Cyber security for small businesses: Online security checklist
Posted: Tue 7th Sep 2021
Cyber security should be high on any small business owner's list of priorities. Here's a brief guide on how to protect your business from cyber threats.
Why do small businesses need cyber security?
Like many small businesses, you're running on limited resources. This can mean you lack the time or budget to prioritise security measures to the same degree as you would other tasks.
As a result:
maintaining cyber security becomes part of an individual's role rather than a dedicated position
training and software fall out of date
data security becomes an afterthought
Improving security doesn't necessarily mean going to huge expense. However, it does need to be a focus if you're to avoid becoming the next victim of a cyber attack.
By adopting certain cyber-security best practices, you can improve both your protection and your company culture when it comes to implementing effective security measures.
What is the best practice for small business cyber security?
Create a cyber protection policy
The purpose of creating a cyber protection policy for your small business is to outline the resources and actions you need to protect your data and make sure your business can continue operating if the worst happens.
As a result, your staff will be better informed and able to take appropriate action to prevent attacks. Your customers or clients will also feel reassured that they're working with a company that takes data protection and online security threats seriously.
To make sure cyber security policies become a part of your business's culture, you should:
document them thoroughly
support them with schedules and checklists to make sure the new processes are implemented and that staff are aware of their responsibilities
Here is a cyber security policy template to get you started.
Review access permissions
A simple but effective security measure is to restrict access permissions to shared files and essential applications. This is called access control.
You should only provide access to those employees who need it for their work. By the same token, you should revoke that access when the staff member no longer needs it. This means that no-one should have blanket admin privileges based purely on their seniority within the business.
What does it mean to restrict access permissions?
Limiting physical access to facilities and other physical assets (for example, a key card to unlock a door)
Implementing best practices when sharing documents with people outside the business
Establishing processes for revoking access as soon as an employee leaves or a contract ends with a freelancer or other third-party
Access control limits the risk of people without the proper authorisation getting access to your systems. It also forms a foundational part of information security, data security and network security.
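One way to run the access review described above, as an added example that is not part of the original article: the script compares a list of access grants against the current staff roster and flags grants to revoke (leavers, ended contracts) or justify (admin rights with no recorded need). The names, resources and data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample roster (an assumption, not from the article):
# current staff and contractors, with a contract end date where one applies.
ROSTER = {
    "asha":  {"role": "bookkeeper",         "ends": None},
    "ben":   {"role": "director",           "ends": None},
    "carla": {"role": "freelance designer", "ends": date(2021, 8, 31)},
}

# Constructed sample grants: who can reach what, at which level, and why.
GRANTS = [
    {"user": "asha",  "resource": "accounts-share", "level": "edit",  "reason": "monthly bookkeeping"},
    {"user": "ben",   "resource": "accounts-share", "level": "admin", "reason": ""},
    {"user": "carla", "resource": "brand-assets",   "level": "edit",  "reason": "logo redesign"},
    {"user": "dev",   "resource": "crm",            "level": "view",  "reason": "sales support"},
]


def review_access(roster, grants, today):
    """Return (user, resource, finding) tuples for grants to revoke or justify."""
    findings = []
    for g in grants:
        person = roster.get(g["user"])
        if person is None:
            # The account belongs to someone who is no longer with the business.
            findings.append((g["user"], g["resource"], "revoke: not on current roster"))
            continue
        if person["ends"] is not None and person["ends"] < today:
            # Freelancer or third party whose contract has already ended.
            findings.append((g["user"], g["resource"], "revoke: contract ended"))
            continue
        if g["level"] == "admin" and not g["reason"].strip():
            # Admin rights need a documented need; seniority alone is not one.
            findings.append((g["user"], g["resource"], "justify: admin with no recorded need"))
    return findings


if __name__ == "__main__":
    for user, resource, finding in review_access(ROSTER, GRANTS, date(2021, 9, 7)):
        print(f"{user:6} {resource:15} {finding}")
```

Running a check like this on a schedule, with the roster exported from payroll or HR records, turns the revocation process into a routine task rather than something remembered after the fact.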
Back up your data
Making sure all your data is backed up is particularly important for avoiding ransomware attacks.
A ransomware attack is when a hacker steals and encrypts your data and prevents you from accessing it. They then demand a fee to restore your access, and threaten to destroy the data if you don't pay.
With no guarantee that they'll return the data in a usable state, your business faces a dilemma and could end up paying a ransom and dealing with downtime it can't afford.
Cloud services such as Dropbox, Google Workspace and Microsoft Office 365 are popular options for backing up data. Not only does the cloud allow you to access documents from anywhere, but the security these services offer is likely to be far more sophisticated, making them an affordable way to significantly improve data security.
Consider remote working risks
Adding more points of entry to a network increases the potential risk of a breach because there are more angles for cyber criminals to exploit.
With that in mind, the recent shift towards non-traditional office working could be seen as a concern – though the concept of remote working has been growing in popularity for many years.
You should include a bring your own device (BYOD) policy in your data security best practices. This helps make sure that all employees maintain a high level of security on any device they use to access the company's documents and network – from installing security software to applying patches as soon as they are available.
What cyber security software and tools should I use?
There are so many security tools available, it can be hard to identify which ones are essential and worthy of your investment. Here are some of the main tools to consider to keep your small business protected.
Virtual private network (VPN)
A VPN is an encrypted 'tunnel' through which your data can travel without third parties being able to view it or trace it back to your IP address.
Using a business VPN is extremely important for any modern company that has a flexible and mobile workforce. It helps protect your business data by keeping your company network and internet connections secure.
Small businesses typically lack a large IT and cyber-security budget, so VPNs are a good fit: they are a low-cost solution that is cheap to set up and maintain.
Firewall
A firewall is a vital first line of defence that provides a barrier between your network and cyber attacks. You should include it as a measure in any BYOD or remote working policies you create.
This important tool prevents unauthorised connections and malicious software from entering your network. It monitors incoming and outgoing traffic, and if a computer or program outside your network tries to gain access, the firewall decides what to block or allow (according to the rules you've set up).
Again, this is very beneficial if your business has remote workers who need to securely connect to your network from outside locations.
Antivirus software
Antivirus software creates an extra layer of security. Even if malware manages to get to your or your employees' computers, you'll have something in place to detect and remove it before it disrupts the whole network.
This software works not only by detecting and removing viruses, but also by securing your data against various attacks. For example:
web security tools can help prevent phishing attacks and block malicious websites
anti-ransomware tools can protect the data on your devices from being encrypted and held to ransom
As a small business, you might find it more difficult to recover from a large-scale attack than a major company with an in-house IT department would. As a result, protecting company data with a comprehensive cyber-security solution is essential.
A word on software updates
Software can only ever be at its most effective if it's regularly updated to account for new vulnerabilities or types of attacks.
Making sure every device – from printers and laptops to smartphones – has the latest patches and updates applied could be a daunting task for a large enterprise, but is very achievable in a small or mid-sized business.
Communal devices, like servers, should be updated by the staff members who manage IT security as part of their role, while other employees should be responsible for their own devices.
Enforcing this responsibility through training and the company security policy helps make sure that known software vulnerabilities don't result in a data breach you could otherwise have prevented.
About Avast Business
Avast Business provides simple yet powerful security solutions for SMBs and IT service providers. Backed by one of the largest, most globally dispersed threat detection networks, the Avast Business security portfolio makes it easy and affordable to secure, manage, and monitor business devices.
The result is superior protection that businesses can count on. For more information about our managed services and cybersecurity solutions, visit www.avast.com/business.