There is a persistent myth that small businesses are less likely to experience a cyber-attack. Unfortunately, the truth is far more frightening. Smaller companies have a bigger target on their backs than ever before, and those who fail to prepare are leaving themselves completely exposed. If a breach does occur, the consequences could be devastating.
The good news is that strengthening your defences doesn’t necessarily need to come at the cost of your entire IT budget for the year. This guide will teach you all about cyber security for small businesses:
- Which threats you’re most likely to face
- Which security solutions will best protect you
- How to overcome the unique complications that small and medium businesses contend with
The Threats You’re Up Against
Before you can start protecting the business, you must first understand where the danger is coming from. Some of the most common cyber threats that small businesses face include:
Social Engineering Scams
Social engineering scams have long been a favourite of threat actors, for one simple reason: they are extremely difficult to stop. Unlike most attack methods, social engineering tactics directly leverage human psychology. This allows them to bypass most technological defences entirely. Common social engineering attacks to watch out for include:
- Phishing Scams: Also referred to as vishing (when done over voice call) or smishing (when accomplished via SMS message), phishing is when threat actors send fraudulent messages posing as a legitimate entity. Their goal is usually to collect sensitive information or convince users to download malware onto company devices.
- Business Email Compromise (BEC): BEC is a particularly damaging variant of phishing scam aimed at organisations. During these attacks, threat actors impersonate high-level executives and ask employees to make fund transfers.
- Baiting: Baiting is when cybercriminals leave an attractive prize out in the open to fool their victims. For example, an employee may stumble across a “free USB”, which automatically installs malware when plugged into a device.
- Diversion Theft: Diversion theft is when threat actors trick users into accidentally sending sensitive information to the wrong recipient. They often accomplish this using phishing techniques.
- Quid Pro Quo: During a quid pro quo attack, threat actors collect sensitive information by leveraging a perceived reward. For instance, they might pretend to be IT support, claiming that they need login details to solve an account problem.
Ransomware
Ransomware is a type of malware that locks down business data and systems (usually through encryption) and demands payment from the victims. This cyber threat can be particularly devastating in industries such as healthcare, which cannot afford to experience long periods of downtime and thus are more likely to give in.
It is important to note that while the actor’s goal here is to make payment seem like the only feasible option, this is almost never true. Around 97% of small and medium-size businesses who experience a ransomware attack get their data back, regardless of whether or not the ransom was paid. In addition, paying up might mark you as a viable victim and increase the risk of future attacks.
Credential-Based Attacks
Weak or poorly protected credentials are vulnerable to attack. Malicious actors can use these to gain easy access to company systems. Gone are the days when they needed to waste hours brute forcing passwords, or search the internet for personal details. Modern criminals need only try a list of credentials they’ve successfully breached in the past. This strategy requires very little effort on their part, and is often successful.
Supply Chain Attacks
If attackers cannot breach your defences (or don’t feel like putting in the effort), there’s one last trick up their sleeve. Instead of targeting you directly, they can first breach a third party vendor or partner. They then leverage the trust you’ve already developed with this entity to gain access to your systems. These are known as “supply chain attacks” and are becoming increasingly popular. If you’ve seen news stories where dozens of companies were breached simultaneously, this is usually how they did it.
The Unique Challenges Small Businesses Contend With
Limited Funds
Smaller companies are typically working with very tight budgets, which limits their ability to implement stronger security measures. Solutions that larger enterprises can implement with ease are often entirely out of reach for growing businesses.
Lack of In-House Expertise
Budgetary limits make it almost impossible to maintain the internal security knowledge needed for a solid cyber defence. Without this crucial expertise on hand, you’re more likely to make mistakes that endanger the business.
Legacy Systems
Small businesses often rely on outdated technology. These solutions do not receive security patches, and may be incompatible with modern tools, creating major vulnerabilities that threat actors can exploit.
Basic Security Measures on a Budget
Cyber security doesn’t always need to be complex or expensive. In fact, many of the most effective measures can be implemented on a very low budget. Here are some of the basics that every small business should consider:
Multi-Factor Authentication (MFA)
MFA prevents accounts from being breached if login credentials are compromised, by requiring a second form of verification before granting access. This might include:
- Biometric Data: For instance, a fingerprint or face scan.
- A One-Time Code: This will typically be sent to a second device, such as a mobile phone, and must be typed into the main login page.
- A Special Token: A secondary device that must be used to log in, such as a Yubikey.
MFA is one of your strongest defences against credential theft, as it prevents threat actors from logging in even if they obtain the correct password. Some platforms will also notify you of suspicious attempts, potentially sounding the alarm far earlier. This important security measure should be enabled whenever possible, across all sensitive accounts and devices.
Patch Management
Many software patches are designed to address known security risks. When they’re not applied, these vulnerabilities are left within the program, where they can be easily exploited by threat actors. It’s critical that you implement effective patch management practices, such as:
- Updating operating systems, applications, and firmware promptly when notified that a patch is available
- Replacing or isolating software that has reached end-of-life
- Actively monitoring and documenting patch status, rather than simply assuming it’s been done
- Enabling automatic updates whenever possible
Backup and Recovery
Reliable backups are your only safety net in the event of a crisis. Without them, a ransomware attack, accidental deletion, or hardware failure can cause permanent data loss. The good news is that a strong backup strategy is relatively easy (and cost-effective) to implement:
- Use the 3-2-1 rule: three copies of data, across two different mediums, one of which must be offsite or in the cloud.
- Automate your backup schedule when possible.
- Clearly define your recovery point objective (RPO) and recovery time objective (RTO), and build your backup strategy around it.
- Store data backups in a separate location that is completely isolated from your main environment.
- Test the restoration process regularly to ensure it actually works when needed.
Access Controls
One of the biggest mistakes small businesses make is giving every staff member access to all systems “just in case”. This creates numerous entry points for attackers, increasing the risk of a major breach.
Instead, you should be using the principle of least privilege: each staff member should only be able to access what’s needed for their role. This reduces the number of potential attack vectors and helps limit the damage if an account is breached.
Strong access controls include:
- Regular reviews of who has access to what, and whether or not it’s necessary
- Removal of access when employees leave or change roles
- Clear separation between standard and administrative accounts
- Documented policies regarding account access
- Reviews of third-party access, to ensure that external vendors and partners have only the access they need
Email Security
Email security is your first line of defence against phishing attacks and other social engineering scams. Your employees can’t be fooled by a fraudulent email if it never lands in their inbox. Protective measures also reduce the risk of interception. Consider implementing:
- End-to-end encryption
- Spam filtering
- Domain authentication protocols
Some of these can be implemented directly within the existing platform, making them virtually free.
Endpoint Protection
Accounts aren’t the only risk. Every device that connects to company networks is another potential entry point for cybercriminals. Computers, laptops, tablets, and mobile devices are a few examples of endpoints. If a single one is infected with malware, your entire IT infrastructure could be at risk.
Implement measures such as:
- Antivirus software
- Continuous monitoring and threat detection (in-house, outsourced, or automated are all better than nothing)
- Endpoint management programs (some platforms, such as Microsoft 365, provide this)
The Importance of Cyber Security Awareness Training
Technological controls are necessary, but not sufficient on their own. They’re particularly vulnerable to social engineering attacks, which can bypass them entirely. To address this weakness, you’ll need to mobilise your employees.
By teaching your team to identify, stop, and report cyber threats, you build a human firewall – a final line of defence against incoming attacks. Staff are less likely to fall for scams, and can even proactively prevent breaches. The catch is simple: to achieve this outcome, you must first engage your employees. And that can be more difficult than you might anticipate.
Rather than running long lectures that your team will forget within the next month, here are some some techniques you should employ to ensure that training is effective:
- Run regular, short sessions rather than long and sporadic ones.
- Ensure that content is relevant to the people who are learning it.
- Keep it fun and blame-free.
- Use practical exercises to test and reinforce their knowledge.
- Consider hanging posters around the office or sharing news about recent breaches, to keep the information fresh in everyone’s minds.
- Model secure practices yourself, to reinforce that security is everyone’s responsibility.
If a breach does occur despite everyone’s best efforts, it’s important to handle it carefully. Accidents happen and humiliated employees tend to shut down. Do not shame the staff member responsible in front of the entire team, or punish them for an honest mistake. Instead, take them aside, privately and calmly explain where they went wrong, and then provide additional training to close the knowledge gap.
The Role of a Cyber Security Framework
Achieving a strong security posture can be challenging, especially if you don’t have deep expertise in this area. A cyber security framework can be very helpful here. It provides clear guidelines that keep you on the right track.
Three useful frameworks to consider include:
The ACSC Essential Eight
The Essential Eight was developed by the Australian Cyber Security Centre (ACSC), and is generally considered the foundational framework for small businesses looking to strengthen their defences. It covers eight basic controls that are designed to be achievable for any organisation, regardless of their size or available resources:
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict Microsoft Office macros
- user application hardening
- regular backups.
It’s important to note that within the next two years, the ACSC plans to phase out the Essential Eight and replace it with a more modernised framework. However, these basic controls are still good to implement.
SMB1001
SMB1001 was designed by Dynamic Standards International (DSI), an organisation operating in both the US and Australia. Much like the Essential Eight, it’s built with small businesses in mind. However, it functions a little differently.
Rather than focusing on eight basic controls, SMB1001 splits security across five domains:
- Technology Management
- Access Control
- Backup and Recovery
- Policy Development
- Education and Training
This provides a far more comprehensive approach to security, while still remaining accessible to small businesses.
ISO 27001
ISO 27001 is the current gold standard for cyber security. It has the harshest requirements, but provides access to an official accreditation in return. If you achieve full ISO compliance, then you will be able to demonstrate to everyone visiting your website that your business is safe and trustworthy.
Unlike the other frameworks listed here, ISO 27001 focuses on the creation and maintenance of an information security management system (ISMS). To achieve certification, you must complete a two-stage audit: step one evaluates your written ISMS document, while step two verifies that the controls outlined within it have actually been implemented. This audit must be passed every three years in order to maintain your certification. This process makes ISO 27001 quite a complex and time-consuming framework, and thus it can be difficult for small businesses to implement.
Building a Small Business Cyber Security Strategy
Alternatively, you could build your own cyber security strategy rather than relying on a framework alone. This method allows for a greater degree of customisation, but requires a little more effort. Follow these steps to ensure success:
1. Conduct a Risk Assessment
Before you do anything else, it’s crucial to discover any vulnerabilities hiding within your IT infrastructure. Perform a full risk audit of all digital assets, including:
- Hardware
- Software
- Cloud environments
- Networks
During this step, you’re looking for security gaps. Unpatched systems, accounts that aren’t secured properly, and other potential attack vectors are all things you should take note of.
2. Prioritise by Impact
Next, you’ll need to perform a business impact analysis (BIA). This step involves determining which threats your business is most likely to face, and what the potential effects would be. If ransomware struck, for instance, would you experience extended downtime? How long is that likely to last? This information will be crucial moving forward.
3. Develop a Game Plan
Once you’ve gathered all necessary information, it’s time to begin putting your strategy together. List all the security measures you’ll need to implement, then organise them into:
- Quick Wins: Things you can implement right now, without much financial burden, that will make a tangible difference to your security posture.
- Long-Term Investments: Measures that are still necessary, but will require a larger investment (in either time or money) to pull off.
When developing your plan, remember to consider timelines, responsibilities, and required resources. Once the strategy document is complete, present it to key staff and stakeholders for input. Early buy-in is essential for reducing change resistance later on.
4. Work Methodically
Implement your strategy slowly and in phases. This will allow you to stop and correct any issues that pop up. Where possible, schedule large or particularly disruptive changes (for example, updating operating systems across the entire office) after normal working hours, so that they don’t interrupt work.
5. Remember Your Plan B
Not all attacks can be prevented. A solid incident response plan will protect your business in the event that a breach does occur, by limiting the damage and allowing you to return to normal operations faster.
Every incident response plan should include:
- A method for detecting, isolating, and eliminating threats
- Steps to recover lost data using your backups
- A way to ensure business continuity throughout and after the incident
- A communications strategy, in case normal channels are offline
6. Review and Adjust
Your incident response plan should be a living document, not a one-off. As time passes, your business environment will change, potentially rendering the existing plan obsolete. You should review your cyber security strategy:
- At least once per year
- After any major changes
- Immediately after a breach has occurred
Make adjustments where needed to ensure that your plan remains effective.
Cyber Security Services for Small Businesses: Are They Worth Investing In?
Rather than maintaining an internal team, some small businesses choose to outsource cyber security to a third party expert known as a managed service provider (MSP). This route can provide many benefits, but also introduces its own challenges.
When deciding whether to outsource or not, here are the most important factors to consider:
In-House Security
Pros:
- You retain full control over all aspects of your cyber security
- When an incident occurs, your staff are on-hand and ready to get to work
- Security knowledge remains within the organisation
Cons:
- You pay for each staff member’s salary, benefits, ongoing training, office space and equipment
- The expertise you have access to is limited by how much money is available
- 24/7 monitoring is almost impossible to maintain
Managed Security
Pros:
- You pay only a single monthly fee, resulting in a stable, predictable budget
- You gain access to a full team of experts in various niches
- No training or lengthy onboarding process required
Cons:
- You must communicate with a third party, rather than making decisions alone
- External teams may not be as familiar with or invested in your business
- Sensitive data and systems are visible to a third party, potentially increasing attack vectors
10 Steps to a Safer Business
Cyber security is often challenging to implement, especially for smaller businesses that lack internal resources. But that doesn’t mean it’s impossible. By developing a strategy, ensuring the basics are in place, and reaching out for help when needed, you can protect your business without spending a fortune.
Not sure how to get started? Here are 10 easy steps you can take right now to secure your business.