The Ultimate Small Business Cyber Security Guide

There is a persistent myth that small businesses are less likely to experience a cyber-attack. Unfortunately, the truth is far more frightening. Smaller companies have a bigger target on their backs than ever before, and those who fail to prepare are leaving themselves completely exposed. If a breach does occur, the consequences could be devastating.

The good news is that strengthening your defences doesn’t necessarily need to come at the cost of your entire IT budget for the year. This guide will teach you all about cyber security for small businesses:

  • Which threats you’re most likely to face
  • Which security solutions will best protect you
  • How to overcome the unique complications that small and medium businesses contend with

The Threats You’re Up Against

Before you can start protecting the business, you must first understand where the danger is coming from. Some of the most common cyber threats that small businesses face include:

Social Engineering Scams

Social engineering scams have long been a favourite of threat actors, for one simple reason: they are extremely difficult to stop. Unlike most attack methods, social engineering tactics directly leverage human psychology. This allows them to bypass most technological defences entirely. Common social engineering attacks to watch out for include:

Ransomware

Ransomware is a type of malware that locks down business data and systems (usually through encryption) and demands payment from the victims. This cyber threat can be particularly devastating in industries such as healthcare, which cannot afford to experience long periods of downtime and thus are more likely to give in.

It is important to note that while the actor’s goal here is to make payment seem like the only feasible option, this is almost never true. Around 97% of small and medium-size businesses who experience a ransomware attack get their data back, regardless of whether or not the ransom was paid. In addition, paying up might mark you as a viable victim and increase the risk of future attacks.

Credential-Based Attacks

Weak or poorly protected credentials are vulnerable to attack. Malicious actors can use these to gain easy access to company systems. Gone are the days when they needed to waste hours brute forcing passwords, or search the internet for personal details. Modern criminals need only try a list of credentials they’ve successfully breached in the past. This strategy requires very little effort on their part, and is often successful.

Supply Chain Attacks

If attackers cannot breach your defences (or don’t feel like putting in the effort), there’s one last trick up their sleeve. Instead of targeting you directly, they can first breach a third party vendor or partner. They then leverage the trust you’ve already developed with this entity to gain access to your systems. These are known as “supply chain attacks” and are becoming increasingly popular. If you’ve seen news stories where dozens of companies were breached simultaneously, this is usually how they did it.

The Unique Challenges Small Businesses Contend With

Limited Funds

Smaller companies are typically working with very tight budgets, which limits their ability to implement stronger security measures. Solutions that larger enterprises can implement with ease are often entirely out of reach for growing businesses.

Lack of In-House Expertise

Budgetary limits make it almost impossible to maintain the internal security knowledge needed for a solid cyber defence. Without this crucial expertise on hand, you’re more likely to make mistakes that endanger the business.

Legacy Systems

Small businesses often rely on outdated technology. These solutions do not receive security patches, and may be incompatible with modern tools, creating major vulnerabilities that threat actors can exploit.

Basic Security Measures on a Budget

Cyber security doesn’t always need to be complex or expensive. In fact, many of the most effective measures can be implemented on a very low budget. Here are some of the basics that every small business should consider:

Multi-Factor Authentication (MFA)

MFA prevents accounts from being breached if login credentials are compromised, by requiring a second form of verification before granting access. This might include:

MFA is one of your strongest defences against credential theft, as it prevents threat actors from logging in even if they obtain the correct password. Some platforms will also notify you of suspicious attempts, potentially sounding the alarm far earlier. This important security measure should be enabled whenever possible, across all sensitive accounts and devices.

Patch Management

Many software patches are designed to address known security risks. When they’re not applied, these vulnerabilities are left within the program, where they can be easily exploited by threat actors. It’s critical that you implement effective patch management practices, such as:

Backup and Recovery

Reliable backups are your only safety net in the event of a crisis. Without them, a ransomware attack, accidental deletion, or hardware failure can cause permanent data loss. The good news is that a strong backup strategy is relatively easy (and cost-effective) to implement:

Access Controls

One of the biggest mistakes small businesses make is giving every staff member access to all systems “just in case”. This creates numerous entry points for attackers, increasing the risk of a major breach.

Instead, you should be using the principle of least privilege: each staff member should only be able to access what’s needed for their role. This reduces the number of potential attack vectors and helps limit the damage if an account is breached.

Strong access controls include:

Email Security

Email security is your first line of defence against phishing attacks and other social engineering scams. Your employees can’t be fooled by a fraudulent email if it never lands in their inbox. Protective measures also reduce the risk of interception. Consider implementing:

Some of these can be implemented directly within the existing platform, making them virtually free.

Endpoint Protection

Accounts aren’t the only risk. Every device that connects to company networks is another potential entry point for cybercriminals. Computers, laptops, tablets, and mobile devices are a few examples of endpoints. If a single one is infected with malware, your entire IT infrastructure could be at risk.

Implement measures such as:

The Importance of Cyber Security Awareness Training

Technological controls are necessary, but not sufficient on their own. They’re particularly vulnerable to social engineering attacks, which can bypass them entirely. To address this weakness, you’ll need to mobilise your employees.

By teaching your team to identify, stop, and report cyber threats, you build a human firewall – a final line of defence against incoming attacks. Staff are less likely to fall for scams, and can even proactively prevent breaches. The catch is simple: to achieve this outcome, you must first engage your employees. And that can be more difficult than you might anticipate.

Rather than running long lectures that your team will forget within the next month, here are some some techniques you should employ to ensure that training is effective:

If a breach does occur despite everyone’s best efforts, it’s important to handle it carefully. Accidents happen and humiliated employees tend to shut down. Do not shame the staff member responsible in front of the entire team, or punish them for an honest mistake. Instead, take them aside, privately and calmly explain where they went wrong, and then provide additional training to close the knowledge gap.

The Role of a Cyber Security Framework

Achieving a strong security posture can be challenging, especially if you don’t have deep expertise in this area. A cyber security framework can be very helpful here. It provides clear guidelines that keep you on the right track.

Three useful frameworks to consider include:

The ACSC Essential Eight

The Essential Eight was developed by the Australian Cyber Security Centre (ACSC), and is generally considered the foundational framework for small businesses looking to strengthen their defences. It covers eight basic controls that are designed to be achievable for any organisation, regardless of their size or available resources:

  1. patch applications
  2. patch operating systems
  3. multi-factor authentication
  4. restrict administrative privileges
  5. application control
  6. restrict Microsoft Office macros
  7. user application hardening
  8. regular backups.

It’s important to note that within the next two years, the ACSC plans to phase out the Essential Eight and replace it with a more modernised framework. However, these basic controls are still good to implement.

SMB1001

SMB1001 was designed by Dynamic Standards International (DSI), an organisation operating in both the US and Australia. Much like the Essential Eight, it’s built with small businesses in mind. However, it functions a little differently.

Rather than focusing on eight basic controls, SMB1001 splits security across five domains:

  1. Technology Management
  2. Access Control
  3. Backup and Recovery
  4. Policy Development
  5. Education and Training

This provides a far more comprehensive approach to security, while still remaining accessible to small businesses.

ISO 27001

ISO 27001 is the current gold standard for cyber security. It has the harshest requirements, but provides access to an official accreditation in return. If you achieve full ISO compliance, then you will be able to demonstrate to everyone visiting your website that your business is safe and trustworthy.

 

Unlike the other frameworks listed here, ISO 27001 focuses on the creation and maintenance of an information security management system (ISMS). To achieve certification, you must complete a two-stage audit: step one evaluates your written ISMS document, while step two verifies that the controls outlined within it have actually been implemented. This audit must be passed every three years in order to maintain your certification. This process makes ISO 27001 quite a complex and time-consuming framework, and thus it can be difficult for small businesses to implement.

Building a Small Business Cyber Security Strategy

Alternatively, you could build your own cyber security strategy rather than relying on a framework alone. This method allows for a greater degree of customisation, but requires a little more effort. Follow these steps to ensure success:

1. Conduct a Risk Assessment

Before you do anything else, it’s crucial to discover any vulnerabilities hiding within your IT infrastructure. Perform a full risk audit of all digital assets, including:

During this step, you’re looking for security gaps. Unpatched systems, accounts that aren’t secured properly, and other potential attack vectors are all things you should take note of.

2. Prioritise by Impact

Next, you’ll need to perform a business impact analysis (BIA). This step involves determining which threats your business is most likely to face, and what the potential effects would be. If ransomware struck, for instance, would you experience extended downtime? How long is that likely to last? This information will be crucial moving forward.

3. Develop a Game Plan

Once you’ve gathered all necessary information, it’s time to begin putting your strategy together. List all the security measures you’ll need to implement, then organise them into:

When developing your plan, remember to consider timelines, responsibilities, and required resources. Once the strategy document is complete, present it to key staff and stakeholders for input. Early buy-in is essential for reducing change resistance later on.

4. Work Methodically

Implement your strategy slowly and in phases. This will allow you to stop and correct any issues that pop up. Where possible, schedule large or particularly disruptive changes (for example, updating operating systems across the entire office) after normal working hours, so that they don’t interrupt work.

5. Remember Your Plan B

Not all attacks can be prevented. A solid incident response plan will protect your business in the event that a breach does occur, by limiting the damage and allowing you to return to normal operations faster.

Every incident response plan should include:

6. Review and Adjust

Your incident response plan should be a living document, not a one-off. As time passes, your business environment will change, potentially rendering the existing plan obsolete. You should review your cyber security strategy:

Make adjustments where needed to ensure that your plan remains effective.

Cyber Security Services for Small Businesses: Are They Worth Investing In?

Rather than maintaining an internal team, some small businesses choose to outsource cyber security to a third party expert known as a managed service provider (MSP). This route can provide many benefits, but also introduces its own challenges.

When deciding whether to outsource or not, here are the most important factors to consider:

In-House Security

Pros:

Cons:

Managed Security

Pros:

Cons:

10 Steps to a Safer Business

Cyber security is often challenging to implement, especially for smaller businesses that lack internal resources. But that doesn’t mean it’s impossible. By developing a strategy, ensuring the basics are in place, and reaching out for help when needed, you can protect your business without spending a fortune.

Not sure how to get started? Here are 10 easy steps you can take right now to secure your business.