Because of their size, small companies are especially vulnerable to cyber-attacks. Bad actors looking for quick wins are playing the odds that a small company has lax cybersecurity. That should be reason enough to start taking a closer look at the policies you have in place. But, if it’s not, consider this: Larger companies that want to do business with you also have concerns about your small business’s security maturity. Before they sign any long-term contracts, many want to know that you have a security program in place to protect their assets and interests.
Even when small companies are convinced that they need to set up a security program, many are unsure of where to begin the process. You probably have a general understanding of security, such as the need for anti-malware software on your network and strong passwords. But there's more to it than that, and we can help you identify some quick wins that will improve your security posture instantly.
START DEFINING CORE SECURITY POLICIES.
Start by defining some core IT security policies. A security policy is your company's formal position on a specific security issue. For example, you may establish a security policy that all users on your network need a unique identity. The policy doesn't specify how you'll execute that, but it does provide a roadmap of what needs to be done.
You don't have to write each IT security policy from scratch. There are information security policy templates available (free and paid; check out ours here) that you can use to get started. You don’t need to write a security policy for every security issue. Start with a few security policies as a foundation for a broad but strong security program.
ELEVATE YOUR PASSWORD MANAGEMENT AND ACCESS CONTROL.
Training employees to create complex passwords is one option to manage network access, but it's not the most secure. Humans are a notoriously weak link in cybersecurity.
Here are a few better options:
- Use a company-wide password manager tool. People only need to create and remember one complex passphrase, which lowers the risk of written-down password lists. The password manager handles creating and remembering complicated passwords. It provides an added layer of security because it will only autofill on the stored website URL. It won't get fooled by a fraudulent, look-alike website the way humans can. There are plenty of password manager options, such as BitWarden, Dashlane, and LastPass.
- Require multi-factor authentication (MFA). MFA uses logins and passwords, plus one more piece of authentication (usually a temporary code) before granting access. If a login and password are compromised, access to the resource will be denied without the additional authentication code. Setting up MFA is easy, especially with free MFA apps like Authy or Google Authenticator.
- Use single sign-on (SSO). You probably use SSO for personal apps already. Any service that lets you use your Google or Facebook sign-on to log on is using SSO. SSO provides security by keeping a person's source identity in as few systems as possible. Using SSO also simplifies managing active and inactive users. When someone separates from the company, disabling their login credentials in the source system will keep them out of any and all connected systems.
These are not mutually exclusive options to elevate password security. Taken together, they provide a simple, secure access control framework.
SCHEDULE REGULAR SCANS TO IDENTIFY VULNERABILITIES.
There are two different types of scans you should run. The first is a monthly user audit. This audit clarifies who has access to what systems and data. Early on, when your company only has three people, it's easy to keep track of your users. As you grow and people start to leave, a monthly user audit becomes necessary.
The monthly user audit documents who has access to which systems and with what permissions. The audit will ensure that only people who should have admin rights to a system have them. It will also show if people have access to systems they shouldn't or whether former employees still have active credentials. You can automate user audits with an access rights management tool.
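As an added example (not from the original article), here is a small Python script that runs the two checks the audit describes, flagging enabled accounts of people no longer on the staff roster and admin rights held by users who are not on the approval list. The access export, roster, system names and approval list are constructed, hypothetical data.

```python
# Constructed sample data: an access export from a hypothetical set of systems
# and the HR roster of current employees. Nothing here is real.
ACCESS_EXPORT = [
    # (username, system, role, account_enabled)
    ("alice", "crm", "admin", True),
    ("alice", "git", "user", True),
    ("bob", "crm", "user", True),
    ("bob", "billing", "admin", True),   # bob was never approved as billing admin
    ("carol", "git", "admin", True),
    ("dave", "crm", "user", True),       # dave left the company last month
    ("erin", "billing", "user", False),  # erin's account is already disabled
]
CURRENT_STAFF = {"alice", "bob", "carol", "erin"}
# Hypothetical approval list: who may hold admin rights on each system.
APPROVED_ADMINS = {"crm": {"alice"}, "git": {"carol"}, "billing": set()}


def audit_access(export, staff, approved_admins):
    """Return the findings a monthly user audit should surface.

    - 'former_employee': an enabled account belonging to someone not on the roster
    - 'unapproved_admin': an admin role on a system where the user is not approved
    """
    findings = []
    for user, system, role, enabled in export:
        if enabled and user not in staff:
            findings.append(("former_employee", user, system))
        if role == "admin" and user not in approved_admins.get(system, set()):
            findings.append(("unapproved_admin", user, system))
    return findings


def summarize(findings):
    """Group findings by type so the output reads like the audit document."""
    summary = {}
    for kind, user, system in findings:
        summary.setdefault(kind, []).append(f"{user}@{system}")
    return summary


if __name__ == "__main__":
    report = summarize(audit_access(ACCESS_EXPORT, CURRENT_STAFF, APPROVED_ADMINS))
    for kind, items in report.items():
        print(f"{kind}: {', '.join(items)}")
```

In practice the export would come from each system's user list (or an access rights management tool) and the roster from HR; the checks stay the same.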
The other regular scan you need to run is a network vulnerability scan. The most critical network scan covers all externally accessible resources. External scans aren't just for companies that host their own web servers. The cloud-based services you rely on are externally exposed resources too. As your network expands, your network scan should also expand to cover internal devices. The network scan will identify potential issues on the network that need remediation. These could be vulnerable devices or suspicious activity.
One common vulnerability found is unpatched software. Staying current with security patches is critical. By definition, the security patch addresses a known vulnerability. That's exactly the sort of entry point bad actors will exploit. Is there some forgotten, unpatched computer on your network that nobody uses? That's the entry point to your network. You can run a daily patch scan with an automated patch management tool.
ORGANIZE YOUR DATA INTO SECURITY TIERS.
A core security policy is how you define the security level for different kinds of data. Typically called "tiers," each data tier defines the type of data included, who can access data in that tier and where it can be stored.
There's no fixed number of tiers. A simple place to start is with a three-tier system. The top tier covers your most sensitive data. This is data that you have a legal obligation to protect. The middle tier can include sensitive internal data. This is data that shouldn't be shared publicly or company-wide. Think employee salaries or strategic planning documents. The lowest tier is publicly available data.
These tiers can become more granular as your data scope and internal community grow. Your data categorization and management will be especially critical when partnering with larger organizations. If your company will have access to their customer data, you'll need internal controls that protect it.
USE BUSINESS SOLUTIONS THAT PROVIDE SECURITY OUT-OF-THE-BOX.
You're not in the business of designing security protocols—so use business solutions that embed security into their service. Many of the cloud-based services small businesses use come with some security built in. This includes email services, like Google and Microsoft 365, and storage services like Amazon S3 or Dropbox.
In some cases, the service can shoulder the full security responsibility by shielding you from the sensitive data. For example, there are specific data security requirements for managing credit card data. Services like Square and Stripe process the payments and you never see the credit card data. Consequently, you have no credit card data to secure.
ESTABLISH A RESPONSE PLAN AND ESCALATION PROCESS.
Don't get caught unprepared when a security incident occurs. Define different levels of security incident and what the escalation process is for resolution. Your plan needs to specify who is responsible for handling incident response and who else is involved in the discussions. You want a known group of decision-makers to assess the situation and formulate a specific response and communication plan—quickly.
KEEP ROLLING AFTER YOU GET YOUR QUICK SECURITY WINS.
These are all valuable places to start to raise your company's security posture quickly. Use them to build momentum towards designing a comprehensive security program and a path towards greater security maturity. Here's a list of 21 things your company can do quickly to make your security posture even stronger.