Small Business Cybersecurity Protection + Best Practices

February 24, 2017

Featured article by Katherine Luk, Community Outreach Coordinator for HP’s Small Business Solutions

Cybersecurity has become a critical concern for businesses of all sizes. 2016 saw a number of high-profile cyberattacks gain increasing attention and concern among the business community, with many larger businesses starting to invest heavily in active threat detection and prevention. However, the most at-risk segment is now small businesses, and with half of SMBs experiencing a data breach last year, protecting your employees and your customers should be a top priority at a business of any size. This can be a challenging assignment, particularly for small businesses, which often lack the resources or capabilities of their larger peers. That being said, there are still several ways that startups and small businesses can take preventative steps in data security through smart investments, employee education, and practical policy. Check out the tips below for SMB cybersecurity and data protection policy.

Starting with a Strong Base

Investing in digital security can be painful for many startups, but the potential cost of a threat is too great to ignore. According to a recent report from the Ponemon Institute, victims of data breaches spend an average of $955,429 cleaning up after an attack. For many small businesses, that price could close the doors. Starting with a strong and secure base is one of the best ways to create and maintain a strong cybersecurity policy. For many startups this can mean sacrificing a potentially compromising “Bring Your Own Device” policy. While popular, allowing employees to access sensitive or confidential information on personal equipment creates a wide range of problems, especially on mobile devices; 44% of businesses in Ponemon’s survey report accessing business-critical applications through phones or laptops. If your team needs to stay mobile, consider shifting to specifically designed business laptops such as those from HP. Professional-grade laptops come with baked-in hard drive encryption, BIOS protection, biometric security features, physical privacy filters, and many other security components that consumer-grade laptops don’t offer. Your company cybersecurity policy is only as good as its weakest link, so keeping your hardware consistent and secure is essential.

Setting Clear Boundaries

Following the weak-link concept, another essential when starting out is setting up a unique account for each individual in the company, along with granular access permissions. Unfortunately, although malicious insiders are not the most common form of attack, they are one of the most difficult to detect, with most internal breaches taking months to discover. These attacks are overwhelmingly carried out by employees abusing account privileges that they shouldn’t have had in the first place. The National Institute of Standards and Technology (NIST) recommends stripping all employees of administrator privileges for typical work duties, both to mitigate potential privilege abuse and to facilitate data loss investigations. By only giving employees access to their work-critical data, there is less potential for malicious access to customer or company records.

Employee Education

Many tech-savvy startups think that their employees need little education in technology, especially younger employees who have grown up surrounded by the latest in digital devices. This is a dangerous misconception; just last year Snapchat Inc. fell victim to a spearphishing attack that compromised their payroll department. This is not a one-off occurrence either: spearphishing and ransomware attacks have been used to steal 700,000 IRS records, extort $28,000 from hospitals, and compromise over 4 billion records in 2015 alone, a trend that is only increasing. A recent Sophos ransomware report details a common attack path through malicious file downloads, and an oft-used spearphishing strategy relies on employees clicking through and entering credentials into a fake website. Both of these attack methods can be mitigated by educating employees on what to look out for in suspicious emails, along with keeping communication open and reporting potential attacks. With only 3% of suspicious emails currently being reported to management, there is considerable room for improvement.

Employee education is difficult to implement if your small business doesn’t have the personnel resources; the largest challenge reported by SMBs when creating IT security policy was insufficient staff, cited by 67% of surveyed companies. At the risk of being repetitive, the upfront cost of hiring IT staff pales in comparison to the potentially massive damages of a successful attack. Ensuring your startup or small business has the right employees to successfully educate staff and maintain cybersecurity policy is one of the most important cornerstones of company-wide security.

These are by no means the only or even the best ways to keep your organization safe from cyberattacks. Multi-factor authentication has seen support from companies like Google and Amazon as a way to keep account access secure even in the event of passwords being compromised. Pushes for strong passwords and password policy have increased (although 65% of companies report not strictly enforcing password policy). And while most SMBs do not have the budget or in-house capabilities to provide comprehensive IT support, more are recognizing the importance of IT and cybersecurity professionals and seeking outside help. Strong cybersecurity policy cannot take a set-and-forget approach; it requires continuous and extensive research, support, and maintenance. The importance of these qualities will only increase as more small businesses rely on digital infrastructure moving through 2017.

About the Author

Katherine is the Community Outreach Coordinator for HP’s Small Business Solutions team, focused on sharing technology and innovation.
