Cyber security can be an expensive old game. There’s so much fear and misinformation out there that a worrying number of organisations end up spending over the odds for a level of cyber security they really don’t need.
Naturally, investing in a few extra user accounts or a slightly better package to allow for business growth and change is OK. But for most micro business use cases, there’s really no need to break the bank – there are a surprising number of security options open to you, either for free or for the now rather trite “cost of a coffee per head, per month”.
So here are 14 ways that micro businesses can stay cybersecure without breaking the bank.
Cyber Security: A Game of Chance
Regardless of its price, no solution will ever protect you 100% from cybercrime. Good cyber security is all about reducing your chances of a successful infection or attack as much as possible with the money, resources, and processes you have to hand.
True, more expensive tools generally provide much better odds of fending off an attack, but a surprising amount can be done with simple things like good policies, inexpensive products, and staff training. In fact, a lot of cyber security involves good old-fashioned common sense.
We recommend that every business invest what it can in cyber security as soon as it is able. But in the meantime, there are a number of things that you can do to minimise your risk.
Explore Cyber Awareness Training
Cyber security training is a great investment, whether it’s through live training sessions or habit-building/training products like PhishAware. But good cyber security training doesn’t need to come from the likes of us. There are a number of good habits that you and your team can form in house to improve security.
Phishing is the most common attack vector that businesses face right now. With this in mind, the most important habit to instil in your team is heavy scepticism towards unsolicited emails and messages, especially those requesting information, money, or a change in login credentials.
If the request purports to come from a person or an organisation personally known to the recipient, double check with them by phone that the request is genuine before taking action. If the request comes from a large brand like Microsoft or Adobe, then encourage your team to not click on links in the email and instead log in to their account using the brand’s official URL to check whether the issue is genuine.
There are other cyber-aware habits that you can work on forging with your team too, like locking your PC screens when popping away from your desk; regularly updating software; checking that the padlock symbol is present (i.e. the connection uses HTTPS) when visiting unfamiliar websites; and liberal use of anti-malware scanning!
Use the Principle of Least Privilege (POLP)
This is a remarkably simple practice but it can really save your bacon in the long run. Make sure that each team member only has the bare minimum access privileges to let them do their job and nothing more. This way, if their accounts do become compromised, the hackers’ access will be limited to that individual’s permissions.
Understandably, this means that those with full admin permissions need to be extra cautious. POLP is great but it should be used alongside good training and habit-forming throughout – from directors to entry level staff.
Diarise a regular user account check-in to make sure that everyone’s permissions provide just enough freedom for them to fulfil their role – especially in times of change and upheaval where roles have changed suddenly.
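The regular account check-in described above can be made mechanical. The following is an added example, not code from the original post: it compares each account’s granted permissions against a hypothetical role-to-permission map over a constructed user export, flagging excess rights (the typical leftover after a sudden role change) and any account still holding admin rights.

```python
# Added example (not from the original post): a least-privilege check over a
# constructed user/permission export, as run at a regular account review.
from dataclasses import dataclass

# Hypothetical role definitions: the maximum permissions each role needs to do the job.
ROLE_PERMISSIONS = {
    "sales":    {"crm:read", "crm:write", "email"},
    "accounts": {"finance:read", "finance:write", "email"},
    "director": {"crm:read", "finance:read", "email", "hr:read"},
    "it_admin": {"admin:users", "admin:devices", "email"},
}


@dataclass
class Account:
    user: str
    role: str
    granted: set  # permissions currently assigned to the account


def find_excess(accounts):
    """Return {user: sorted excess permissions} for accounts holding more than their role allows.
    An unknown role is allowed nothing, so every granted permission is reported."""
    excess = {}
    for acct in accounts:
        allowed = ROLE_PERMISSIONS.get(acct.role, set())
        extra = acct.granted - allowed
        if extra:
            excess[acct.user] = sorted(extra)
    return excess


def find_admins(accounts):
    """List users holding any admin:* permission; these accounts need extra scrutiny."""
    return sorted(a.user for a in accounts if any(p.startswith("admin:") for p in a.granted))


# Constructed sample: 'dave' moved from IT admin to sales but kept his admin rights,
# and 'bob' in accounts has picked up a CRM write permission he does not need.
SAMPLE = [
    Account("alice", "sales", {"crm:read", "crm:write", "email"}),
    Account("bob", "accounts", {"finance:read", "finance:write", "email", "crm:write"}),
    Account("dave", "sales", {"crm:read", "email", "admin:users", "admin:devices"}),
    Account("erin", "it_admin", {"admin:users", "admin:devices", "email"}),
]

if __name__ == "__main__":
    for user, extra in find_excess(SAMPLE).items():
        print(f"{user}: revoke {', '.join(extra)}")
    print("admin accounts to review:", ", ".join(find_admins(SAMPLE)))
```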
Keep “3, 2, 1” Backups
Backups are great business continuity practice. They provide a failsafe in cases of accidental deletion, data loss due to hardware failures, and ransomware infection.
Backing up each week’s work onto a pen drive every Friday afternoon is unlikely to take more than 5 minutes (unless you’re working with particularly large image or video files). Alternatively, automatic cloud backup services can be sought relatively inexpensively and provide an off-site, low-effort backup method.
We recommend the 3, 2, 1 backup method: 3 backups, kept on 2 different kinds of backup media (e.g., cloud and a portable hard drive), 1 of which is kept offline – and preferably offsite – when not in use.
Encrypt PCs & Backups
What would happen if a laptop with crucial company information on it was lost or stolen? Well, if that device’s drive(s) weren’t encrypted, then that data might end up winding its way to the dark web! Losing the device itself is bad enough, but if you keep the drive encrypted then at least you know the data is safe from prying eyes.
Encrypting a drive is as easy as using a tool like BitLocker that comes with Windows 10. Other third-party solutions are available and may come in handy for non-Windows devices and/or backup drives.
Take Care Around Wireless Connectivity
WiFi is a modern marvel but don’t let its convenience fool you. It can also be a cybersecurity minefield – as explored by our colleagues over at Just Firewalls.
Though some kind of Wireless Intrusion Prevention System is ideal, there are still some basic security measures you can put in place without spending a single penny. Firstly, ensure that your WiFi network is using the strongest possible encryption method available – WPA3 is now available on modern routers.
However, WiFi isn’t the only issue here. Bluetooth can also be used to compromise mobile devices and communications, steal data, and eavesdrop on calls. So, switch Bluetooth off in public and don’t accept unsolicited Bluetooth files from strangers!
Use Windows Defender
We know that in previous years, recommending people use Windows Defender would be met with hoots of derision – and we’d be hooting along with them! However, Windows’ in-built antimalware solution is now stronger than ever.
Because it comes rolled in with Windows, it can be highly effective at spotting unwarranted registry and app changes, can remove malware from Windows Recovery Environment, protects in real time, and it’s totally free – without ads or nagging messages (yet…)!
Once you can upgrade to something like Sophos Endpoint Protection then we encourage you to do so, but Defender is now at a level where it can be sufficiently relied upon by most businesses while you save up your cyber budget.
Consider Managed Detection & Response (MDR)
Employing your own IT security specialist is an expensive game, especially for a small team. However, what if we told you that you could effectively employ your own security team for pennies a day? It sounds too good to be true, but that’s pretty much what you’re getting when you invest in Managed Detection & Response tools like Huntress.
Simply purchase a Huntress licence for each of your team’s Windows endpoints, install Huntress on each endpoint, and their team of cybersecurity experts can monitor those endpoints – even uncovering things that may seem invisible to the user. If the Huntress team does pick up on something fishy, they will get in touch with remedial action ASAP.
Invest in DNS Filtering
Firewalls are seen as an essential part of security – and don’t get us wrong, they are – but hardware firewalls can be quite expensive for micro businesses or startups. However, there is a low-cost, no-hardware solution that is both ideal for small businesses and for those who work on the move: DNS filtering.
The DNS filtering solution that we offer provides a decent analogue to firewalling: it blocks access to known dangerous links, filters unproductive content, and provides extensive usage logs and reports. Because it doesn’t rely on hardware, it can be used to keep your team safe both in the office and on the road.
We recommend upgrading to a firewall whenever you are able, but DNS filtering products can offer comparable protection for a much smaller price tag.
Use Multi-Factor Authentication (MFA)
Unfortunately, valuable usernames and passwords are remarkably easy to phish for: hackers merely need to send a phishing email purporting to come from the service provider in question, asking people to change their password via a specific link; forward them to a dummy, credential-harvesting login page; and hoover up their legitimate login details.
However, there is a failsafe that companies can apply: multi-factor authentication. This requires users to present a further identifying factor on top of their username and password at each login. If a username and password are compromised, hackers will still not have access to the account without that additional factor, and users can change their password and re-secure their account without suffering any effects of the compromise.
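To make the MFA point concrete, here is an added example (not code from the original post) of a login check that requires a password and a time-based one-time code (RFC 6238 TOTP, the scheme used by authenticator apps). The user record, salt, password and Base32 secret are constructed for the demonstration; a phished password alone is rejected.

```python
# Added example (not from the original post): password + TOTP login check.
import base64, hashlib, hmac, struct, time


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


# Constructed user record: a salted password hash plus the enrolled TOTP secret.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Correct-Horse-42", SALT, 100_000),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed Base32 secret
    }
}


def login(user, password, code=None, now=None, window=1):
    """Return True only when the password AND a currently valid TOTP code are presented."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False
    if code is None:
        return False  # a phished password alone is never enough
    now = int(time.time()) if now is None else now
    # Accept the current 30-second step and one either side to tolerate clock drift.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(rec["totp_secret"], now + drift * 30), code):
            return True
    return False
```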
Use Password Managers
It’s good cyber-sense to keep different, complex passwords for each of your different logins. But even those with incredible memories can’t possibly remember all passwords needed on a day-to-day basis.
Simply saving all of your passwords in a basic text file is risky, though. If a hacker happens across that file, they would potentially have control over all of those accounts (or the ones unprotected by MFA, at least).
Password managers are the solution to this problem. They keep all of your passwords saved in an encrypted format and can incorporate their functionality into your web browser, offering to save new passwords and to suggest strong, randomly generated ones.
Keep Your Software Updated – Or Use Web-Based Software
Hackers make it their job to find security holes in installed software and weaponise them before a fix exists (so-called “zero-day” vulnerabilities). The software’s creators will generally close off each vulnerability with an update, making the software as secure as it can be for the time being. Then the hackers hunt for further security holes to exploit in the newer version and the cycle begins anew.
This is just as true for widely used software like Office 365 and Zoom as it is for software that has been developed just for you. Therefore, it’s essential to keep any installed software up to date and to only use software that is actively maintained and updated.
An alternative solution to this – especially for general productivity software – is to lean more towards web-based software wherever possible. Instead of installing the software locally, you can access productivity tools, video conferencing, and accounting software all through your browser. Just keep your browser up to date and make sure the provider is actively updating the browser-based software too.
Establish an IT & Cybersecurity Policy
Now this tip’s just good practice regardless of a business’s size. This should be an HR-vetted document that contains all of the internal “dos and don’ts” of using your network and devices, with a view to maximising security and functionality.
To know that everyone has at least laid eyes on your IT policies, you may want to have each member sign to say they’ve read the policy. You could even incorporate it into employee handbooks and contracts.
Policies can include guidance around acceptable use, access control, password policies, as well as instructions around remote working. You can also consider the policies below…
Enact Onboarding & Offboarding Policies
We recommend having defined policies around what happens when you bring on new staff and when you part ways with team members too.
Onboarding policies can include things like establishing logins for software tools the team members are going to use; assigning them mobile hardware if needed; making sure they receive your IT and cyber training; and having them read and acknowledge any IT and security policies.
Offboarding policies are just as important, if not more so. You need a process to revoke all IT access from outgoing staff; to collect any company hardware from them; to remove and appropriately forward their email address(es); to change any shared passwords they used; to revoke their MFA access; and to make sure that leavers haven’t left any unpleasant surprises on your social media channels!
Create a Cyber Incident Response Policy
What would you do if you suffered a cyber attack today? Panic? Or do you have a plan? Needless to say, the latter is preferable.
You should start with a risk assessment. Examine where your weaknesses are: How cyber-aware are your team? How well secured is your customers’ data? What are your most tempting data resources and what would you do if they were stolen, leaked, or deleted? How well defended is your network?
Next, how are you going to identify that an attack has happened? How will you determine the scope of an attack? What data and resources are at stake? What will you do in the immediate 30 minutes after detecting an attack, and beyond?
Think of all of the possible attacks that could come your way and make a plan for what happens in the case of minor, moderate, and severe attacks.
Do you have cyber security experts on speed dial that you can call on in cases of cyber-calamity? Don’t leave it ‘til it’s too late – talk to us now for experienced cyber-risk assessment and incident response services.