Cyber security for small businesses: A basic guide
Posted: Fri 6th Oct 2023
Businesses come in all shapes and sizes. But in today's world of serious and potentially damaging cyber threats, no organisation, large or small, can afford to ignore online security.
Whether you're a team operating out of an office, or an individual working from home, cyber security is an issue that every business should prioritise.
Cyber attacks generally grab the headlines when a huge multinational or government is the victim, but the smaller cases are arguably the bigger story.
In truth, any business can become a target. The good news is there's still a huge difference between being a target and being a victim. And for the most part, keeping your business safe from cyber risks simply comes down to preparation.
Why is cyber security important?
The consequences of a successful cyber attack can be costly. For businesses in the UK, the average financial cost of a security breach in 2022 was £1,100.
Regulatory requirements are also evolving, with the aim of holding organisations more accountable for protecting the data in their care. The General Data Protection Regulation (GDPR) gives regulators the power to fine organisations up to €20 million (US $24 million), or 4% of their annual global turnover, for violations.
Beyond the direct cost of an attack, your business could experience reputational damage and a loss of credibility among current and potential customers. Altogether, these growing risks mean that when storing and sharing data and sensitive information online, it’s important to keep your cyber security knowledge up to date and maintain the right level of protection.
What you can do about it
Like many small businesses, you're no doubt running on limited resources. This can mean you lack the time or budget to prioritise security measures to the same degree as you would other tasks.
As a result:
maintaining cyber security becomes part of an individual's role rather than a dedicated position
training and software fall out of date
data security becomes an afterthought
Improving security doesn't necessarily mean going to huge expense. However, it does need to be a focus if you're to avoid becoming the next victim of a cyber attack.
By adopting certain cyber-security best practices, you can improve both your protection and your company culture when it comes to implementing effective security measures.
What's the best practice for small business cyber security?
Create a cyber protection policy
The purpose of creating a cyber protection policy for your small business is to outline the resources and actions you need to protect your data and make sure your business can continue operating if the worst happens.
As a result, your staff will be better informed and able to take appropriate action to prevent attacks. Your customers or clients will also feel reassured that they're working with a company that takes data protection and cyber-security threats seriously.
To make sure cyber security policies become a part of your business's culture, you should:
document them thoroughly
support them with schedules and checklists to make sure the new processes are implemented and that staff are aware of their responsibilities
Avast Business has a cyber security policy template to get you started.
Review access permissions
A simple but effective security measure is to restrict access permissions to shared files and essential applications. This is called access control.
You should only provide access to those employees who need it for their work. By the same token, you should revoke that access when the staff member no longer needs it. This means that no-one should have blanket admin privileges based purely on their seniority within the business.
What does it mean to restrict access permissions?
Limiting physical access to facilities and other physical assets (for example, a key card to unlock a door)
Implementing best practices when sharing documents with people outside the business
Establishing processes for revoking access as soon as an employee leaves or a contract ends with a freelancer or other third-party
Access control limits the risk of people without the proper authorisation getting access to your systems. It also forms a foundational part of information security, data security and network security.
Back up your data
Making sure all your data is backed up is particularly important for avoiding ransomware attacks.
A ransomware attack is when a hacker steals and encrypts your data and prevents you from accessing it. They then demand a fee to restore your access, and threaten to destroy the data if you don't pay.
With no guarantee that they'll return the data in a usable state, your business faces a dilemma and could end up paying a ransom and dealing with downtime it can't afford.
Cloud services such as Dropbox, Google Workspace and Microsoft Office 365 are popular options for backing up data. Not only does the cloud allow you to access documents from anywhere, but the security these services offer is likely to be far more sophisticated, making them an affordable way to significantly improve data security.
Consider remote working risks
Adding more points of entry to a network increases the potential risk of a breach because there are more angles for cyber criminals to exploit.
With that in mind, the recent shift towards non-traditional office working could be seen as a concern – though the concept of remote working has been growing in popularity for many years.
You should include a bring your own device (BYOD) policy in your data security best practices. This helps make sure that all employees maintain a high level of security on any device they use to access the company's documents and network – from installing security software to applying patches as soon as they are available.
Invest in training and education
Cyber criminals are becoming increasingly sophisticated, which means security cannot be a 'set and forget' solution. Educate yourself and your staff on the latest threats and security best practices, such as avoiding suspicious email attachments.
The Cyber Essentials scheme is a government-backed, industry-supported scheme to help organisations protect themselves against common online threats.
Keep in mind that people are often the weakest link in successful cyber attacks – those with an understanding of the basics of cyber security will be better equipped to protect themselves and the company they work for.
Watch this webinar to find out why digital security is so important, and why you should always be updating your digital security practices and procedures:
How to protect your small business from online threats
Conduct a security audit
The starting point for any cyber-security strategy is to assess the risks to the business.
Identifying your business's security gaps, strengths, weaknesses and opportunities for improvement will provide a good foundation for your future decision-making on appropriate technology and other measures to implement to keep your business secure.
Assess the following factors:
Staff (for example, habits, whether they keep to IT policy, ability to recognise scam emails)
IT infrastructure (web servers, network devices, workstations, etc.)
Data – intellectual property (IP), customer and partner data (where and how you store it, what might be of interest to attackers)
Suppliers (exposure to their systems, level of protection, their cyber-security IQ)
Email and other security policies (date last updated, how well policies are enforced)
Software vulnerabilities (including your policies for updating and installing security patches)
Administrative rights and network permissions (whether employees have access only to the data they need to be effective)
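As an added example (not part of the original guide), the access review described under 'Review access permissions' and the 'Administrative rights and network permissions' audit item above can be carried out with a short script that cross-checks an application's account export against the HR roster. The names, roles and login ages are constructed sample data, and the set of roles allowed admin rights is an assumption made for the example.

```python
# Added example, not from the original guide. Cross-checks an application's
# account export against the HR roster to find accounts that should be revoked
# (leavers, ended contracts) or downgraded (admin rights the role does not need).
# All names, roles and login ages below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    admin: bool           # holds admin privileges in the application
    last_login_days: int  # days since the account last signed in


# Roles that legitimately need admin rights (assumption for this example).
ADMIN_ROLES = {"it-admin"}

# Constructed HR roster: user -> current role for staff and active contractors.
HR_ROSTER = {"alice": "finance", "bob": "it-admin", "carol": "sales"}

# Constructed account export from a shared application.
APP_ACCOUNTS = [
    Account("alice", admin=False, last_login_days=3),
    Account("bob", admin=True, last_login_days=1),
    Account("carol", admin=True, last_login_days=12),   # admin without a need
    Account("dave", admin=False, last_login_days=95),   # contract ended, never revoked
]


def review_access(accounts, roster, stale_after_days=60):
    """Return a list of (user, recommended action) findings."""
    findings = []
    for acct in accounts:
        if acct.user not in roster:
            findings.append((acct.user, "not in HR roster: revoke access"))
            continue  # nothing else to check on an account that should not exist
        if acct.admin and roster[acct.user] not in ADMIN_ROLES:
            findings.append((acct.user, "admin rights not required by role: downgrade"))
        if acct.last_login_days > stale_after_days:
            findings.append((acct.user, f"unused for {acct.last_login_days} days: confirm still needed"))
    return findings


if __name__ == "__main__":
    for user, action in review_access(APP_ACCOUNTS, HR_ROSTER):
        print(f"{user}: {action}")
```

Running the review on a schedule (for example monthly, and on every leaver) turns the policy items above into a repeatable check rather than a one-off.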
Be educated about browsing behaviours
Hopefully, you and your team understand that there are certain types of sites you shouldn't be visiting at work. However, you also need to be careful to only conduct sensitive business on secure websites and to be wary about attachments and links in emails and other forms of message.
Good habits include:
typing in URLs (web addresses) – don't click on links in emails
only entering confidential data on 'https' pages
checking that the web page's security certificate is valid
If employees use work devices (such as a smartphone or tablet) for personal use, it's easy for them to become less security conscious once they've left the office. It's a good idea to block inappropriate sites to make sure people can't access them from business devices.
You and your team should also avoid using untrusted public networks for conducting sensitive business. That way, you help prevent anyone with malicious intent from getting unauthorised access to your data and systems.
Have a strong password policy and use multi-factor authentication
Passwords
Make sure you have a strong password policy and your team use strong, unique passwords that mix symbols, numerals and letters of both cases.
Some hackers use a technique called "brute-forcing", where they attempt to gain access to your accounts by rapidly trying thousands of possible passwords. The stronger your password, the less likely they are to succeed.
And even a strong password becomes a liability if it's reused: once it's compromised on one website, every other account that uses it is exposed, which can lead to an even bigger cyber security breach.
Multi-factor authentication
To add an extra layer of security, you should use multi-factor authentication (MFA), which requires two or more factors of authentication to access a system. These might include:
passwords
PINs
facial or voice recognition
fingerprints
phone notifications
You should use a different password for every account, website, or application you access. While this might not seem feasible, a password manager can help.
This handy tool encrypts and stores each of your passwords, allowing you to easily access them across all of your devices. You can also use it to generate random, secure passwords.
Keep your software up to date
Software can only ever be at its most effective if it's regularly updated to account for new vulnerabilities or types of attacks.
Digital security organisations detect a new type of malware (malicious software) every second. So you need to stay ahead and make your defence against cyber-security risks as strong as it can be.
That means not only using automated updates to top up your security software (such as antivirus software) every day, but updating your operating system and all of your other software too. Make sure everyone in the business does the same.
Remember, programs that haven't been updated are the number one route cyber criminals use to hack businesses. Making sure every device – from printers and laptops to smartphones – has the latest patches and updates applied could be a daunting task for a large enterprise, but is very achievable in a small or mid-sized business.
Communal devices, like servers, should be updated by the staff members who manage IT security as part of their role, while other employees should be responsible for their own devices.
Enforcing this responsibility through training and the company security policy helps make sure that known software vulnerabilities don't result in a data breach you could otherwise have prevented.
Make sure your banking is secure
Cyber criminals have a number of methods for obtaining your financial information, from directing you to fake versions of trusted sites to using malware to spy on your activity and capture passwords. You need to take active measures to stop them.
Stay alert for phishing attacks. 'Phishing' is when cyber criminals impersonate a trusted institution, hoping to obtain information (such as passwords and credit card details), which they could use to defraud you.
Often, phishing scam artists send emails impersonating your bank. Consequently, you should always take a close look at the URL before you enter your details on any site, and ideally use a secure browser.
It's also best to avoid including such information in emails, which may be seen by eyes they weren't intended for.
Protecting mobile devices
Working on the move is now part of our everyday life, and cyber crime is increasingly directed at mobile as well as desktop devices.
Because of their portability and size, mobile devices are very easy to lose or have stolen. If you don't protect yours properly, it provides an easy way for someone to gain access to your business.
Remember that on a mobile device, a weak PIN or password becomes a single point of failure, allowing easy access to everything you do on your device.
Use encryption
If you store sensitive data on your company computers, encrypt it. Encryption is when you scramble your data so people who get their hands on it can't read its contents without a code or cypher (like a digital key).
On external drives, portable computers or even desktops, enabling full-disk encryption at operating system level means the data on the drive is unreadable without the key. If someone then steals your device, they won't be able to recover the data.
It's important to realise that as a business, the information you hold is a highly valuable asset that needs protecting.
Choose the right anti-malware protection
When it comes to cyber security, your small business is in a unique position. You face many of the same threats as any larger company, while sharing many of the same vulnerabilities as home users.
This unique position deserves its own approach to security. Simply repackaging a consumer product as a small business solution isn't adequate. For instance, it might offer no protection for servers, but many small businesses either use one or soon will.
Unlike home users, your business needs to protect a number of devices easily. But it's likely you don't have dedicated IT teams or the time to wrestle with complicated software built for specialists.
Choosing the right cyber-security software will allow you to feel relaxed and comfortable that your business is adequately protected, without the hassle of managing an expensive or overly elaborate security solution.
What cyber security software and tools should I use?
There are so many security tools available, it can be hard to identify which ones are essential and worthy of your investment. Here are some of the main tools to consider to keep your small business protected.
Virtual private network (VPN)
A VPN is an encrypted 'tunnel' through which your data can travel without third parties being able to view it or trace it back to your IP address.
Using a business VPN is extremely important for any modern company that has a flexible and mobile workforce. It helps protect your business data by keeping your company network and internet connections secure.
Since small businesses typically lack a large IT and cyber-security budget, VPNs are a low-cost solution, as they are cheap to set up and maintain.
Using a VPN will massively increase your security when using public wi-fi. Attackers on the same network can see your traffic and spoof a wi-fi router to force your phone to connect to it. When this happens, having a VPN will make sure they still can't read your traffic, as the VPN encrypts your connection before it crosses the open network rather than sending it in the clear.
Firewall
A firewall is a vital first line of defence that provides a barrier between your network and cyber attacks. You should include it as a measure in any BYOD or remote working policies you create.
This important tool prevents unauthorised connections and malicious software from entering your network. It monitors incoming and outgoing traffic, and if a computer or program outside your network tries to gain access, it decides what to block or allow (according to the rules you've set up).
Again, this is very beneficial if your business has remote workers who need to securely connect to your network from outside locations.
Antivirus software
Antivirus software creates an extra layer of security. Even if malware manages to get to your or your employees' computers, you'll have something in place to detect and remove it before it disrupts the whole network.
This software works by not only detecting and removing viruses, but also by securing your data against various attacks. For example:
web security tools can help prevent phishing attacks and block malicious websites
anti-ransomware tools can protect the data on your devices from being encrypted and held to ransom
As a small business, you might find it more difficult to recover from a large-scale attack than a major company with an in-house IT department would. As a result, protecting company data with a comprehensive cyber-security solution is essential.