Every year, new tips come out about small business cybersecurity. But the advice for 2022 isn’t all that different from previous years.
For instance, the U.S. Small Business Administration (SBA) talks about phishing, viruses, ransomware, strong passwords and protecting confidential information this year. Their tips on staying safe are an excellent resource that businesses should read over more than once.
But can small businesses benefit from advice beyond what is now considered basic online hygiene?
To stay safe in 2022, the key is to pay closer attention to some of the basic tips and balance that with some new ways of thinking.
Which Small Business Cybersecurity Strategies Should You Focus On?
The SBA tips cover some cybersecurity best practices that might seem like they only apply to larger businesses. However, some are equally critical for small ones. For example, leaders at smaller companies often don’t think they need security awareness training. If your company only has five employees, do you really need to invest in security training? Yes.
Does this mean that you have to conduct formal training? Not at all.
The small business cybersecurity training topics the SBA tips suggest are precisely what all employees should know:
- Spotting a phishing email
- Using good browsing practices
- Avoiding suspicious downloads
- Creating strong passwords
- Protecting sensitive customer and vendor information
- Maintaining good cyber hygiene
If your small company seems too small for ‘training’, how about holding a lunch-and-learn type session over pizza? Make the training as interactive, fun and engaging as possible. Even with a business as small as five, if the session prevents one ransomware email, it may save your business.
Knowing where your business stands from a risk perspective may be the most important piece of knowledge you have regarding small business cybersecurity. As noted in the SBA guide, “the first step in improving your small business cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.”
Risk assessments, especially when conducted by a third party, let you know where your business is at risk and put you in a better position to create a defensive plan or strategy. The process needn’t be in-depth or comprehensive, but there must be some strategy.
Vulnerability scans determine how vulnerable your critical systems and sensitive data are to compromise or attack, given the state of your software patching and any misconfigurations. But, you might ask, how can my business afford to pay a third party to perform a vulnerability scan?
For small businesses, the DHS offers free cyber hygiene vulnerability scanning that produces a weekly report from which you can take action. Sign up for the free service by contacting the Cybersecurity and Infrastructure Security Agency at [email protected]. They’ll send you documents to sign, confirm a scanning schedule and send you a pre-scan notification.
When accessing any service, website or application, we highly recommend multifactor authentication (MFA). Remember, MFA provides another critical layer of small business cybersecurity by requiring a second proof of identity, for example a unique one-time code sent via email or text. Anyone doing online banking is probably familiar with using MFA, so it shouldn’t be challenging to deploy within your company systems.
Attackers love low-hanging fruit and prefer to attack businesses that don’t have security measures in place. So, MFA represents a major stumbling block for them.
Beyond the SBA Small Business Cybersecurity Recommendations
Much like training and assessing risk, third-party risk management doesn’t sound like it belongs in a small business cybersecurity tip list. But think about how many companies you do business with and which may have access to your sensitive data. When you share your company’s confidential data and customer data with third parties, it is only as secure as the business handling it.
Take your tax information, for example. For cyber criminals, your tax data is like the holy grail. The tax preparer, accountant or firm you deal with must handle your data with as much due care as you do. Just like you would invest time to ensure that person or company understands small business cybersecurity, you need to be diligent about other third parties like cloud providers and vendors.
Your business cannot afford to be shy about asking third parties who can access your data how data is stored and exchanged and what security measures they have in place.
Social Media Use
Social media is a treasure trove of useful information for fraudsters and criminals.
No matter where they’re using it, employees may be revealing sensitive business information on social media without even knowing they could be harming the business. It’s an under-appreciated aspect of small business cybersecurity.
Every social media post and photo could be exploited. For example, how about that team photo you posted after the strategy meeting in the boardroom? What if it contained confidential information or revealed intellectual property by mistake? Even a LinkedIn post congratulating a co-worker on a successful project or new role could be used against you.
The more data that threat actors have about your employees’ interests, jobs and activities, the better opportunity they have for exploiting it to their advantage and using it in a phishing or ransomware attack.
The Cybersecurity Mindset Shift Required for 2022
No company is too small for cybersecurity to be a top priority. The risks are far too great. For instance, in the last month of 2021, a Log4j software bug was disclosed, which could cause “incalculable” damage in 2022. The technical details can be found here, along with ways to defend against it.
At the time of this writing, the risk to small businesses from the bug was minimal. But what about in 2022?
The point is, developments in the threat landscape occur frequently. While keeping up may seem difficult, knowing about the potential threats is crucial — regardless of your company’s industry or size.
Small businesses should consider cybersecurity developments as equally crucial as industry developments. As cybersecurity becomes an essential part of your business strategy — much like marketing, accounting or human resources — your risk of being breached or attacked decreases drastically.
Finally, prioritizing security isn’t possible without prioritizing mental health. Tech burnout transcends the cybersecurity industry and applies to almost everyone, especially in today’s chaotic business environment. When employees are happy, they typically make fewer mistakes. In the cybersecurity industry, the notion of employees making fewer mistakes means everything.