Cybersecurity Essentials for Small Business

If you own a small business you probably have a lot of concerns. Bookkeeping, human resources, liability insurance, customer acquisition, and customer retention are probably all top of mind. However, it is important not to let cybersecurity get lost in the noise. In this article, we outline eight essential cybersecurity strategies you can employ to reduce the risk that your business suffers a catastrophic breach. In cybersecurity there is no such thing as being 100% secure, but taking a few simple actions can reduce your risk of a breach dramatically. So here are eight cybersecurity essentials that can leave you considerably safer at minimal cost.

Mandate Two-Factor Authentication

The vast majority of SaaS applications now let you activate 2FA. You should be using 2FA on every single service that offers it. While two-factor authentication does not reduce your risk to zero, it provides a massive reduction in risk for a very minor inconvenience. Make sure 2FA is enabled on email, corporate accounts, accounting software, and banking. All employees should be required to use 2FA in order to log in and view any sensitive information that you wouldn’t want to be public.

Provide User Security Awareness Training

We have stressed this in other blog posts, but training your employees can make the difference between a contained security incident and a full security breach. Network administrators should receive detailed training on the importance of network security, as well as the steps they should be taking to protect your organization from a network perspective. User security awareness training should include:

  • How to avoid falling victim to phishing attacks
  • The importance of keeping data confidential
  • Not sharing passwords
  • Basic security hygiene
  • Types of stored data
  • Cybersecurity regulatory requirements specific to your business

Defend Against Physical Attacks

Many organizations spend tens of thousands of dollars building a high-performance cybersecurity program while neglecting the physical dimension of information security. You should take physical security seriously too. Bad actors can infiltrate your network through shoulder surfing, or by tricking an employee into plugging an infected USB device into a computer on your network. Some steps you can take to reduce the risk of a physical attack:

  • Keep doors locked during non-business hours
  • Any on-premises IT infrastructure should be kept locked
  • Use privacy screen filters to reduce the risk of shoulder surfing
  • Employ the principle of least privilege

Set Clear Cybersecurity Expectations

All employees should be familiar with the types of sensitive data your organization handles, and with any requirements that apply to its storage and transfer. Special attention should be paid to Personal Health Information (PHI) and Personally Identifiable Information (PII). All employees should clearly understand the cybersecurity expectations the organization places on them, as well as any regulatory requirements they fall under. Expectations might include:

  • Undergoing regular cybersecurity training
  • How to handle sensitive data
  • Rules for disclosing sensitive information
  • Data deletion and media destruction policies
  • How to handle a security incident

Appoint a Chief Information Security Officer (or hire a virtual CISO)

You may think that your organization is too small to need a CISO; think again. Every organization should have somebody who is clearly responsible for the confidentiality, integrity, and availability of information. You don’t necessarily need to hire an outside expert; appointing a tech-savvy internal resource can be a solid option for small businesses. But you do need a designated individual responsible for maintaining good cybersecurity practices.

Understand your Regulatory Requirements

Every company in the United States falls under at least one cybersecurity regulatory requirement. All 50 states have data breach notification laws that require you to notify victims if you lose their data in a data breach. In addition, there are myriad industry-specific cybersecurity compliance requirements. Some examples include:

  • PCI DSS
  • FERPA
  • HIPAA Security Rule
  • SOC 2
  • NYDFS Cybersecurity Regulation
  • SOX

Understanding the regulatory requirements your company falls under is extremely important. We recommend you consult a qualified attorney to ascertain which regulations apply to you and what you should be doing to meet them.

Ask your MSP Tough Questions

The unfortunate truth is that many Managed Service Providers do not provide cybersecurity for their customers. You may assume that because you are paying another company to manage your IT infrastructure and IT assets you are protected; don’t be so sure. MSPs are businesses like any other, and some may be tempted to skimp on building a robust cybersecurity program for your organization in order to come in at a low cost. Here are some good questions to ask a current or prospective MSP:

  • What current tools and technologies are you using to protect my data?
  • Do you provide any monitoring services for my data?
  • What tools and techniques do you use to protect your own networks and infrastructure?
  • What employee screening techniques do you use?
  • Do you follow any Cybersecurity Frameworks such as the NIST Cybersecurity Framework?

If they don’t know the answers to these questions, it’s probably time to find a new Managed Service Provider. A breach involving your customer or employee data will cost far more in the long term than spending a bit more on a cybersecurity-focused MSP.

Know a Security Company (Or use a Security Focused MSP)

No matter how many precautions you take, you always run the risk of suffering a security incident. Having a security company on standby ready to help (or, better yet, using a cybersecurity-focused MSP) can save you time, reputation, and money. At Touchstone Security, we offer fully managed IT with a security-focused mindset so that you can rest easy knowing that we are always here to help. If you aren’t sure about your cybersecurity, contact us for a 100% free, no-obligation assessment.

Get a free 60-minute compliance evaluation with a senior-level CISO