Scroll Top

The Complete Guide to Cybersecurity for Small to Medium Sized Businesses

Table of Contents

Introduction

Cyber attacks – including data breaches, malware attacks, distributed denial-of-service (DDoS), phishing attacks, spyware and others – are major headaches for businesses.

Given that businesses manage ever increasing volumes of valuable data — such as intellectual property (IP), employee and client personally-identifiable information (PII) , financial records, and much, much more — the rise of cyber attacks against them isn’t surprising.

In the chart below (from Accenture’s 2017 Cost of Cyber Crime Study) you can see how financial services institutions, lead the industry in costs due to cyber crime, but that each industry has faced, and will face increasing cybersecurity costs.

Average Annual Cost (USD – Millions) of Cyber Crime by Industry (2017)

Source: Accenture

The Cybersecurity Threats for Small Businesses are Real

Until recent years, we’ve looked at cyber attacks — especially data breaches and DDoS — as problems for mostly large businesses and enterprises.

On the surface, this makes sense. After all, the top corporate players have the most to lose in terms of capital, IP wealth and other valuable data. The Yahoo breach of 2013 is a perfect example.

But it would be a massive mistake to limit the cyber threat landscape to only big businesses.

Large businesses are continuing to increase cybersecurity spending (in areas such as cybersecurity consulting). As a consequence, cyber criminals are looking for smaller, weaker targets — i.e. small to medium-sized businesses (SMB).

In other words, cyber threats posed to small-to-medium-sized businesses (SMB) are real — and growing.

According to a 2017 study published by the Ponemon Institute (via CSR), there was a 50% increase in SMBs reporting data breaches compared to the previous year! This increase was experienced across a broad sampling of small business types.

A 2018 study by Cisco found that 53% of SMBs had experienced a breach.

SMBs are Catching on to their Cybersecurity Risks

The chart below highlights that SMBs are indeed concerned about securing their digital assets, especially customer PII, IP and transaction information.

SMB Priorities for Cybersecurity Protection

small business cyber security

Source: Ponemon Institute (via CSR)

Question: What types of information are you most concerned about protecting from cyber attackers?
However, SMBs have also reported that cyber attacks have also become more difficult to stop.

SMB Perceptions on Cyber Attack Trends

medium sized business cyber security

Source: Ponemon Institute via CSR

Question: Perceptions about cyber attacks against their companies

One reason cyber attacks are difficult to handle is the diversity of their scope and their varying levels of complexity. The graph below — found in Cisco’s 2018 Security Capabilities Benchmark Study — offers a glimpse of the many kinds of cyber attacks SMBs endure.

Top Security Concerns for SMBs

cyber security for business

Source: Cisco

Countering these threats require implementing cybersecurity best practices across your whole business. Your business’ cybersecurity system must center on the following pieces:

You can find complete details on these pieces in the sections below, but before continuing, we must acknowledge that SMBs have limited resources at their disposal.

In fact, a 2017 study published by the Better Business Bureau (BBB) found that 28% of small businesses cited a lack of resources as their top obstacle to achieving cybersecurity goals.

The Top Obstacles to Cybersecurity for Small Businesses

business cyber security

Source: Better Business Bureau

Related to that, 27% of small businesses said that they lack the necessary expertise in-house to achieve an effective cybersecurity stance. In any case, there’s a lack of capacity.

As leading NYC IT Support company, we know from experience that these resource limitations are genuine, so we’ll do you the favour of not speaking in theory. Instead, you’ll read about specific problems and real solutions.

Below, you’ll find detailed explanations of how to Protect, Detect, Respond and Recover in-line with your resource constraints, including the constraint of time (in addition to cost).

What Should Be Your Top 3 Cybersecurity Priorities?

1. End-User Training

Your end-user training is first and foremost.

The end user is the gateway to your network, and training them on some basic cybersecurity doesn’t cost very much nor does it consume much of your employees’ time.

However, your employees are one of the few things you can’t control through automation. They are unpredictable and no matter how many firewalls and cybersecurity software you employ, the end-user is still the one who can bypass them all.

So it’s really important that they understand what to not to click on, what to avoid downloading, how to keep company data safe, and how to properly maintain their passwords. In terms of the latter, it’s simple things such as not using the same password for every application or account.

Moreover, understanding that keeping data in the network and not emailing personal data out to others are basic pieces of end-user training and end-user understanding that we often granted, but you’d be surprised how little they do understand — and even a little training goes a long way.

2. Multifactor Authentication

Second, multifactor authentication (MFA).

Securing your network with MFA, and guarding your critical data, such as your email network and critical CRM infrastructure.

Most of us have experienced some sort of MFA. Usually, it’s with your bank where they text you a pin number to your cell phone when you try to login to your online account portal. You have to enter to access the portal.

That’s a basic form of MFA, which is fairly effective. You want to have a similar, but easier, MFA for your CRM, email, remote network-access, etc. You want to ensure that your MFA is easy to access — a mobile app works best.

When there’s a login, the app asks you, ‘is this you?’ There’s a little green icon and a red X; green for yes and red for no. If you hit no, it locks the person out from trying to access the system the way they were trying to access it.

It’s not intrusive to the employee, but even though you did user training, the password that they’re using are likely the same password they use for all the other systems, and possibly even their home systems (i.e., other places you cannot control).

If you do a dark web scan for your employees’ passwords, you’ll find that many passwords have been breached. If they’re still using those same passwords, then your network is now extremely vulnerable. MFA makes using those passwords much more difficult to breach.

Most Small Businesses Fold in 6 Months After a Breach
Make Your Business the Exception

3. Vulnerability Assessments

Third, regular vulnerability assessments. Understanding where your vulnerabilities lie allows you to make good business decisions on what you want to remediate. If you don’t understand your problems, you can’t make well-informed decisions about your risks.

You can’t know what you don’t know until you know.

I know that sounds a little like circular logic, but the whole idea is you have to understand where you stand, so you can make a plan forward.

Cyber security vulnerability assessments are a very easy way of going through your network — by using a few automated tools — and finding the most common breaches or the most common vulnerabilities.

It looks for things like systems not being patched, systems lacking anti-virus, systems having local admin rights that they should have.

Basically, little things that are easy to cure through some policies and remediations that plug big security holes in your network.

This includes patching, closing vulnerabilities — such as ports in your firewall that you’re not even using — and other measures that decrease your attack vector and reduce your exposure.

Thieves want easy targets. They don’t want to spend a lot of time trying to breach your network. So, if you make it a little bit harder, they’ll to move on to the next victim.

Get a Cybersecurity Assessment
to Find Gaps in Your Cybersecurity System

The Complete Cybersecurity Guide for SMBs

Our cybersecurity guide for SMBs focuses on these critical elements:

In this guide, you’ll understand how to leverage your limited resources to secure your IT system through specific, clearly-defined hardware, software and processes in as little time as possible.

Protection

To “protect” your IT system, you need to combine specific hardware, software and processes. In terms of the ‘processes’, we’re referring to internal company policies, training and testing.

Secure Your End-Points

What is an ‘End-Point?’

End-points are basically the doors that hackers and other cyber criminals are looking for in order to attack your business. These are also called ‘attack vectors’.

Your end-points are the specific hardware, software and other systems that form your overall IT system. For most SMBs, their computers, applications, mobile devices and networking systems (e.g. routers, switches, etc) are end-points.

Your IT End-Points & Their Cybersecurity Solutions

Mobile

Networking

Hosting

  • Enterprise Grade Data Centers
  • Server Monitoring

People

  • Training
  • Organizational Policies to Prevent Misuse

Solution #1: Anti-Virus

The starting point would be to ensure that each of your desktops, laptops and workstations are equipped with effective and up-to-date anti-virus software.

Imagine a scenario where an employee opens a malicious executable by email. Your anti-virus software would, in that case, be the first respondent to identifying and stopping that virus meant to achieve a ransomware attack on your IT system.

It’s a best practice, but for many SMBs, correctly implementing anti-virus software is difficult. You could have hundreds of PCs equipped with anti-virus, but it only takes one without anti-virus (or updated software) to cause a breach.

Solution #2: Vulnerability Scanning

This leads to the second solution — vulnerability scanning. By regularly scanning your IT system, you’ll generate reports that will tell you — in exact terms — of specific IT systems that are lacking in terms of up-to-date anti-virus software.

It isn’t enough to just have anti-virus software, you need vulnerability scans — and that too on a regularly scheduled basis (e.g. quarterly or monthly) — as well.

For example, you could have all of your computers installed with anti-virus one quarter, but in the next quarter you could find out that not all of them had their cyber threat libraries updated.

Solution #3: Firewalls

You should have firewalls in place to monitor internet traffic that flows to and from your network.

According to Cisco, a firewall “allows or blocks based on state, port, and protocol … [it] monitors all activity from the opening of a connection until it is closed.”

The key advantage of firewalls is that you can also block traffic from malicious websites and other dubious sources (e.g. certain IP addresses, regions, etc).

Today, you can also leverage next-generation firewalls (NGFW).

In addition to the monitoring and filtration capabilities offered by ‘traditional’ firewalls, NGFWs are integrated with a range of essential capabilities for today’s cybersecurity needs.

These capabilities include intrusion prevention (IPS), anti-spam, web filtering, malware filtering (i.e. monitoring for application instals and blocking risky programs) and others.

The advantages of firewalls can’t be understated. By managing internet traffic, you can protect a wide range of daily business operations — e.g. emails, browsing, etc — from being vulnerable.

Solution #4: Software Defined Networking

For SMBs, growth is exciting, especially when it involves opening new offices or branches. But it also involves expanding your cybersecurity infrastructure to those new areas.

Cisco, the industry leader in networking technology, states that software-defined networking (SDN) is the way to go with such growth. In terms of cybersecurity, SDN allows you to cost-effectively manage IT infrastructure across multiple sites.

For example with SDN, your software administrators can manage large and/or multi-location networks through a single console without having to manually deal with each network switch.

Solution #5: Virtual Private Networks (VPN)

Today, mobile is a necessity for SMBs. It’s also a vulnerable end-point.

Cisco recommends using VPNs — i.e. encrypting connectivity between the mobile device and your business network over the internet — to ensure that data is transmitted safely.

Solution #6: Cloud Security

In order to cost-effectively maintain VPN — especially without compromising on performance — you also need cloud-based resources. However, your cloud connectivity must be secure too.

On that vein, if your SMB is deploying applications through the cloud and/or is storing cloud backups of its data, then cloud security is a must.

Solution #7: Keep Your Software Up-to-Date

No cybersecurity gap is ‘too small’. Besides firewalls, anti-virus and cloud security measures, you should also keep your software asset library up-to-date. Your software asset library could include productivity applications, operating system builds and browsers, among others.

  • 256 bit whole disk encryption of your data
  • Deploy company-wide anti-virus and firewall solutions
  • Keep software assets up-to-date
  • Implement access control (on users and devices)
  • Encrypt all communications (e.g. messaging, emails, etc)
  • Maintain an audit trail (e.g. detailing who has access to specific data)
  • Maintain data backups for disaster recovery

Solution #8: End-User Management

With end-user management (and mobile device management), you can enable access to data and apps to only those staff members in need of it. You can also remotely remove that access as well as delete data and apps from lost, stolen or former employee devices.

You can also mitigate the effect of leaked, stolen or exposed passwords by implementing a multi -factor authentication (MFA) system. With MFA, users trying to externally login will be required to authenticate their identity.

Write & Enforce Company Policies

You must ensure that your business has an actual policy in place to govern how your staff can use your IT assets. Rules should be set to prevent users from putting the IT system at risk with unwise usage (e.g. installing applications on computers without authorization).

Write & Enforce Company Policies

You must ensure that your business has an actual policy in place to govern how your staff can use your IT assets. Rules should be set to prevent users from putting the IT system at risk with unwise usage (e.g. installing applications on computers without authorization).

Penetration Testing

It’s one thing to have a cybersecurity system in place, but you also need to ensure that it works as intended. In fact, given the constantly evolving threat landscape, it would also be a good idea to have your system tested to see if it stands up-to new and emerging threats.

Phish Testing

Phishing is a form of social engineering that fools the end-user into trusting a malicious source.

It can involve having the end-user input their login data into a fake web page (e.g. a fake page that looks very similar to their online banking portal).

According to Microsoft, phishing was the most popular method of social engineering in 2017 (followed closely by malicious downloaders and Java backdoors). Microsoft had also noted that phishing was “the top threat vector for Office 365-based threats during the second half of 2017.

Phishing done by email — i.e. spear phishing — aims to achieve the same goal, but tries to get the user to think that the malicious email is trustworthy.

Top 10 Malicious File Extensions (January-September 2017)

Source: Cisco

But remember, phishing is just the method of delivery for cyber attacks. If you or an employee falls to a phishing attack, that problem will result in other issues, such as ransomware attacks.

Leading Causes of Ransomware Attacks Against SMBs

Source: Ponemon Institute (via CSR)

There are two key parts to phish testing:

  1. Ensuring that your firewalls are blocking all traffic from dubious and risky sources.
  2. Having your anti-virus systems work to isolate and remove malicious programs.

Ethical Hacking Tests

For SMBs with high-risk activities, such as financial services institutions (FSI), it would also be wise to get your systems tested by a certified ethical hacker.

Certified ethical hackers are skilled professionals who will look for weaknesses in your system and demonstrate to you how those gaps can be exploited. This will give you a clear insight into exactly what you need to change or modernize, especially against new cyber threats.

End-User Training

According to the Ponemon Institute (via CSR), 54% of SMBs affected by data breaches stated that the root causes for the attacks were “negligent employees.”

In many cases — especially in terms of phishing and spear-phishing attacks — the end-user is your weakest vulnerability. Just consider how millions of Equifax accounts were breached as a result of a weak password (which was “admin”).

There are countless of examples of employees unwittingly clicking on links on emails, entering data into fake web pages and other entirely avoidable mistakes. In fact, Positive Technologies found that 27% of employees (from the companies it surveyed) clicked on malicious links.

In fact, with cybersecurity training, you can achieve the most results in the least amount of time in terms of preventing cybersecurity issues. Your cybersecurity plan isn’t complete without a cybersecurity education and training program.

Internet-of-Things

If any your end-points are compromised, then they’ll serve as cyber attack vectors into your business. But it would be a mistake to restrict your end-points to just computers or the like; the industry is advancing so rapidly that new computing devices are being used by SMBs as well.

Just consider the impact of the ‘internet-of-things’ (IoT). Something as common as the Echo is an example of an IoT-based end-point. In some cases, you might have connected hardware or systems that aren’t traditional computers or mobile devices (common in manufacturing).

Yes, as many as 67% of SMBs are concerned about securing their IoT end-points, but only 29% of them are confident about being equipped to do it right.

Detection

These efforts tie into protecting your IT end-points (discussed above), especially in terms of your networking, internet connectivity and activities on company devices.

For example, you need a firewall in place to block internet traffic from malicious and/or high-risk sources. However, that’s just the start. You also need to monitor the health and activities of your company devices, networks and (where you’re using the cloud) your cloud hosts.

You must aim to detect breaches in your IT system within hours, if not minutes. To achieve that, you need a combination of advanced cybersecurity equipment — e.g. NGFWs — and smart alert systems that will notify you of breaches — which you can then respond to immediately (Cisco).

NGFWs combine detection with integrated cyber threat countermeasures, e.g. sandboxing and malware protection that will analyze file behaviour to find and stop threats.

Real-Time Global Threat Sensor

In the case of high-risk business operations, such as those of FSIs managing confidential client and financial data, additional measures could be required.

You might need a real-time global threat sensor to monitor your IT system around-the-clock.

While this is an enterprise-grade capability, it is practically a must for SMBs in highly complex and regulated industries, such as finance and healthcare. This can readily be done by working with a managed IT services provider with its own SOC-2-compliant cloud hosting infrastructure.

Ultimately, you want to mitigate your risks as much as possible. Your cybersecurity system may have the means to deal with a breach, but the mere occurrence of such an event could damage your SMB’s reputation and ability to operate in the market.

Response

You could have a capable cybersecurity system, but it’s only as effective as the processes you have in place to deal with cyber attacks, especially breaches.

For example, to handle a breach you must have a proper disaster recovery strategy. This would generally include keeping backups of your data in the cloud via enterprise-grade data centers.

Keep Your Backups Safe in SOC-2
Compliant Enterprise-Grade Data Centers

You must also have clearly defined response policies for each of these scenarios:

Ransomware Attack

If your business is struck by a ransomware attack, you must NOT engage with the hacker. Your only response is to restore your system. This requires you to have backups of your data.

SMB Responses to Ransomware Attacks

Source: Ponemon Institute (via CSR)

Lost or Stolen Devices

You must have a mobile device and user account management system in place from the start.

First, this will equip you to enforce specific device policies and access controls (enabling as well as restricting access to certain data and apps) on your employees.

Second, should an employee lose their mobile phone, you can remotely wipe that device and, in turn, ensure that your business’ data is not in the wrong hands.

Malware-Infected PC or Mobile Device

It’s imperative that you have detection measures in place to identify malware-infected devices. If you come across one (or several), then have your IT team or IT department deal with the device (e.g. taking it off your network, removing business credentials and apps, and restoring it).

Rogue Access Points

You need routine vulnerability scanning to identify rogue or malfunctioning access points — such as routers — in your IT system. Once identified, have your IT team cut it off from your IT system.

Your incident response strategies must be according to written plans and processes. This must not be done in an ad hoc, haphazard way. You must also document your steps and keep it as a reference for compliance and learning (e.g. training for future staff).

Recovery

In this step, your goal is to restore your business operations and bring things back to normal.

For example, in the case of a ransomware attack, your recovery phase would involve finishing the disaster recovery process. If you have a disaster recovery as a service (DRaaS) provider, you’ll contact them to begin restoring your system.

However, a proper recovery process is contingent on implementing the Protection, Detection and Response phases of your cybersecurity plan. It’s all interconnected.

Compliance

Though we did not mention this with the four key elements of cybersecurity, compliance is an integral element. In fact, it’s relevant to Protection, Detection, Response and Recovery.

For example, the European Union’s (EU) General Data Protection Regulation (GDPR) requires you to collect, store and manage the PII of EU citizens in a specific way. To follow the GDPR in this area, you must have enterprise-grade hosting for your data — i.e. an industry best practice.

The GDPR — alongside the New York Department of Financial Services (NYDFS), the New York Codes, Rules and Regulations (NYCRR), HIPAA, PCI and others — also require you to maintain a written incident response plan outlining how you will detect and handle a cybersecurity issue.

Likewise, the GDPR and NYDFS require you to report regulators and affected end-users of any and all breaches at your company within 72 hours. In effect, you must ensure that every step of your cybersecurity strategy takes compliance into account.

SMBs Report that the GDPR will Require Changes to Their Cybersecurity Efforts

guide to small business cyber security

Source: Ponemon Institute (via CSR)

Avoid Costly Government Penalties by Keeping Your Cybersecurity Measures Compliant

The DFS requires New York-based FSIs to fulfill the following:

A Cybersecurity Policy

Your FSI must maintain an active cybersecurity policy in a number of areas, including: data or information security; asset inventory and device management; access controls for users; disaster recovery; system and network security; and incident response policy.

Penetration Testing and Vulnerability Assessments

You must ensure that your cybersecurity system is extensively tested and continuously monitored to ensure that it properly functions.

Audit Trail

The FSI must clearly detail and maintain records of your access control and identity management practices, e.g. records of who can access certain data.

Application Security

The DFS requires you to clearly define how you will secure the development and deployment phases of your in-house applications.

Risk Assessment

The risk assessment is a periodic study of your cybersecurity system. Its goal is to examine and determine if your system is capable of handling emerging cyber threats.

Cybersecurity Personnel

In addition to maintaining a roster of qualified cybersecurity professionals, you must ensure that your staff is continuously trained.

Maintain a Third-Party Service Provider Policy

You must maintain a policy that outlines how your FSI is managing third-party service providers, such as a public cloud-host. The DFS requires you to regularly assess their cybersecurity practices and ensure that they are compliant.

You Need an Integrated Cybersecurity Strategy. Today.

Be it compliance, acquiring the right cybersecurity solutions or ensuring correct implementation, it’s obvious that there are many things at play. In all likelihood, you’ll need cybersecurity experts to help you plan and execute an effective strategy.

Finding experienced cybersecurity experts isn’t easy, much less hiring them. In fact, even large businesses and enterprises are having difficulties with building internal cybersecurity teams.

Below, you’ll see that 30% of businesses reported that over 50% of their applicants could not even meet the company’s minimum qualifications.

Challenges With Hiring Cybersecurity Professionals

guide to business cyber security

Source: Deloitte

As expected, SMBs are having a lot of trouble with building their cybersecurity capabilities:

Cybersecurity Challenges for SMBs

small business cyber security guide

Source: Ponemon Institute (via CSR)

Your lack of resources and internal expertise is not only a problem in terms of ensuring cyber security today, but it leaves you with very little room to look at new technologies.

The Cyber Threat Landscape is Evolving … and So is Cybersecurity

cyber security for small businesss

Source: Cisco

For example, work is underway to leverage machine learning for threat detection. This enables systems such as NGFWs to “learn” normal traffic patterns flowing through your network and, in turn, immediately pick-up and report anomalies (Cisco).

If Outsourcing, Find a Secure MSP

There’s nothing wrong in relying on a managed IT services provider (MSP) to drive your SMB’s cybersecurity needs. After all, cybersecurity is a complex specialty; however, you must ensure that your MSP is a secure and fully compliant partner.

Check for each of these key requirements:

Risk Assessment and Prevention

Your MSP must identify and address the internal and external cybersecurity risks threatening the integrity of your data, especially your clients’ non-public information.

Find out how often it conducts vulnerable scans of your IT assets, how it prevents its remote access tools aren’t being used for malicious ends and how it maintains an audit trail.

Onboarding and Offboarding Employees

Examine your MSP’s commitment to properly training its staff, maintaining proper cybersecurity processes and access control (to restrict access).

Does your MSP have an end-user or mobile management system that lets it revoke access and remote-wipe data on lost, stolen or former employee devices?

Password Management

You can’t afford weak password protection and usage at your MSP. You must ensure that your MSP is securely storing and encrypting passwords? Is it employing multi-factor authentication (MFA)? Are there access controls in place to limit password access to your assets to only staff that is vetted and in need of that access for their work?

You absolutely cannot afford an unreliable cybersecurity partner. There are already enough IT vulnerabilities to close, it would be unacceptable to deal with external gaps (that directly affect you) from your MSP as well.

Find a Secure Cybersecurity Partner

It’s clear that developing and implementing a cybersecurity strategy is far from a straightforward task. You need a combination of reliable systems, clearly defined processes, training, and strong compliance expertise to get it done right.

Besides limited resources, you also don’t have a lot of time.

You can’t tolerate the risk of cybersecurity gaps, especially for long periods of time. You need to get started right away and implement a strategy as soon as possible.

Consider leveraging an experienced managed IT service provider such as Power Consulting for your IT Security.

We bring to the table over 25 years of IT solutions experience to the table.

By providing certified IT experts and SOC-2-compliant data centers (located on both coasts in New Jersey and California), we’ve helped the biggest brands in New York overcome their complex IT problems with compliant IT solutions.

You can get every essential piece of an effective cybersecurity strategy through our security as a service (SECaaS) solutions. Our SECaaS packages are tailored for the needs and resources of SMBs — i.e. you get end-to-end coverage for a flat monthly price.

Talk to us and leverage our proven experience to secure your assets right away without the risk of gaps in your implementation and compliance.


Learn More About Cyber Security: