Cybersecurity best practices for businesses
Information & Communications Technology and Media | 18 Dec 2020
For an SME (small and medium enterprise), it is tempting to assume we are too small to be a cyberattack target and so do not need to invest in cybersecurity. According to Security Boulevard, nearly half of cyberattacks are aimed at small businesses, but only 37 percent of small business owners reported believing they were at risk of a cyberattack.
Why are SMEs attacked so much? While larger companies have more data to steal, SMEs tend to have less secure networks, which are easier to breach. CSO.com says that with automated attacks, cybercriminals can breach thousands of SMEs, so size is less of an issue than network security.
CSO.com also says that the top reasons for the high rate of attacks on SMEs were a lack of time, budget, and expertise for proper security. Other reasons include the usual: not having an IT security specialist, not being aware of the risk, lack of employee training, not updating security programs, outsourcing security, and failure to secure endpoints.
Strong cybersecurity policies can save millions of dollars for organisations. However, it does require an initial investment to set up a stable network and protect against intrusions. Now that we have established that no one is safe from cyberattacks, here are seven simple cybersecurity best practices you can implement for your business.
1. Use a firewall
One of the first defences against a cyberattack is the basic firewall. In addition to the standard external firewall, many companies are starting to install internal firewalls to provide additional protection. Consider providing firewall software and support for home networks to ensure compliance, especially at a time when staff may still be working from home.
2. Document and communicate cybersecurity policies
SMEs often operate by word of mouth or even intuition for many processes or practices. However, it is essential to document your cybersecurity policies and protocols. Staff must be made aware of the cybersecurity policies or trained to follow them. Further, it is common to outsource to third-party partners. Your third-party contractors need to be aware of your cybersecurity policies and adhere to them. Some of these policies should include the following considerations:
Plan for mobile devices
A Forrester Research report indicated that: “In 2012 as many as 53 percent of employees were bringing their own devices to work. By 2018, those numbers increased another 12 percent. It’s clear that a BYOD (Bring Your Own Device) mentality is much more the norm than the exception.”
With at least 65 percent of businesses allowing BYOD, companies need a documented BYOD policy focusing on security. With wearables such as smart watches and fitness trackers with wireless capability gaining popularity, companies need to include these devices in their policy as well.
Changing passwords regularly and using multifactor ID
Securelink, citing the Verizon Data Breach 2019 Report, noted that 80 percent of hacking-related breaches were still tied to passwords in 2019. According to the Keeper Security and Ponemon Institute Report, 40 percent of companies experienced an attack involving the compromise of employees’ passwords. In fact, regardless of any preparation, an employee will make a security mistake at some point. Enabling the multi-factor identification setting available on most major networks and email services is simple to do and provides an extra layer of protection.
Company requirements and expectations regarding IT security should be clearly stated in employment contracts and the various SLAs (Service Level Agreements) and SOPs your company might have.
3. Back up business data regularly
Regular data back-ups are part of basic security hygiene and should be mandatory. It is recommended to back up word processing documents, spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Data on the cloud should be similarly backed up.
4. Educate all employees on proper procedures and practices
Employees need to be trained on the company’s network cybersecurity best practices and security policies. Employees are the first line of defence against cybercrime. Surveys have found that two out of three preventable insider threat incidents are initiated by an employee or contractor (ObserveIT). Employees should be trained on how to create and maintain strong passwords, recognise phishing emails, avoid dangerous applications, etc. For example, many corporate employees have the dangerous habit of accessing corporate networks through unsecured public Wi-Fi networks. Training on options such as using VPNs while travelling or installing anti-malware programs will close these security gaps.
5. Monitor user access and activities
One of the top security concerns for businesses is when the company’s data is copied, transferred, or retrieved from a computer or server without authorisation. Companies should control access, and monitor contractors/vendors and employees, to get a clear picture of how all parties access and handle data.
Developing a good user and file activity monitoring system is one of the best solutions available and technology remains the main tool for this. By regularly monitoring user activity, companies can verify user actions that do not violate security policies while flagging the ones that do.
Management should review which users have privileged access to sensitive data; such access is a necessary risk. Businesses should regularly look at permissions, adopt a system of temporary or rotating credentials, or develop a system for auditing privileged access.
6. Update software and systems
Your company’s network should always be protected. Plan for regular software updates and schedule hardware security maintenance. In addition, companies should protect their website with an SSL certificate. Google encourages businesses to use HTTPS to ensure secure and private connections between their users and their website. This extra level of security is a basic step in implementing site encryption, data integrity, and authentication.
We have written previously about the danger of cyberattacks, including phishing attacks, which involve installing malware on the employee’s computer. It is therefore vital to have anti-malware software installed on all devices and the network.
7. Conduct phishing simulations
As of 2020, phishing attacks are one of the most prevalent forms of cyber threats globally. Phishing simulations can train employees to avoid clicking on malicious links or downloading unknown files. Simulated phishing attacks help raise cybersecurity awareness and create a safe space where employees can have their knowledge tested, ask questions, and find out what the latest tricks are. As more SMEs move services or store data online, they put themselves at risk of cyberattacks.
Preparation is prevention
There are numerous cybersecurity best practices that a business can consider when creating a security management strategy. We mentioned some common practices as a starting point. A comprehensive cybersecurity program will protect you from lasting financial consequences, as well as prevent reputational damage, and is the key to modern-day businesses’ survival.
This article is contributed by Moses Ku, Manager (Engagement), IndSights Research.