookout for the padlock and HTTPS in the address bar.
If the site is unprotected, they should not enter any private or sensitive information. The padlock means only that the connection is encrypted, not that the site is honest: many phishing sites now use free Domain Validated (DV) certificates, so they show the same padlock as a legitimate site. Teach employees to check the domain name itself, not just the padlock.
- Teach employees to recognize phishing attempts
Phishing is one of the most common ways cyber criminals target organisations today. Training employees to recognise phishing goes a long way towards preventing such damaging attacks.
A typical phishing attempt is an email crafted to look like legitimate communication. It often comes disguised as something an employee might be expecting, like a password reset email, a notice from HR or a shipping confirmation. Despite cyber criminals' efforts to disguise these emails, there are still several ways to identify phishing attempts:
- Name check: clicking a link in an email from someone you do not know is always dangerous. No legitimate company will ask for sensitive information such as usernames or passwords over email or chat. Cyber criminals will go as far as registering an address that is very similar to a company's official one (a swapped letter, an extra word), so check exactly who an email is from, including the domain after the @, not just the display name.
- Spelling and grammar: check the body of the email for unusual spelling or characters as this can be a good indicator of a phishing attempt, particularly, if the sender of the email is requesting sensitive information. Misspellings and grammar issues should be a red flag when seemingly coming from a credible source.
- Intimidation tactics: Messages that start with “Urgent action required” or “Your account has been compromised” that require you to click on a link and enter sensitive information should be avoided. These intimidation and scare tactics are an attempt to get you to give up your credentials.
- Links: never click a link in an email from someone you do not know. Even when a hyperlink looks legitimate, hover over it (without clicking) to see the real URL; on a phone, press and hold the link to preview it. Link text that shows one address while the link goes somewhere else is a classic sign of phishing.
- Reporting cyber security incidents: irrespective of the security training that a company will have, there is still a probability that a security incident can occur due to human error. When this happens, it is important that employees know how to report these incidents.
Dealing with a cyber security issue as soon as possible stops it escalating into something more serious. Incident response training should be part of employee onboarding and be revisited company-wide every year. A good incident response plan covers: Preparation, Detection and Identification, Containment, Remediation, Recovery and Lessons Learned.
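The phishing indicators listed above can be automated for a mail gateway or a help-desk triage script. The following Python is an added example written for this article, not code from the original page; it assumes a hypothetical company domain (example.com) and two constructed sample messages, and it flags a look-alike sender domain, a Reply-To that goes elsewhere, urgency phrases, and link text that hides a different destination.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical company domain (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}
# Phrases typical of the intimidation tactics described above.
URGENCY = ("urgent action required", "account has been compromised",
           "verify your account", "within 24 hours")
# Digits commonly swapped for letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.net
To: staff@example.com
Subject: Urgent action required: password reset
Content-Type: text/html

<p>Your account has been compromised. Reset it within 24 hours:</p>
<a href="http://examp1e.com/reset">https://example.com/reset</a>
"""
SAMPLE_CLEAN = """\
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

See you at noon. Menu: https://example.com/menu
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(domain):
    """True when the domain is not trusted but, after undoing digit swaps, contains a trusted name."""
    if domain.lower() in TRUSTED_DOMAINS:
        return False
    label = domain.lower().split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    return any(t.split(".")[0] in label for t in TRUSTED_DOMAINS)


def phishing_indicators(raw_email):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if sender_domain and lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain!r} resembles a trusted domain")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain.lower():
        findings.append(f"Reply-To {reply_to!r} goes to a different domain than From")

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")

    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    findings += [f"urgency language: {p!r}" for p in URGENCY if p in haystack]

    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        if URL_LIKE.fullmatch(text):  # link text that looks like a URL must match the real target
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text {text!r} actually points to {host!r}")
                continue
        if host and lookalike(host):
            findings.append(f"link to look-alike domain {host!r}")
    return findings


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_PHISH):
        print("-", flag)
```

The domain comparison is deliberately crude (last two labels, a handful of digit swaps); a production filter would use the public suffix list and a proper confusable-character table, but the structure of the checks is the same as the manual ones above.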
- Inculcate cyber security into your senior leadership
Change starts at the top if the rest of the company is to follow. Make sure you and your senior management adhere to the cyber security policies you have put in place; staff follow what their leaders do, not what they say.
- Generate Phishing Simulation Tests to Keep Staff Alert
A lot of emphasis is placed on phishing incidents and with good reasons. When you have finished teaching your staff on the dangers of phishing and how to avoid such web links, you should take it a step further by conducting phishing simulation tests in your company to test employee’s awareness. This should be done before and after training in order to measure the improvement your employees are making.
- Choose the right cloud services for your business
Running a business is hectic. Using cloud services to manage your IT needs can make a lot of sense. Among other things, it gives you access to software without needing to buy it yourself, access to your data from any device, at any time, storage space and backups for your data.
There are a lot of cloud service providers out there, and you need to choose the right one for your business. Before you commit to a provider, check where your data will be stored, whether it is encrypted at rest and in transit, whether the service supports 2FA and lets you control who can access what, how backups and deletion work, and how they will notify you of a breach. Make sure they can give you the services and protection that fit your business.
- Only collect the data you really need
Only collect the data you really need from your customers. Your risk grows with the amount of data you hold, because the more you collect, the more valuable it is to an attacker and the more you stand to lose in an incident. By collecting only what you need, you reduce your risk, and data you never collected cannot be stolen. Encrypt whatever you do collect, both in transit and at rest.
- Secure any device that connects to your data
Enable anti-malware software on any device that accesses your business data or systems, so that malicious software (viruses, ransomware) is blocked before it runs. This covers both company-owned devices and any BYOD (Bring Your Own Device) equipment belonging to your staff.
Malware is easier to avoid than to remove, and some simple rules minimise the risk: never let staff access your network with devices that are jailbroken or rooted, and have them install apps only from the official stores (Apple's App Store or Google Play) rather than from downloaded packages or third-party stores.
- Manually check financial details and contacts
A lot of business takes place over email, and it can be hard to tell when an email recipient’s behavior is ‘phishy’. If you’re doing business online and you get an unusual or unexpected request, check it manually before you go ahead with the transaction.
This means checking the request with the person or company you’re dealing with through another channel, probably by phone. Having manual checks will prevent you from getting caught up in online fraud, like invoice scams. Use a separate channel of communication to verify a transaction or change it before it happens. For example, if you’re doing business over email, follow up with a text message or phone call.
- Ensure to have adequate data backup
If you run a business, you should know how important it is to keep your data safe. If it’s compromised in any way — if it’s lost, leaked or stolen, for example — you need to make sure you have a backup, or copy, available so you can restore it. To make it easier for you, you can set your backups to happen automatically so you don’t have to remember to do it.
How often depends on how important your data is. If new customer data comes in every day and would be impossible to re-create, back up several times a day. Keep at least one copy in a different location, ideally offline or otherwise disconnected from your network, so that an attacker who gets into your systems cannot destroy both the original and the backup. Test restoring from a backup from time to time; a backup you have never restored is a hope, not a plan.
- Always Follow Governmental Regulations and Policies on Retaining and Destroying Sensitive Data
Certain types of data must be stored securely for a set amount of time and then disposed of in a secure fashion. The amount of time for data retention varies from location to location and also depends on the nature of the information (such as medical or financial records).
Always be attuned to the data retention and destruction policies in your local jurisdiction as well as the information security policy. Determine whether data is public, private, or confidential when preparing it for storage and removal.
- Implement two-factor/multi-factor authentication (2FA/MFA)
Authentication is the act of confirming an identity (whether a user, machine, or device) by comparing provided credentials against an existing database of authorized identities before allowing access to a given system or application.
As part of your business strategy, you need to think about how to protect both your systems’ and your customers’ accounts. Implementing 2FA is one way to do this. It means that anyone who logs in to your system will need to provide something else on top of their username and password, to verify that they are who they say they are.
Authentication factors are something you know (a password or the answer to a security question), something you have (a digital certificate, smart card, hardware token or an authenticator app on your phone) and something you are (a fingerprint or facial recognition). Two-factor authentication combines two different kinds; a password plus a security question is still only one factor. You can implement it on internal systems and on your customer-facing systems.
2FA mitigates credential reuse, many phishing attacks and a range of other cyber security risks (although a code that an employee types into a fake site can still be phished, so hardware security keys are stronger than SMS or app codes). Make it a rule not to use systems that do not support 2FA; it should be a requirement for any new system your business adopts. Make it mandatory, not optional.
- Get Cyber Liability Insurance
Sometimes you simply can’t stop a disaster from happening, but you can certainly be prepared for one. Much of the business world has moved online, so it’s no surprise that cyber insurance is becoming increasingly popular. This is in fact one of the most important things you can do when it comes to protecting your small business from online threats.
Traditional liability insurance coverages are not equipped to deal with new internet exposures. An Insurance agent, however, can help put together a cyber-liability policy that covers a range of loss exposures to fit your unique business. Additionally, your agents should keep up with the ever changing world of cyber liability, to make sure your coverage adapts as technology and subsequent cyber threats evolve.
Before you decide on the level cyber insurance you need, weigh up the risks for your data. What would happen in the event of a security breach? How long can your business be out of action? Do your clients need 24/7 access to your services? Put simply – the greater the risks, the greater the need for insurance.
- Talk to your bank and payment processors
Cyber security is an issue a lot of other people you do business with need to be involved with to ensure that you are protected all round. In view of this, you may have to talk to your bank or payment processor to ensure that they are using the most up-to-date and trusted validation and anti-fraud services. Additionally, you should ensure that businesses that you share data with are equally protected.
- Use strong passwords
Many attackers sell the data they steal, and a single breach can expose the passwords of thousands or millions of people. If you use the same password for every account, one leaked password gives an attacker access to all of your systems. Avoid obvious passwords such as your address or significant dates, and never reuse a password across services.
If you have difficulty remembering passwords, use a long passphrase such as "Ilovegettingtoworkat7:00!": length does far more for you than complexity, and a long passphrase is harder to crack than a short jumble of symbols.
Substituting characters (o to 0, E to 3, I to 1, a to @, giving something like !10v3g3tt!ngt0w0rk@t7:00!) is often recommended, but it adds very little: password-cracking tools apply exactly these substitutions automatically, so a guessable phrase stays guessable. Better still, use a password manager to generate a unique random password for every account, so you only need to remember one strong passphrase.
Train all your employees on password handling. That training should cover: not writing passwords down where they can be stolen; never sharing passwords over chat or email, even within the company; creating strong passwords and using the company password manager; and never reusing a password across company applications or between personal and company accounts.
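Added example, not from the original article: it applies the page's own substitutions (o to 0, e to 3, i to !, l to 1, a to @) the way a cracking rule set would, to show how little they add, checks a candidate password against a constructed stand-in for a breach list, and stores passwords with salted scrypt rather than in the clear. The breach list and the 14-character minimum are assumptions for the demo.

```python
import hashlib
import hmac
import itertools
import math
import os

# Substitutions the page's example uses; cracking tools ship the same ones as rules.
LEET_RULES = [("i", "!"), ("l", "1"), ("o", "0"), ("e", "3"), ("a", "@")]
# Constructed stand-in for a list of passwords exposed in past breaches.
BREACHED = {"password", "123456", "ilovegettingtoworkat7:00!"}


def leet_variants(base: str) -> set:
    """Every string an attacker gets by applying any subset of LEET_RULES to the lower-cased base."""
    base = base.lower()
    variants = set()
    for n in range(len(LEET_RULES) + 1):
        for subset in itertools.combinations(LEET_RULES, n):
            candidate = base
            for plain, swapped in subset:
                candidate = candidate.replace(plain, swapped)
            variants.add(candidate)
    return variants


def substitution_bonus_bits(base: str) -> float:
    """Extra work the substitutions cost an attacker, in bits: at most log2(32) = 5 here."""
    return math.log2(len(leet_variants(base)))


def password_ok(password: str, min_len: int = 14):
    """Policy check: length first, then the breach list, then leet variants of breached phrases."""
    if len(password) < min_len:
        return False, "too short"
    lowered = password.lower()
    if lowered in BREACHED:
        return False, "found in breach list"
    if any(lowered in leet_variants(known) for known in BREACHED):
        return False, "leet variant of a breached phrase"
    return True, "ok"


# Storage: salted, memory-hard scrypt; the password itself is never written down.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Returns salt || scrypt(password, salt); the salt is random per password."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.scrypt(password.encode(), salt=salt, **SCRYPT), key)


if __name__ == "__main__":
    phrase = "Ilovegettingtoworkat7:00!"
    print("!10v3g3tt!ngt0w0rk@t7:00! generated from the plain phrase:",
          "!10v3g3tt!ngt0w0rk@t7:00!" in leet_variants(phrase))
    print("bits added by substitutions:", substitution_bonus_bits(phrase))
    print(password_ok("!10v3g3tt!ngt0w0rk@t7:00!"))
```

Five on/off substitutions give the attacker at most 32 extra candidates per dictionary phrase, so the leet version of a known phrase is about five bits stronger than the phrase itself, which is nothing compared with adding two or three more random words.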
- Provide your employees Secure Devices
At times, you may find out that the weakest links are the users and as such, it will be up to you to protect them from exposing themselves to security risks. Unintentional errors and loss of/stolen devices are some common causes of security breach that can lead to loss of sensitive data.
If a device is corporate issued, it is up to the corporation to ensure that they have a high level of security built into the device. Organizations should raise awareness of the dangers associated with mobile apps and file-sharing services, and ensure that corporate alternatives are provided that meet employees’ needs.
- Be careful on what you post about yourself and your business
How you speak about your business and others online says a lot about who you are, and it can also get you into trouble with the law or even open your business up to theft or hacking. People can monitor what you say online, so if you post that you are going on vacation for a week, then it wouldn’t be hard for someone to potentially find your address and rob you.
Blur out any images that reveal personal information and avoid online interactions that seem unsafe to you. It’s easy to get tricked into a scam by a direct message or post on social media. Never click on anything you don’t trust. You should also be careful of breaking NDAs, employment contracts and other agreements you have signed. Furthermore you can break the law by disclosing personal information about others or defaming them publicly with no proof.
- Provide Firewall Security for Your Internet Connection
A firewall is software or a device that controls which network connections are allowed into and out of your network. Safeguard your internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, protect it with WPA2 or WPA3 and a long passphrase, and keep the router's administration interface off the internet.
Hiding the network name (the Service Set Identifier, SSID) by disabling its broadcast is sometimes recommended, but it is not a security control: the name is still sent in the clear whenever a device connects, and any Wi-Fi scanner will show it. Rely on strong encryption instead. If employees work from home, ensure that their home systems are protected by a firewall too.
Firewalls are designed to prevent unauthorized access to a private network. You create a set of rules so that the firewall knows what to allow and what to block; the safest starting point is to block everything inbound by default and open only the ports your services need. A good firewall should log both incoming and outgoing connections.
- Create a culture of cyber security and frequently update your staff
When business leaders and stakeholders have cyber security on their minds, it helps to create a culture of cyber security that permeates all the way through the employee level. “Do as I say, not as I do,” has never been a saying that actually holds much merit in this sector. Employees learn cyber security habits best through the example of their leaders. If cyber security remains on the forefront of the minds of those within the organization, it will enhance security and lower the risk of human error.
- Frequently conduct insider threat analysis
An insider threat analysis will uncover any potential threats to your IT infrastructure that come from within your organization. This could be anything from employees and former employees to contractors, vendors, third party data suppliers or associates.
- Change default passwords on devices before use
Default credentials are the factory-set login details, usually with administrator-level access, that ship with a product. They should be used only for the initial setup and then changed. Unfortunately that often does not happen. Default credentials are easy to guess and are published online, and attackers use them to get into your systems.
Check for default account credentials on any new hardware or software you buy, or any devices that have been factory reset. If you find any, change the passwords for them. Make the new passwords long, strong, and unique.
- Have a contingency plan
No matter how well you prepare, sometimes things go wrong. Even if you outsource your IT support, security incidents will still be your problem. If your business has a cyber-security incident, you’ll need to know what steps to take to keep your business running. Having a clear plan in place will help you through what could be a stressful time. It’ll help your team respond to an incident quickly, and improve your business’s resilience.
- Invest in VPN
If you have remote, mobile or field workers, provide them with a secure connection to your network. A virtual private network (VPN) lets employees reach company files, applications, printers and other resources through an encrypted tunnel, so anyone else on a public Wi-Fi hotspot cannot read or tamper with their traffic. Put the VPN login behind 2FA, because a VPN account is a door straight into your network.
- Encrypt records and confidential data
Encryption makes data unreadable to anyone who does not hold the key, so a stolen laptop or an intercepted message yields nothing useful. Enable full-disk encryption on laptops and phones, use encrypted email or file-transfer services for sensitive attachments, and encrypt employee and client records at rest. Keep the keys and recovery codes somewhere separate from the data they protect; otherwise the encryption is worthless.
- Set up logs
Logging helps you detect a cyber security incident early, sometimes while it is still in progress. Multiple failed logons to your network, or a logon from an unknown IP address, are signs that something is wrong, and logs are how you see them. You can configure alerts for unusual or unexpected events that you need to know about.
You can also set up logs to inform you of successful logins to your CMS and changes to any of the files in it (if you don’t change them often), changes to your log configurations, password changes, 2FA requests that were denied, anti-malware notifications and network connections going in and out of your network.
You should store your logs in a safe location and make sure they’re encrypted. Access to the logs should be limited to only those that need it. Consider archiving them to offline storage and keeping them for a while (like a couple of months) in case you ever need them.
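As an added example (not part of the original page), the following Python runs the two detections just described, repeated failures from one address and a successful login from an unknown address, over a handful of constructed SSH-style log lines. The office address allow-list, the threshold of five failures and the 60-second window are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines for the demo (not real data).
SAMPLE_LOG = [
    "2019-03-04T09:00:01 Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "2019-03-04T09:01:10 Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2",
    "2019-03-04T09:01:12 Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2",
    "2019-03-04T09:01:15 Failed password for root from 203.0.113.9 port 40003 ssh2",
    "2019-03-04T09:01:17 Failed password for root from 203.0.113.9 port 40004 ssh2",
    "2019-03-04T09:01:20 Failed password for alice from 203.0.113.9 port 40005 ssh2",
    "2019-03-04T09:01:25 Accepted password for alice from 203.0.113.9 port 40006 ssh2",
    "2019-03-04T09:30:00 Failed password for bob from 10.0.0.5 port 51300 ssh2",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>Accepted|Failed) password for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")
KNOWN_IPS = {"10.0.0.5"}      # assumed office address; anything else is "unknown"
THRESHOLD, WINDOW_SECONDS = 5, 60


def analyse(lines, known_ips=KNOWN_IPS, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Single pass over the log, keeping a sliding window of failures per source address."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        ip, user, result = m["ip"], m["user"], m["result"]
        failures = recent_failures[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()             # expire failures older than the window
        if result == "Failed":
            failures.append(ts)
            if len(failures) == threshold:  # fire once, when the threshold is crossed
                alerts.append(f"brute force: {threshold} failures from {ip} within {window}s")
        else:
            if ip not in known_ips:
                alerts.append(f"login for {user!r} from unknown address {ip}")
            if len(failures) >= threshold:
                alerts.append(f"possible compromise: success for {user!r} from {ip} "
                              f"after {len(failures)} failures")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT:", alert)
```

The third alert is the one that matters most: a success immediately after a burst of failures from the same address is the signature of a password that was guessed, and it is the event that should page someone rather than sit in a daily report.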
- Beware of mobile devices
Mobile devices carry their own risks: they travel everywhere, are easily lost or stolen, and are often updated less diligently than office computers. Disable automatic behaviour you do not need, such as location sharing, auto-connecting to Wi-Fi networks and always-on Bluetooth.
You should equally encrypt your data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Always lock your devices and use strong passwords, and don’t forget to update operating systems as needed. Be sure to set reporting procedures for lost or stolen equipment for yourself and for your staff.
- Limit the number of people that have access to your systems
Unauthorized people should not have access to company computers and accounts. Even a well-known, trusted person shouldn’t be allowed to access computers and information that they are normally unauthorized to use. For example, you shouldn’t let a client borrow a company laptop to look something up.
Laptops can be particularly easy targets for theft or can be lost, so lock them up when not in use. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Employees in different roles will need different access. They should never share their credentials: an accountant should not hand the accounting software password to a salesperson. Give every employee an individual login wherever possible; that is what lets you limit each person's privileges and trace who did what.
- Protect your business against viruses, spyware, and other malicious code
Make sure each of your business's computers runs antivirus and anti-malware software and that it is updated regularly. Such software is readily available from a variety of vendors. Software vendors regularly release patches and updates to fix security problems and improve functionality, so configure all software to install updates automatically where you can.
- Know when an attack has occurred
The best way to protect your business from a cyber-attack is to know what an attack looks like. Without such knowledge, you may never know when your business is under attack. It is important that you educate your employees and team members of what a cyber-attack looks like.
Attacks look different depending on the method used, so show employees concrete things to look for: unexpected password-reset or 2FA prompts, accounts suddenly locked out, files renamed with strange extensions, unfamiliar admin accounts or programs, and machines that slow down for no reason. Stress how important it is to tell the IT team the moment they see something, and keep reminding everyone not to panic but to report.
- Hack your business
One of the best ways to find vulnerabilities is to hire appropriate consulting firms or IT specialists to practically hack your business to find out where your network has weaknesses. Vulnerabilities within an organization’s computer network act as unlocked doors that can provide easy access to critical systems.
That is why it is essential to conduct regular penetration testing. By doing so, an organization can identify and fix vulnerabilities to prevent a hacker or other malicious person from exploiting them. By simulating a cyber-attack, a penetration test will safely reveal the unlocked doors within a network and provide the locks and keys to fix them in the form of a prioritized roadmap or task list.
- Practice regular network cleanup
Carry out a network cleanup from time to time: inventory every device, account and service on your network, remove what is no longer used (former employees' accounts, old test servers, forgotten remote-access tools) and look for anything that does not belong. Schedule the cleanup with your IT team and include the major software your company uses.
- Protect your Content Management System (CMS)
No matter which CMS (Content Management System) you use, attackers will keep finding loopholes and trying to get inside. There are, however, ways to make your CMS as secure as possible. A few simple tips:
Do not expose the login form more than you have to. Restrict the admin login page to known IP addresses or put it behind a VPN, limit login attempts, and require 2FA for every administrator. Do not keep a user called 'admin': the default username is the first one attackers try, so create a uniquely named administrator account and delete the default one.
Do not rely on hiding folders. A common WordPress tip is to drop a blank 'index.html' into the 'wp-includes' folder; that only stops the web server from listing the directory, and every file inside is still reachable by URL. What actually helps is keeping the core, themes and plugins updated, removing plugins you do not use, preventing PHP from executing in the uploads directory, and regularly scanning your files for unexpected changes. Use spam protection on any comment or contact forms.
- Know the limits of on-screen keyboards against keyloggers
Attackers who get malware onto a computer can record every keystroke with keylogging software; it is the device that gets infected, not the network it is on. Virtual or on-screen keyboards are often suggested as a defence, and many banking sites offer one as an input option.
They only defeat hardware loggers and the simplest keystroke loggers, however: modern malware also captures screenshots and mouse clicks, so an on-screen keyboard on an infected machine still leaks the password. The reliable protections are keeping endpoints patched and running anti-malware, letting a password manager fill in credentials, and enabling 2FA so that a captured password alone is not enough. Tell your employees and staff the same.
- Never hold on to a customer’s CVV number
Storing a customer's card details, with their consent, makes future checkouts convenient, but it also exposes that data to everyone with access to your systems, attackers included. The card security code (CVV) must never be stored after a transaction is authorised; the card industry's PCI DSS rules forbid it, and storing the card number itself puts you in scope for those rules. The safer approach is to let your payment processor store the card and hand you a token that is useless to a thief. If you really must keep the number yourself, the customer will not mind re-entering three digits at checkout, and keeping their card data safe matters far more to them.
- Be vigilant with your password manager software
A password manager creates strong, unique passwords and remembers them for you, which is why many businesses use one. It also concentrates risk: every password is in one vault, so an attacker who gets the master password gets all of them. Choose a manager that encrypts the vault with a key derived from the master password, protect that master password with 2FA, make it a long passphrase you use nowhere else, and keep the software updated.
- Limit the number of people with admin access
The first step toward improving your cyber security is to limit the number of people with admin access. Unfettered admin rights for employees who do not need them are one of the biggest threats to business security: every account with admin rights is another account whose compromise gives an attacker everything. Invest time in setting up proper administrative accounts, separate from day-to-day user accounts, and enforce time-window and geo-fencing limits on access to sensitive information, particularly from personal devices and from outside company premises.
- Do not send sensitive data over plain email (or fax)
Many companies use email as their main way of communicating, and routinely send confidential information as attachments, even though email can be read and forwarded far too easily. Fax is often suggested as the secure alternative, but a fax is an unencrypted transmission, and many 'fax' services today are email-to-fax gateways, so it is no better. Use an encrypted channel instead: an encrypted file-sharing service, S/MIME or PGP-encrypted email, or a secure customer portal. If employees use phones for both business and personal use, have a clear policy on what data may be accessed and stored on those devices and on when a device must be wiped.
- Train employees in security protocols
Establish basic security practices and policies for employees, such as creating strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules that describe how to handle and protect customer information and other vital data.
- Be careful with what you download
If you manage your own computer, be ultra-cautious when downloading and installing software or browser plug-ins. If it’s free, or not from a recognized, trusted software vendor, it may well include features that spy on your activity or install harmful programs. Ideally, your security policy and settings should permit users to install only those programs enabled by your system administrator.
- Beware of being held ransom
Ransomware is malware that encrypts your files and holds them "hostage" until you pay, and it is a growing concern for small businesses. Back up frequently using the 3-2-1 rule: keep three copies of every important file, on two different types of storage, with one copy off-site and disconnected from your network so the ransomware cannot reach it. Cloud storage is a convenient off-site copy, but a folder that syncs automatically is not a backup: the ransomware's encrypted files sync too. Use a cloud backup service with versioning or immutable snapshots, and test that you can actually restore.
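The backup advice earlier in this list and the 3-2-1 rule above are only worth anything if a backup can actually be restored. This added Python example (not the page's code) writes a timestamped snapshot of a directory with its SHA-256 digest, prunes old snapshots, and then performs the restore test: it verifies the digest, unpacks the archive into a scratch directory and compares every file with the live copy. The directory names and sample files are constructed for the demo; copying the archive to a second medium and off-site is left to whatever transport you use.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path) -> str:
    """Streamed SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src, dest, keep: int = 7) -> Path:
    """Write a timestamped tar.gz of `src` into `dest`, record its SHA-256 beside it,
    and prune so that only the newest `keep` archives remain."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"backup-{time.time_ns()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for child in src.iterdir():
            tar.add(str(child), arcname=child.name)
    Path(str(archive) + ".sha256").write_text(sha256_of(archive) + "\n")
    for old in sorted(dest.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return archive


def verify_restore(archive, src) -> bool:
    """Check the archive against its recorded digest, then restore it into a scratch
    directory and compare every file with the live copy in `src`."""
    archive, src = Path(archive), Path(src)
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    if sha256_of(archive) != recorded:
        return False   # archive altered or corrupted since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to maintained 3.x) blocks path traversal.
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        for path in src.rglob("*"):
            if path.is_file():
                restored = Path(scratch) / path.relative_to(src)
                if not restored.is_file() or sha256_of(restored) != sha256_of(path):
                    return False
    return True


def self_test():
    """Round trip on constructed data: (verify ok, verify after tampering, archives left after pruning)."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "data")
        (src / "sub").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Acme\n")
        (src / "sub" / "invoices.txt").write_text("INV-1 paid\n")
        dest = Path(d, "backups")
        first = snapshot(src, dest, keep=2)
        ok_before = verify_restore(first, src)
        with open(first, "r+b") as f:          # flip the last byte: simulated corruption
            f.seek(-1, os.SEEK_END)
            last = f.read(1)
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last[0] ^ 0xFF]))
        ok_after = verify_restore(first, src)
        snapshot(src, dest, keep=2)
        snapshot(src, dest, keep=2)
        remaining = len(list(dest.glob("backup-*.tar.gz")))
    return ok_before, ok_after, remaining


if __name__ == "__main__":
    print(self_test())   # expected (True, False, 2)
```

Run the verification step on the off-site copy as well as the local one; a digest recorded next to the archive catches corruption and tampering, but only a full restore into a clean directory proves that the backup contains what you think it does.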
- Make outsourcing a priority
Every business that has any kind of online presence needs an expert to take care of its cyber security. But it is unfortunate to note that there is currently a shortage of cyber security professionals with the skills and qualifications necessary to fill the number of positions available.
This is especially problematic for small companies, as it means hiring cyber security professionals can be difficult and expensive. Most times, it is best to bear the expense and get a professional service rather than relying on your meager knowledge and doing things you may end up regretting.
- Create an incident response strategy
An incident response strategy lets your business stay ahead of an attack. You can never be sure you are 100% secure, so it is always best to have a plan in case you become a victim of a cyber attack. The plan ensures that you can respond quickly enough to limit the damage, and it should spell out when and how you notify affected customers, regulators (many jurisdictions require notification within a fixed period) and, if necessary, the press. Name someone responsible for owning and executing the plan.
- Learn from past mistakes
After any breach and incident response, once you are sure that you are no longer being hacked and can go back to normal operation, you should conduct a review. The review should allow you to discuss your incident response plan and decide if you need to make any adjustments to the plan based on the mistakes you made the first time around. You must always strive to rebound stronger from any incident that happens in your business, if not, you would end up repeating the same costly mistakes.