
Bahar Ferguson
Is your business safe from cyberattacks? As a small-business owner, you may be thinking that your business is not significant enough to become the target of cybercriminals, but a business is never too small to be a target. In fact, criminals may take advantage of that attitude and exploit a lack of security. Here is what you need to know and how you can protect your business.
What is Cybersecurity?
Just a few years ago, keeping your business safe meant installing sturdy doors, fitting locks on those doors and on your windows, connecting CCTV and perhaps also hiring night-time security. In addition, business owners may have installed a safe to protect important documents or cash they kept on their premises. Those measures were enough to protect your company from burglaries, whether they were opportunistic or thoroughly planned. Today, these protective measures remain just as valid. But aside from physical break-ins or burglaries, businesses also need to protect themselves against less visible threats.
Cybersecurity has become at least as important as physical security for small businesses. The terms "cybersecurity" and "computer security" refer to the protection of computer systems and computer networks from malicious attacks that may destroy systems or result in the loss of sensitive information. Generally, an organization’s cybersecurity involves practices, protocols and equipment that keep the company’s information safe.
As businesses and individuals continue to rely more and more on information technology, the potential for cyberattacks continues to grow. Small businesses are not immune. Although they may not seem like a worthwhile target, many smaller organizations are vulnerable because they lack the defences that have become standard for larger businesses. Without the right protection, small businesses become easy prey, and that is making them attractive to cybercriminals.
Three Types of Cybersecurity
Before considering how to protect your business, it is worth better understanding the threats that the business may face. Dividing cybersecurity into three key areas is a great way of making the field more accessible. The three main types of cybersecurity are physical security, cloud security and network security.
Instilling a cybersecurity culture within a small business is the best way of ensuring that each area is adequately covered.
1. Physical Security. Physical security relates to access to devices such as work computers, laptops, or mobile phones. Keeping those devices and the information stored on them safe includes preventing theft and other unauthorized access. Depending on the value of the devices and the sensitivity of the information they contain, companies need to ensure, for example, that they are kept away from public areas. If computers need to be easily accessible, sensitive information should either be removed or password-protected to avoid unauthorized access. Small-business owners also need to ensure that employees return devices when they leave the company or take a longer leave of absence.
2. Cloud Security. Few small businesses have a server room where all the company’s confidential and sensitive information is kept. Over the past few years, subscription-based cloud services have developed excellent products that allow small businesses to store information, including customer details, supplier data and information about proprietary technology.
These products have become essential to many small businesses, but they may pose a risk to companies’ cybersecurity. While the product could well have been designed with strong protection against cyberattacks, weak passwords and account management can leave your business open to attacks. It is only natural for employees to want to use passwords that are easy to remember. However, when sensitive information is at stake, it is essential to choose secure, complex passwords and resist the temptation to have account access data that can be guessed easily. If an employee does lose his or her access details, the company’s IT team can always issue new credentials. Generally, this will only take a few minutes and ensures that valuable information remains safe.
3. Network Security. Network security is concerned with the company’s computer infrastructure. Most businesses, no matter their size, rely on employees from different departments being able to access information simultaneously and easily, without having to change devices. This type of access only works if computers and other devices are connected, either in a hardwired or a cloud-based network. Network security measures aim to prevent unauthorized access to an organization’s computer systems. If the network has been breached despite these efforts, the next layer of network security should ensure that the threat is contained and causes as little damage as possible.
Establishing a Cybersecurity Culture
Small-business cybersecurity relies on every individual employee. The most sophisticated firewalls can be breached if passwords are weak, for example. Preventing these breaches starts with analyzing the most likely potential threats facing the business.
Preventing breaches focuses on identifying weak points in a company’s computer systems that could make unauthorized access easier for cybercriminals. Once identified, these weak points can be patched, leaving the business better protected.
In some cases, employees themselves may be identified as potential weak links in a cybersecurity system. If that could be relevant for your company, it is time to establish a cybersecurity culture within the business. Cybersecurity culture includes the knowledge, beliefs, perceptions, assumptions, attitudes, norms and values your employees hold toward cybersecurity. Establishing a strong culture of cybersecurity often begins by educating employees about potential threats and how they could hurt the business.
Helping employees understand the importance of seemingly small actions, such as the choice of a password, whether to write that password down, or leaving a laptop unlocked when they step out to lunch, is often the first step in improving attitudes toward cybersecurity. Focused cybersecurity training may seem like a step too far for small businesses, but it is actually essential to ensure sensitive customer, supplier and employee data stays safe.
Managed IT Services
Effective cybersecurity relies not only on employee compliance and buy-in but equally on strong protocols and procedures.
Naturally, businesses could develop these protocols themselves and establish their own cybersecurity procedures. However, in reality, few small businesses have the internal resources available to develop their own cybersecurity procedures from scratch. Realistically, small businesses do not need a large IT team to support their day-to-day operations, and hiring such a team to be based in-house could be far too expensive once you layer on salaries, taxes and benefits.
This is where managed IT services or an outsourced IT provider can create an ideal solution. Rather than taking away resources from your company’s business operations, you can outsource to a company that specializes in IT services. Your team gains access to the specialist knowledge and skills you need to analyze current cybersecurity measures and their limitations. The outsourced IT team also keeps your company up to date on the latest ISO and NIST standards that are considered best practice in the industry for security management. And if all else fails, they can act as your “911” in the unfortunate instance that your business is hit with a cyberattack or you are running into an IT issue.
Bahar Ferguson is the president of Wasatch I.T., a Utah IT provider for small and medium-sized businesses.