1. Understand the threats.
Hackers take advantage of small businesses in a variety of ways. Some of the most common threats are:
- Phishing: Phishing is one way cybercriminals gain access to devices. It happens when a fraudulent email tricks the recipient into taking a compromising action, like opening a malicious email attachment or responding with sensitive information.
- Malware: This term refers to any software that was created to cause harm. That harm could include damage or theft. Malware can affect computers, servers, networks, mobile devices, and more.
- Viruses: A virus is a type of malware that spreads from one device to another. It can destroy or damage files or give cybercriminals access. Devices can become infected by coming in contact with infected removable media (like a flash drive), opening infected email attachments, or visiting an infected website.
- Ransomware: This type of malware enters a device and locks the owner out of their own files. The cybercriminal then demands a ransom be paid in exchange for releasing the files. Ransomware is often delivered through phishing emails or vulnerabilities in out-of-date software.
2. Evaluate your business's vulnerabilities and needs.
Every business has a slightly different risk profile for cybercrime. Do an assessment of your business to understand your vulnerabilities and create a plan to strengthen them.
You don't have to go it alone. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) offers free Cyber Resilience Review resources3 online. And the Federal Communications Commission (FCC) has a Small Biz Cyber Planner4 to help you create a cybersecurity plan.
3. Craft technology policies and train employees.
Phishing is popular among hackers because human error is a common vulnerability among businesses. Employees should learn to be suspicious of all emails with links, attachments, or requests for information. As the National Cyber Security Alliance's StaySafeOnline initiative suggests, "When in doubt, throw it out."5
That's just one of many technology policies your employees should follow. StaySafeOnline's webinar "Creating a Cyber Aware Employee Culture in Your Business"6 includes many suggestions for training your staff to help keep your small business safe. Create clear technology use policies for employees and train them on how — and why — they should follow them.
4. Secure your network.
Cybercriminals can also harm small businesses through weaknesses in their networks. The U.S. Department of Commerce recommends small businesses enable firewalls7 on device operating systems or install additional firewall software. You can also protect your wireless network8 by password-protecting your router and hiding the Wi-Fi network in your router's settings so the network name is not shared with nearby devices.
5. Invest in antivirus software.
Install strong, reputable antivirus software on all devices in your small business and keep it updated. Antivirus software requires frequent updates to stay ahead of the constantly evolving array of cyber threats.
6. Include mobile devices in cybersecurity plans.
Employee mobile devices can be points of entry into your business for cybercriminals. The Commerce Department suggests that all mobile devices be secured with strong passwords and security apps to protect data while employees are on the go.
7. Secure payment processing.
Payment processors are highly regulated to keep consumer payment data safe. Work only with reputable payment processors and follow their prescribed best practices for cybersecurity. The Commerce Department also recommends isolating your payment systems from other devices, such as those your employees may use to browse online.
8. Practice ongoing cybersecurity maintenance.
Once you've established your cybersecurity baseline, the ongoing work begins. This checklist includes regular maintenance practices to help your small business stay ahead of cybercriminals.
- Keep software up to date. Operating systems, browsers, and antivirus software regularly offer updates. Install these promptly to minimize vulnerabilities.
- Back up data. Regularly back up your business data on devices that can't be accessed through your network, like an external hard drive. Ransomware attacks are ineffective if you have backups to protect your data.
- Update passwords. All business and employee passwords should be updated every three months. When and where available, add multi-factor authentication for logging into sensitive programs and devices.
- Test your vulnerabilities. Sign up for CISA's free cyber hygiene vulnerability scanning9 for small businesses. Your system will receive regular scans and you'll get weekly reports.
- Maintain training and information. Provide employees with regular trainings to keep their cyber knowledge fresh and up to date. Keep yourself updated by subscribing to cybersecurity update emails, like StaySafeOnline's mailing list10, or by attending ongoing cybersecurity events.11
The basics of cybersecurity for small business aren't that difficult — especially for the DIYers that business owners tend to be. And if your network isn't an easy target, you're much less likely to be targeted at all.