Cybersecurity Basics for Small and Medium-sized Businesses

An overview of strategic best practices plus a checklist of high-priority tactics Small and medium-sized businesses (SMBs) are increasingly at risk from cyberthreats. Cybercriminals have ramped up attacks in both sophistication and scope, thereby placing businesses like yours in their crosshairs. Despite this grim reality, SMBs are not completely helpless against cyberthreats and can effectively protect their businesses if they take immediate action. But what specific steps can you take to protect your business and secure your data and systems from attacks? The first step is to develop a high-level cybersecurity strategy followed by implementing a detailed tactical cybersecurity checklist. Done right, your business will be well-equipped to secure your IT systems, ward off threats, and enable remediation and recovery in the event of an attack. Strategic Considerations: Prior to implementing a tactical checklist of activities and initiatives, it's important to develop a strategic framework of Cybersecurity objectives and policies including:

• Make cybersecurity a core objective for your company. As an SMB leader constantly juggling multiple priorities, demands and concerns, cybersecurity may not always be at the top of your list of priorities. But anything less can put your business at risk, so it's essential to make cybersecurity a C-suite and boardroom focus. And you should involve your entire organization through continuous training programs supported by a clear and accessible feedback loop.
• Never skimp on your cybersecurity budget. It's just not worth the risk. If you feel like your business can't afford it -- ask yourself, can you afford not to?
• Utilize the National Institute of Stand and Technology (NIST) Cybersecurity Framework (NIST CSF 2.0) as a basis for your strategic planning and cybersecurity roadmap. The NIST Cybersecurity Framework is exceptionally comprehensive and consists of 6 pillars; Identification, Protection, Monitoring, Response, Recovery and Governance. See also NIST's CSF 2.0 Quick Start Quides for additional insight on this powerful framework, and how you can apply it to your business.
• Enlist experts to guide your efforts - Because of the increasing sophistication of cyberattacks, it's nearly impossible for an SMB owner or manager to plan, build and maintain robust defenses - it's simply not a do-it-yourself project. Protecting your systems and data requires deep and current information on new types of cyberattacks, appropriate defensive technologies and processes, and organizational best practices. While your company may not have the means to hire a large cybersecurity staff or a full-time Chief Information Security Officer (CISO), an expert Managed Service Provider (MSP) and/or virtual CISO (vCISO) can provide the required expertise affordably and flexibly.

Cybersecurity Checklist: On a more tactical level, use this checklist to begin to shore up your cyber defenses.

1. Provide on-going security awareness training

According to a study by Stanford University, over 85% of cybersecurity incidents result from human error or activity. Most of these can be attributed to employee ignorance or carelessness, making it clear that your workers can be a vulnerability or a valuable a resource. Subsequently, detailed employee training, preferably on a regular basis, is a critical component of your defense strategy. Training should be comprehensive, covering all aspects of cybersecurity from recognizing a phishing attack to securing devices, files and data.

2. Establish no-fault incident reporting

The worst thing that can happen in the event of a phishing attack or other employee-caused breach is a worker failing to report the incident out of embarrassment or fear of repercussions. Time is of the essence in mitigating the damage of an attack and a delayed incident report only makes things worse. So, it's important to make incident reporting quick, easy, and consequence-free.

3. Log-off applications and lock or turn off devices

It may seem almost trivial, but it pays to require employees to log off applications and lock or turn off laptops, tablets, or phones when not in use. This simple rule is an easy way to eliminate vulnerabilities and reduce your company's attack surface.

4. Deploy multiple layers of security

Layered security deploys multiple components or layers to protect your organization's infrastructure. This best approach ensures that each individual security component has a backup, and each layer reinforces the prior layer or component. If an attack makes it past one layer, there's a good chance the threat will be neutralized by the next layer. A common security architecture would include a firewall, patch management, endpoint protection, web and email content filtering, and multi-factor authentication. Taken together, these redundant layers of protection act as multipliers to dramatically enhance the effectiveness of your business' cyber defenses.

5. Use a firewall and ensure security subscriptions are current

Consistently using of a firewall and ensuring that it is configured properly is key, especially when using applications like Remote Desktop Protocol (RDP). Just as important is maintaining current security subscriptions to ensure that harmful processes are blocked before entering your network. Remember, hackers often depend on these types of administrative lapses to give them an opening.

6. Review and update user accounts and security groups

Keep a handle on all user accounts and ensure that accounts are deactivated immediately when employees leave. Take the same approach for security groups to account for any changes in personnel, duties, and permissions. These activities are critical as bad actors look for recently departed employees and will exploit their abandoned accounts as an entry into your systems.

8. Activate Group Policy Lockout

Implement lockout procedures to repel "brute-force" attacks, whereby hackers may attempt to break into your systems by using multiple user ID/password combinations in quick succession. Properly implemented, a lockout will deny entry into the account after a set number of attempts within a specified period of time.

9. Implement Multi-factor Authentication (MFA)

Two-factor Authentication (2FA) or multi-factor authentication (MFA) add an additional layer of security beyond passwords and are well worth the extra effort and expense. 2FA and MFA add additional variables to login procedures to make malicious access that much more difficult. For instance, in addition to entering a password, MFA will require a user to enter a random code sent via text, or biometric reading to gain access to an application or system.

10. Replace legacy software and hardware

It's not uncommon for legacy software and hardware to accumulate over time - if it's seemingly not broken, why fix it? The answer is that legacy software, computers, and OSs are not supported by their OEM. Consequently, security patches are no longer issued, making legacy technology highly vulnerable to attacks.

11. Implement encryption mechanisms such as Windows BitLocker

Data and files should be encrypted to protect data whenever possible. While there are various means to achieve widespread data encryption in your company, Windows Bit Locker (along with Trusted Platform Module) is an effective and accessible tool installed on all the Windows devices you already use.

12. Install business-grade endpoint security software

We are all familiar with the purpose and function of anti-virus software on our personal devices and/or networks. Business-grade endpoint software is similar to anti-virus programs in that it protects against computer viruses and malware but can safeguard multiple devices. And it features additional capabilities like persistent threat detection and response, device management, data leak protection and more.

13. Mandate strong passwords and require regular updates

Strong passwords are essential to cybersecurity. They require a minimum of 8 characters and must include some combination of letters (including at least one upper case), numerals and special characters. Words found in the dictionary, names and personal information such as birth dates are also excluded. This complexity makes them 1,000x harder to guess than simple passwords and they can be randomly generated via a browser or other application Because even strong passwords become less secure over time, it's a best practice to require regular password changes. Password change intervals are typically monthly or quarterly.

14. Protect your finances using banking protection software

Banking Protection software defends financial information, transactions and money from cyberthreats. It activates upon the initiation of an online banking session, automatically disconnecting all untrusted applications from your network and prevents them from reconnecting while the banking site is engaged. When the online banking session is closed, Banking Protection automatically detects that the banking session is over and ends the session.

15. Complete a cybersecurity risk assessment

A cyber risk assessment is useful both for setting a baseline of the current security situation as well as building a roadmap of what needs to be done. Additionally, risk assessment is a starting point to meeting compliance standards including HIPAA, Sarbanes-Oxley and PCI DSS. In most cases, a cybersecurity risk assessment will include at least the following: identification of assets, threats, and what could go wrong, analysis of risks and potential impacts, prioritization of risks, and documentation of potential risks.

16. Data immutability

Conceptually, data immutability is information within a database that cannot be deleted or changed. Immutable databases are "append-only", meaning data can only ever be added. The database will not overwrite or change an item when new information is made available, but will document what's been added or changed while retaining the original data.

17. Automated detection and response (ADR) software

ADR leverages advanced technologies like AI and machine learning to detect and stop threats automatically, as well as proactively predict and prevent them. Rather than requiring more staff to manage it (as conventional Endpoint Detection & Repsonse solutions do), ADR augments the staff you already have, effectively putting time back in their days so they can focus their attention on business-critical tasks.

18. Deploy an adaptive ransomware defense

It's highly recommended that you deploy ransomware detection and recovery software to speed your reaction to an attack and recover as quickly as possible. Adaptive ransomware defense can be applied using toolsets like Microsoft 365 Advanced Protection and can stop ransomware cold by detecting suspicious activity through an endpoint sensor and terminating malicious processes.

19. Continuous data security and protection or rigorous data backup protocols

Data backup is crucial to business continuity and recovery from a cyberattack. At the very least, full data backups should be performed on a regular basis and stored safely off-site for retrieval. An alternative approach is the use of continuous data security and protection (CDP) software. CDP performs incremental backups that update only changes to data or files that have been modified. CDP software also delivers additional security-related benefits including detecting ransomware activity at the source. 20. Update software and patch systems Software updates and patch management systems are essential tools in the constant effort to thwart new types of cyber-attacks and compensate for vulnerabilities in software, hardware or firmware. In fact, 60% of breaches occur due to an unpatched vulnerability prior to application of the relevant patch. Patch management should be rigorous, systematic and even automated, if possible.

21. Implement a Business Continuity procedure

Even with the best security strategies, an attack may slip through and disrupt your business. In planning for that possibility, best practices dictate that your company implements a business continuity procedures designed to get back up and running quickly. The NIST CSF framework is recommended for designing your Business Continuity strategy. It includes the 4 phases of the incident response lifecycle starting with preparation through post incident activity. Speed in detection and containment is of particular importance to facilitate isolation of the attack and limit further damage.

22. Implement role-based access control (RBAC)

Not every employee needs access to all corporate systems and data regardless of their role. RBAC limits access to each IT asset to authorized users of that asset. It minimizes vulnerabilities and enhances security by enforcing employees' access to only the data, tasks and applications that are necessary to their job.

23. Forbid employee usage of personal devices for business

Virtually all workers have their own computing devices, and it can be tempting to allow them to use them on the job. But allowing employees to use their own laptops and phones opens a can of worms from a security perspective. Alternatively, issuing company hardware enables better control and security as devices can be easily monitored, legacy devices are eliminated, and appropriate security software can be installed and updated. Many companies build a standard device image (or a series of role-based images) and load the image onto devices when they are issued or updated. It's much more secure and consistent than depending on personal devices. Conclusion: Consider this checklist a good start in protecting your business from cyberthreats - but only a start. Effective cybersecurity is a journey - not a destination - encompassing coordinated strategy, tactics, and vigilance. It's critical to enlist the right expertise in building and maintaining your cyber defenses. Whether it's contracting with a vCISO or hiring dedicated internal cyber experts, hiring experts is a worthy investment in your business and is one of the most effective means of protecting your business and keeping it safe from escalating cyberthreats. K3 Technology has years of cybersecurity expertise and hands-on experience keeping companies like yours safe from cyberthreats. Contact us today to discuss your cybersecurity challenges.