The Importance of Cybersecurity for Small Businesses
Larger companies generally have more robust implementations and trained workforces that disincentivize cybercriminals’ attempts. The difficulty of breaching their defenses has turned more attention to smaller businesses in recent years.
But preparedness can similarly help protect small and medium-sized businesses.
Cybersecurity ROI can be difficult to define, but, per IBM’s 2022 Cost of a Data Breach Report, a successful cyberattack leads to losses averaging $4.24 million. Adopting a proactive stance with implemented solutions, employee training, and documented response programs substantially mitigates the likelihood and damage of a successful attack.
These efforts not only prevent headaches and lost resources but could also be the difference in whether a business survives a data breach’s aftermath.
How Often are Small Businesses Targeted?
The frequency of small business attacks has been documented in Verizon’s Data Breach Investigations Reports, which combine forensic data from 83 partner organizations.
In 2020, small businesses—defined by the report as under 1,000 employees—were targeted by nearly 56% of known incidents and fell victim to 46% of known successful breaches. In 2021, these percentages jumped to 76% of known incidents and roughly 74% of known successful breaches.
The State of Small Business Cybersecurity Preparedness
Despite the risks, most small businesses are ill-prepared to fend off cyberattackers:
Yet, when asked about their concern over being targeted, 80% of small businesses stated they were “not concerned about being the victim of a hack in the next 12 months” or were “not concerned at all.” There’s a clear disconnect cybercriminals are exploiting.
Common Small Business Cybersecurity Threats
Many of the most common cybersecurity threats that small businesses face depend on social engineering and the ability to trick users into believing a malicious actor’s legitimacy. This is why employee training that helps users recognize these attacks is so crucial.
These attacks are often preventable with awareness and simple steps like making a follow-up call to the sender to confirm a message’s validity.
Some of today’s most dangerous cyberthreats that small businesses face include:
Ransomware – A specific type of malware (i.e., “malicious software”) that encrypts systems and data, locking out businesses until a ransom is paid. However, decryption often doesn’t occur following payment.
Of these attacks, phishing claimed the highest number of victims in 2021—323,972 per the FBI’s Internet Crime Complaint Center (IC3). However, BEC attacks, which exclusively target businesses, led to the heaviest losses at nearly $2.4 billion.
11 Tips for Small Business Cybersecurity
Although the cyberthreats facing small businesses can be daunting, proper training, awareness, and solutions will help bolster defenses. To that end, New Horizons has compiled 11 tips to help businesses defend against ever-evolving cybercrime techniques.
1. Implement a Cybersecurity Training and Awareness Program for All Employees
Particularly for social engineering attacks, a business' personnel comprise the most critical line of cybersecurity defense. Unfortunately, this is because if a user willfully shares credentials, sensitive information, or transfers money to a person or entity they believe is legitimate, there are little to no cybersecurity implementations that can help.
Crucially, cybercriminals continually adapt their techniques, so cybersecurity training is never a “one-and-done” effort. Training must recur periodically and following critical events or newly identified threats.
2. Adopt Industry-Applicable Cybersecurity Frameworks
Depending on the industry, there may be a dedicated cybersecurity compliance framework your business must implement (e.g., HIPAA for healthcare, PCI DSS for credit card activity). These frameworks provide thorough guidance for cybersecurity programs, specifying the controls and their restrictiveness.
However, not every industry must adhere to one of these frameworks. For businesses that don’t have a mandatory compliance obligation, they can always turn to “Special Publications” published by the National Institute of Standards and Technology (NIST), like SP 800-53.
3. Configure Strict Authentication Protocols
On top of strict password policies, businesses should configure multifactor authentication (MFA). MFA requires users to enter a second set of credentials (commonly a PIN code or “one-time password” on a timer) at login. This helps ensure that even if a password is compromised, intruders won’t be able to log in.
4. Provide IT Employees with a Path to CompTIA Security+ Certification
CompTIA Security+ is a globally recognized cybersecurity certification. Earning certification attests to the individual having the baseline knowledge that core information security roles require. The expertise gained meets US Department of Defense and ISO 17024 standards, so rest assured that certified individuals will meet the demands of their role.
5. Enforce Strict Password Policies
Without enforcing strict password policies, login credentials can be one of the weakest cybersecurity links in any organization. Per the latest guidance released by NIST in SP 800-63B, modern password policies should:
Adopting these user password guidelines will help secure critical entry points to your network and systems. For implemented systems, the most important step is always changing the vendor-supplied default passwords.
6. Complete Microsoft’s AZ-500T00 Course (or Equivalent)
Microsoft’s AZ-500T00 certification is similar to CompTIA Security+ in that it ensures Azure Security Engineers have the baseline knowledge their role requires. Particularly if an organization relies on Microsoft Azure for cloud infrastructure, having available cybersecurity professionals with this certification is a necessity.
7. Implement Automated Security Solutions
Small businesses need to maximize their cybersecurity return on investment. Automated solutions—like threat monitoring and vulnerability scanning—will enable cybersecurity professionals to gather the insight and assessment information they need without expending additional bandwidth.
8. Implement Robust Email Security
Security solutions like anti-malware scanners and integrated cloud email security (ICES) will help substantially reduce the threats of phishing, ransomware, and other email-delivered cyberattacks.
These platforms will scan incoming and outgoing email traffic for known threat signatures and quarantine any identified positively. Sophisticated solutions will also utilize artificial intelligence and machine learning to expand identification capabilities beyond recognizable signatures, helping to perceive and prevent unknown threats.
9. Enforce “Zero Trust” and the “Principle of Least Privilege”
“Zero Trust” is a cybersecurity model that emphasizes no implicit trust of users and devices whatsoever, even if they had previously accessed a given network. Every connection must first be verified and continually reverified throughout the connection’s duration.
Similarly, all user accounts should be provisioned access permissions according to the “Principle of Least Privilege.” This asserts that employees should only be granted the level of access strictly required for their role’s responsibilities—no more, no less.
10. Leverage Encryption
Encrypting hardware and data provides an extra line of defense should a breach occur. Without the cryptographic key necessary for decrypting information, it remains unreadable.
Encryption can even be used for HIPAA-subjected entities to demonstrate that a data breach did not occur because the cybercriminal could not actually read the information they’ve obtained.
11. Conduct Penetration Testing with Ethical Hackers
Once the implementation of your security program is underway, the best thing to do is conduct penetration testing to assess its strength and determine any vulnerabilities. Penetration testing is a form of ethical hacking where an individual attempts to breach a company’s security. They then compile advisory reports based on their findings that help inform your organization’s security program.
Before hiring or partnering with an ethical hacker, small businesses should first verify whether they'd earned the EC-Council (EC) Certified Ethical Hacker (CEH). This certification indicates whether the individual has acquired ethical hacking knowledge and is continually updated to provide training on the latest cybercriminal attack methods.
Steadfast Cybersecurity for Your Small Business with New Horizons
The cybersecurity threats that small businesses must contend with are very real and very dangerous for ongoing operations. However, ensuring personnel have the proper training and certifications to build and enforce a strict security program will substantially mitigate the threats.
Robust cybersecurity is easily achieved through certifications like CompTIA Security+, Microsoft’s AZ-500T00, and CEH. Check out our Top 10 Cybersecurity Courses >
New Horizons provides comprehensive training courses that help employees achieve these certifications. As the largest Cisco-authorized training partner and deliverer of 40% of all authorized Microsoft training, New Horizons is the most reliable way to earn cybersecurity certifications that substantially help cybersecurity for small businesses.
Contact us today to learn more about New Horizons’ certification training programs.