
Cybersecurity for Small Businesses: Five Best Practices for Securing Your Business Data

Because you work too hard to have it go up in smoke

America runs on small business. According to the U.S. Small Business Administration, which defines a small business as having fewer than 500 employees, 7.9 million small businesses were operating in the U.S. in 2020. The great majority of these had only one employee, typically the business owner, sole practitioner, or other solo professional.

Since 2000, small businesses have accounted for 65% of net new job creation in the U.S., and from 2000 to 2019 they created 10.5 million new jobs. By contrast, large businesses created roughly half that number, at 5.6 million new jobs.

Because America runs on small business, we honor and celebrate our small businesses every year in May, during National Small Business Month. At 24By7Security we’re kicking it off with these five security best practices designed to enhance cybersecurity for small businesses. Because you’ve worked too hard to have it go up in smoke.

1: Know Which Security Regulations Apply to You

Small businesses are subject to a variety of regulations, depending on the industry and nature of their work. Before embarking on any journey toward cybersecurity, it is vital to understand which regulations apply to your business. Following are the primary examples:

  • Hotels, stores, restaurants, and other members of the hospitality industry must comply with the Payment Card Industry Data Security Standard (PCI DSS) if they accept credit cards in payment for goods or services. And who doesn't? PCI DSS v4.0 is the most current version; it added new requirements and updated specifications to keep security robust. Note that PCI DSS is not limited to hospitality: it applies to any business that stores, processes, or transmits cardholder data, although smaller merchants typically validate compliance through a self-assessment questionnaire rather than an on-site assessment.
  • Healthcare practices, physicians' offices, medical centers, and other smaller healthcare providers and business associates must comply with the HIPAA Security Rule, in addition to the Privacy Rule and Breach Notification Rule. HIPAA compliance is monitored by the HHS Office for Civil Rights, which penalizes non-compliance regardless of the size of the organization. There are many examples of fines being imposed on small providers.
  • Real estate firms, credit unions, financial advisory firms, stockbrokers, credit reporting companies, and universities that provide financial aid to students are just some examples of small businesses that must comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. These security requirements extend to any entity that manages consumer financial information, whether in paper, electronic, or other media.
  • Defense contractors, including the smaller suppliers and subcontractors who comprise 74% of the defense supply chain, must comply with Cybersecurity Maturity Model Certification (CMMC) security requirements. CMMC 2.0 was developed to be more inclusive of smaller contractors by streamlining and simplifying requirements while maintaining strong security throughout this extensive sector of the defense supply chain.

Once you understand the scope of your compliance obligations, you can then delve into the security requirements central to that compliance in order to design effective cybersecurity for your small business. If you have difficulty with this important first step, contact us for guidance.

2: Complete a Security Risk Assessment

Once you know your obligations, this is the logical next step, whether you're building a new security program for a new business or updating security for your existing business. Federal regulations with any type of security component require a regular risk assessment to evaluate the adequacy of security controls within your business.

A security risk assessment provides a structured, qualitative evaluation of your operational environment in terms of threats, vulnerabilities, risks, and security safeguards. Among the activities completed as part of a risk assessment, some will be conducted on your premises while others can be completed remotely. Below are a few examples.

  • Identify and agree on the scope of the assessment for your organization
  • Collect all relevant data, including policies and procedures, network maps, equipment inventories, and other materials
  • Identify threats and vulnerabilities using penetration testing, system scans, and other tools and techniques; document the threats and vulnerabilities revealed by each method
  • Determine the likelihood of threat occurrence, the potential consequences of threat occurrence, and the severity and potential impact of each risk

All findings should be documented in detailed reports, backup materials, remediation recommendations, and an executive summary. These should be reviewed with you in a live or online meeting in which questions will be answered and next-step guidance provided.

With completion of this action, you will understand where your business has vulnerabilities and how they can be addressed to keep your systems and data secure and improve cybersecurity for your small business.


3: Got Employees? Train Them!

Whether it’s you and an assistant, a staff of ten, or 300 employees across eight departments, the human element creates enormous risk in any small business. Phishing schemes in particular target employees who are too busy, distracted, or poorly trained to recognize a suspicious email when they get one. In 2021, nearly 40% of all security breaches were the result of phishing attacks, and the frequency is growing steadily each year as phishing continues to produce desirable results for cybercriminals.

Phishing uses emails that contain malicious links or attachments intended to fool employees into downloading malware or entering credentials on spoofed websites. While email has been the delivery weapon of choice, cybercriminals also use texts, social media messages, and phone calls, for example to pose as company executives.

Two security components that can effectively combat phishing and its disastrous consequences are multifactor authentication (MFA) and cybersecurity awareness training. MFA applies an extra layer of security when users log in by requiring a second factor, such as a one-time code from an authenticator app or a hardware security key. Thus, even if an attacker captures an account username and password through phishing, the password alone is not enough to gain access. One caveat: a one-time code that a user types into a web page can itself be phished by a proxy site that relays it to the real service in real time, so where an account is critical, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate site and cannot be relayed this way.

The second layer of security, effective in protecting your employees from phishing attacks, is cybersecurity awareness training. Training, retraining, testing, reminders, and other elements of a good program teach employees how to recognize a phishing attempt, what not to do (for example, don't click on links and don't open attachments), and how to report it to your IT or other designated contact.

4: Install Security Software on Systems and Devices

Many smaller businesses use residential-grade security software on their computers, laptops, smartphones, and the networks and systems that support those devices. Although it's true that using residential products is better than having no security, be sure to take advantage of commercial-grade security software whenever it's available: business editions add central management, reporting, and the ability to enforce settings across every device rather than relying on each user to configure their own.

Following are four steps small businesses can take today that will help secure your computers and data, courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

  • Secure your router and browser. When you connect a computer to the internet you also connect to millions of other computers, a connection that can allow attackers access to your computer. Your modem and ISP provide only limited protection, so it's crucial to secure your router, because it is the first device that receives traffic from the internet: change the default administrator password, install firmware updates, disable remote (internet-side) administration, and use WPA2 or WPA3 with a strong passphrase on wireless networks. For the same reason, strengthen your browser's security settings rather than accepting the factory defaults, and keep the browser itself updated.
  • Set up your firewall. A firewall controls the flow of information between your computer and the internet. Most modern operating systems come with a software firewall, and most routers also have a built-in firewall. Your user guide will assist you in enabling your firewall and configuring the security settings; the safe baseline is to block all inbound connections by default and allow only what you need. Be sure to set a strong password to protect your firewall from unwanted changes by unauthorized persons.
  • Use antivirus software and keep all software up to date. Installing good antivirus software and keeping it current is vital. Antivirus identifies malware using signatures that the vendor updates continually as new malware is discovered, increasingly supplemented by behavioral detection. Other software has vulnerabilities too, and vendors release security patches to close them before cybercriminals can exploit them to steal your data. If your software offers automatic updating, enable this feature to make sure you always have the latest security. For manual updates, when you get an alert from the vendor, update the software promptly.
  • Remove what you don't need. The fewer software programs you install, the fewer ways you can be attacked. Take some time to review the software that's installed on your computer. If you don't know what it does, research it and decide whether you need it. Deleting unnecessary default features also reduces attack opportunities. Review the features that are enabled by default on your computer and disable those you don't need or don't plan to use. It's a good idea to first confirm that a feature is safe to remove, and to back up important files and data before the removal process.
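The four steps above are a checklist, and on a Windows computer most of them can be verified in a few seconds rather than by hand. The script below is an added example, not part of the original post or CISA's guidance: a read-only audit that reports the state of the host firewall, antivirus, automatic updates and installed software on a single Windows 10/11 endpoint. It assumes Microsoft Defender is the antivirus (it degrades to a warning if a third-party product is installed instead), and the freshness thresholds (3 days for signatures, 45 days for the newest patch) are my own choices. Run it from an elevated PowerShell session; it changes nothing. The router and browser settings from the first step are outside the host and are not checked here.

```powershell
# Added example (not from the original post or CISA): read-only audit of the
# host-side controls in step 4 on a Windows 10/11 endpoint. Run elevated.
$findings = @()

# --- Firewall: every profile (Domain, Private, Public) should be enabled and
#     should block inbound connections by default.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is DISABLED"
    } elseif ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' does not block inbound traffic by default"
    }
}

# --- Antivirus: Microsoft Defender real-time protection on, signatures fresh.
#     Get-MpComputerStatus fails when Defender is not the active product.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Defender real-time protection is OFF"
    }
    if ($mp.AntivirusSignatureAge -gt 3) {   # assumed threshold: 3 days
        $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    $findings += "Microsoft Defender status unavailable; confirm your third-party antivirus is active and updating"
}

# --- Automatic updates: the legacy Windows Update Agent setting.
#     NotificationLevel 4 = "scheduled installation" (download and install
#     automatically). Group Policy or Intune may override this on managed PCs.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
if ($au.NotificationLevel -ne 4) {
    $findings += "Windows Update is not set to install automatically (NotificationLevel=$($au.NotificationLevel))"
}

# --- Patch recency: when was the newest hotfix installed?
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastPatch -and ((Get-Date) - $lastPatch.InstalledOn).Days -gt 45) {   # assumed threshold: 45 days
    $findings += "Newest hotfix $($lastPatch.HotFixID) was installed $($lastPatch.InstalledOn.ToShortDateString()); check Windows Update"
}

# --- Remove what you don't need: inventory installed programs for review,
#     and flag SMBv1, a deprecated protocol that almost no small business
#     still needs and that network worms have abused.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    $findings += "SMBv1 is enabled; disable it unless a legacy device requires it"
}

# --- Report
"`n=== Installed software ($($installed.Count) entries): review anything you do not recognize ==="
$installed | Format-Table -AutoSize

"`n=== Findings ==="
if ($findings.Count -eq 0) {
    "No issues found by this check."
} else {
    $findings | ForEach-Object { " - $_" }
}
```

Each finding maps to one of the four bullets, so a business owner can hand the output to whoever manages their computers as a short to-do list. Rerunning the script after the fixes, and again every month or so, is an easy way to confirm the controls stay in place.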

5: Get Expert Help with Other Security Practices

These security best practices will go a long way toward providing cybersecurity for your small business. But there are other steps you can take to further strengthen security for your hardware, software, and data, and this includes asking for help from cybersecurity experts and compliance professionals. Highly experienced professionals will be familiar with all of the regulatory requirements for security, as well as the specifications of leading cybersecurity frameworks such as the NIST Cybersecurity Framework, HITRUST CSF, and ISO/IEC 27001, for example.

Your small business may also benefit from the services of a Virtual Chief Information Security Officer (VCISO) who can provide expert guidance on an as-needed, part-time basis to maximize cost-effectiveness. Why not treat your small business to a complimentary consultation during National Small Business Month?


America runs on small business, which accounted for 7.9 million businesses in the U.S. in 2020. Like all organizations, small businesses are vulnerable to malware, ransomware, phishing schemes, data breaches, and other cybercrimes. However, there are several security best practices small businesses can put in place to strengthen cybersecurity and protect data. Start by understanding which regulatory requirements apply to your small business. Conduct a security risk assessment to identify your vulnerabilities so that the most critical can be addressed promptly. Require multifactor authentication for signing in to your most important accounts and train your employees (and yourself) to recognize phishing and other popular cybercrimes. Install security software and enable automatic software updates whenever possible. Finally, seek professional cybersecurity expertise to help you address any critical security gaps before they can be exploited.

You’ve worked hard to establish, maintain, and improve your small business, and you owe it to yourself to protect what you’ve built. Instead of putting it off, why not take the first step today? Cybersecurity for small businesses is every bit as important as it is for larger organizations, as the numbers prove.

Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.
