Recommended Security Practices for SMBs


Threats to Small Businesses

Small to medium-sized businesses (SMBs) are increasingly becoming targets for cybercriminals. Many small businesses assume they’re too small to be noticed, but in reality, hackers often see them as easy targets due to limited resources and cybersecurity measures. Some common threats SMBs face include:

  • Phishing Attacks: Fraudulent emails or messages that trick employees into sharing sensitive information.
  • Ransomware: Malicious software that locks businesses out of their data unless they pay a ransom.
  • Data Breaches: Unauthorised access to sensitive customer or company data.

Understanding these threats is crucial to building strong cybersecurity defences.


Scam Messages

What Are They?

Scam messages, also known as phishing, can come through email, SMS, or social media. They often look legitimate and may trick you into clicking a malicious link or sharing sensitive information.

What Can You Do?

  • Be cautious of unsolicited messages asking for personal or financial information.
  • Always verify the sender’s email address before clicking on any links.
  • Use a spam filter to reduce phishing emails and malicious messages reaching your inbox.

Email Attacks

What Are They?

Email attacks like phishing or business email compromise (BEC) are designed to deceive businesses into transferring money or sensitive data to cybercriminals.

What Can You Do?

  • Implement email filtering to detect and block suspicious messages.
  • Train employees to identify phishing attempts, such as suspicious email addresses, poor grammar, and urgent requests.
  • Use email encryption to protect sensitive communications.
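The two checklists above (scam messages and email attacks) both come down to looking at who a message really came from. As an added example that is not part of the original guide and not CyberGrade's code, the Python below shows the kind of sender check a simple mail filter or awareness tool performs: it parses the From header, compares the real address domain against a list of trusted domains, flags digit-for-letter look-alike domains, and flags display names that mention a trusted domain while the actual address is somewhere else. The trusted-domain list, the substitution table and the sample headers are all constructed for illustration.

```python
from __future__ import annotations
from email.utils import parseaddr

# Hypothetical domains this business legitimately exchanges mail with (constructed).
TRUSTED_DOMAINS = {"example.com", "bank.example", "supplier.example"}

# Digit-for-letter substitutions seen in look-alike domains (constructed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample From headers, as an awareness tool might receive them.
SAMPLE_HEADERS = [
    '"Accounts Team" <invoices@supplier.example>',       # genuine supplier
    '"IT Support" <helpdesk@examp1e.com>',               # digit "1" for letter "l"
    '"bank.example Security" <alerts@bank-example.com>', # trusted name, other domain
    "not-an-address",                                    # unparseable sender
]

def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact trusted domain, or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def _squash(domain: str) -> str:
    """Normalise look-alike tricks: undo digit substitutions, drop dots and hyphens."""
    return domain.translate(LOOKALIKES).replace("-", "").replace(".", "")

def looks_like(domain: str, trusted: str) -> bool:
    """True when a non-trusted domain collapses to the same string as a trusted one."""
    return domain != trusted and _squash(domain) == _squash(trusted)

def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a sender looks suspicious; an empty list means no flags."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return ["no parseable sender address"]
    if is_trusted(domain, trusted):
        return []
    reasons = []
    local_part = addr.split("@", 1)[0].lower()
    for t in sorted(trusted):
        if looks_like(domain, t):
            reasons.append(f"domain {domain} is a look-alike of trusted domain {t}")
        # A trusted name in the display name or local part, but a different domain,
        # is the classic sign of a spoofed sender.
        if t in name.lower() or t in local_part:
            reasons.append(
                f"display name or local part mentions {t} but the address domain is {domain}"
            )
    return reasons

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", assess_sender(header) or "ok")
```

A message that is merely from an unknown domain produces no flags here; the point of the check is to catch senders that are pretending to be someone the business already trusts, which is the case an employee is least likely to question.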

Malicious Software

What Is It?

Malicious software (malware) can infect your system and cause damage by stealing data, locking you out of your files (ransomware), or spying on your activities.

What Can You Do?

  • Install antivirus software and ensure it’s up to date.
  • Avoid downloading attachments or software from unknown sources.
  • Regularly scan your systems for vulnerabilities.

Secure Your Accounts

One of the easiest ways to protect your business is by securing all accounts with strong access controls. Here’s how:


Turn on Multi-Factor Authentication (MFA)

Why?

MFA adds an extra layer of security by requiring something you know (a password) and something you have (e.g., a phone or hardware token). Even if your password is compromised, a password alone is then not enough to get into your accounts.

What Can You Do?

  • Enable MFA on your email, financial, and business-critical accounts.
  • Use MFA apps like Google Authenticator or Microsoft Authenticator rather than SMS-based MFA, which is less secure.

Use Strong Passwords or Passphrases

Why?

Weak passwords are one of the biggest vulnerabilities for businesses. Strong passwords or passphrases make it harder for hackers to gain unauthorized access.

What Can You Do?

  • Use passwords that are at least 12 characters long with a mix of letters, numbers, and symbols.
  • Use passphrases: a string of random words that is easier to remember and harder to guess than a short password.
  • Consider using a password manager to store and generate complex passwords.
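As an added example (not from the original guide and not CyberGrade's tooling), the Python below turns the three bullets above into working code: it generates random passwords and random-word passphrases using the `secrets` module, as a password manager does, and checks a candidate against the guide's rule of at least 12 characters with letters, numbers and symbols. The word list and the list of disallowed common passwords are constructed placeholders; the rule that a passphrase needs at least four words of three or more letters is an assumption, since the guide does not give a word count.

```python
import re
import secrets
import string

# Constructed sample word list. A real generator uses a list of thousands of
# words (e.g. a diceware list); 12 words gives far too few combinations.
WORDS = ["copper", "lantern", "orbit", "velvet", "quartz", "meadow",
         "harbor", "tundra", "pixel", "saddle", "glacier", "walnut"]

# Constructed list of passwords too common to allow; a real deployment
# checks against a large breached-password list instead.
COMMON = {"password", "password123", "welcome1", "qwerty123", "admin123"}

MIN_LENGTH = 12            # from the guide
MIN_PASSPHRASE_WORDS = 4   # assumption: the guide gives no word count
MIN_WORD_LETTERS = 3       # assumption: stops "a-b-c-d" counting as a passphrase

def meets_policy(candidate: str) -> tuple:
    """Return (ok, reasons). Accepts either a 12+ character mixed password
    or a passphrase of four or more real words."""
    if candidate.lower() in COMMON:
        return False, ["common password"]
    words = [w for w in re.split(r"[^A-Za-z]+", candidate) if len(w) >= MIN_WORD_LETTERS]
    if len(words) >= MIN_PASSPHRASE_WORDS and len(candidate) >= MIN_LENGTH:
        return True, []          # passphrase path: length comes from the words
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        reasons.append("no letters")
    if not any(c.isdigit() for c in candidate):
        reasons.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        reasons.append("no symbols")
    return not reasons, reasons

def generate_password(length: int = 16) -> str:
    """Random password from letters, digits and symbols, regenerated until it
    satisfies the policy (a short random draw can miss a character class)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate)[0]:
            return candidate

def generate_passphrase(n_words: int = MIN_PASSPHRASE_WORDS,
                        separator: str = "-", words=WORDS) -> str:
    """Random-word passphrase; secrets.choice is suitable for credentials,
    unlike the random module."""
    return separator.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    for sample in ["password123", "Summer2024", "Tr0ub4dor&3xample!",
                   generate_password(), generate_passphrase()]:
        print(repr(sample), meets_policy(sample))
```

Note that `meets_policy` only tests the rules the guide states; it does not estimate entropy, so a passphrase drawn from the tiny sample list above passes the check while being weak in practice. The strength comes from the size of the word list, which is why the comment insists on a real one.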

Manage Shared Accounts

Why?

Shared accounts without proper management can be risky as it’s harder to track who is accessing them.

What Can You Do?

  • Assign individual logins wherever possible.
  • For shared accounts, ensure passwords are rotated regularly and access is limited to those who need it.

Implement Access Controls

Why?

Not everyone in your business needs access to every piece of information. By limiting access, you reduce the risk of internal threats or accidental leaks.

What Can You Do?

  • Set permissions based on roles, allowing employees to access only the information they need.
  • Regularly review who has access to critical data and remove unnecessary privileges.
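To make the two bullets above concrete, here is an added Python example (not from the original guide and not CyberGrade's code) of role-based permissions plus the periodic review step: users hold roles, roles carry permissions, and a review function reports direct grants that bypass the role model, people holding more than one privileged role, and accounts with no roles left that should probably be disabled. The roles, permissions and user directory are constructed, and which roles count as privileged is an assumption.

```python
from __future__ import annotations

# Hypothetical role definitions for a small business (constructed).
ROLE_PERMISSIONS = {
    "staff":    {"crm:read"},
    "sales":    {"crm:read", "crm:write"},
    "finance":  {"crm:read", "payroll:read", "payroll:write"},
    "it-admin": {"users:manage", "backups:manage"},
}

# Roles whose holders deserve individual review (assumption).
PRIVILEGED_ROLES = {"finance", "it-admin"}

# Constructed user directory: assigned roles plus any direct (ad-hoc) grants.
USERS = {
    "alice": {"roles": {"sales"},               "direct": set()},
    "bob":   {"roles": {"staff"},               "direct": {"payroll:write"}},  # one-off grant
    "carol": {"roles": {"finance", "it-admin"}, "direct": set()},
    "dave":  {"roles": set(),                   "direct": set()},  # roles removed on leaving
}

def effective_permissions(user: str, users=USERS, roles=ROLE_PERMISSIONS) -> set:
    """Union of every permission granted through roles or directly."""
    entry = users[user]
    perms = set(entry["direct"])
    for role in entry["roles"]:
        perms |= roles.get(role, set())
    return perms

def is_allowed(user: str, permission: str, users=USERS, roles=ROLE_PERMISSIONS) -> bool:
    """The check an application makes before serving a request."""
    return permission in effective_permissions(user, users, roles)

def review_access(users=USERS, roles=ROLE_PERMISSIONS, privileged=PRIVILEGED_ROLES) -> list:
    """The periodic access review: findings a manager should act on."""
    findings = []
    for name, entry in sorted(users.items()):
        role_perms = set().union(*(roles.get(r, set()) for r in entry["roles"]))
        # Grants that no assigned role explains usually outlive the reason they were made.
        for perm in sorted(entry["direct"] - role_perms):
            findings.append(f"{name}: direct grant '{perm}' outside any assigned role")
        held = entry["roles"] & privileged
        if len(held) > 1:
            findings.append(f"{name}: holds multiple privileged roles {sorted(held)}")
        if not entry["roles"] and not entry["direct"]:
            findings.append(f"{name}: no roles or grants; consider disabling the account")
    return findings

if __name__ == "__main__":
    print("alice may write CRM:", is_allowed("alice", "crm:write"))
    print("alice may read payroll:", is_allowed("alice", "payroll:read"))
    for finding in review_access():
        print("REVIEW:", finding)
```

Keeping permissions on roles rather than on people is what makes the review tractable: the reviewer reads a handful of role definitions and a short list of exceptions instead of auditing every user's grants one by one.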

Protect Your Devices and Information

Your devices store a wealth of sensitive business information, making them prime targets for attackers. Protecting them is essential for safeguarding your business.


Update Your Software

Why?

Outdated software often contains vulnerabilities that hackers can exploit.

What Can You Do?

  • Ensure that all software, including operating systems and applications, is regularly updated.
  • Turn on automatic updates to keep everything patched.

Back Up Your Information

Why?

In the event of a ransomware attack or data breach, regular backups are your safety net, ensuring you don’t lose critical information.

What Can You Do?

  • Back up data regularly and ensure backups are stored offsite or in the cloud.
  • Test your backup systems to ensure they work in the event of an emergency.
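"Test your backup systems" is the step most often skipped, so as an added example (not from the original guide and not CyberGrade's tooling) the Python below shows what a restore test looks like in code: record a SHA-256 manifest of the source files when the backup is taken, restore the backup to a scratch location, and compare every restored file against the manifest so that missing or silently altered files are reported. The sample business data, the backup layout and the simulated corruption are all constructed inside a temporary directory, so the script runs offline and cleans up after itself.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, dst: Path) -> dict:
    """Copy the tree and return the manifest recorded at backup time.
    The manifest must be kept with the backup, not only on the source system."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst, dirs_exist_ok=True)
    return manifest

def verify_tree(root: Path, manifest: dict) -> list:
    """Problems found when comparing root against the manifest; [] means intact."""
    problems = []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return problems

def restore_and_verify(backup: Path, restore_to: Path, manifest: dict) -> list:
    """The actual restore test: restore to a scratch location, then verify it."""
    shutil.copytree(backup, restore_to, dirs_exist_ok=True)
    return verify_tree(restore_to, manifest)

def demo() -> tuple:
    """Back up constructed sample data, run a clean restore test, then damage the
    backup copy (one file altered, one deleted) and run the test again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "business-data", Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "invoices.csv").write_text("id,amount\n1,250.00\n")
        (src / "customers.txt").write_text("Acme Pty Ltd\n")   # constructed data
        manifest = make_backup(src, dst)
        clean = restore_and_verify(dst, Path(tmp) / "restore-1", manifest)
        # Simulate silent corruption and an accidental deletion in the backup copy.
        (dst / "finance" / "invoices.csv").write_text("id,amount\n1,999.00\n")
        (dst / "customers.txt").unlink()
        damaged = restore_and_verify(dst, Path(tmp) / "restore-2", manifest)
        return clean, damaged

if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean or "all files intact")
    print("damaged restore:", damaged)
```

The restore goes to a separate scratch directory on purpose: verifying the backup copy in place proves the files are readable, but only a restore proves that the procedure, tooling and permissions still work when someone needs them in a hurry.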

Use Security Software

Why?

Antivirus, firewall, and encryption software provide essential layers of protection against malware, ransomware, and unauthorized access.

What Can You Do?

  • Install reputable security software and keep it updated.
  • Use firewalls to block unauthorized access to your network.
  • Encrypt sensitive data to protect it from theft.

Secure Your Network and External Services

Many businesses rely on the internet and external services, which also need protection.


Harden Your Website

Why?

Your website can be a gateway for hackers if not properly secured.

What Can You Do?

  • Install an SSL/TLS certificate so that data exchanged between your website and its visitors is encrypted (HTTPS).
  • Regularly update website plugins and themes to fix vulnerabilities.
  • Use web application firewalls to block malicious traffic.

Reset Your Devices Before Selling or Disposing of Them

Why?

Devices like computers, phones, or printers store sensitive information. If not properly wiped, this data can be accessed by the next person who owns the device.

What Can You Do?

  • Perform a factory reset on all devices before selling or disposing of them.
  • Use data wiping tools to ensure all information is completely removed.

Keep Your Devices Locked and Physically Secure

Why?

Physical security is just as important as digital security. Lost or stolen devices can lead to data breaches.

What Can You Do?

  • Always use strong passcodes or biometrics to lock devices.
  • Store devices in secure locations when not in use, and never leave them unattended.

Protect Your Business Data

Data is the lifeblood of any business. Losing control of your data can lead to financial and reputational damage. Here are some steps to protect it:

  • Classify your data: Identify which information is most sensitive and apply stronger protections to it.
  • Encrypt sensitive data: Ensure that data stored or transmitted is encrypted, preventing unauthorized access.
  • Limit data retention: Only keep data that is necessary and securely delete what is no longer needed.

Prepare Your Staff

Your employees are on the front lines of cybersecurity, and their actions can make or break your security efforts.


Educate Employees

Why?

Human error is one of the biggest risks in cybersecurity. Educating your staff on best practices can prevent costly mistakes.

What Can You Do?

  • Regularly provide cybersecurity training on how to identify phishing attacks, use strong passwords, and report suspicious activity.
  • Encourage a culture of security awareness where employees understand the importance of protecting business data.

Make an Emergency Plan

Why?

Even the best security measures can fail. Having an emergency plan ensures that your business can respond quickly and minimize damage.

What Can You Do?

  • Develop a cyber incident response plan outlining the steps to take in the event of a breach.
  • Test your plan regularly and ensure employees know their roles during an incident.

Stay Informed

Why?

The cyber threat landscape is constantly evolving. Staying informed about the latest threats and security practices is essential for protecting your business.

What Can You Do?

  • Subscribe to cybersecurity alerts from trusted sources, such as government agencies or cybersecurity organizations.
  • Regularly review and update your security measures to stay ahead of emerging threats.

By following these security tips, small and medium businesses can significantly reduce their risk of cyber threats. Implementing these steps today will help safeguard your business’s future. If you need assistance, don’t hesitate to contact CyberGrade for expert advice and tailored solutions.