Best Cybersecurity Advice for Small Business

The Best Cybersecurity Advice for Small Business:

Small businesses are what America, and much of the world, was built upon. They are the clients, vendors, and competitors of the larger businesses that dominate the economy. The small-business ecosystem is unique: while these businesses are ultimately competitors, they still support each other. They even have their own shopping day, Small Business Saturday (alongside Black Friday and Cyber Monday).

Even the biggest businesses can fall victim to a cyber attack or data breach, as the list at the bottom of this page shows; it only includes incidents from after September 1, 2015. For a small business, a single incident can mean disaster: damage to your reputation, or even closure. Since nearly everything today is networked or “online,” businesses need to take a more proactive stance in securing their assets:

  • Workstations
  • Websites
  • E-Commerce
  • Servers
  • Mobile devices

How might you improve your security? Follow this advice, what we call the Best Cybersecurity Advice for Small Business:

User Awareness

Simply put, users, whether technical or non-technical, young or old, seasoned or intern, are your first line of defense. They are the ones who receive the phishing emails and scam phone calls, and who are subjected to social engineering at the bar. If you do not train them, how can they be expected to spot these attempts and report them? People, by nature, want to help one another; social engineering attacks capitalize on exactly that.

At a minimum, your employees should read up on what each of these attacks is, how it works, and how to stop it. Training should also make clear how, and to whom, to report a suspected attempt, since a report that arrives quickly is what turns a near miss into a contained incident. We offer Security Awareness Training in PowerPoint, Video, Live Teleconference, Online, and In-Person formats. The cost may seem unnecessary now, but once someone hands a caller or a phisher an administrative password, the investment no longer looks so ‘unnecessary.’

Defined Rules and Policies

Users will do what they want for as long as they know they can get away with it. Having a defined set of rules, or a policy, is ideal for every business. It lets employees know what the company expects of them while giving the company a legal leg to stand on if necessary. Security policies do not need to be the size of a phone book; they can be a simple one- to five-page document that tells employees what they can and cannot do on company-issued devices. Alongside this, a Non-Disclosure Agreement (NDA) and an Acceptable Use Policy (AUP) should be in place.

Policies are also valuable because they let technical staff document what to do, and how, in specific scenarios defined by the company. This eases transitions when employees are abruptly fired or suddenly quit. Furthermore, a policy is a living document that partner organizations, such as vendors, clients and customers, or anyone else who needs to connect to the company, can review to understand where security stands within your company. We offer Security Policy Services, including Security Policy Review, Revision, and Drafting.

Culture of Security

This would not be the Best Cybersecurity Advice for Small Business if we did not advocate a culture of security. This is something that cannot be purchased. It must be demonstrated by everyone, from the President, Owner, or CEO down to the newest intern, janitor, or cook, and it must be visible to employees, vendors, partners, and clients and customers alike. It is best explained by the following:

Management visibly supports security and requires all other employees to do so. Discussions about security are conducted openly. Everyone understands that leaving security out of their day-to-day job is unacceptable. Everyone is aware of the threats and of their own role in defending against them. They know that they can report violations without fear of reprisal.

Scrutinize Any Organization That Connects to Your Network

Beyond the alerts that Target’s security staff overlooked, the primary way the attackers got into Target’s network was through a third-party vendor: credentials stolen from a contractor gave them their foothold. This cuts both ways for you. You want the most secure possible connection to your partners, clients, and vendors, and you want the same from them. When partnering with someone, provide your security documentation and then ask for theirs; if they do not have any, you may want to reconsider the partnership. Even when a partner passes scrutiny, give their connection only the access it actually needs: a separate network segment, accounts restricted to the systems they support, and logging of what those accounts do. Otherwise they may introduce something into your network or systems that you cannot detect or eliminate until it is too late. You probably do not want that kind of attention for your business.

High Profile Breaches:

  • Dow Jones
  • Experian (includes T-Mobile)
  • Experian Follow-up
  • Scottrade
  • Trump Hotels
  • Tesla and Chrysler (unrelated to each other)
  • Apple App Store
  • U.S. Office of Personnel Management (OPM)
  • Kaspersky & FireEye (unrelated to each other)
  • Excellus Blue Cross Blue Shield
  • Ashley Madison
  • Ashley Madison (follow up)

Thanks for stopping by. We hope that you agree that this is the Best Cybersecurity Advice for Small Business. We would appreciate it if you subscribed (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads it, regardless of their knowledge or understanding of IT and cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY cybersecurity needs, please contact us and a member of our staff will promptly reply to your question or concern.

About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security.

Joe is in pursuit of his PhD in Information Technology (with focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College.

Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.