Read on for 101 expert tips on cybersecurity for small to midsize businesses, plus practical advice for implementing effective cybersecurity measures.
Cybersecurity can be overwhelming for SMBs. From regulatory compliance concerns to protecting your company’s most valuable, sensitive data, there’s a lot at stake. SMBs often lack an awareness of the security risks they face, and even those that do understand the threat landscape may not have the resources available to effectively combat risks.
The cost of a data breach is high; so high, in fact, that many SMBs don’t survive following a cyber attack. That’s why it’s imperative for SMBs to make cybersecurity a priority. If you’re not sure where to begin, this guide is for you. We’ve compiled a comprehensive set of expert cybersecurity tips, including statistics and insights that highlight the importance of security for SMBs, tips for educating and training employees on cybersecurity, cybersecurity tools and solutions for SMBs, and cybersecurity best practices and regulatory compliance tips.
1. Small businesses are attractive targets for cybercriminals. “Cyber attacks are a growing threat for small businesses and the U.S. economy. According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2018 alone.
“Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.
“According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber attack. Yet many businesses can’t afford professional IT solutions, they have limited time to devote to cybersecurity, or they don’t know where to begin.” - Small Business Cybersecurity, U.S. Small Business Administration; Twitter: @SBAgov
2. Intelligence gathering is a common reason behind attacks. “The most likely reason for a cyber attack is intelligence gathering. A data breach is one possible result of a successful attack. Data breaches can involve a variety of information, from documents and intellectual property, to credit card and financial information. Sometimes, cybercriminals could even mine information about your staff and customers. According to a 2017 Ponemon study, the global average total cost of a data breach is U.S. $3.62 million.” - Cybersecurity tips for small businesses, Norton by Symantec; Twitter: @NortonOnline
3. Small businesses accounted for nearly half of the breaches in the 2019 Verizon DBIR. “The executive summary of the DBIR points out, ‘No organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack. Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it.’ Too often Small and Medium businesses think that they won’t be targeted because of their size, but that’s simply not true. Small businesses accounted for just under half of the breaches in the 2019 DBIR.
“This is evidence that cybercriminals see value in small businesses. It makes sense as many small businesses don’t have the resources to spend on security programs or applications. It’s not uncommon for small businesses to be hacked as a part of the supply chain. This means that small businesses need to start thinking strategically about their security options.” - Dan Smith, 3 Key Takeaways from the 2019 Verizon Data Breach Investigations Report (DBIR), Zeguro; Twitter: @Zeguroinc
4. Small businesses face a distinctive insider-threat challenge. “Insider attacks don’t discriminate based on business size, but SMBs face a unique challenge: managing the rapid expansion of IT infrastructure and connected devices without the benefit of enterprise-scale resources.
“According to Gregory Touhill, a retired Brigadier General and board director of global tech association ISACA, this leads to ‘task saturation’ — small business owners and employees are constantly switching between roles and tasks to support daily operations, develop new strategies and manage growing cyber risk.
“The result? Speed becomes the watchword for SMBs. Touhill says that this creates the ideal environment for insider threats to flourish because when speed outpaces security, ‘trust is presumed, but it is misplaced.’ Staff are given broad access to critical company files and resources to streamline business functions, even if they don’t necessarily need it. Insider events become a matter of when, not if.
“While Touhill admits that ‘you’ll never get risk to zero,’ SMBs can reduce the rate of inside jobs by boosting cybersecurity across three key areas: people, processes and technology.” - Doug Bonderud, Avoid the Inside Job: How Small Businesses Can Boost Cybersecurity, BizTech; Twitter: @BizTechMagazine
5. Increasing use of IoT devices poses additional risks. “With the introduction of new technologies comes new opportunities for criminals to steal data. Cloud computing and the Internet of Things (IoT) are two clear examples of this, as small businesses jump to integrate new technology without considering the vulnerabilities. Many IoT devices, including WiFi-enabled coffee machines and smartwatches, have weak security settings which can be taken advantage of by criminals to access the main network at any business.
“Ways to prevent IoT devices from providing access to the main network include ensuring workers use a separate network for their personal devices so these devices don’t provide access to sensitive data. Cloud insecurity can be managed by ensuring that staff understand safe sharing protocols and responsibilities.” - Damon Culbert, Small business cyber security tips, Inside Small Business; Twitter: @insidesmallbus
6. Once breached, organizations face high costs that can last well beyond the initial breach. “The cost of a cyber breach is enough that a single event can lead to an SMB filing for bankruptcy within a year.
“According to the 2018 Cisco ‘Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats’ report, the cost of a cyber breach for SMBs is significant.
“Meanwhile, the 2018 Ponemon Cost of a Data Breach report notes that the longer it takes to locate and respond to a data breach, the more it costs.
“While the cost of a cyber breach can lead to financial strain, a proactive cybersecurity program with continuous monitoring can help detect and contain a breach which leads to a significant cost savings.” - Karen Walsh, What is the Cost of a Data Breach?, Zeguro; Twitter: @Zeguroinc
7. Many small businesses make the mistake of thinking they’re too small to be a target. “We often assume that hackers are primarily interested in infiltrating large organizations as the payoff is enormous. And it makes sense. A rational person would invest their time and energy in the thing that will give them the highest return. It doesn’t necessarily work that way when it comes to IT security though.
“Large corporations have an army of IT security experts at their disposal backed by deep pockets. They can invest in sophisticated security systems. Since penetrating such systems is difficult and time-consuming, many hackers opt to shift their focus to small and medium-sized businesses (SMBs) instead because they expect to run into much less resistance.
“In any case, even small businesses today handle substantial volumes of confidential information including payment and bank data for thousands of customers. Therefore, companies no matter how small should see themselves as a legitimate IT security target and take appropriate, reasonable measures to protect their systems and data accordingly.” - Stephen M.W., 7 of the Worst Small Business Cybersecurity Mistakes, TechGenix; Twitter: @TechGenix
8. Many midmarket businesses experience hours of downtime due to a security breach, which impacts revenue. “Cisco’s 2018 Security Capabilities Benchmark Study shows that 40% of midmarket companies with 250-499 employees ‘experienced eight hours or more of system downtime due to a severe security breach in the past year.’” - 15 Small Business Cyber Security Statistics That You Need to Know, The SSL Store; Twitter: @hashed_out
9. Around 60% of SMBs forced to suspend operations after a cyberattack never reopen. “A cyber attack can put you out of business because the cost of cleaning up after a breach can be considerable. In fact, according to Malwarebytes, a global provider of malware prevention and remediation solutions, ransomware attacks caused nearly a quarter of small and medium-sized businesses hit by them in 2017 to completely halt operations. Recent statistics show that around 60% of SMBs forced to suspend operations after a cyber attack never reopen for business. The lost revenue due to downtime, the cash spent attempting to remediate the breach and the reputational damage can really add up.” - Ivy Walker, Cybercriminals Have Your Business In Their Crosshairs And Your Employees Are In Cahoots With Them., Forbes; Twitter: @Forbes
10. Cybercrime costs small and midsize businesses more than $2.2 million per year. “To broadly understand just how much cyber attacks cost businesses, consider that cybercrime costs small and medium businesses more than $2.2 million a year. These costs can come from various mishaps that occur in the wake of a cyber attack or vulnerability—not the least of which is downtime.” - Maddie Shepherd, 30 Surprising Small Business Cyber Security Statistics (2019), Fundera; Twitter: @fundera
11. Courts will uphold data protection laws like GDPR and CCPA regardless of business resources, putting responsibility firmly in business leaders’ hands. “A millennial that woke up this morning in any major city in the United States could have visited a gym that registers its clients for classes through a mobile app, then met with friends afterward at a coffee shop, paying with a loyalty app -- and, because of the low-latency tech in modern 5G, already shared a wealth of revealing and sensitive info with the retailers. If Equifax and Marriott can be easily targeted and infiltrated by standard hacker playbooks, believe that your gym and neighborhood coffee chain can, too.
“Because of this environment, and the speed of regulation matched only by the size of data ingestion, the risks of poor data management for small businesses are too numerous to list.
“The GDPR sparked a global conversation around data security, and I believe the CCPA will do wonders for getting data protection in front of customers through the news headlines it is likely to create. But make no mistake: The majority of small to midsized businesses are unprepared for the regulatory wave that is about to crash on their shores, not to mention the financial damage that could come from a data breach.
“The same technologies you depend on to help your business grow (the internet of things, the cloud, web apps, etc.) are already subjecting you to new kinds of security threats; hence, data’s double edge.” - Dan Smith, Data's Double Edge, and How SMBs Can Take An Integrated Approach To Cybersecurity, Zeguro; Twitter: @Zeguroinc
12. 95% of credit card breaches happen at SMBs. “Visa reports that 95 percent of credit card breaches happen at SMBs, as thieves use systems hacks, malware, and even ransomware to drain business and customer money. In 2018, infected email delivered over 90 percent of all malware attacks. Your IT security should address each of these types of threats.” - Everything You Should Know About Cybersecurity for Small Businesses, TechWerxe; Twitter: @TechWerxe
13. More than half of data breaches take months (or even longer) to discover. “More than half (56%) of data breaches took months or longer to discover. Having the right data breach prevention and detection mechanisms in place is critical for successfully stopping and recovering from these types of incidents. Small businesses can’t afford to let these incidents go undetected. As we’ve noted before, sometimes they don’t recover at all.” - Ed Jennings, More Than Half of All Breaches are on SMBs, Mimecast; Twitter: @Mimecast
14. Take inventory. “Do the leaders of an SMB genuinely understand not just their business operations and products or services, but also the critical resources they need to support them? This step should involve discussions with key stakeholders and business unit leaders to document vital resources and the types of data the business creates, processes and shares with its partners.
“Answers to these questions will provide an SMB insight into the data types they have, who they share data with, and any compliance requirements the SMB must meet if they have a data breach.
“All of this information should be used by the company’s internal security team for risk management or a third-party managed service provider (MSP) or managed security service provider (MSSP) to provide risk mitigation services tailored to the SMB’s specific needs.” - Gary Hayslip, 5 simple steps for SMBs to ensure cyber resiliency, CSO; Twitter: @CSOonline
15. Conduct a security assessment. “Even if you have some basic security measures in place, like a firewall and anti-virus, it’s important to understand where your security gaps are. Perform an internal and external security assessment to determine where your vulnerabilities lie and determine what remediation and other safeguards should be in place but are not. This can include implementing stronger security policies, segmentation of confidential or sensitive information on the network, data backup procedures, etc.” - 10 Cybersecurity Tips for Small to Mid-sized Organizations, Advanced Network Systems; Twitter: @GetAdvancedVA
16. Security is a mindset. “The best software for cybersecurity is a company-wide mindset. Everyone should be vigilant, and conscious of security threats and the value of the company’s data and assets. This mindset is expansive and includes being careful when sharing on social networks, as well as when disclosing sensitive information through email or the phone.” - Erik Day, 7 essential cyber security tips all small business owners should know, Medium
17. Identify your most sensitive information. “Kelvin Coleman, executive director of the National Cyber Security Alliance (NCSA), says SMBs should start by identifying the assets and systems that are critical to the company's success. These so-called crown jewels, such as sales data and customer and vendor lists, are crucial for businesses to operate – and they're a high-value target for hackers. Coleman suggests SMBs create a detailed inventory list of their companies' data and physical assets and update it regularly. For all hardware and software assets, record the manufacturer, make, model, serial number, and support information.” - Steve Zurier, 7 SMB Security Tips That Will Keep Your Company Safe, Dark Reading; Twitter: @DarkReading
18. Enable two-factor authentication. “No matter what advice you follow, the best thing for your business in terms of cybersecurity is two-factor (a.k.a. multi-factor, two-step or 2FA) authentication enabled.
“You might be familiar with the concept of two-factor authentication already. Online banking typically requires you to enter a six-digit code from your mobile phone to confirm a new payee or a bank transfer. This practice is a strong security measure banks rely on to keep the accounts secure. According to proponents, two-factor authentication reduces the incidence of identity theft and online fraud.
“Conversely, 2FA can protect your favorite services as well. Business email providers (Office 365, G Suite), cloud drives (Dropbox, OneDrive, Box), accounting software (Quickbooks, Xero) and many others already support two-factor authentication out of the box.” - Gabor, 3 Cyber Security Tips for Small Business Owners, Security Boulevard; Twitter: @securityblvd
19. Limit access to sensitive information. “Layered security can help to keep the most sensitive data safe even if your system suffers a breach. This means limiting access to certain types of information and adding levels of protection such as additional passwords, encryption, and so on.” - 6 Important Cyber Security Tips for Small Business Owners, The AME Group; Twitter: @theamegroup
20. Put a mobile device security plan in place. “Require your employees to report lost or stolen devices, use password protection, and install security apps. Mobile devices could be especially vulnerable if they are used on public networks.” - 12 Cyber Security Tips for Small and Midsize Businesses, CyberReef Solutions; Twitter: @CyberReef
21. Keep your machines clean. “Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.” - Angela Nadeau, 8 Cybersecurity Tips for Your Small Business, Small Business Trends; Twitter: @smallbiztrends
22. Use a VPN. “Another best practice to follow — both for small businesses and large corporations — is the use of a virtual private network (VPN).
“A VPN is a secure channel or network used to promote private, protected internet access. This encrypted tunnel secures your data and interactions online, making it impossible for hackers to decode and gain access.
“As BestVPN.com President, Peter Zaborszky, explains, ‘Once they [hackers] get hold of your personal information, they stand to make money by selling your personal information such as passwords, bank account numbers, and any other personal information you may harbor in your device. A more dedicated hacker may decide to use your personal information to gain access to your client’s network, damaging your reputation.’
“Everyone should use a VPN. This way, you have less to worry about when it comes to external threats because no one can trace it back to you.” - Matt Shealy, 5 Small Business Cyber Security Tips from the Experts, Small Biz Technology
23. Adopt the principle of least privilege. “It’s important to remember that cybersecurity doesn’t only involve defending your system against external threats – you also need to think about internal threats. Indeed, about 1 in 4 data breaches involves internal actors, according to figures collated by Verizon.
“One of the most effective ways to manage internal threats is to adopt the principle of least privilege, which essentially means that all users should only have the bare minimum permissions they need to get their work done. This minimizes the data that individual employees can access and reduces the risk of sensitive data falling into the wrong hands.” - Jareth, 9 essential cybersecurity tips to protect your small business, Emsisoft; Twitter: @emsisoft
24. Limit the number of password attempts. “A hacker will try all of the passwords randomly till they successfully open up your account. It means that your account is not safe even with a 6-digit PIN creating a million unique possibilities.
“Remember, a password cracking software can guess your password in minutes. So, you must limit the number of attempts at all stages of your authentication process.” - Ahmad Hamidi, 10 Important Cyber Security Tips For Small Business Owners, Information Security Buzz; Twitter: @Info_Sec_Buzz
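To show what "limit the number of attempts" looks like in a login service, here is an added example from this editor (not code from the quoted author): a per-account failure counter with a lockout that doubles after each successive lockout, plus a rough estimate of what that does to the million-possibility PIN the quote mentions. Thresholds and durations are assumed values, and the injectable clock exists so the behaviour can be tested without waiting.

```python
import time
from typing import Callable, Dict


class LoginAttemptLimiter:
    """Counts failed logins per account and, once a threshold is hit, locks the
    account for a period that doubles with each successive lockout (capped).
    State is in memory for illustration; a real service keeps it in a store
    shared by every login server so the limit cannot be dodged by spreading
    guesses across servers."""

    def __init__(self, max_failures: int = 5, base_lockout: float = 60.0,
                 max_lockout: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._failures: Dict[str, int] = {}      # failures since last lockout
        self._lockouts: Dict[str, int] = {}      # lockouts since last success
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def seconds_remaining(self, account: str) -> float:
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account: str) -> None:
        n = self._failures.get(account, 0) + 1
        if n < self.max_failures:
            self._failures[account] = n
            return
        k = self._lockouts.get(account, 0)
        duration = min(self.base_lockout * 2 ** k, self.max_lockout)
        self._locked_until[account] = self.clock() + duration
        self._lockouts[account] = k + 1
        self._failures[account] = 0

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._lockouts.pop(account, None)
        self._locked_until.pop(account, None)

    def attempt(self, account: str, password: str,
                check: Callable[[str, str], bool]) -> bool:
        """Gate a login: refuse outright while locked (without even running the
        password check), otherwise run it and update the counters."""
        if self.is_locked(account):
            return False
        if check(account, password):
            self.record_success(account)
            return True
        self.record_failure(account)
        return False

    def worst_case_seconds(self, keyspace: int) -> float:
        """Approximate time an online attacker needs to try every value in a
        keyspace once the backoff has reached max_lockout: they get only
        max_failures guesses per lockout."""
        return keyspace / self.max_failures * self.max_lockout
```

With the defaults (5 guesses, lockouts capped at an hour), exhausting a six-digit PIN online takes on the order of 720,000,000 seconds, which is why attackers prefer to steal the password database and crack it offline instead. One caveat: a hard per-account lockout lets anyone lock a victim out by guessing wrong on purpose, so pair it with per-source rate limits and consider throttling rather than locking the accounts your business cannot afford to lose access to.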
25. Don’t collect unnecessary sensitive information. “Here’s a foundational principle to inform your initial decision-making: No one can steal what you don’t have. When does your company ask people for sensitive information? Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That’s the lesson to learn from a number of FTC cases. For example, the FTC’s complaint against RockYou charged that the company collected lots of information during the site registration process, including the user’s email address and email password. By collecting email passwords – not something the business needed – and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.” - Start with Security: A Guide for Business, Federal Trade Commission; Twitter: @FTC
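The RockYou complaint faults two things: collecting passwords the business did not need, and storing them in clear text. Not collecting is the first fix; for the credentials a business does have to keep, here is an added example from this editor (not from the FTC guidance or the original page) showing the clear-text pattern beside the corrected one, a random per-user salt and a deliberately slow salted hash compared in constant time. The iteration count and the dummy record used to hide whether a username exists are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


# Vulnerable pattern: the stored value *is* the password. One database dump
# gives the attacker every account, plus every other site where the user
# reused that password (the e-mail-account risk the FTC describes).
class ClearTextStore:
    def __init__(self) -> None:
        self._rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._rows[user] = password

    def login(self, user: str, password: str) -> bool:
        return self._rows.get(user) == password


# Hardened pattern: store a random per-user salt plus a slow, salted hash;
# the password itself is never written anywhere.
SALT_LEN, KEY_LEN = 16, 32
ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LEN)
    return salt + key


def check_password(password: str, stored: bytes) -> bool:
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, key)  # constant-time comparison


class HashedStore:
    def __init__(self) -> None:
        self._rows: Dict[str, bytes] = {}
        # Assumed: a fixed dummy record so unknown users cost the same time.
        self._dummy = hash_password("not-a-real-password")

    def register(self, user: str, password: str) -> None:
        self._rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        stored = self._rows.get(user)
        if stored is None:
            check_password(password, self._dummy)  # same cost, no username oracle
            return False
        return check_password(password, stored)

    def leaked_row(self, user: str) -> bytes:
        """What an attacker sees in a dump of this store: salt + derived key."""
        return self._rows[user]
```

PBKDF2 is used here because it ships with the Python standard library; where a memory-hard function is available (scrypt, Argon2id) prefer it, since it blunts GPU cracking of a leaked table far more than extra PBKDF2 iterations do.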
26. Keep your software up to date. “Keeping your software up to date can make sure that your website has the latest updated software which comes with hotfixes for loopholes found in earlier versions of the same software.
“As hackers evolve and their algorithms for penetration improve, they discover different online security holes in certain security measurements placed within software packages that could potentially lead to an attack. To combat this, companies keep improving their security and patch these holes.” - 11 Cyber Security Tips for Small Businesses, The Startup Magazine; Twitter: @thestartupmag
27. Focus on containment following a malware outbreak. “In the event that an organization observes a large-scale outbreak that may be reflective of a destructive malware attack, in accordance with Incident Response best practices, the immediate focus should be to contain the outbreak, and reduce the scope of additional systems which could be further impacted.” - Handling Destructive Malware, CISA; Twitter: @USCERT_gov
28. Rely on backups to recover data impacted by an attack, so you can wipe the affected devices. “Ransomware attacks have become increasingly common in recent years due to high-profile attacks such as WannaCry. This type of attack locks the user out of their data and, as the name suggests, demands a fee to return access. However, there is a risk that even if payments are made the data will have been corrupted or will not be returned at all.
“Thankfully, what could be a frightening situation can easily be rectified by recovering the data from backups and wiping the infected devices.
“Much like strong passwords, backups are something that have been encouraged for years but are not always implemented, giving threats like ransomware such potency.
“SMBs should ensure that all of their data is backed up and that the most sensitive data is secured, either remotely, on a local server or with a Cloud service. In many cases, this process can be automated, making it both secure and simple to manage.” - 4 IT Security Best Practices SMBs Need To Adopt Immediately, ByteStart; Twitter: @bytestart
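A backup only rescues you from ransomware if the copy is intact when you reach for it, and ransomware that can reach the backup volume will encrypt it too. The following added example from this editor (not code from the quoted source) copies a directory tree, records a SHA-256 manifest, and verifies the copy before anyone relies on it; the simulated "live" files are constructed sample data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy every file under `source` into `dest` and write a manifest of
    relative path -> SHA-256 so the copy can be checked later."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Return the relative paths that are missing or whose contents no longer
    match the manifest (for example, encrypted by ransomware that reached the
    backup). An empty list means the backup is safe to restore from."""
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def simulate() -> Dict[str, object]:
    """Constructed scenario: back up a small tree, verify it, then overwrite
    one backed-up file the way ransomware would and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "backup")
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        manifest = make_backup(src, dst)
        clean = verify_backup(dst)
        (dst / "accounts" / "ledger.csv").write_bytes(os.urandom(64))
        after = verify_backup(dst)
        return {"files": len(manifest), "clean": clean, "after": after}
```

Keep a copy of the manifest (or an HMAC of it under a key the backup host cannot read) somewhere the backup job cannot write, otherwise an attacker with write access to the backup simply rewrites the manifest to match; and run the verification, plus a real restore test, on a schedule rather than on the day you need it.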
29. Encrypt data on devices and drives. “Backing up is only safe if all of the backed up information is totally secure. The only way to stay safe is to install encryption on all devices and drives, and to encrypt emails that contain sensitive information.” - 10 SIMPLE Cyber Security Tips for Small Businesses, CMIT Solutions; Twitter: @CMITHartford
30. Always assume vulnerability. “No matter how safe you believe your information is, it’s always better to be cautious than to be overconfident. Each day, go about your work assuming you’re vulnerable and be on the lookout for anything suspicious. As we said before, hackers are constantly developing new ways to infiltrate security systems, so never assume that you’re 100% safe.” - 7 Cyber Security Tips for Your Business, Graffen; Twitter: @GraffenTech
31. Use strict controls over who has access to what information. “The truth is, staff can make mistakes. That’s why it’s important to train them up. Everyone who works for you should know about the business’s security programs and receive regular updates. It’s also worth reminding your staff of basic security measures like using passphrases instead of passwords.
“As a small business owner, you’re also more likely to allow your staff to use their own devices at work. This can be a great idea, but it’s important to have mobile security solutions and network access control (NAC) products in place. That way, they can safely access the company VPN and email from their own laptop or mobile – without putting your whole IT infrastructure at risk.
“It might be the last thing you expect, but you should also be aware of business espionage. It’s a touchy subject, but there are people who stand to gain a lot from your information. So to protect yourself from spies and insiders, you’ll need to control who can access what information.” - Nick Brogden, 8 simple cyber security tips for small business owners, Flying Solo; Twitter: @FlyingSoloAU
32. Limit who has access to sensitive data; it also makes root cause analysis easier after an attack. “A company should limit the number of employees that have access to sensitive data. The more people you give privileges to, the higher the chances of getting hacked.
“Accessibility should be on the most minimal terms: just enough for an employee to be able to do their job and nothing more. For example, an employee must only be allowed to install software that’s related to their scope of work. Other privileges should be blocked.
“User rights should be carefully monitored on a regular basis, and user access must be revoked as soon as an employee leaves the organization.
“Access rights must be supervised and changed when an employee changes roles within the company. This will help prevent important information from falling into the wrong hands.
“Moreover, in the case of an information breach, performing a root cause analysis will be easier if fewer people have access to the company’s data.”- Dave Nevogt, Avoid Disaster With These 8 Small Business Cyber Security Tips, Hubstaff; Twitter: @Hubstaff
33. Require multifactor authentication alongside strong passwords. (Note that current NIST guidance in SP 800-63B advises changing passwords when there is evidence of compromise rather than on a fixed schedule.) “Implementing passwords to protect computer networks is a ‘no-brainer’ but if you want to make the most of your password protection it’s important to observe more than the estranged number and letter sequences. Consider enforcing multifactor authentication that requires additional information besides a single password to gain entry. Prompt your systems to have these password requirements to change often. Keeping your data safe is what matters.” - 5 Tips to Improving Cyber Security for Business Owners, V-Soft Consulting; Twitter: @VSoftConsulting
34. Keep software patches up to date. “Patches are the updates that software manufacturers release on a regular basis to fix known system issues and protect against security vulnerabilities. Patch management refers to the process of making sure patches are tested, rolled out, installed and up-to-date on the technologies that need them. Keep devices up to date so hackers can’t exploit known security weaknesses. Just one machine without the latest patches creates an easy target and may put your entire network at risk.” - 7 Tips to Improve Your Small Business Cybersecurity, IEEE Innovation at Work; Twitter: @IEEELearn
35. Small business owners should be the administrator for all online services and sites. “I have learned the hard way that for ALL online services and for my company’s website, I – and only I – must be listed as the administrator. Sure, you trust your IT person, website designer, or your tech-savvy nephew, but things happen. If you’re not the administrator, one disgruntled techie can hold you – and your data – hostage. You don’t have to be a technological genius to be the administrator. Every small business owner should be listed as the administrator of every one of their online services and sites.” - Rhonda Abrams, Keep a safe and secure small business, in 8 easy steps, USA Today; Twitter: @USATODAY
36. Use authorization to control who has access to sensitive data and what they can do with it. “When authorization capabilities are built into security solutions, they allow administrators to restrict the scope of activity within their systems by giving specific access rights to groups or individuals for resources, data, or applications. By defining privileges, administrators can fine-tune the level of access granted to each individual. This allows administrators to strike a balance between providing individuals with the access rights necessary to do their jobs efficiently and ensuring that they mitigate the risks associated with a potential data breach. This not only increases the security of the physical system as a whole, but it also enhances the security of other systems connected to it.” - Mathieu Chevalier, Small and Mid-Size Businesses Need to Focus on Cybersecurity, Security Magazine; Twitter: @SecurityMag
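Tips 23, 32 and 36 all describe the same mechanism: permissions attached to roles, a deny-by-default check, access that changes when a role changes or an employee leaves, and a way to list who can reach a given data set. Here is one added example from this editor that covers all three (not code from any of the quoted sources). The roles, permissions and user names are assumed for a small company.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource class)

# Assumed role definitions: each role carries only the permissions its job
# needs (least privilege). "admin" is deliberately the only broad role.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "sales": frozenset({("read", "customer_list"), ("write", "customer_list")}),
    "support": frozenset({("read", "customer_list")}),
    "finance": frozenset({("read", "payroll"), ("write", "payroll")}),
    "admin": frozenset({("admin", "*")}),
}


@dataclass
class AccessControl:
    roles: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles

    def grant_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.roles.setdefault(user, set()).add(role)

    def change_role(self, user: str, new_role: str) -> None:
        """A role change replaces permissions rather than accumulating them,
        so nobody keeps access from a job they no longer do."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        self.roles[user] = {new_role}

    def offboard(self, user: str) -> None:
        """Revoke everything the moment someone leaves."""
        self.roles.pop(user, None)

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        """Deny by default: unknown users and unlisted actions get nothing."""
        for role in self.roles.get(user, ()):
            perms = ROLE_PERMISSIONS[role]
            if (action, resource) in perms or ("admin", "*") in perms:
                return True
        return False

    def who_can(self, action: str, resource: str) -> List[str]:
        """Access review: everyone able to perform `action` on `resource`.
        This is also the starting list for a root cause analysis when that
        data turns up somewhere it should not."""
        return sorted(u for u in self.roles if self.is_allowed(u, action, resource))
```

Run the access review regularly and after every role change; if who_can() for your crown-jewel data sets returns more names than you can justify, that is the list to trim.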
37. Protect data both at rest and in transit. “Network security is not just about having an anti-virus running on every desktop. It's all-inclusive. This means that any node on your network; wireless and wired, is protected. It also means that you have compliance rules that govern anything that is allowed to connect to your network. You must also have protective measures for data both at rest and in transit. This means protecting not just data on servers and user machines, but data that goes in and out of your network, with security methods like encryption. Finally, you've got to keep control of mobile devices on your network, too. We'll expand on these ideas in the tips that follow, but it's important to understand the big picture, too: you've got to start thinking about protecting all the layers of your network.” - SMB Security: Eight Tips to Protect Your Business Network, PC Magazine; Twitter: @PCMag
38. Take a risk-based approach to security. “The best approach is the right approach, and reverse engineering based on risk might be it. Too many companies put a lot of focus on compliance (checking off boxes), and they don’t realize that they are keeping their data unprotected. Instead, it’s best to do a risk assessment. You can identify your assets and liabilities, and look at your current security, and then figure out your threats.” - Robert Siciliano, Cybersecurity Best Practices for Protecting Your Company's Data, The Balance; Twitter: @thebalance
39. Run deep packet inspection on network traffic. (Inspecting TLS-encrypted traffic requires the firewall to intercept and re-sign connections with a CA certificate your endpoints trust; weigh that against the privacy impact and the applications it breaks.) “Start running Deep Packet Inspection on all traffic on your network, both encrypted and plain text. This protection is typically run on a firewall and will spot the network traffic of ransomware that’s trying to communicate with its host. Deep Packet Inspection will then kill the connection, stopping the damage.” - Ultimate Guide to Small Business Cybersecurity, Palmetto Technology Group; Twitter: @palmettotg
40. Don’t log in to devices for day-to-day activities under an administrative account. “Don't log in to your computer using an account with administrative privileges for day-to-day work and web browsing. Ever. An account with lesser privileges will notify you if a program tries to install software or modify your computer's settings, so you can actively decide whether it's safe before clicking. You can also use tiered administration or role-based access control to define permissions, to ensure users can only perform functions or access systems appropriate to their jobs.” - 10 Cyber Security Tips for Any Growing Business, Sungard Availability Services; Twitter: @SungardAS
41. Rely on experts. “As many as 60% of small businesses go out of business within six months of a cyberattack. While it might be frustrating or seem unnecessary to commit funds to safeguard against cybercrime, the payoff is worth it. Just imagine the financial impact on a manufacturing organization if production was to halt for even a short amount of time.
“It’s becoming increasingly common for organizations to take out cybersecurity insurance or invest in an SSL certificate, which can be used to secure credit card transactions and data transfers. If full-time cybersecurity staff are out of the question, it’s also sensible to hire a security consultant to review and revamp your cybersecurity policies and processes currently in place.” - 7 Key Cybersecurity Tips to Keep Your Small Business Safe, Thomas; Twitter: @Thomasnet
42. Install smartphone apps that allow remote location and wiping on employees’ devices. “An important security feature widely available on smartphones, either by default or as an app, is the ability to remotely locate and erase all of the data stored on your phone, even if the phone’s GPS is off. In the case that you misplace your phone, some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost. Visit CTIA for a full list of anti-theft protection apps.” - Smartphone Security Tips, The Polish National Credit Union; Twitter: @PnuCU
43. Be aware of all applicable laws and regulations. “Being security compliant means your IT infrastructure protocols follow prevailing local and international industry standards, as well as adhere to any laws that apply in your locality.
“Examples include adhering to local privacy and security of personal information laws if, for example, you record your customers’ personal and/or financial details. There are also global standards, such as the ISO/IEC 27000 family, that relate to the security of information management systems and are considered best practice.
“These standards are there to help organizations keep their information assets secure. Your business could be subject to fines or worse if you don’t act to adequately protect your data assets.” - 5-Step IT Security Compliance for SMBs, Net at Work; Twitter: @NetatWork_corp
44. Go on the offensive to control security and compliance from inside your business. “While most small and midsize businesses (SMBs) cannot afford to hire dedicated security personnel and lack expertise needed to implement reliable solutions, the courts will uphold security laws regardless, putting responsibility firmly in the business leaders’ hands.
“As the co-founder of a cybersecurity insurance company, my suggestion is to natively control and manage this aspect closely from inside your business. Go on the offensive with an integrated approach to cyber safety that addresses best practices through people, processes and technology, and make sure you are covered with proper insurance in the event of a breach.” - Dan Smith, Data's Double Edge, and How SMBs Can Take An Integrated Approach To Cybersecurity, Zeguro; Twitter: @Zeguroinc
45. Create a compliance team. “Even in small to mid-sized businesses, a compliance team is necessary. Cybersecurity does not exist in a vacuum. As organizations continue to move their business critical operations to the cloud, they need to create an interdepartmental workflow and communicate across business and IT departments.” - Karen Walsh, Cybersecurity Compliance 101, Zeguro; Twitter: @Zeguroinc
46. Focus on standards compliance and certification. “SMBs need to decide which security standards they will focus on, says Information Security Forum's Durbin. For example, if they plan on using credit cards, they will need to become PCI DSS certified. If they plan to do business in the European Union, they should spend time learning more about GDPR. It also may behoove SMBs to learn more about GDPR because it will help them if they wind up handling sensitive data of any California residents given that the California Consumer Privacy Act (CCPA) goes into effect Jan. 1, 2020.
“‘Once CCPA goes into effect, it will be the first time in the U.S. that companies will have to adhere to privacy requirements by law,’ Durbin says. ‘It will be interesting to see how it develops.’
“Along with California, Maine and Nevada have passed privacy laws, and many other states, including Massachusetts, Maryland, New York, and Texas, have privacy measures in progress.
“SMBs should also consult the NIST Cybersecurity Framework for guidance on standards.” - Steve Zurier, 7 SMB Security Tips That Will Keep Your Company Safe, Dark Reading; Twitter: @darkreading
47. Know what customer data you collect and store – and where. “The first step is to make a list of all the customer data you collect or have on file. That means things like names, physical addresses, email addresses, phone numbers, and billing information. Then list out where you store this information — whether it’s electronically or in a physical filing system. Make sure to be extremely comprehensive; you’ll want a full picture of everything you have access to and where it resides.” - Mallory A. Russell, Securing Your Customer Data: 9 Tips for Small Businesses, Square; Twitter: @Square
48. Implement security awareness training to boost compliance. “Regulations like Sarbanes-Oxley and PCI know that humans are the weakest link in information security. Security awareness training ensures full compliance with such regulations.” - Dan Virgillito, How Security Awareness Training Can Protect Small Businesses, Infosec Institute; Twitter: @InfosecEdu
49. If you handle customer cardholder data, your business must comply with PCI DSS. “Everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 basic requirements grouped in 6 categories for establishing and maintaining a reliable and secure payment processing environment. Partner with your acquirer to provide secure transactions for all customers using the PCI DSS. First, review the guidelines, and then check to see that you meet the related requirements.” - PCI Compliance helps keep you and your customers data safe, Visa; Twitter: @Visa
50. Use encryption to protect customers’ financial information. “Visa USA and MasterCard International Inc. require most businesses operating online to verify that they have taken a number of steps, including data encryption, to protect customers who use their credit cards. If you meet those requirements, your online operation is likely to be fairly secure.
“Complying with the letter of those standards can be challenging for small businesses, which generally don’t have the resources or the security expertise of larger operations. So it can be a good idea to outsource payment processing to a company like eBay Inc.’s PayPal unit. Ensuring compliance for in-house payment processing can cost at least twice as much as outsourcing.
“Encryption is also important for protecting a company’s internal information — personnel files, financial accounts and product information and other data. It can foil a hacker who has gotten into the company’s computer system but can’t decipher the information.” - How to Keep Your Online Business Information Secure — Some Basics, Wall Street Journal; Twitter: @WSJ
51. Continuous monitoring enables a strong compliance posture. “All compliance relies on the governance-risk-compliance triad (GRC). As companies scale, governance becomes more difficult in the information security area.
“A lawyer, for example, may start out alone with a single computer. Tracking notifications from her anti-malware is annoying but easy. As her business grows, she adds a paralegal. The lawyer and paralegal must respond to alerts on their individual computers. Again, annoying but not time-consuming. As that business scales, the attorney adds another attorney and an administrative assistant.
“The number of client files increases. The small business quadruples in employee size. Four employees means four computers and four mobile phones, possibly four tablets, within the physical office. Most likely, the attorney now uses a cloud storage solution since the number of files and users requires additional data access. If employees work at home, the firm increases the number of data access locations even further.
“Protecting the information, devices, and access points can become burdensome for the individuals. They start to ignore notifications, and the data protections lag. A breach occurs. The firm's reputation and finances suffer.
“Governance over the information security for this seemingly reasonable data environment failed. Continuous monitoring became impossible because the firm trusted people to update devices and secure data but had no ability to verify.
“Continuous monitoring of vulnerabilities provides better governance over your security that protects your data, business, and customers.” - Karen Walsh, For Cyber Security, Use “Security-First” to Approach Compliance, Zeguro; Twitter: @Zeguroinc
52. Isolate payment systems. “Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.” - Cybersecurity for Small Business, NY SBDC; Twitter: @nysbdc
53. Keep up with annual PCI compliance requirements. “To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) annually.” - PCI Compliance Requirements for Small Businesses, PaySimple; Twitter: @PaySimple
54. Know your level of compliance. “If you’re a merchant or service provider in the Level 2, 3, or 4 category, then you’ll most likely be able to self-assess against any number of the PCI DSS Self-Assessment Questionnaires (SAQ). While self-assessing is generally easier, less expensive, and less time-consuming than an official Level 1 onsite assessment, they still can take time and be operationally challenging. Don’t let the phrase ‘self-assess’ fool you into thinking the process is quick and easy – for most it may be – but for some, it can be incredibly challenging. You need help if you’re an organization that’s not too sure where to start, how to start, what to look for etc. Hopefully, you fall into a Level 2, 3, or 4, and hopefully you can make it through the entire PCI DSS SAQ process without needing much help.” - PCI Compliance for a Small Business – What you Need to know, PCI Policy Portal
55. Never store cardholder data in any manner. “You must not store any cardholder data in any way. This includes everything from storing it on a computer to jotting down a credit card number on a scrap of paper. If your credit card terminal and PIN pad are PCI-compliant, they are programmed to make sure you remain compliant with this requirement automatically.” - Yamarie Grullon, What is PCI Compliance? A Small Business Guide, ShopKeep; Twitter: @ShopKeep
56. Recognize other systems within the scope of compliance. “Understand the boundaries of the cardholder data environment and all the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people who store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.” - Sue Marquette Poremba, Accepting Credit Cards? PCI Compliance a Concern for Small Businesses, Business News Daily; Twitter: @BNDarticles
57. Compliance is an ongoing process. “PCI DSS compliance is a continuous process, not a snapshot in time. Passing an assessment does not ensure you will remain compliant. Developing an understanding of the industry, the terminology used, the flow of payment card data on your systems and networks, and the processes required for compliance are all essential bits of knowledge that will enable you to manage a compliance program effectively.” - Julia Dutton, Eight tips for SMEs to improve PCI DSS compliance, IT Governance; Twitter: @ITGovernance
58. Keep an eye on regulatory news, particularly related to the recently introduced GDPR legislation. “Now that the Regulation is in full swing, there will be more cases of regulatory breaches and assessments of the way organizations fell short of their compliance requirements. By learning from others’ mistakes, managers can get a better handle on the way the Regulation is interpreted and adapt their processes accordingly.” - Luke Irwin, 3 GDPR compliance tips for small businesses, IT Governance; Twitter: @ITGovernance
59. Know if GDPR applies to your business. “The European Data Protection Board has stressed that the person’s nationality and status are irrelevant. If the person was physically present in the EU when their personal data was collected or tracked, GDPR applies. It doesn’t matter if the person is an EU citizen, an EU resident or simply a tourist.
“More importantly, a business doesn’t have to be physically present in the EU for GDPR to apply. If people can access your website from the EU, that’s enough. You’ll have to comply with GDPR’s requirements.” - GDPR compliance and small business, Microsoft; Twitter: @microsoft365
60. Review your security measures and policies to ensure compliance. “Look hard at your security measures and policies. You need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.” - Jessie Day, GDPR for small businesses, Simply Business; Twitter: @simplybusiness
61. If you have fewer than 250 employees, you may not be required to keep certain processing records under GDPR if your activities meet certain criteria. “GDPR requirements apply to all businesses large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless it’s a regular activity, concerns sensitive information or the data could threaten individuals’ rights.
“As most businesses hold some form of personal information about customers – from email and postal address through to health and financial details – it’s essential that your business is GDPR compliant, no matter your company size. Serious breaches of GDPR regulations carry a steep fine of up to 4% of the turnover of your business or €20m – whichever is higher.” - GDPR compliance checklist for small businesses, Start Up Loans; Twitter: @StartUpLoansUK
62. Audit your data. “Auditing the data your business holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
“Key questions to answer include locating where your data is stored; why certain kinds of personal data are being processed; what is the legal basis for processing; how long it is retained; who has access currently to personal data and who should have access moving forward; are the appropriate technical and organizational controls in place and how much duplication of customer personal data exists across multiple sites.
“All these areas need to be addressed before you can decide on the best course of action for your business. This first step in creating a holistic view of where all the different types of your customer data is residing is a critical one. If you don’t know what personal data you hold, you can’t make any plans around that data.
“DPIAs, or Data Protection Impact Assessments, may need to be carried out by businesses before new processing starts to ensure that data protection by default and by design, a key GDPR concept, is in place and to examine any risks to data subjects around any new data processing. Most European Data commissioners give guidance on their websites around DPIAs and when they should be carried out.” - GDPR for Small Businesses: A Beginner’s Guide, Compliance Junction; Twitter: @ComplianceJunct
63. Be transparent about the collection and use of customer data. “At its core, GDPR is all about transparency -- and well, giving EU citizens control of their data. So if a small business doesn't already have transparency etched into its DNA, it's time for it to resequence its genes.
“Now, all companies need to clearly display exactly why they're collecting personally identifiable information (PII), and all the ways this data is being used. This needs to be in the most accessible language possible -- that is, no lawyer gibberish allowed. This is full disclosure. What data is collected? How is this done? How is it used? Is it provided to any third party? This information should be laid out neatly on the company website, but also be provided during the onboarding process in an application, or as each new piece of information is collected.
“And if a small business is collecting information, it's also necessary to give users the chance to opt in, or out. This GDPR website writes: ‘Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.’” - Pavol Magic, How Small Businesses Can Survive in the Age of GDPR, Entrepreneur; Twitter: @Entrepreneur
64. Businesses must detect, report, and investigate any breach of personal data discovered. “Your company is obliged to detect, report, and investigate any personal data breaches you find. If a breach is likely to result in a high risk of crimes such as identity theft, you will also have to notify those affected directly.” - 5 Tips for Becoming GDPR Compliant, Small Business BC; Twitter: @SmallBusinessBC
65. Use layered security. “Security experts recommend using many different tools and techniques. A great first layer you can add is anti-virus and anti-malware. Consider adding a well-configured firewall. Restrict access to your data only to people you trust. Keep your software and patches up-to-date. You also want to physically secure your data and regularly backup all your data. Ideally, you want to put an automated backup and recovery strategy in place.” - Anthony Sills, Protect Your Business from a Data Security Breach, Business Know How; Twitter: @ProfessionalPen
66. Take advantage of cloud security. “By keeping your data on a local server, you can ensure redundancy and maintain full control over your information. Also, you'll have complete control over the security features of your network. However, cybersecurity is a full-time job.
“By leveraging cloud services, you can take advantage of built-in security protections. Moreover, cloud service providers are specifically in the business of securing and protecting client data. A reputable company will keep your data safe by ensuring redundancy and complying with the latest cybersecurity best practices.” - Ryan Ayers, 5 Tips and Tricks to Boost Small Business Security, Business.com; Twitter: @businessdotcom
67. Use a firewall. “Let’s be honest. When you are surfing the internet can you tell whether that picture you click on takes you to a local news site or a web site in China? That’s ok, because the firewall can. So even if you click the bad link, the firewall can block that traffic from going out or coming in.” - Cybersecurity Tips for SMBs: Part II (Firewall Solutions), BoostIT
68. Use automatic backups. “A backup is a digital copy of your business’ most important information, e.g., customer details, sales figures. This can be to an external, disconnected hard drive, e.g., USB or to the Cloud.
“An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention.
“Safely disconnecting and removing your backup storage device after each backup will ensure it is also not impacted during a cyber incident.” - Small Business Cyber Security Guide, Australian Cyber Security Centre; Twitter: @CyberGovAU
69. If your organization has a website or web application, you should regularly scan it for vulnerabilities. “Malicious users can easily take advantage of web vulnerabilities to steal data, jeopardize user identities, access confidential files or information, spam the site, inject codes, or even take over the server.
“Websites are attacked thousands of times per year; in fact, half of all website visitors are bots. If these attacks are successful, the damage they can inflict on a company’s reputation and financial standing can be massive. So, for every company maintaining a website or web application, understanding and preventing website vulnerabilities is critical.
“Periodic web vulnerability testing will enable you to repair your security weaknesses before cyber attackers get the chance to exploit them.” - Ellen Zhang, What is a Website Vulnerability Scanner and Why Should You Use One?, Zeguro; Twitter: @Zeguroinc
70. Conduct regular risk assessments. “Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.” - Questions Every CEO Should Ask About Cyber Risks, CISA; Twitter: @USCERT_gov
71. Apply technologies, policies, and procedures consistently. “A chain is only as strong as its weakest link, so SMBs must work to apply security technologies, policies, and procedures consistently. This requires regular baselining and assessments of on-premises and cloud environments, then ensuring that policies and procedures are consistently applied and maintained over time. Configuration and compliance monitoring enables this, and provides assurances on the company's state of readiness.” - Greg Jensen, The Top 6 Tech Security Tips for SMBs, Oracle; Twitter: @Oracle
72. Use network segmentation. “It is a standard best practice to segment networks and split them into subnetworks. Not only will this improve security, it can also improve performance. By preventing access between segments, if one part of the network is compromised, an attacker will not have access to all systems and data. Also make sure you limit access to sensitive data and restrict the use of admin credentials. Apply the rule of least privilege. Do not give employees access to data, networks, and software that they do not need for day-to-day work duties.” - 10 Cybersecurity Tips for Small Businesses, WebTitan; Twitter: @TitanHQ
73. Install anti-malware software. “It’s easy to assume that your employees know to never open phishing emails. However, the Verizon 2016 Data Breach Investigations Report found that 30 percent of employees opened phishing emails, a 7 percent increase from 2015. Since phishing attacks involve installing malware on the employee’s computer when the link is clicked, it’s essential to have anti-malware software installed on all devices and the network. Since phishing attacks often target specific SMB employee roles, use the position-specific tactics outlined in the Entrepreneur.com article ‘5 Types of Employees Often Targeted by Phishing Attacks’ as part of your training.” - Chelsea Segal, 8 Cyber Security Best Practices For Your Small To Medium-Size Business, Cox BLUE; Twitter: @coxbusiness
74. Choose a cybersecurity company that can grow with your business. “Your business will likely grow, and you need a cybersecurity company that can grow with you. Focus on companies that offer full suites of security choices, including those you may need in the future. Small business owners have always had long to-do lists, but now, cybersecurity is at the top of the list. Fortunately, there are steps you can take to protect your small business, and the right cybersecurity company can help mitigate your risks.” - Small Business Cyber Security Tips: Understanding the Basics, Kaspersky; Twitter: @Kaspersky
75. Protect every computer with antivirus and antispyware software. “Every computer terminal at your business is a potential gateway into cybercrime. If you don’t have every computer protected, it’s a bit like having none of them protected. Invest in business-grade antivirus software so you can add that software to each workstation.” - Dan Kenitz, Top Cyber Security Tips for Small Business Owners, Grasshopper; Twitter: @Grasshopper
76. Weigh password management software carefully. “There’s software out there that will create tough passwords, and remember them for you. If that feels like an interesting solution to the password problem, keep in mind that this could be akin to putting all your eggs in one basket. I am reminded of the LastPass episode from June 2015 where millions of passwords were probably compromised as hackers gained access to this password management software. The tip here is that you need to think hard before handing over your passwords to an online password management service.” - Ajeet Khurana, Top 20 Cyber Security Tips for Small Businesses, MasterCard Biz; Twitter: @MasterCardNews
77. Monitor for threats in real-time. “In addition to compliance, SMBs need to monitor and orchestrate real-time threats and remediate. With the influx of events that need to be processed and analyzed, too many attacks are missed. And for SMBs with limited IT resources, there are too many incidents to react to. Today’s new generation of security monitoring utilizes machine learning and advanced analytics to automatically discover hidden attacks, and provide automated remediation mechanisms that are easy for a small business to manage.” - Greg Jensen, The Top 6 Tech Security Tips for SMBs, Oracle; Twitter: @Oracle
78. Use email encryption. “Email encryption helps to protect personal information from hackers by only permitting certain users to access and read your emails. There are several methods of email encryption depending on the level of security—and convenience—you require. For example, you could download or purchase extra software that will plug in to your current email client. Or, you could install an email certificate like PGP (Pretty Good Privacy), which allows your employees to share a public key with anyone who wants to send them an email and use a private key to decrypt any emails they receive. Another simple solution is to use a third-party encrypted email service.” - The small business guide to secure email, Microsoft; Twitter: @Microsoft365
79. Secure all network endpoints. “It's vitally important to cover your network endpoints. What's an endpoint? Any single thing that can attach to your network, whether it's a server or a USB drive. Pay particular attention to those small portable devices like USB and external hard drives. They can be carriers of threats, sneaking them into and out of your business' network. For years, network security admins considered networks as closed, unified entities, and designed their defensive strategies accordingly. With the proliferation of portable devices, you've got to consider your network as an expandable, mobile one. That's why endpoint security is crucial. Patching endpoints, performing vulnerability assessments, remediation, and enforcing corporate compliance are all part of effective endpoint security.” - SMB Security: Eight Tips to Protect Your Business Network, PC Magazine; Twitter: @PCMag
80. Consider managed IT services. “One of the easiest ways to improve your cybersecurity is to outsource it to experts who know how to protect your systems. Today, many companies offer managed IT services that are designed with data security in mind, and these cover all aspects of business operations.
“It’s also worth reviewing the services that you already outsource, in order to make sure that your business partners are taking cybersecurity as seriously as you are.” - 5 Critical Cybersecurity Tips for SMBs in 2019, CloudBerry Lab; Twitter: @msp360
81. Safeguard your Wi-Fi network. “Your company's WiFi network can act as a point of entry for cybercriminals. However, there are steps you can take to secure your Internet connection. First of all, ensure you’re using a firewall and that all your data that passes through the network is encrypted.
“Password-protect the router, and only allow access to employees. Consider hiding your network so others can’t try to access it, which you can do by setting up your router so it doesn’t broadcast your network name.” - TheBest VPN, 5 Basic Network Security Tips for Small Businesses, Network Computing; Twitter: @NetworkComputin
82. Consider cyber insurance. “Demand for cyber-security insurance is growing. Coverage can mitigate losses from a variety of incidents including data breaches, business interruption, and network damage. According to the Department of Homeland Security, a robust cyber-security insurance market could help reduce the number of successful cyber-attacks by: promoting the adoption of preventative measures in return for more coverage; encouraging the implementation of best practices by basing premiums on an insured company’s level of self-protection.” - John Christianson, Ten Cyber-Security Tips for Business Leaders, Highland; Twitter: @highlandprivate
83. Use a password generator to create ultra-strong passwords. “One of the tenets of cybersecurity is strong passwords for all your accounts and services. These days, even passwords based on your pet's name or your spouse's name and birthday come with risks. Random passwords are the way to go. Random.org features a random password generator that automatically creates strong, alphanumeric, case-sensitive passwords up to 24 characters long. Combine results or add your own touch for a super-secure password. You no longer have an excuse to use ‘password,’ ‘12345,’ or other ridiculously easy-to-guess passwords.” - Andreas Rivera, 14 Security Solutions for Small Business, Business News Daily; Twitter: @BNDarticles
84. Use a network perimeter firewall with logging. “The security tool most recommended for small businesses is a perimeter firewall.
“In its simplest form, a network firewall scans network packets and allows or blocks them based on rules defined by the administrator. Two well-known types are stateless and stateful firewalls.
“Stateless firewalls scan packet headers and compare their static values against a set of rules.
“For example, the administrator can set a rule to block inbound network packets to TCP and UDP port 3389 (remote desktop protocol). Then all inbound packets with headers listing port 3389 as a destination will be blocked.
“Stateful firewalls scan packet headers and also monitor the state of each connection – i.e., the stage of communication between the two end points. The packet headers and states are checked against a set of rules to determine if they’re allowed.
“For example, the stateful firewall tracks details about each connection in a state table. Any inbound packets not following expected behavior – such as by listing an unexpected destination IP – are blocked.
“Logging is an important feature for network firewalls – allowing the administrator to monitor current and past firewall activity for malicious behavior.” - Top 10 Cyber Security Tools for Small Businesses, Calyptix; Twitter: @Calyptix
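The stateless rule, the stateful state table and the logging described in tip 84, worked through as a small simulation. This is an added illustration, not code from Calyptix or any firewall product; the hosts, ports and packets are constructed using RFC 5737 documentation addresses, and the "unexpected destination IP" case shows where the stateless and stateful decisions diverge.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
INSIDE_HOST = "203.0.113.10"
WEB_SERVER = "198.51.100.80"
SCANNER = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (from the LAN)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str              # "block" or "allow"
    direction: str           # which direction the rule applies to
    protos: Tuple[str, ...]  # protocols it matches
    dst_port: int            # destination port it matches


def describe(pkt: Packet) -> str:
    return f"{pkt.direction} {pkt.proto} {pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port}"


class StatelessFirewall:
    """Compares static header fields against rules; first match wins, default allow."""

    def __init__(self, rules: List[Rule], log: List[str]):
        self.rules = rules
        self.log = log  # shared log list, so the administrator can review decisions

    def filter(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if (pkt.direction == rule.direction and pkt.proto in rule.protos
                    and pkt.dst_port == rule.dst_port):
                self.log.append(f"{rule.action.upper()} {describe(pkt)} (rule dst_port={rule.dst_port})")
                return rule.action == "allow"
        return True  # no rule matched; a stateless filter has nothing else to go on


class StatefulFirewall:
    """Applies the static rules, then a state table: inbound packets are accepted
    only when they are replies to a connection an inside host opened."""

    def __init__(self, rules: List[Rule], log: List[str]):
        self.stateless = StatelessFirewall(rules, log)
        self.log = log
        # (proto, inside ip, inside port, outside ip, outside port) -> connection state
        self.state: Dict[tuple, str] = {}

    def filter(self, pkt: Packet) -> bool:
        if not self.stateless.filter(pkt):
            return False
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = "ESTABLISHED"
            self.log.append(f"ALLOW {describe(pkt)} (new state entry)")
            return True
        # Inbound: must be the exact reverse of an entry the inside host created.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            self.log.append(f"ALLOW {describe(pkt)} (matches state)")
            return True
        self.log.append(f"BLOCK {describe(pkt)} (no matching connection)")
        return False


# The rule from the text: block inbound TCP and UDP packets to port 3389 (RDP).
RULES = [Rule("block", "in", ("tcp", "udp"), 3389)]

# Constructed traffic sample.
TRAFFIC = [
    Packet("in", "tcp", SCANNER, 40001, INSIDE_HOST, 3389),       # RDP probe
    Packet("in", "udp", SCANNER, 40002, INSIDE_HOST, 3389),       # RDP probe over UDP
    Packet("out", "tcp", INSIDE_HOST, 51000, WEB_SERVER, 443),    # user browses out
    Packet("in", "tcp", WEB_SERVER, 443, INSIDE_HOST, 51000),     # legitimate reply
    Packet("in", "tcp", WEB_SERVER, 443, "203.0.113.11", 51000),  # unexpected dst IP
]


def run(firewall_cls) -> Tuple[List[bool], List[str]]:
    """Push the sample traffic through a firewall class; return (decisions, log)."""
    log: List[str] = []
    fw = firewall_cls(RULES, log)
    return [fw.filter(p) for p in TRAFFIC], log


if __name__ == "__main__":
    for name, cls in (("stateless", StatelessFirewall), ("stateful", StatefulFirewall)):
        decisions, log = run(cls)
        print(f"== {name}: {decisions}")
        print("\n".join(log))
```

The stateless filter lets the fifth packet through because no static rule matches it; the stateful filter blocks it because no inside host opened that connection, and the log line records why.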
85. Train your employees. “Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber attacks.
“Training topics to cover include:
“Consider displaying materials in your workplace to raise awareness about cybersecurity. The Department of Homeland Security’s “Stop.Think.Connect” campaign offers posters, brochures, and other materials for download.” - Small Business Cybersecurity, Small Business Administration; Twitter: @sbagov
86. Get the right cyber insurance coverage. “To help prevent gaps and find some common ground, the Federal Trade Commission (FTC) compiled and published a series of lists on its Cybersecurity for Small Businesses website that should help small-business owners decide what they need to protect. The FTC suggests cyber insurance should include coverage for:
“The FTC website puts a finer point on what the above terms mean by differentiating between first-party coverage (benefits provided to the insured) and third-party coverage (benefits provided to someone, other than the insured, who has been affected by the cyber incident).” - Michael Kassner, The FTC's cyberinsurance tips: A must-read for small business owners, TechRepublic; Twitter: @TechRepublic
87. Continuous monitoring solutions are a cornerstone of effective cybersecurity, particularly for regulatory compliance. “Whether a business needs to comply with an industry standard or governmental regulation, continuous monitoring stands as a core principle since cybercriminals continuously evolve their methodologies.
“The underpinning of continuous monitoring as a compliance requirement lies in bureaucracy. While cybercriminals change their attack methods, regulations and standards need to go through long review phases that cause them to lag behind threats. As such, incorporating continuous monitoring as a requirement intends to prevent data breaches and give auditors a way to detect control deficiencies.” - Karen Walsh, Continuous Monitoring: a Core Principle of a Robust Cybersecurity Program, Zeguro; Twitter: @Zeguroinc
88. Don’t ignore cybersecurity because your team lacks technical knowledge. “If the reason your business avoids taking cybersecurity measures is a lack of knowledge, there are plenty of knowledgeable people out there willing to visit your business, either for a training or to share options for cybersecurity plans. Ignoring cybersecurity because your team lacks technical knowledge isn't a legitimate excuse.
“If you're strapped for time or have a remote team, you can take online cybersecurity classes to better train your team and also to understand in what areas your business lacks online protection.” - Bennett Conlin, How to Improve Your Small Business's Cybersecurity in an Hour, Business News Daily; Twitter: @BNDarticles
89. Keep cyber hygiene training simple. “More than anything else, most people find cybersecurity's jargon overwhelming. Phishing, malware, and ransomware may be part of today’s tech lingo, but SQL injection, cross-site scripting, exploit, vulnerability, and lines of green code on black screens move outside most users’ comfort zones. Employees need to understand the problems, not the terminology.
90. Train your employees in sound security principles. “Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.” - Cybersecurity for Small Business, Federal Communications Commission (FCC); Twitter: @FCC
91. Train employees to identify email scams. “The most common way to invade your system is through email. Studies show employees receive at least one phishing email every day. The messages include links or attachments that infect your network with viruses, ransomware, malicious programs that let hackers take control of your network and access your data, and more.
“Don’t assume everyone knows what to look out for. Phishing scams are getting more sophisticated, so it’s not always easy to tell. It only takes one click to let the bad guys in. So don’t just send a memo; hold a training session.” - Matthew Podolsky, Six Simple Cybersecurity Tips For Your Small Business, Forbes; Twitter: @Forbes
92. Train employees on best practices for avoiding phishing scams. “Phishing is a type of attack that uses email or a messaging service to fool you into taking an action you should not take, such as clicking on a malicious link, sharing your password, or opening an infected email attachment. Attackers work hard to make these messages convincing and tap your emotional triggers, such as urgency or curiosity. They can make them look like they came from someone or something you know, such as a friend or a trusted company you frequently use. They could even add logos of your bank or forge the email address so the message appears more legitimate. Attackers then send these messages to millions of people. They do not know who will take the bait; all they know is the more they send, the more people will fall victim.” - OUCH! Newsletter - Stop That Phish, SANS Security Awareness; Twitter: @SANSAwareness
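Several of the tricks the SANS newsletter lists (a forged or lookalike sender address, a display name that impersonates a colleague, urgency in the subject line) leave traces in the message headers that a mail-handling script can flag for a reviewer. The following added example (not code from the newsletter) shows such a header-level check; the trusted-domain list, the homoglyph table, the urgency word list and both sample messages are constructed for illustration, and the heuristics complement rather than replace a real mail filter.

```python
"""Header-level phishing indicators for a small mail-handling script.

Added example, not code from the SANS newsletter. The trusted domain list,
the sample messages and the heuristics are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAINS = {"example.com"}  # constructed: the business's own mail domain
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|suspended|verify now|final notice)\b", re.IGNORECASE)
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Digits commonly swapped for letters in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like(domain: str, trusted: str) -> bool:
    """True when domain differs from trusted but collapses to it after homoglyph swaps."""
    if domain == trusted:
        return False
    folded = domain.translate(HOMOGLYPHS).replace("-", "")
    return folded == trusted.translate(HOMOGLYPHS).replace("-", "")


def phishing_indicators(raw: str) -> List[str]:
    """Return the header-level warning signs found in one RFC 822 message."""
    msg: Message = message_from_string(raw)
    findings: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. An address written into the display name that differs from the real sender.
    for shown in EMBEDDED_ADDR.findall(name):
        if _domain(shown) != from_domain:
            findings.append("display-name-address-mismatch")
            break

    # 2. Replies silently routed to a domain other than the apparent sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Sender domain is a near miss of a domain the business trusts.
    if any(_looks_like(from_domain, t) for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")

    # 4. Pressure language in the subject line (the "urgency" trigger).
    if URGENCY_WORDS.search(msg.get("Subject", "")):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (reserved documentation domains only).
SUSPICIOUS = """\
From: "Payroll <payroll@example.com>" <notices@examp1e.com>
Reply-To: payroll-desk@example.net
Subject: URGENT: confirm your direct deposit immediately
To: staff@example.com

Please review the attached form today.
"""

BENIGN = """\
From: Dana Lee <dana.lee@example.com>
Subject: Agenda for Thursday
To: staff@example.com

Notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

The findings are deliberately coarse labels rather than a verdict: a message carrying several of them is a good candidate for the "report it, don't click it" habit the training session should teach, while a single hit (an external Reply-To on a newsletter, say) is often legitimate.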
93. Set clear policies for handling sensitive data with clearly outlined consequences for violating these rules. “It is important to set rules for protecting and handling sensitive information. The consequences for violating these rules should be clearly detailed.” - 9 Cyber Security Tips for Small Business, CertainSafe; Twitter: @Certainsafe
94. Instill the importance of keeping devices secure. “A top method for a cyber attack starts with the theft of important devices. Whether it’s a phone, computer, tablet, or even a notebook, these all can contain valuable information that might be used for a cyberattack. No matter how small your business is, keeping your devices safe is a best practice to follow. Devices such as laptops are very important to keep an eye on, as these can be used to stir up a great deal of confidential information. In addition, if you don’t need a password to enter into your device, it makes it that much easier for a cyberattacker to access very important material. Therefore, it’s always best to keep a close eye on your devices. If you have your devices in a public place, always have them in an arm's reach. If you have to step away for a few minutes, take your devices with you. However, watching your stuff doesn’t only pertain to being in public. Even at the workplace, things get stolen and devices get hijacked. Always keep a close eye on your phone, laptop, and other devices. While this mostly pertains to large companies with many employees, small businesses too are also at risk. It’s best practice not to get careless with your devices and to always know where they are.” - 5 Cybersecurity Tips For Employees, PACE Technical; Twitter: @pacetechserv
95. Restrict access to unsafe websites and explain why. “Limiting what your employees can look at on company computers can help to defend your network from any malware that lurks on unprotected websites. Some businesses go as far as implementing firewalls and actively blocking certain sites, while others just use an honor system and trust that their employees will be sensible with their internet use.
“Whatever you choose, communication with your team is key. Either let them know which websites are trustworthy and therefore safe for them to browse in their downtime, or explain where firewalls exist and why.” - Zoë Dunning, 7 Cyber Security Tips for Small Businesses, Power Admin; Twitter: @poweradmn
96. Teach safe social media practices. “When it comes to social media, the biggest security issue is spear fishing. And no, it’s not a sport – it’s a scam. Basically, it involves being sent an email that looks like it’s from a business or someone you know. It will often be highly personalized, addressed to you with your position, company, work phone number and other customized information. These emails will push you to open up a nasty URL or attachment, or ask for your banking details and passwords.
“But where do these fraudsters get all this info? Usually from social media sites like LinkedIn, Facebook, and Twitter. That’s why you should never post sensitive personal or business information on these platforms. To tighten your defenses, make sure you regularly train your staff and invest in quality software solutions that catch malicious emails.” - Nick Brogden, 8 simple cyber security tips for small business owners, Flying Solo; Twitter: @FlyingSoloAU
97. Develop a written cybersecurity plan. “Your cybersecurity plan should include an employee training program and an incident response plan. The first step to securing your network is to make sure your employees understand security policies and procedures.
“Training shouldn’t be a one-and-done deal; schedule yearly or semi-yearly refresher courses to keep security top of mind. Help your employees understand the importance of updating their software, adopting security best practices and knowing what to do if they identify a possible security breach.
“The faster you act in the face of a cyberattack, the better you’ll be able to mitigate the damage.
“An incident response plan will have crucial information such as:
“The Federal Communications Commission offers a cyberplanner to help small-business owners create a plan to protect their business. (You can generate a customized plan at the bottom of the page after you create it.)” - Jackie Zimmerman and Steve Nicastro, 7 Tips to Protect Your Small Business From Cyberattacks, NerdWallet; Twitter: @NerdWallet
98. Restrict Internet and email use to business purposes only. “Internet access in the workplace should be restricted to business needs only. Not only does personal web use tie up resources, but it also introduces the risks of viruses and can give hackers access to information.
“Email should be conducted through business email servers and clients only unless your business is built around a model that doesn't allow for it.” - William Deutsch, Security Policies Every Company Should Have, The Balance Small Business; Twitter: @thebalance
99. Require employees to keep mobile devices locked with a PIN or other authentication. “Whether you operate a BYOD (bring your own device) policy or you provide company devices for work, your business is open to new risks. The main threat comes from devices without a PIN (or a weak PIN) that get stolen.” - Small business: the targets of cybercrime, AVG; Twitter: @AVGfree
100. Have employees sign security policies to acknowledge their understanding. “Employees can make mistakes. What’s more, some mistakes can be costly, and they can compromise the system in whole or in part. This is one area where a security policy comes in handy. It outlines the consequences for not following the rules.
“Security policies are like contracts. They are to be acknowledged and signed by employees. This means no employees shall be excused from being unaware of the rules and consequences of breaking the rules.
“Should an employee breach a rule, the penalty won’t be deemed to be non-objective. Security policies can also be used for supporting a case in a court of law.” - Ellen Zhang, What Are Information Security Policies, and Why Do You Need Them?, Zeguro; Twitter: @Zeguroinc
101. Build a cyber-aware culture. “Technology is one obvious target for cybercriminals; but your workforce can come under attack, too. Your staff can be your biggest asset when it comes to cybersecurity; so it’s crucial that you build a cyber-aware culture into the DNA of your company.
“Provide cybersecurity training on staff induction, assess their knowledge at appraisals and make sure company directors know the risks to ignoring such warnings.” - Joe Whitwell, Ringfencing your resources: simple security wins, The Telegraph; Twitter: @Telegraph