Cybersecurity basics

Photo: © Elnur | Adobestock

Cyberattacks cost the U.S. economy billions of dollars a year and pose a threat for individuals and organizations. Small businesses are especially attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses to adequately protect their digital systems for storing, accessing, and disseminating data and information.

Many small businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity and don’t know where to begin. Start by learning about common cybersecurity best practices and understanding common threats.

Best practices

Train your employees. Employees and their work-related communications are a leading cause of data breaches because they are direct pathways into your systems. Training employees on internet usage best practices can go a long way in preventing cyberattacks. 

Other training topics to cover include spotting phishing emails; using good internet browsing practices; avoiding suspicious downloads; enabling authentication tools (e.g., strong passwords, multi-factor authentication, etc.); and protecting sensitive vendor and customer info.

Secure your networks. Safeguard your internet connection by encrypting information and using a firewall. If you have a Wi-Fi network, make sure it is secure and hidden. Password-protect access to the router. If you have employees working remotely, use a virtual private network (VPN) to allow them to connect to your network securely from out of the office.

Use antivirus software and keep all software updated. Make sure all of your business’s computers are equipped with antivirus software and are updated regularly. Such software can be found online from a variety of different vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. It is recommended to configure all software to install updates automatically. In addition to updating antivirus software, it is key to update software associated with operating systems, web browsers and other applications, as this will help secure your entire infrastructure.

Enable multi-factor authentication (MFA). MFA requires users to provide two or more of the following: something the user knows (password, phrase, PIN), something the user has (physical token, phone), and/or something that physically represents the user (fingerprint, facial recognition). Check with your vendors to see if they offer MFA for your various types of accounts (e.g., financial, accounting, payroll).

Monitor and manage cloud service provider (CSP) accounts. Consider using a CSP to host your organization’s information, applications, and collaboration services, especially if you’re utilizing a hybrid work structure. Software-as-a-service (SaaS) providers for email and workplace productivity can help secure data being processed.

Secure, protect and back up sensitive data. Secure payment processing. Work with your banks or card processors to ensure you are using the most trusted and validated tools and anti-fraud services. You may also have additional security obligations related to agreements with your bank or payment processor. Isolate payment systems from less secure programs and do not use the same computer to process payments and casually browse the internet.

Back up your data. Regularly back up data on all computers including word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounting files. Institute data backups to cloud storage on a weekly basis.

Control data access. Frequently audit the data and information you are housing in cloud storage repositories such as Dropbox, Google Drive, Box and Microsoft Services. Appoint administrators for cloud storage drive and collaboration tools and instruct them to monitor user permissions, giving employees access to only the information they need.

Common threats

Cyberattacks are constantly evolving, and business owners should be aware of the most common types.

Malware is an umbrella term that refers to software intentionally designed to cause damage to a computer, server or computer network. Malware can include viruses and ransomware.

Viruses are harmful programs intended to spread from computers to other connected devices like a disease. Cyber criminals use viruses to gain access to your systems and to cause significant and sometimes unrepairable issues.

Ransomware is a specific type of malware that infects and restricts access to a computer until some sort of ransom is provided. It will commonly encrypt data on the victim's device and demand money in return for a promise to restore the data. Ransomware exploits unpatched vulnerabilities in software and is usually delivered through phishing emails.

Spyware is a form of malware that is designed to gather information from a target, and then send it to another entity without consent. Malicious spyware is frequently used to steal information and send it to other parties.

Phishing is a type of cyberattack that uses email or a malicious website to infect your computer or system with malware or to collect sensitive information. Phishing emails appear as though they're from a legitimate organization or known individual. They often entice users to click on a link or open an attachment containing malicious code. Be cautious about opening links from unknown sources. If something seems suspicious from a known source, don’t click on it and ask the source directly if it’s legitimate.

Source: U.S. Small Business Administration