7 SMB Security Tips That Will Keep Your Company Safe
With National Cybersecurity Awareness Month as a backdrop, industry leaders weigh in on how SMBs can more effectively protect themselves from cyberattacks.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt88d4a8d2c0668003/64f0d515f687a18a7234e732/1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Here we are, nearly midway through the 16th annual National Cybersecurity Awareness Month (NCSAM), and while the good news is many large enterprises are more locked down than they were five or six years ago, it's clear SMBs need some help.
An August report by Untangle examining the current state and trends of IT security for more than 300 SMBs bears that out. Among the findings: While 80% of SMBs ranked IT security as a top business priority, 52% admitted they didn't have an in-house IT security professional on staff, and another 29% said they spend $1,000 or less annually on IT security.
They've also become targets for hackers, according to Heather Paunet, Untangle's vice president for product management. "For SMBs, if they do get attacked, it could cripple their business," she says.
In honor of NCSAM, we asked industry leaders how SMBs can more effectively protect themselves from cyberattacks. You'll find that many of their tips involve standard cyber hygiene and apply across the board to companies of all sizes.
The vast majority of security breaches happen because companies don't have a good system for updating software, including security software, Web browsers, productivity applications, and operating systems, NCSA's Coleman says. Many software applications will update automatically, so be sure to turn that capability on whenever possible. SMBs should also have a backup system in place. Too many ransomware victims get caught because they don't have backups they can rely on if they get hit.
In addition, SMBs should think about securing their privileged accounts more carefully, says Max Trottier, vice president of sales and marketing at Devolutions. A lot of SMB owners know what privileged accounts are, he says, but because they are smaller companies, they don't always see it as something they have to focus on right away. But as they grow and add IT infrastructure, there's much more to manage. Remember that rank-and-file workers only need access to the data required to do their jobs, so it makes sense to focus on privileged account management.
Top security talent can cost way more than most SMBs can afford. Indeed, they are lucky to have one IT person or a contractor who does their IT and security as well.
As a result, cybersecurity awareness training becomes paramount, says NCSA's Coleman. Teach the staff to be suspicious of unusual requests, attachments, and links, and give them an easy, specific way to report an incident. There may be a resident "techie" on staff who can notice cyberthreats, or some SMB owners may just want potential cyberthreats reported directly to them in all circumstances.
At many companies, rank-and-file staffers don't always feel responsible for reporting security issues, Devolutions' Trottier adds. SMBs need to get their employees more involved and make them comfortable reporting an issue if they think something's wrong, he says. "It all starts with user education, teaching the staff about phishing emails and the different signs of cyberattacks," he says. "If they think an email is malicious, they have to report it."
Even with the best tools and staff available, security events will happen. That's why SMBs should develop an incident response plan, NCSA's Coleman says.
What should such a plan include? For starters, companies will want to disconnect the affected computer from the network and call their IT person, whether that's an in-house employee or a contractor. In addition, they should use spare computers and backups so operations can continue; have processes for operating on paper to keep the business moving forward; become familiar with their state's data breach law and their notification responsibilities under it; and have a procedure in place for communicating the incident to the public. Some companies may want their attorneys to handle the press, while other owners will want to be in control. Finally, once the incident is over, document lessons learned and make improvements to policies and procedures.
Chris Morales, head of security analytics at Vectra, says SMBs need more than an IT outsourcer who does security as part of a mix of services. The dangerous threat landscape demands they consider a managed security service provider (MSSP).
But with so many companies to choose from, how can nonsecurity people tell the difference? Start by talking to the provider's customers about how they solved their problems. Find out how engaged they are with their customers. Ask how often they'll communicate and who will be the point of contact. Also: Do they understand your business and how a security incident can hurt it? You have to be confident they can explain what's wrong and what you need to do to fix it.
Untangle's Paunet adds that SMB owners should ask point blank how the MSSP will protect the company from ransomware. What tools will they use to secure company data? And can the MSSP recover our data if it's lost? SMBs need to know their data and telephony will be safe, she adds.
SMBs need to decide which security standards they will focus on, says Information Security Forum's Durbin. For example, if they plan on using credit cards, they will need to become PCI DSS certified. If they plan to do business in the European Union, they should spend time learning more about GDPR. Learning about GDPR may also pay off if they wind up handling sensitive data of any California residents, given that the California Consumer Privacy Act (CCPA) goes into effect Jan. 1, 2020.
"Once CCPA goes into effect, it will be the first time in the U.S. that companies will have to adhere to privacy requirements by law," Durbin says. "It will be interesting to see how it develops."
Along with California, Maine and Nevada have passed privacy laws, and many other states, including Massachusetts, Maryland, New York, and Texas, have privacy measures in progress.
SMBs should also consult the NIST Cybersecurity Framework for guidance on standards.