A Plan to Protect Your Small Business IT Network

According to the US Office of Advocacy, there are 36.2 million small businesses in the USA, accounting for almost 46% of private sector employment. These small companies play a crucial role in keeping the economy running. They may be small, but they do not fly under the radar of cybercriminals.

The latest Verizon Data Breach Investigations Report (DBIR) shows that companies with fewer than 1,000 employees are as much at risk of a cyberattack as larger enterprises, and in many cases at greater risk. For example, ransomware is involved in 33% of breaches at larger enterprises but in 88% of breaches at smaller companies.

Small businesses can fight back by developing a network protection plan.

Why Does a Small Business Need Network Protection?

A small business owner must make some hard decisions about the direction and strategy of their company. Most of those decisions will revolve around core business and staffing needs. Notably, both of these areas are directly connected to cybersecurity concerns. For example, the expansion of the network to include mobile phones and the prevalence of cloud computing infrastructures and software-as-a-service apps have created a complex attack surface. Changes in working conditions, such as remote working, traveling for work, and the use of personal devices for work tasks, have added complexity to protecting data and other IT resources. As a result, small companies are seeing increased cyber threats.

The Coalition Small Business Cybersecurity Study found that 87% of small businesses were somewhat or very concerned about cyber risks affecting their companies.

How concerned are you about cyber risk impacting your business in the next year?

  • Very concerned: 20%
  • Somewhat concerned: 67%
  • Not very concerned: 12%
  • Not concerned at all: 2%

Source: Coalition

These cyber risks can have multiple impacts, including the following:

Supply Chain Attacks

Many small organizations are members of a supply chain. Supply chain attacks are increasingly common and can impact the entire chain. A small company can be materially and financially damaged when a criminal targets it as a way to reach the other members of the chain.

Customer Data Protection

Small companies, like their large counterparts, must protect customers and clients. This means ensuring that personal and sensitive data is protected. Attacks like ransomware and account takeover can not only cause financial losses but also lead to reputation damage.

Compliance

Regulations affect both small and large companies. Depending on the sector, your organization may need to comply with multiple regulations and standards. Data protection regulations, such as the EU's GDPR, impact companies even outside the EU. If your company handles payment card transactions, you will be subject to standards such as PCI DSS. If you work in healthcare in the USA, you may fall under the HIPAA umbrella. Whichever regulations apply to your sector, a cyber incident can put you in breach of them.

How Can a Small Business Protect Its Network?

The costs associated with protecting a business network may seem excessive for something that is not core to the business, but the alternative is worse if your company suffers a cyber incident. Cyberattacks are costly. They impact a business across the board, causing damage to computers and phones, downtime, loss of sensitive data, and damage to the brand. Websites can be crashed, data encrypted and stolen, CEOs scammed, and much more. The financial costs alone can be staggering, with a data breach costing smaller companies an average of $120,000 to $1.24 million, depending on the severity of the breach.

How much you allocate to cybersecurity really depends on what your business can afford. However, the Coalition study found that more than half of small companies spend around 54% of their IT budget on cybersecurity.

[Chart: What percentage of small businesses' overall budgets is spent on cybersecurity? Source: Coalition]

Using a Managed Service Provider (MSP) can help manage the costs of a robust network protection plan. An MSP provides the software and security expertise needed to protect your IT network in a cost-effective manner, offering delivery, management, and configuration of security measures on a subscription basis, which lets a small company spread the cost of security.

The important thing to remember is that IT network protection is not a one-stop shop: no single product or service covers every risk. You must, therefore, choose cybersecurity measures wisely and know your risks.

Best Practice Methods to Protect Your Network

Knowing your risks is the fundamental starting point to protect your network. A risk assessment is typically conducted by a third party, such as an MSP, vendor, or consultant, to identify areas of weakness. You can protect your network in-house if you have skilled staff. However, most small businesses lack skilled security staff.

One of the best ways, and the most cost-effective, is to be informed. Even if you use a third party, having basic knowledge at your fingertips will help you evaluate needs and select wisely. The following measures are used as layers of security and are fundamental to protecting your small business IT network:

Understand Your Threats

Threats to small companies come from many sources. Cybercriminals often search for companies to target on dark web forums and similar online platforms. Dark web intelligence services, like those from Sentinex, monitor the dark web for evidence that data about your company is being collected in preparation for an attack.

This data could include general information about your CEO or other management, as well as system administrators or employees in accounts payable. Knowing the type of threats directed at your company will help you prepare for and prevent any potential attacks.

Create Backups

Ransomware encrypts data, often stealing it too. The resulting disruption and threat of releasing sensitive data are used to put pressure on companies to pay a ransom. By using secure backups, a company can prevent the disruption that ransomware causes and give itself time to react.
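A backup only buys you time if it actually restores. The script below, an added example that is not part of the article, backs up a directory to a compressed archive, records a SHA-256 manifest of every file, then restores the archive into scratch space and compares digests, which is the "test your restores" step most small-business backup plans skip. The sample files it backs up are constructed in a temporary directory; the `run_demo` function and the file names are assumptions for the demonstration.

```python
"""Back up a directory to a compressed archive, record a SHA-256 manifest, and prove
the backup restores intact before you need it. Added example, not from the article;
the sample files it backs up are constructed in a temporary directory."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest: Path) -> tuple:
    """Write source/ into dest/<name>.tar.gz with a manifest JSON beside it.
    Keep the archive and manifest off the machine being backed up; ransomware
    on that machine will otherwise encrypt the backup along with the data."""
    archive = dest / f"{source.name}.tar.gz"
    manifest = dest / f"{source.name}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest.write_text(json.dumps(
        {"root": source.name, "files": build_manifest(source)}, indent=2))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list:
    """Restore the archive into scratch space and diff digests against the manifest.
    Returns a list of problems; an empty list means the backup restores exactly."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses path traversal and device entries (3.12+ and backports).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        actual = build_manifest(Path(scratch) / expected["root"])
    for rel, digest in expected["files"].items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in sorted(actual.keys() - expected["files"].keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> tuple:
    """Build a constructed sample tree, back it up and verify it, then alter the
    manifest to simulate a restored file that no longer matches, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "accounts"
        (src / "2024").mkdir(parents=True)
        (src / "2024" / "invoices.csv").write_text("id,amount\n1,120.00\n2,80.50\n")
        (src / "customers.json").write_text('{"alice": "alice@example.com"}\n')
        dest = Path(tmp) / "offsite"
        dest.mkdir()
        archive, manifest = create_backup(src, dest)
        clean = verify_backup(archive, manifest)
        data = json.loads(manifest.read_text())
        data["files"]["customers.json"] = "0" * 64  # constructed mismatch
        manifest.write_text(json.dumps(data))
        tampered = verify_backup(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean backup problems:", ok)          # expected: []
    print("altered manifest problems:", bad)     # expected: one 'content changed' entry
```

Run the verification on a schedule against the copy that lives off-site or offline, not the copy on the file server: the point of the check is to find out that a backup is unusable before an incident does.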

Educate Your Staff

Many cyberattacks begin by exploiting a human being, such as an employee. For example, social engineering of help desk employees by tricking them into "recovering passwords" led to major ransomware attacks in the UK. Security awareness training is used to educate employees about the dangers of risky security behavior. Topics should include:

  • Password management and hygiene, which may include the use of password managers. Passwords should not be shared, and the same password should not be used for multiple apps.
  • The use of secure Wi-Fi when traveling and connecting to the internet.
  • Safety when traveling with company computers and mobile devices.
  • Signs of phishing in all its forms. This may include the use of phishing simulation platforms that are used to test and train users on identifying and handling phishing emails.
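Password hygiene is easier to enforce than to teach, and the first item above (and the first FAQ item at the end of the article) boils down to three checks: long enough, not reused, not already leaked. The following script is an added example, not code from the article or from any vendor it names; it runs the kind of audit a password manager's health report performs. The credential records and the breach list are constructed for the demo, and `range_lookup` imitates the Have I Been Pwned range API (only a five-character hash prefix leaves the client, matching suffixes come back) against a local set so that it runs offline.

```python
"""Flag short, reused, shared and known-breached passwords across a team's logins.
Added example, not from the article. Records and breach list are constructed."""
import hashlib
from collections import defaultdict

MIN_LENGTH = 14  # assumption: the policy minimum this demo enforces

# Constructed breach corpus: SHA-1 digests of a few passwords that appear in real leaks.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123", "Summer2023!", "letmein")
}

# Constructed sample of what a team's shared vault might hold.
SAMPLE_RECORDS = [
    {"user": "alice", "app": "crm", "password": "correct-horse-battery-staple-42"},
    {"user": "alice", "app": "payroll", "password": "correct-horse-battery-staple-42"},
    {"user": "bob", "app": "crm", "password": "Summer2023!"},
    {"user": "carol", "app": "email", "password": "Summer2023!"},
    {"user": "dave", "app": "email", "password": "Tq9#vL2mXz8wRbYp7Kn"},
]


def sha1_split(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix and the remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str) -> set:
    """Stand-in for the HIBP range endpoint: return suffixes of breached hashes
    that share this prefix, so the full hash never has to be sent anywhere."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    prefix, suffix = sha1_split(password)
    return suffix in range_lookup(prefix)


def audit(records: list) -> dict:
    """Return {login: [findings]} for every login with at least one problem."""
    findings = defaultdict(list)
    per_user_pw = defaultdict(list)  # (user, password) -> logins using it
    users_per_pw = defaultdict(set)  # password -> users who use it
    for r in records:
        login = f"{r['user']}@{r['app']}"
        if len(r["password"]) < MIN_LENGTH:
            findings[login].append(f"shorter than {MIN_LENGTH} characters")
        if is_breached(r["password"]):
            findings[login].append("appears in breach list")
        per_user_pw[(r["user"], r["password"])].append(login)
        users_per_pw[r["password"]].add(r["user"])
    for (user, pw), logins in per_user_pw.items():
        if len(logins) > 1:  # one person, same password on several apps
            for login in logins:
                others = ", ".join(l for l in logins if l != login)
                findings[login].append(f"reused for {others}")
        shared_with = sorted(users_per_pw[pw] - {user})
        if shared_with:  # several people know the same password
            for login in logins:
                findings[login].append("shared with " + ", ".join(shared_with))
    return dict(findings)


if __name__ == "__main__":
    for login, problems in audit(SAMPLE_RECORDS).items():
        print(login, "->", "; ".join(problems))
```

In the sample, dave's login is the only one that passes: alice reuses one password across two apps, and bob and carol share a short password that is also on the breach list. A real audit would run inside the password manager or against stored hashes rather than plaintext exports, but the three checks are the same.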

Malware Protection for Small Businesses

Endpoint security is another essential area of focus. Endpoints include mobile devices, laptops, point-of-sale (PoS) terminals, printers, IoT devices, and so on; each adds to the network attack surface. Standard protection includes encryption, next-generation antivirus (NGAV), and access controls governing who can use the endpoint and which apps can be installed and run.

Use Robust Access Control and Authentication

Cybercriminals look for easy ways into a network. One of the most successful ways is to steal login credentials. Preventing cybercriminals from gaining unauthorized access to sensitive data is crucial. Even low-level access rights can be abused by cybercriminals who can leverage this access to escalate privileges to the admin level.

Basic identity security measures include the use of strong passwords, multi-factor authentication, and restricting access to data and IT resources to only those employees who need it to perform their duties. Solutions like Microsoft Entra ID are designed to help small companies set up access control and digital identity. Specialist solutions, such as AccessOwl, provide SaaS app access control to help small businesses navigate this challenging area of technology.

Keep Software Updated

Attackers often exploit software vulnerabilities during cyberattacks. The best way to stop the flaws that lead to data breaches, ransomware attacks, and other security incidents from being exploited is to patch them, so patch software regularly and promptly.

However, it is worth noting that some attacks rely on zero-day vulnerabilities - these are software flaws that are not yet known to the vendor, and so no patches are available. This is why layers of security are needed to prevent incidents.

Encryption for Small Businesses

Encryption protects data by scrambling it so that only authorized users holding the key can unscramble it. It must be used for sensitive data both at rest, when it is stored in a database or on a device, and in transit over internet connections. Encryption is usually built into databases and mobile devices, but it only helps if it is switched on and the keys are kept secure.

Firewalls for Small Businesses

Many vendors, including Cisco and Fortinet, offer firewalls designed specifically for small companies. Firewalls apply rules to allow or block network traffic, stopping or quarantining anything suspicious. Next-generation firewalls (NGFW) add machine learning to identify unusual behavior and emerging threats. Firewalls can protect extended networks, including branch offices and hybrid work environments.

Small Business VPN

Companies such as Proton provide virtual private network (VPN) software to small businesses. A VPN provides an encrypted tunnel that allows employees to connect to the corporate network and access apps securely; the encryption protects all traffic and data sent through the tunnel.

Explore Cyber Liability Insurance as an Option

If the worst happens, cyber insurance can help a small company to weather the storm of a security breach. Cyber liability insurance covers areas such as breach notification expenses, forensic investigations, identity recovery, lost income due to downtime, and may also cover ransom payments and regulatory fines. The cost of cyber liability insurance may be reduced if the company takes certain security measures.

The Federal Trade Commission (FTC) offers advice on choosing a cyber insurance company.

A small company owner would rather focus on the core business. However, the levels of cybercrime against small companies mean that tackling cyberattacks is no longer a nice-to-have. Protecting the expanded company network must be prioritized to reduce the risk of a cyberattack. Layered security measures are necessary due to the extensive attack surface of modern companies. A small company can implement its own network security measures. However, it may be more cost-effective in the long run to use a vendor-hosted service or a managed service provider to take the load off the shoulders of small company owners and their teams.

FAQs

What is small business cybersecurity?

Small business cybersecurity is the same as large enterprise cybersecurity. A small business is as much at risk of a cyberattack as its larger counterparts. This risk level indicates that the small company must take measures to protect its network. Security measures that are fundamental to network security include encryption, robust access control, security awareness training, and endpoint protection against malware.

What are small business VPN solutions?

Small business virtual private networks (VPNs) provide an encrypted tunnel, allowing employees to connect securely to corporate networks and applications. All data and network traffic are encrypted by the VPN. There are many free and paid VPNs available on the market, but a company should carefully evaluate the features of a VPN before making a choice. VPN features should include excellent speed and robust security. Business VPNs are typically remote access VPNs for individual employees; branch offices are usually connected to the main office with site-to-site VPNs.

What are the most important cybersecurity measures for a small business?

A small business should begin with some basic but essential measures to protect its network and data. The following should be deployed or switched on as a first step to a secure network:

  • Teach your employees to use passwords carefully. Make your password strong by using a password manager to generate passwords or by using long strings of words, letters, characters, and numbers. Teach staff never to share passwords and to use a different password with each app. You can make life easier by using an identity access management system, such as Entra ID, which enforces password rules and provides Single Sign-On (SSO). However, you can begin with password controls.
  • Teach your employees to identify phishing. There are free security awareness training resources from companies like SANS.
  • Enable Multi-Factor Authentication (MFA) to add an extra layer of security when logging in.
  • Switch on encryption in databases.
  • Use a VPN.
  • Patch software regularly and promptly.