Cybersecurity Essentials for Small Businesses

You might be wondering why you should read this post when there are hundreds of paid online courses on cybersecurity, numerous cybersecurity influencers, and countless "how to secure" guides available. You are not wrong. The reason to read it is that it condenses extensive background research on security best practices and advisories from the US government (CISA and NIST in particular) and other reputable cybersecurity bodies into a short, actionable list. That will save you endless hours of wading through an ocean of books, blogs, articles, and video courses.

First, let's bust a common myth.

Myth: If you are a small business, there is no need to worry about cyber attacks.

Reality: Think like a newbie hacker trying to make quick money or test their skills. Would they break into a big tech company with professional cybercrime investigators, incident responders (skilled cybersecurity professionals who respond when something unplanned like a hack happens), and the best security operations in the world, or would they target a small business to test their skills and luck? Makes sense, right?

Even if you are not targeted directly, imagine a group of attackers running a botnet (a network of hijacked computers and devices, infected with malware and under the attacker's control) that spreads malware indiscriminately, or imagine downloading a trojanized file from a popular website that was recently breached. Now the computer that runs your entire business is compromised. What then? If you have not taken any preventative measures, you have incurred a serious business loss.

Now that the impact of ignoring or neglecting cybersecurity is crystal clear, let’s look at how we can implement cybersecurity best practices in a small-scale business.

Step 0: Keep Your Systems Up to Date

Software that is not kept up to date accumulates known security vulnerabilities, and many of those have public exploits that let attackers gain remote access to your computers with very little effort. Turn on automatic updates for the operating system, the browser, and any business applications, and retire software that no longer receives security updates at all.

Step 1: Create Separate Accounts for Business Use

Create separate accounts for business use: a separate user account on your business laptop or system, and business email and cloud accounts that are distinct from your personal ones. Never use the business machine to casually browse the internet or download personal items; keep it only for professional use. By following this policy you shrink the attack surface open to an attacker: if you don't visit unknown websites and surf endlessly on your work computer, the chances of getting hacked drop drastically. Use a standard (non-administrator) account for day-to-day work and keep the administrator account for installing software only; malware that lands in a standard account cannot install itself system-wide as easily.

Additionally, CISA (the Cybersecurity and Infrastructure Security Agency) recommends moving your staff to Chromebooks or iOS/iPadOS devices such as iPads where possible. It can be expensive, but these two stand out as "secure by design": the operating systems are locked down, updates are automatic, and apps are sandboxed. Even if an attacker gains a foothold on one of these devices as part of a ransomware attack, the data primarily lives in a cloud service, which limits the damage; that cloud account then needs strong authentication and backups of its own.

Step 2: Recognize Phishing and Scam Messages

Never respond to suspicious links and messages. To identify them, ask two questions:

  1. Is the sender someone you know or trust, reaching you on a channel they normally use?
  2. Does the message seem out of character, unusually urgent, or too good to be true?

If the sender is unknown, or a sender you do know is suddenly behaving out of character, treat the message as a possible scam. When a known person asks you to send money via a text message, double-check by calling them on a number you already have, not one given in the message. This old-school method works well. I have seen college professors and relatives lose access to their Facebook and other social media accounts because script kiddies ("skids") hijacked the accounts and started messaging everyone in their contact list with requests for money. These attempts were often successful. So, watch out for these tactics.

Step 3: Use Good Antivirus and a Firewall

This should be a no-brainer. At a minimum, leave the operating system's built-in antivirus and host firewall switched on; they cost nothing and are enabled by default on current Windows and macOS. If you can afford an EDR (Endpoint Detection and Response) product, one that protects and monitors every system, pushes security updates and configuration changes across all of them, watches for breaches or suspicious activity, and alerts you, Microsoft Defender for Endpoint is a cost-effective choice, especially if you already pay for Microsoft 365. If you are a tech geek, open-source alternatives exist as well.

Step 4: Use Unique, Strong Passwords

Use a unique, strong password for each online account, store them in a password manager, and enable two-factor or multi-factor authentication everywhere it is offered.

You might have heard the old rule of keeping passwords to 8 or 12 characters with mixed character classes and changing them every 90 days. That advice traces back to earlier NIST (National Institute of Standards and Technology) guidance and the corporate IT policies built on it. The current NIST SP 800-63B guidance reverses it: do not force periodic changes unless there is evidence of compromise, do not impose composition rules, but do require length (at least 8 characters, and accept at least 64) and check new passwords against lists of known-breached or common passwords. In practice that means a long, randomly generated password or passphrase for every account, stored in a password manager such as KeePass, Passbolt, or Bitwarden. There are many easy-to-follow online tutorials for these tools.
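As an added example (my own code, not from the original post), here is what the SP 800-63B rules look like when written down: a length check, a breached-password check, no composition rules, plus the k-anonymity split that lets you query the Have I Been Pwned range API with only the first five characters of the password's SHA-1 so the password itself never leaves your machine. The blocklist and the range-API response below are constructed for the example; a real deployment would use the full breached-password corpus and the live API.

```python
from __future__ import annotations

import hashlib
import secrets

# NIST SP 800-63B: at least 8 characters must be required and at least 64 accepted.
MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a breached/common-password list. A real deployment
# would load the full Have I Been Pwned (or similar) corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed stand-in for a Have I Been Pwned range-API response
# (one "SUFFIX:COUNT" line per hash sharing the queried 5-char prefix).
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:1
"""


def check_password(candidate: str, blocklist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accept.

    Length and blocklist only, no composition rules and no expiry, as
    SP 800-63B prescribes. The blocklist match is case-insensitive with
    outer whitespace stripped so 'Password ' does not slip past 'password'.
    """
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if candidate.strip().lower() in blocklist:
        reasons.append("appears in the breached/common password list")
    return reasons


def hibp_range_parts(candidate: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    range API and the 35-char suffix that is matched locally. Only the prefix
    leaves the machine, so the service never learns the password (k-anonymity)."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffix_hit_count(suffix: str, range_response: str) -> int:
    """Scan a range-API style response for our suffix and return its breach
    count, or 0 if the suffix is not listed."""
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found and found.upper() == suffix.upper():
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random string from the OS
    CSPRNG, long enough that online and offline guessing are both hopeless."""
    alphabet = ("abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["letmein", "Password ", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "OK")
    prefix, suffix = hibp_range_parts("password")
    print("query prefix", prefix, "breach count",
          suffix_hit_count(suffix, SAMPLE_RANGE_RESPONSE))
    print("generated:", generate_password())
```

The point of the split is that the service only ever sees a 5-character prefix shared by hundreds of other hashes; the match is done on your side. Note also what is absent: no "must contain a digit and a symbol" rule and no expiry date, because both push people toward predictable passwords.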

For multi-factor authentication, an authenticator app such as Google Authenticator (or the one built into your password manager) is preferable to receiving one-time passcodes by SMS, because phone numbers can be hijacked through SIM swapping; where a service supports it, a hardware security key is stronger still. That said, any second factor is far better than none.

Step 5: Avoid Untrusted Networks

Never log on to untrusted networks. Attackers set up free or open WiFi hotspots to lure you into sending your traffic and credentials through equipment they control. Worse, they can knock your devices off your own WiFi by sending forged deauthentication packets, stand up a fake open network with your WiFi's name (an "evil twin"), and present a captive login portal that asks for your password or other sensitive details. While this attack is running there is little you can do beyond being vigilant: check whether a network with your name has suddenly appeared as an open network, never type credentials into a captive portal you did not expect, and wait or move before reconnecting rather than joining the open look-alike. Longer term, configure your access point for WPA3, or on WPA2 enable Protected Management Frames (802.11w), which authenticates deauthentication frames so forged ones are ignored, and use a VPN or stick to HTTPS-only sites whenever you must use a network you don't control.

Step 6: Regular Backups

Have regular backups. This is crucial in case of attacks like ransomware, where the attacker encrypts all your data, or in situations where you accidentally lose it. Keeping data in cloud storage like OneDrive or Google Drive is handy. If possible, also invest in an external hard drive to back up important documents, and disconnect it once the backup has finished: ransomware encrypts every drive it can reach, including a backup drive that is left plugged in. Finally, test a restore now and then; a backup you have never restored from is only a hope.
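As an added example (my own code, not from the original post), here is a small backup routine that packs a folder into a timestamped archive, records a SHA-256 manifest alongside it, and verifies the backup the only way that counts: by actually restoring it to a scratch directory and comparing every file against the manifest. The document tree built in demo() is constructed for the example; in practice you would point make_backup at your own folder and an external or cloud-synced destination.

```python
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large documents need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path_for(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Pack `source` into a timestamped .tar.gz under `dest_dir` and write a
    JSON manifest of per-file SHA-256 hashes beside it. Returns the archive path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{source.name}-{stamp}.tar.gz"
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    manifest_path_for(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path) -> list[str]:
    """Restore the archive into a scratch directory and check that every file
    in the manifest came back with the right hash and nothing extra appeared.
    Returns the list of problems; an empty list means the backup is restorable."""
    manifest = json.loads(manifest_path_for(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(root, filter="data")  # rejects path traversal (newer Python)
            except TypeError:                        # older Python: no filter argument
                tar.extractall(root)
        restored = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in manifest)
    return problems


def demo() -> dict[str, list[str]]:
    """Back up a small constructed document tree, verify it, then tamper with
    the manifest to show what a failed verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "docs"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.txt").write_text("Invoice 1: 120.00\n")
        (src / "customers.csv").write_text("name,email\nAda,ada@example.com\n")
        archive = make_backup(src, Path(tmp) / "backups")
        clean = verify_backup(archive)
        # Simulate a damaged copy and a lost file by editing the manifest.
        mpath = manifest_path_for(archive)
        manifest = json.loads(mpath.read_text())
        manifest["customers.csv"] = "0" * 64
        manifest["ghost.txt"] = "1" * 64
        mpath.write_text(json.dumps(manifest))
        tampered = verify_backup(archive)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the archive on the offline drive, and keep a second copy somewhere the backup machine cannot write to. A ransomware strain that can reach the archive can rewrite the manifest too, which is why the offline copy, not the checksum, is the real protection.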

Step 7: Encrypt Sensitive Information

Encrypt your sensitive information with full-disk encryption: BitLocker on Windows, FileVault on macOS, and the encryption that iPads and Chromebooks enable by default. Even if a device is stolen or lost, nobody can read the data without the key. Store the recovery key somewhere other than the device itself, such as in your password manager, or you will lock yourself out along with the thief.

By following these steps, you can significantly improve a small business's cybersecurity without a large budget, a dedicated security team, or specialised tooling. Stay safe.
