Hackers have set their sights on small businesses because they often have weaker cybersecurity and can unknowingly serve as entry points to much larger corporations that they may have as customers. In fact, a staggering 71 percent of cyberattacks occur at organizations with fewer than 100 employees, according to the Small Business Committee.
At the same time, it's challenging for a small business to keep up with the wide range of potential cyberattacks. Small businesses often don't know they have become vulnerable to attackers until it's too late.
To help you navigate this cyberterrain, Business News Daily compiled the top tips and best practices from the pros on how to keep your business from falling prey to cybercrime.
Control admin access
Research has shown that unmanaged administrator privileges are some of the biggest IT security threats to an organization. Yet many small businesses still don't take the time to set up the proper access limitations for nonadmin employees, especially when those workers are using their own devices.
"Security policies and mechanisms must be put in place for company data access from personal devices," said P.J. Gupta, a mobile security expert and the founder and CEO of iPlum. "Tight control on who has the privileges to run which enterprise apps from which devices helps minimize the risk of data loss or corruption."
Gupta recommended enforcing time-window and location-based fencing for controlling access to sensitive information.
Layer your security
Security needs to be an ongoing process and not just a single event, said Marc Malizia, chief technology officer for the managed cloud solutions provider RKON Technologies. The best security consists of a layered approach, he said.
To secure your operating systems, you should perform ongoing tests for vulnerabilities and penetration by hackers, Malizia advised. He also recommended installing specialized security software to look out for abnormal web traffic, block attempted logins from out-of-the-ordinary locations or unknown devices, and authenticate your online activities in real time by correlating behavioral analysis, device profiling and data feeds from fraud networks. Finally, businesses should layer in application firewalls in front of external-facing web servers to further block malicious traffic, Malizia said.
Ask about cyberinsurance
In the past several years, cyberinsurance policies have become an increasingly popular option for small businesses looking to protect credit card information, customer names and addresses, and other sensitive data stored in online systems. Cyberrisks aren't typically covered under general liability insurance, so it's important to find out which types of coverage are available.
"Cyberinsurance is not a one-size-fits-all product," said Tim Francis, enterprise cyber lead at Travelers, a provider of cyberinsurance. "It's hard to identify what a 'small' business is when it comes to the world of cyber. Traditional measures, like revenue and number of employees, aren't good indicators of how much [risk] a company has in terms of data breaches. A small company can have very big exposure."
Cyberinsurance isn't a necessity for every company, but business owners should speak with their insurance agent about their options.
Secure personal devices, but don't overmonitor
Allowing employees to use personal devices for work means companies need some kind of monitoring system in place to protect any company data they're accessing. But policies that are too strict or overbearing won't sit well with employees, who may feel that their privacy is being invaded.
According to security provider Norton by Symantec, employers can take simple noninvasive steps to safeguard their security, such as setting up automatic security updates and requiring employees to regularly change their passwords. However, if a data breach does occur and a personal device needs to be investigated, Francis recommended handling the situation very delicately and getting HR and legal teams involved to ensure that the employee's private data isn't compromised in the process.
Have a process in place
Even if you take precautions, security issues may still arise at your company. It's important to have a process that all of your employees are familiar with, so that everyone can handle any incidents properly. Andrew Brooks, director of infrastructure reliability at SingleHop, an IT hosting company and service provider, advised considering the following as you think about your company's security process:
Minimize the attack surface: Owners should look at the technologies that power their operation and make every effort to minimize exposure to hackers. They need to always ask the following: Does this need to be online? What happens if it gets hacked, and how can it avoid getting hacked?
Install security patches: Because small businesses have a more manageable and contained infrastructure, security patches can be applied quite rapidly. Once security advisories and updates are available for the systems you use, evaluate their relevance to your systems, and patch them immediately.
Have a backup: Small businesses should have secure off-site backups. Take the time to verify the integrity of the data routinely, so that if and when it's time to restore from the backups, the data is actually usable.
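One way to make the routine integrity check on backups concrete, as an added example that is not from Brooks or SingleHop: record a SHA-256 hash of every file when the backup is written, then re-check the copy on a schedule and before any restore. The function names, the sample files and the demo key are assumptions made for this sketch; the manifest and its key are meant to be stored apart from the backup itself.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB reads
            digest.update(chunk)
    return digest.hexdigest()

def manifest_tag(files, key):  # HMAC over the file list, so manifest edits are detected
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(backup_dir, key):  # run right after the backup job
    root = Path(backup_dir)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": manifest_tag(files, key)}

def verify_backup(backup_dir, manifest, key):  # run on a schedule and before a restore
    if not hmac.compare_digest(manifest_tag(manifest["files"], key), manifest["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest was altered")
    root = Path(backup_dir)
    report = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, digest in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["corrupted"].append(rel)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(on_disk - set(manifest["files"]))
    return report

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample backup
        root, key = Path(tmp), b"constructed-demo-key"
        (root / "customers.sql").write_text("INSERT INTO customers ...")
        (root / "invoices.csv").write_text("id,amount\n1,100\n")
        manifest = build_manifest(root, key)
        (root / "invoices.csv").write_text("id,amount\n1,999\n")  # silent corruption
        (root / "customers.sql").unlink()  # file lost from the backup
        return verify_backup(root, manifest, key)

if __name__ == "__main__":
    print(demo())
```

A clean hash report shows the copy is intact, not that it restores into a working system, so a periodic test restore is still needed.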
Finally, Brooks recommended that small businesses have a professional security assessment performed at least once a year, if not quarterly.
"It's helpful to have an unbiased and different set of eyes look at the security posture of an organization and its applications," he said. "This is a fairly inexpensive way to get some valuable peace of mind."
Additional reporting by Nicole Taylor. Some source interviews were conducted for a previous version of this article.