If you are operating a small business, it does not mean you are safe from cyberattacks. 81% of all cybersecurity breaches happen to small and medium-sized companies, as they are often unprepared.
To ensure your business is secure, review our ten recommendations: steps you can take today with a minimal or zero budget that significantly decrease the risk of hacker attacks.
1. Educate employees.
Humans are not the weakest link in your cyber defenses. In fact, people are the best weapon you have against malicious hackers. Train them to recognize and handle the most widespread attacks, and repeat that training from time to time. If you do so, your people will strengthen, not weaken, your company’s cybersecurity.
2. Enforce two-factor authentication.
There is no excuse for not doing so. Turn on two-factor authentication on every website, in every system, in every app you use, and this will do you a big favor in the future. Applications protected by multi-factor authentication are much harder for hackers to penetrate.
To do so, they need to phish not one factor (a password) but two (a password and a time-based numeric code). Such an attack is not just more sophisticated; it also has a time-limited window of opportunity. All this makes 2FA-protected systems much harder to compromise.
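The "time-limited window" above is what a time-based one-time password (TOTP, RFC 6238) gives you. The following is an added example, not code from the original post: a minimal TOTP generator and verifier that accepts a code only for its own 30-second step plus one step of clock skew on either side, so a phished code stops working within about a minute. The secret used in the test is the RFC 6238 reference secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian integer
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP keyed on the time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the code only if it matches the current step or one of the
    `skew` neighbouring steps. Outside that window a stolen code is useless."""
    counter = int(at_time) // step
    for c in range(counter - skew, counter + skew + 1):
        # constant-time comparison so timing does not leak which digit differs
        if hmac.compare_digest(hotp(secret_b32, c, len(code)), code):
            return True
    return False


if __name__ == "__main__":
    import time
    # Demo secret only (RFC 6238 test-vector key "12345678901234567890" in base32).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code)
    print("valid now:", verify_totp(demo_secret, code, now))
    print("valid two minutes later:", verify_totp(demo_secret, code, now + 120))
```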
3. Use encryption to protect data and communications.
Nowadays, data encryption is widely used for sensitive communications. Use cryptographic data protection everywhere, and you will not regret it. Of course, manage your keys carefully and make backup copies of your password database, as losing it may cause more trouble than the actual sensitive information disclosure.
Simple, popular, and efficient ways to use cryptography to protect your business are:
- Embrace end-to-end encrypted instant messengers. Use Signal, Keybase, or Wire for maximum protection. Consult the guide on secure messaging apps for less secure alternatives.
- Use a Virtual Private Network for sensitive communications. Being on a VPN 24 hours a day can be unpleasant because the connection is slower. But using a VPN when connected to public Wi-Fi or another insecure network is a must.
- Check for HTTPS on all websites. There is no excuse for a website to ignore HTTPS in 2021. And there is no excuse for tolerating such a configuration and using such websites.
- Encrypt the files in the cloud. There are several trustworthy means of end-to-end file encryption before syncing your data to the cloud. Choose one and ensure it is enabled in all locations where you store sensitive data.
4. Protect the endpoints.
Update the software regularly and install an anti-malware solution on computers, smartphones, and other electronic devices your employees use.
5. Abandon Earth
Move to the cloud: SaaS applications, IaaS hosting services, and other professional third-party services with good security practices.
You will never protect your MS Exchange better than Microsoft protects O365, or Google protects G-Suite. Mind your threat model, though.
6. Know when your business is hacked.
Use a logging solution or another way to get early notification of being compromised. Canary tools (decoys that trigger an alert when touched) are a modern way to get such alerts, similar to how miners used actual canary birds for work safety.
“Amateurs don’t want to get hacked. Professionals don’t want to remain hacked.”
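As an added illustration of the canary idea (not code from the original post or any particular canary product): plant unique, unguessable tokens in decoys that nobody legitimately uses, then scan your web server access log for requests containing them. The tokens, labels and log lines below are constructed for the example; a single hit is already an alert, because no normal activity ever requests those paths.

```python
import re
from typing import Dict, List, Optional, Tuple

# Combined Log Format as written by Apache and nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed canary tokens (label -> token). Each token is embedded in a decoy
# such as a "passwords.xlsx" on a file share or a fake API key in a repository;
# opening the decoy causes a request for a URL that contains the token.
CANARIES: Dict[str, str] = {
    "decoy-docx-on-fileserver": "c4n4ry7f3a9b2e1d",
    "fake-aws-key-in-repo": "c4n4ry0d8e7a6f5b",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def canary_hits(log_lines: List[str],
                canaries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (label, source_ip, timestamp) for every request to a canary URL.
    Unparseable lines are skipped rather than aborting the scan."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, token in canaries.items():
            if token in rec["path"]:
                hits.append((label, rec["ip"], rec["ts"]))
    return hits


# Constructed sample access-log lines, not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2021:14:02:12 +0000] "GET /static/app.js HTTP/1.1" 200 88210',
    '198.51.100.23 - - [10/Mar/2021:14:07:45 +0000] "GET /t/c4n4ry7f3a9b2e1d/plan.docx HTTP/1.1" 404 153',
    'garbage line that does not parse',
    '198.51.100.23 - - [10/Mar/2021:14:09:03 +0000] "GET /t/c4n4ry0d8e7a6f5b HTTP/1.1" 404 153',
]

if __name__ == "__main__":
    for label, ip, ts in canary_hits(SAMPLE_LOG, CANARIES):
        print(f"ALERT: canary '{label}' opened from {ip} at {ts}")
```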
7. When ready, start using a control framework.
There are plenty of them, most available for free: CIS, NIST, ISO 27k, and PCI DSS, to name a few.
- CIS – Center for Internet Security
- NIST – US National Institute of Standards and Technology, SP 800 series
- ISO 27000 series of Information Security Management standards
- PCI DSS standard and supplementary materials
8. Get cybersecurity insurance.
Cybersecurity insurance is still affordable for most companies. Follow some basic cybersecurity practices and demonstrate them to the insurer to lower your premiums.
9. Make backups.
Back up your data regularly to save yourself the time and pain of recovering lost data.
10. Challenge your business security regularly.
The “what you don’t know can’t hurt you” principle does not work in cybersecurity. Cyberthreats are invisible, but their consequences are very much apparent. Without regularly testing your defenses, you have no idea whether they match the attackers’ efforts.
Summary
During the last few years, internet crime has increased dramatically. Businesses that fall victim to cyberattacks suffer financial loss and a loss of customer trust: they lose their reputation as a trustworthy partner.
So, regardless of the size of your business, protecting your customers’ information should be your top priority.
To make informed and reasonable risk decisions, you must learn two things: the apparatus, i.e., how to reason, and the input sources, i.e., correct data about the world. The former is a bit tricky and goes far beyond the topic of this webinar. The latter, however, is much easier, as we can recommend quite a few data sources. You can check them out here on our Slideshare.
If you want to take the security of your online business to the next level and protect your customers’ sensitive information from cyberattackers, be sure you follow the basic ten steps mentioned above. Watch our webinar to learn more (recorded in Ukrainian).
Email us at hello@bsg.tech if you need professional security advice or have more questions and suggestions.
Stay safe.