If you operate a small business, you are undoubtedly aware of the looming and ever-growing risks of cyberattacks. You’ve likely heard of large-scale data breaches, ransomware attacks, and theft of customer and other data from big enterprises like Home Depot, Target, and others. You probably assure yourself that you are not a target, because you are not a huge enterprise. Or, maybe you feel protected because you don’t handle customer data.
The truth is, however, that cybercriminals do not discriminate when they target businesses. These attacks are not always executed with precision but can be blunt force attacks merely looking to exploit any vulnerability of any user. Sure, they are looking for big targets, but will also exploit smaller ones that can present fewer obstacles. And no matter what technology you employ in your organization, users are the most significant vulnerability when it comes to cybersecurity. The best defense then is through user education and the implementation of clear cybersecurity policies.
Human error is the greatest risk
Small businesses need to enable basic-level technologies to protect their networks and systems. Firewalls and anti-virus software help block significant attacks. But, no technology will protect against human error. By far, the most common human mistakes regarding cybersecurity involve clicking unknown links, opening attachments, and entering login or other credentials into sites that seem legitimate but are, in fact, counterfeit. According to one recent survey by Experian, 66% of businesses consider their employees to be the weakest cybersecurity link.
This is not to say that employees are not intelligent. The way business is conducted has changed drastically, and emails with attachments are part of daily, if not hourly, life for most workers.
Policies help make security second nature
Creating a strong and easy-to-understand security policy helps facilitate more secure employee behavior. The most effective policies evaluate today’s risks and are flexible, allowing for revision as necessary. While there’s no one-size-fits-all solution, small business cybersecurity policies should include provisions on email security, passwords, multi-factor authentication, and the use of media such as USB drives. Let’s take a brief look at each of these risks and how a policy can provide ongoing protection.
1. Email can be an open door for cyber risks
Phishing is a fraudulent practice in which emails are disguised as legitimate to induce people to give up personal information, such as passwords. A cybersecurity policy can address this by adding a layer of caution. Users can be trained on the signs of phishing, such as poor writing or odd email address domains, for example @mail.apple.work instead of @apple.com. It’s equally crucial for your security policy to state that it covers the use of personal and work email on work computers.
2. Passwords only protect when used properly
Strong password hygiene is an essential component of cybersecurity policy. Train users to avoid sharing passwords with others. Policies should prohibit using the same login credentials across various online services. Security experts recommend using complicated passwords that contain no “dictionary words” and use a mix of characters, numbers, and different capitalizations.
3. Enable multi-factor authentication where possible
Small businesses can increase their protections with multi-factor authentication (MFA). This technology requires a user to know something (a login credential) and possess something (a smartphone or other device). MFA raises the bar for hackers considerably. According to Microsoft, 99.9% of account hacks are blocked by the practice. If MFA is an option on the programs and systems your business uses, enable it, and make sure your policy requires it for all users.
4. Addressing the use of removable media
Not all cyber threats travel via email and the internet. Some can sneak in on a removable USB drive. USB drives can help transport documents, but it is essential to protect your systems from malware and viruses that can jump from a home or other computer. USB drives also can be easily lost, leading to the risk of sensitive information getting into the wrong hands. A USB drive security policy should require encryption of files, at a minimum, but can also extend to other protections, such as ensuring that only a specific brand of drive is used, as malware can hit the drives during manufacturing in some cases.
These are just a few examples of how a cybersecurity policy can protect your small business. Cyber threats often change, with new risks identified almost daily. Your policies should respond to these changes. Hold frequent security meetings and ask for input, even if they are held only once a quarter. With a clear and enforced policy, cybersecurity can be on your users’ minds throughout the day. Help spread enthusiasm for security, and you’ll make great strides towards a more secure business.