In a digital landscape teeming with cyber threats, small and medium-sized businesses (SMBs) are at greater risk than ever. Smaller organizations often have fewer resources and weaker cybersecurity measures than their larger counterparts, making them low-hanging fruit for bad actors. Verizon’s annual Data Breach Investigations Report has found that 61% of cyberattacks target small businesses.
Identifying the biggest risk factors and then adopting the best practices and solutions that can make the greatest impact is a good first step for small businesses or resource-constrained organizations. Here are some simple and affordable ways organizations can increase their cybersecurity protections and risk resilience, without a large enterprise budget.
Implement Multi-Factor Authentication (MFA)
A simple and highly effective best practice for improving any organization’s security is implementing Multi-Factor Authentication (MFA) for account access. MFA is a security measure that requires users to provide more than one form of authentication to access a service or application. MFA is a proven method to prevent account takeovers. In fact, Microsoft has said it can prevent 99.9% of attacks on your accounts. Several forms of MFA exist with different levels of protection. Using a hardware device such as a YubiKey offers the best MFA protection, but using a software application such as Google Authenticator or a dedicated password manager that stores Time-Based One-Time Password (TOTP) codes also provides top-notch protection. Using SMS is common but offers reduced security due to the risks of SIM swapping and other well-known attacks.
Stay On Top of Software Updates
Updating software is a simple best practice for any cybersecurity program, yet it is often neglected. If software is not updated in a timely manner, the risk of being hacked increases significantly. Bad actors can take advantage of unpatched or old software that is not being properly cared for. Leaders should define which systems or software are critical and put a plan in place for updates. Most software will alert users when patches or updates are available; do not ignore these alerts, and encourage employees to update when they receive one.
Use Strong, Unique Passwords
Creating strong passwords is an important step in protecting business data, but is often overlooked. In partnership with S&P Global Market Intelligence, Keeper Security recently found that username-password combinations are still the most widely deployed form of authentication in organizations today (58%). Employees must use strong and secure passwords to prevent hackers from infiltrating critical systems through common attack vectors such as brute force or password spraying. When it comes to password creation, passwords should be at least 16 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Using different, high-strength passwords for every account is also crucial.
A dedicated password manager is an affordable and highly secure solution to generate and store various work and supply-chain passwords, and provides the ability to safely share passwords internally within teams, as well as externally with clients or contractors. Using a password manager also shields sensitive data from newer password-cracking methods, including AI-based password attacks.
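The password guidance in the two paragraphs above (at least 16 characters, all four character classes, and a different password for every account) is easy to turn into code. The following is an added example, not code from the article or from any password manager product: it generates passwords with the operating system's CSPRNG (`secrets`), checks a password against the stated policy, estimates the entropy of a generated password, and flags passwords reused across accounts in a vault. The vault contents, the function names and the special-character set are this example's own constructions.

```python
"""Password policy helpers matching the article's guidance.

Added example for illustration; not part of the original article.
"""
import math
import secrets
import string

MIN_LENGTH = 16
# Character classes in the order violations are reported.
CHARACTER_CLASSES = [
    ("lowercase letter", string.ascii_lowercase),
    ("uppercase letter", string.ascii_uppercase),
    ("digit", string.digits),
    ("special character", "!@#$%^&*()-_=+[]{};:,.<>?"),   # constructed set
]


def policy_violations(password: str) -> list:
    """Return a list of human-readable policy failures; empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CHARACTER_CLASSES:
        if not any(ch in alphabet for ch in password):
            violations.append(f"no {name}")
    return violations


def generate_password(length: int = 20) -> str:
    """Generate a policy-compliant password with the CSPRNG.

    One character is drawn from each class so the result always passes the
    policy; the rest are drawn from the combined pool; then the list is
    shuffled with secrets.randbelow so class positions are not predictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pool = "".join(alphabet for _, alphabet in CHARACTER_CLASSES)
    chars = [secrets.choice(alphabet) for _, alphabet in CHARACTER_CLASSES]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generated_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of `length` chars over the pool.
    (An upper bound for the generator above, whose forced class draws cost a little.)"""
    pool_size = sum(len(alphabet) for _, alphabet in CHARACTER_CLASSES)
    return length * math.log2(pool_size)


def reused_passwords(vault: dict) -> dict:
    """Map each password that appears under more than one account to the
    sorted list of accounts sharing it. `vault` is {account_name: password}."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share one password.
    sample_vault = {
        "payroll-portal": "Summer2023!Summer2023!",
        "crm": "Summer2023!Summer2023!",
        "bank": generate_password(24),
    }
    for account, pw in sample_vault.items():
        print(account, policy_violations(pw) or "ok")
    print("reused:", reused_passwords(sample_vault))
    print("entropy of a 20-char generated password: %.1f bits" % generated_entropy_bits(20))
```

Note that a password can satisfy every class rule and still be weak, as the repeated "Summer2023!" in the sample shows; this is why generating with a CSPRNG and storing in a manager beats composing passwords by hand, and why the reuse check is as important as the policy check.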
Deploy a Privileged Access Management (PAM) Solution
Many successful breaches involve stolen or compromised credentials and the escalation of privileges via lateral movement inside an organization’s network. Organizations looking to remain secure while on a budget should look at PAM solutions that combine password, secrets and privileged connection management capabilities. In a recent report, 91% of IT leaders said their PAM product has given them more control over privileged user activity, decreasing the risk of insider and external breaches. As the volume and severity of cyberattacks intensify, organizations need effective, user-friendly solutions to help secure their privileged credentials, accounts and sessions. This may seem overwhelming for organizations without an IT or security team, but working with the right vendor can empower any employee with affordable, easy-to-use solutions for holistic protection.
Create a Culture of Cybersecurity Awareness
Business leaders must create a corporate culture that prioritizes cybersecurity, and demonstrate a vested interest in the organization’s cyber posture. Additional research found that this is not happening across many organizations, with survey respondents reporting they knew about a cyberattack within their organization but did not think leadership would care about a cyberattack (25%) or would respond (23%).
Not only do business leaders need to show employees that they care about cybersecurity, but they must also prioritize employee education. Regardless of an organization’s size or available resources, employees are the first line of defense against ransomware and other potentially devastating cyber incidents. It’s necessary to educate employees on cyber threats and cybersecurity best practices. For example:
- Beware of social engineering – From security awareness training and a positive security culture comes an enterprise-wide knowledge of what email links and attachments are suspicious and may be phishing attempts. One of the most common entry points for hackers in organizations of all sizes is stolen credentials through social engineering.
- Encourage caution for remote workers – The pandemic thrust many organizations into remote working environments where security was shifted off-premises. With employees using personal devices and at-home Wi-Fi, the cyber risk to digital business assets suddenly skyrocketed. For organizations with remote workers, it is important to remind them to always secure their emails, to avoid using free public Wi-Fi and to use a VPN when and wherever possible.
Cyber Defenses on a Budget
Small businesses and other resource-strapped organizations can shore up cyber defenses and protect against new and emerging threats with simple best practices like having good password hygiene, deploying simple solutions that include multiple capabilities and prioritizing cybersecurity within their company. These steps are key to maintaining a strong security posture, even while on a budget.
Darren Guccione is an entrepreneur, technologist, business leader, as well as the CEO and co-founder of Keeper Security, the leading provider of zero-trust and zero-knowledge cybersecurity software used globally by millions of people and thousands of businesses. Guccione is actively involved in fostering a culture of innovation in his field, having served as an advisor and board member with multiple technology organizations, as well as an advisor for two Chicago mayors. Guccione was named the 2022 Editor’s Choice CEO of the Year and 2020 Publisher’s Choice Executive of the Year by Cyber Defense Magazine’s InfoSec Awards, as well as Cutting Edge CEO of the Year in 2019.