Cyber Security Management: A Guide for Small Businesses

Cyber security management is an essential aspect of a successful small to medium business (SMB). This guide intends to help SMBs develop the practices needed to protect themselves from the most common cyber security incidents. 

This guide is designed to be simple and easy to understand. After reading, you will be able to review and implement or support the implementation of any of the solutions. These three statistics will help get you started and ready to focus on the right areas for improvement:

  1. 95% of cybersecurity breaches are caused by human error. (Cybint)
  2. 45% of breaches featured hacking, 17% involved malware and 22% involved phishing. (Verizon)
  3. Data breaches increased by 68% to 1,862 in 2021, compared with 1,108 in 2020. (ITRC, 2021)

Reducing human error and poor habits, and knowing where attacks are likely to come from, are the keys to preventing them. If you employ a simple strategy of reducing the chance of poor human habits, such as strict password management for your applications, your chances of exposure are significantly reduced.

Check out our guide to deploying a password management system or our recommended cyber security tools.

A cyber security incident can have a major impact on the survivability of a small business, and many of these cyber security threats can be reduced and even prevented. 

Don’t assume that because it hasn’t happened yet, that it won’t. 

What is Cyber Security?

Cyber security is the practice of protecting a business’s systems, networks, and programs from cyberattacks. These cyberattacks are typically aimed at accessing, changing, or destroying sensitive business information, extorting money from users or employees, or interrupting normal business processes. Implementing effective cybersecurity measures is increasingly challenging, as cyber threats are always evolving and attackers are becoming more sophisticated. 

Why is Cyber Security Important for Small Businesses?

Every business, from a small bakery to a multi-billion-dollar company, is at risk of cyber threats. With the number of cyber threats growing by the day, you can never be too confident in the security of your company’s data. Data breaches can happen at any time, even to the most technologically advanced company. There are a number of techniques that can be implemented to reduce the risk of a cyber attack on a small business, which include:

  1. Antivirus software
  2. Password management
  3. Encryption
  4. Scanning
  5. Network security monitoring
  6. Website attack prevention
  7. Phishing prevention
  8. Firewall tools
  9. CS training programs

What is a Cyberattack?

Cyberattacks are the unauthorised attempts to steal, expose, alter, disable or destroy information through unauthorised access to computer systems. Criminal organisations, state actors and private persons can launch cyberattacks against businesses. Cyberattack risks can be classified by outsider and insider threats.

Outsider Threats:

  • Organised criminals or criminal groups
  • Professional hackers, state-sponsored actors
  • Amateur hackers, self-taught hackers or hacktivists

Insider Threats:

  • Employees ignoring security policies and procedures
  • Resentful current or former employees
  • Business partners, clients, contractors or suppliers with system access

Types of Cyberattacks

Backdoor Trojan

A backdoor Trojan infects the victim’s system with a backdoor, allowing an attacker to obtain remote, near-total control of the machine. The Trojan can be used for additional cybercrimes as well as connecting a group of victims’ machines into a botnet or zombie network. The Trojan horse virus “Ramnit” largely affected the financial sector in 2017, accounting for 53% of attacks. (Cisco)

Cross-site scripting (XSS) attack

Cross-Site Scripting (XSS) attacks are injection attacks in which malicious scripts are inserted into otherwise trustworthy and innocent websites. XSS attacks occur when an attacker utilises a web application to transmit malicious code to a separate end user, usually in the form of a browser side script. The flaws that allow these attacks to succeed are common and can be found whenever a web application accepts user input in its output without verifying or encoding it. 
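The flaw described above (user input copied into a page without encoding) and its fix, as an added Python example that is not part of the original guide; the sample input and the helper names are constructed for illustration:

```python
import html

# Constructed sample input: what a visitor might type into a "display name" field.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_greeting_unsafe(name: str) -> str:
    """The flaw the guide describes: user input is copied into the page unencoded,
    so the browser runs any script the input contains."""
    return "<p>Welcome, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-encode the input so the browser displays it as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


def render_profile_link_safe(url: str, label: str) -> str:
    """Attribute context: quotes are encoded so input cannot break out of the
    href attribute, and only http(s) destinations are accepted."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">' + html.escape(label) + "</a>"


def contains_raw_script_tag(page: str) -> bool:
    """Check used here only to show the difference between the two renderers."""
    return "<script" in page.lower()
```

The safe renderer produces the same visible text for a harmless name; the difference only shows when the input contains HTML, which is exactly the case an input filter would miss.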

Fake Accounts

Fake accounts can be created from inside or outside of the organisation, so having a solid AML/KYC process and policy in place is critical for the longevity of your business. Anti-Money Laundering (AML) and Know Your Customer (KYC) controls aim to detect and prevent money laundering: the execution of transactions that eventually convert illegally obtained money into legal money.

Denial of Service (DoS)

DoS and distributed denial-of-service (DDoS) attacks overwhelm a system’s resources, restricting responses to service requests and lowering the system’s performance. This attack is often a set-up for a subsequent strike. According to Cisco, by 2023, the total number of DDoS attacks worldwide will be 15.4 million. (Cisco)

DNS Tunnelling

DNS tunnelling is a technique in which cybercriminals use the DNS protocol to exchange application data, for example to extract data discreetly or to establish a communication channel with an unknown server, such as a command and control (C&C) exchange.

Malware

Malware is a type of malicious software that can render infected computers unusable. The majority of malware variants destroy data by wiping files that the operating system needs in order to function. 94% of malware is delivered by email. (CSO Online)

Phishing

Phishing scams attempt to steal users’ passwords or sensitive information such as credit card numbers. In this situation, scammers utilise phoney hyperlinks to send victims emails or text messages that appear to come from a reputable source.

Ransomware

Ransomware is a type of virus that takes advantage of system flaws and encrypts data or system functionality to hold it hostage. Cybercriminals use ransomware to extort money or assets in exchange for the system’s release. 

SQL Injection

Structured Query Language (SQL) injection attacks insert malicious SQL into vulnerable applications, causing the backend database to return query results, execute commands, or perform similar actions that the user did not request.
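The vulnerable query construction beside its hardened, parameterised form, as an added Python example that is not part of the original guide; the in-memory customer table and the tampered input are constructed so the example runs offline:

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [("ann@example.com", "basic"), ("bob@example.com", "premium")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The vulnerable pattern: the user's input is pasted into the SQL text,
    so a quote inside the input becomes part of the query itself."""
    query = f"SELECT email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: a parameterised query sends the input as a value only;
    the database never parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT email, plan FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed input: closes the quoted value and appends an always-true condition.
TAMPERED_INPUT = "x' OR '1'='1"
```

With the tampered input the unsafe lookup returns every customer row, while the safe lookup returns nothing because no customer has that literal email address.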

Zero-day exploit

Zero-day exploit attacks take advantage of hardware and software flaws that are unknown to the developers. Because the defect has not yet been discovered, it can remain exploitable for days, months, or even years.

How Can a Cyberattack Impact Your Business?

A successful cyber attack can cripple a small business, causing major economic and reputational damage. It can affect your bottom line, as well as your business’s standing and consumer trust. Cyber attacks often result in a substantial financial loss arising from:

  • Theft of corporate sensitive information
  • Theft of financial information
  • Theft of money
  • Disruption of trading (e.g. a DoS attack preventing online transactions)
  • Loss of business 

Reputational Damage

A consumer connection cannot exist without trust. Cyber attacks can harm your company’s brand and diminish your customers’ trust in you. As a result, there’s a chance that a cyberattack could lead to:

  • Loss of customers
  • Loss of sales
  • Reduction in profits

Reputational harm can have an influence on your suppliers, as well as your relationships with partners, investors, and other stakeholders in your company.

The need for cyber security professionals has increased with companies struggling to fill vital data security positions. Review this resource and you’ll find it provides insights into how the combination of heightened demand and increasingly sophisticated remote technology can create tremendous career opportunities for cyber security professionals.

Antivirus

Antivirus software is a computer program designed to identify and remove viruses that have infected a computer, or to warn the user of malicious links or downloads while browsing the internet. The program regularly scans the user’s machine to check for malicious files or programs.

We recommend the following tools:

  • McAfee
  • ESET Endpoint Security

Password management

A password manager is a computer program that can store, generate and manage passwords for local applications and online services. Passwords are difficult to remember, and passwords that are easy to remember are usually weak. A password manager can generate and store strong passwords, so that if one account is compromised, the total impact of the breach is not spread to other accounts with the same password. Benefits of using a password manager include:

  • Increased productivity, as a strong password manager makes it easier for employees to access work applications
  • Passwords accessible on multiple devices
  • Automatic generation of strong passwords
  • Alerts when you visit a phishing site

We recommend the following solutions:

  • 1Password

Encryption

Encryption is the process of turning plain text into “secret code” so that hackers and cybercriminals cannot read it if they intercept a message before it reaches the intended recipient. It helps provide data security for sensitive information.

We recommend the following solutions:

  • Kaspersky

Phishing prevention

Phishing attacks are designed to exploit the people of an organisation rather than targeting the business’s systems.

Basic Phishing:

Phishing is a type of social engineering attack that is frequently used to obtain sensitive information from users, such as login credentials and credit card details. It happens when a hacker poses as a trustworthy source and convinces a victim to open an email, instant message, or text message.

Spear Phishing:

Instead of a large group of people, spear phishing targets specific individuals. Attackers frequently conduct social media and other online searches to learn more about their targets. This allows them to personalise their messages and appear more genuine. Targeted attacks frequently begin with spear phishing. 88% of organisations worldwide experienced spear phishing attempts in 2019. (Proofpoint)

Whaling:

Whaling is when attackers go after a “big fish,” such as a CEO. These attackers frequently spend a significant amount of time profiling the victim in order to determine the best time and method for acquiring login information. Because high-level executives have access to a lot of firm information, whaling is a major worry.

Pharming:

Pharming, like phishing, intends to exploit and trick individuals. Pharming directs consumers to a phoney website that appears to be authentic. In this scenario, however, victims are not required to click on a malicious link to be directed to the fake website. Even if the user types in the proper URL, attackers can infect the user’s machine or the website’s DNS server and redirect the user to a false site.

Best Ways to Protect Your Small Business From Cyberattacks and Threats

  1. Backup data

Backing up your company’s data and website can allow you to restore any information lost in the event of a cyberattack or computer failures. It’s critical that you periodically back up your most crucial files and information. Fortunately, backing up is often inexpensive and simple.

  2. Secure your devices and network

Update Software: 

Make sure your operating system and security applications are set to automatically update. Important security upgrades for recent infections and attacks may be included in updates. Most updates can be scheduled after business hours or at another time that is more convenient for you. Because updates solve severe security problems, it’s critical not to disregard update prompts.

Install Security Software:

Install security software on your business computers and devices to help prevent infection. Check for antivirus, anti-spyware, and anti-spam filters in the software. Computers, laptops, and mobile devices can all be infected with malware or viruses.

Set up Firewall:

A firewall is software or hardware that acts as a barrier between your computer and the internet. It serves as a checkpoint for all inbound and outbound traffic. A firewall will safeguard your company’s internal networks, but it must be patched on a regular basis to function properly. Remember to set up your firewall on all of your mobile business devices.

Turn on Spam Filters:

Reduce the quantity of spam and phishing emails that your company receives by using spam filters. Spam and phishing emails can infect your computer with viruses or malware, as well as steal your personal information. The best thing to do if you receive spam or phishing emails is to delete them. Using a spam filter can help reduce the chances of you or your staff accidentally opening a spam or fraudulent email.

  3. Encrypt important information 

Make sure your network encryption is turned on and that any data you save or send online is encrypted. Before sending data over the internet, encryption turns it into a secret code. The risk of theft, destruction, or tampering is reduced as a result. When utilising a public network, you can enable network encryption through your router settings or by installing a virtual private network (VPN) solution on your device.

  4. Implement multi-factor authentication (MFA)

MFA (multi-factor authentication) is a security procedure that requires you to give two or more forms of identification before you may access your account. Before access is granted, a system may demand a password and a code sent to your mobile device. Multi-factor authentication adds an extra layer of security to your device or online accounts, making it more difficult for hackers to obtain access.

  5. Manage passphrases

To protect access to your devices and networks that contain sensitive business information, use passphrases rather than passwords. Passphrases are phrases or combinations of words used as passwords. They are easy for people to remember but complex for machines to crack.

A secure passphrase should be:

  1. Long – aim for passphrases that are at least 14 characters long, or four or more random words put together
  2. Complex – use capital letters, lowercase letters, numbers and special characters in your passphrase
  3. Unpredictable – a group of unrelated words will make a stronger passphrase
  4. Unique – don’t reuse the same passphrase for all accounts
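The four rules above turned into a check a password manager or onboarding script could run, as an added Python example that is not part of the original guide; the denylist of predictable phrases and the word-splitting rule are constructed assumptions:

```python
import hashlib
import re
import string

# Constructed for this example: a tiny denylist of predictable, well-known choices.
COMMON_PASSPHRASES = {"password123!", "correct horse battery staple", "welcome1!"}


def split_words(passphrase: str) -> list:
    """Words separated by spaces, hyphens or underscores, lower-cased."""
    return [w.lower() for w in re.split(r"[\s\-_]+", passphrase) if w]


def fingerprint(passphrase: str) -> str:
    """SHA-256 fingerprint used only to remember a passphrase for the reuse check
    without keeping its clear text; it is not a login hash (use a slow KDF for that)."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def check_passphrase(passphrase: str, used_fingerprints: set) -> list:
    """Return the names of the guide's rules the passphrase fails (empty list = passes).
    used_fingerprints holds fingerprints of passphrases already used on other accounts."""
    failures = []
    words = split_words(passphrase)
    # Long: at least 14 characters, or four or more words put together.
    if len(passphrase) < 14 and len(words) < 4:
        failures.append("long")
    # Complex: capital letters, lowercase letters, numbers and special characters.
    has_all_classes = (
        any(c.isupper() for c in passphrase)
        and any(c.islower() for c in passphrase)
        and any(c.isdigit() for c in passphrase)
        and any(c in string.punctuation for c in passphrase)
    )
    if not has_all_classes:
        failures.append("complex")
    # Unpredictable: not a well-known phrase, and no word used twice.
    if passphrase.lower() in COMMON_PASSPHRASES or len(set(words)) != len(words):
        failures.append("unpredictable")
    # Unique: not already in use on another account.
    if fingerprint(passphrase) in used_fingerprints:
        failures.append("unique")
    return failures
```

The reuse check compares fingerprints rather than clear text so the list of passphrases in use on other accounts never has to be stored readably.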

Administrative Privileges

To avoid a cybercriminal gaining access to your computer or network:

  1. Change all default passwords 
  2. Restrict use of accounts with administrative privileges
  3. Restrict access to accounts with administrative privileges
  4. Disable administrative access entirely

  6. Monitor Use of Computer Equipment and Systems

Keep track of all the computer hardware and applications your company uses. To prevent unauthorised access, make sure they are secure. Remind your staff to be cautious of the following:

  • Where and how they store their electronic devices
  • The networks they connect their devices to, such as public Wi-Fi
  • USB sticks or portable hard drives, which could mistakenly carry unknown viruses and other risks from home to the workplace

Remove any software or equipment that is no longer needed, ensuring there isn’t any sensitive information on them. 

Remove unauthorised access to systems by past employees when access is no longer needed for them. 

  7. Implement Policies to Guide Staff

When your employees use or share information, a cyber security policy can help them understand their obligations and what is appropriate. This information includes:

  • Data
  • Computers and Devices
  • Emails
  • Internet Sites

  8. Train Employees

Your employees can serve as the first and last line of defence against cyber-attacks. It’s critical that your employees are aware of the hazards they may face and the role they play in keeping your company safe. Inform them about: 

  • Maintaining strong passwords and passphrases
  • How to identify and avoid cyber threats
  • What to do if they have identified a cyber threat 
  • How to report a cyber threat

  9. Protect Consumers

It is critical that you safeguard the information of your customers. If you lose or compromise their information, your company’s reputation may suffer, and you may face legal ramifications. There are laws about what you can do with any personal information you collect from your customers; ensure that you are aware of local laws and customs. 

Top 5 Biggest Cyber Security Threats

  1. Phishing
  2. Malware
  3. Ransomware
  4. Weak Passwords
  5. Insider Threats

Types of cyber security tools

  1. Antivirus
  2. Password management
  3. Encryption
  4. Scanning
  5. Network security monitoring
  6. Website attack prevention
  7. Phishing prevention
  8. Firewall tools
  9. CS training programs

Conclusion

Cyber security can be daunting because of the risks involved if performed incorrectly. Smaller businesses may not require significant resources to obtain the security they require. Putting in place best practices and providing your employees with the tools and training they require will go a long way towards protecting your business.