"Rome wasn't built in a day, but it burned in one." - classic Italian saying
While the saying is familiar, it isn't confined to antiquity. In fact, it is extremely relevant today when it comes to cybersecurity for small to medium-sized businesses. "Rome", in this case, is your business, and "burned" is your business getting destroyed by hackers.
See, these days it's nearly impossible to stay off of the internet. We use it for entertainment, to stay connected in our social lives, to look things up, and of course, for business.
From email and running a website to storing and managing valuable personal and company data, every day more and more of our business operations are moving online and...so are the criminals.
Small and medium-sized businesses are a prime target for cyber-criminals, and when they're successful, the results can be devastating.
In fact, a whopping 61% of data breach victims are businesses with fewer than 1,000 employees. The average cost to fix it? $1,100,000. Understandably, 60% of those businesses close within 6 months of being breached.
Like I said: Devastating.
The good news? You don't have to be another victim.
Most breaches are completely preventable and with the right forethought and planning, you can turn your company into a fortress the cybercriminals wouldn't even dare attempt to breach! How? We will show you!
Here are the Top 9 Cybersecurity Tips for your small or medium-sized business from our CEO and CIO, Bruno Lecoq, to help you conduct business securely and keep your valuable data safe.
Tip #1: Use Multi-Factor Authentication (MFA)
One of the simplest, yet most powerful ways to stay secure and prevent cyberattacks is to use Multi-Factor Authentication, or MFA for short.
As the name implies, MFA requires you to use multiple different methods in order to gain access to your account or information.
For example, let's say that you enter your username and password on a website to log in to your account. With MFA, that alone is no longer sufficient to gain access. Instead, you may also have to enter a specific code that was sent to your phone before you can get into that account.
As you can probably guess, that dramatically boosts your cybersecurity because cracking your password remotely is no longer enough for a hacker to get in. Since they don't have access to your phone and to that specific code, access is denied.
There are many ways to implement Multi-Factor Authentication, but the most common way is to utilize apps such as Microsoft Authenticator, Google Authenticator, or Duo Authenticator.
Now, having to use Multi-Factor Authentication each and every time you log in is a great way to improve the cybersecurity of your small or medium sized business, but it can also be a bit annoying for you or your users so...
To get around this, you can instead implement MFA with conditional access.
This means that you will only have to use MFA when you are outside of the normal conditions of your logins.
For example, if you typically work from home every day on your computer, you won't have to use MFA to log in. But if now all of a sudden you're traveling and working from your laptop at an airport, the system will require you to use MFA to log in because it is outside of the norm of your usage and could potentially be a hacker trying to gain access to your account.
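A simplified model of the conditional access decision described above, added here as an illustration (not code from BEMO or from any MFA product): it learns each user's usual devices and networks from past sign-ins and asks for MFA only when a login falls outside that norm. The history records, the names and the min_seen threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sign-in history (user, device, network); not real log data.
HISTORY = [
    ("alice", "home-pc", "home-isp"),
    ("alice", "home-pc", "home-isp"),
    ("alice", "home-pc", "home-isp"),
    ("alice", "laptop", "home-isp"),   # seen once: not yet part of the norm
    ("bob", "office-pc", "office-lan"),
    ("bob", "office-pc", "office-lan"),
]


def build_baseline(history, min_seen=2):
    """Per user, keep the devices and networks seen at least min_seen times."""
    counts = defaultdict(lambda: {"device": Counter(), "network": Counter()})
    for user, device, network in history:
        counts[user]["device"][device] += 1
        counts[user]["network"][network] += 1
    return {
        user: {kind: {v for v, n in seen.items() if n >= min_seen}
               for kind, seen in kinds.items()}
        for user, kinds in counts.items()
    }


def decide(baseline, user, device, network):
    """Return (decision, reasons); anything outside the norm requires MFA."""
    known = baseline.get(user)
    if known is None:
        # No history means no norm to compare against: fail closed.
        return "require_mfa", ["no sign-in history"]
    reasons = []
    if device not in known["device"]:
        reasons.append("unfamiliar device: " + device)
    if network not in known["network"]:
        reasons.append("unfamiliar network: " + network)
    return ("require_mfa" if reasons else "allow"), reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for attempt in [("alice", "home-pc", "home-isp"),
                    ("alice", "laptop", "airport-wifi"),
                    ("carol", "home-pc", "home-isp")]:
        print(attempt, decide(baseline, *attempt))
```

The returned reasons are worth logging alongside the decision, since a run of MFA prompts from unfamiliar networks for one account is itself a signal to investigate.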
No matter how you slice it, if you only take one thing away from these tips, let it be this: Use Multi-Factor authentication (MFA)!
Tip #2: Use a Password Vault
Let's face it, we have a lot of accounts these days.
An account for email, an account for LinkedIn, an account for Facebook, an account for this tool or that tool. The list goes on and on.
And with a lot of accounts comes a lot of usernames and passwords.
So what do most people do? They either use super simple passwords and reuse the same passwords over and over or use the same password with one little difference here and there. It's easier and who's going to guess the name of my pet hamster in 3rd grade anyway, right?
For starters, any hacker can crack an 8-character password in under 3 hours. And if you're using the same password over and over again, that's bad news.
As if that wasn't enough to sway you, consider this: 81% of cybersecurity breaches occur due to weak or stolen passwords. And judging by the data we've seen, most passwords out there are definitely weak.
So what should you do?
Use a password vault!
With a password vault, you can generate unique usernames and passwords of random numbers, letters, and symbols that are then saved within the vault for each particular website that corresponds to those login credentials. Then when you go to log in on a particular website, the password vault will auto-fill your username and password.
Not only is this much more secure than using your own passwords over and over, but you don't have to remember any of them or go fishing for that sticky note you scribbled your password on 3 years ago (please don't use this approach!).
At BEMO, we use Keeper as our password vault, but the point is clear: Get a password vault and use it! With a password vault and multi-factor authentication (MFA), your company is well on its way to being cyber secure.
Tip #3: Keep Your Software and Systems Up to Date
If you're anything like me, you hate when you're in the middle of working on something and you get that annoying little pop-up in the corner of your screen telling you it's time to do a system update.
And if you're anything like me, your first instinct is to exit out as soon as possible so you can continue about your business as usual.
"Oh, I'll just do it later," you think. Until later comes and the process repeats itself, right?
When your system prompts you to do an update, it's not just to lighten the shade of blue they're using on the menu bar. There's a lot going on behind the scenes being worked on and improved, including things to make you more cyber-secure.
There have been numerous cases of organizations that have postponed their OS (operating system) updates only to find out that they've been the target of a cybersecurity attack and gotten their data stolen.
How do you or your company manage software updates?
It's okay to postpone for a little while to reach a stopping point in your work, but don't keep postponing indefinitely because you simply don't want to wait for your system to update. The main takeaway: It's a necessary inconvenience, unfortunately. That being said, you can make it as pain-free as possible.
Do it while you're on a break or at the end of the workday, or if you're in charge of company IT, you can push a mandatory update at a designated time to ensure that the updates are taken care of and not allowed to be postponed by the little procrastinator in us all. This is what we do at BEMO and it has worked incredibly well for us.
No matter how you or your company decide to handle it, just make sure you handle it!
Tip #4: Control Access to Your Systems
This tip may seem like an obvious one, but it's for that reason that it's so important not to forget.
Who has access to your systems? And which systems do they have access to?
It's not uncommon for former employees to still be connecting to the systems long after they've gone or for different employees to have access to folders, files, or systems that they have no business being able to access.
You should be periodically reviewing who has access to your systems and regulating access according to who should or should not be able to access them. You might just be surprised when you check your log and find out that a user who doesn't belong has accessed the system (and that's not the type of surprise anyone wants)!
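One way to run the periodic review described above, as an added example (not BEMO's own tooling): it compares the account list with the current staff roster and flags enabled accounts that belong to people who have left, match no employee, or have gone unused. The rosters, field names and 90-day threshold are constructed for the example.

```python
from datetime import date

# Constructed sample data; field names are assumptions for this example.
ACTIVE_STAFF = {"alice", "bob", "erin"}
DEPARTED = {"dave": date(2024, 3, 1), "frank": date(2024, 1, 15)}  # last working day
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_sign_in": date(2024, 6, 10)},
    {"user": "bob", "enabled": True, "last_sign_in": date(2024, 1, 5)},
    {"user": "dave", "enabled": True, "last_sign_in": date(2024, 5, 20)},
    {"user": "frank", "enabled": False, "last_sign_in": date(2024, 1, 14)},
    {"user": "svc-scanner", "enabled": True, "last_sign_in": None},
    {"user": "erin", "enabled": True, "last_sign_in": None},
]


def review_access(accounts, active_staff, departed, today, stale_days=90):
    """Return sorted (user, finding) pairs for enabled accounts needing action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, so it cannot sign in
        user, last = acct["user"], acct["last_sign_in"]
        if user in departed:
            if last is not None and last > departed[user]:
                findings.append((user, "signed in after leaving"))
            else:
                findings.append((user, "left but still enabled"))
        elif user not in active_staff:
            findings.append((user, "no matching employee"))
        elif last is None or (today - last).days > stale_days:
            findings.append((user, "unused for over %d days" % stale_days))
    return sorted(findings)


if __name__ == "__main__":
    today = date(2024, 6, 15)
    for user, finding in review_access(ACCOUNTS, ACTIVE_STAFF, DEPARTED, today):
        print(f"{user:12} {finding}")
```

A "signed in after leaving" finding calls for more than disabling the account: the sign-in itself needs to be investigated.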
Tip #5: Ensure Your Endpoint Protection
In the past couple of years, there has been a huge push for companies to allow their employees to work from home using their home computers. This has been a great thing in many ways, but it's also introduced umpteen opportunities to put your company at risk if you're not careful.
For example, how do you know if your employees are using a secure device?
Are they up to date on their Operating System?
Do they have the latest antivirus installed?
Are they using a secure connection?
Do they have a virus already that could enter into your network and wreak havoc?
Furthermore, how do you know that your employee is not downloading confidential documents or data to their personal device?
Whether you use company-owned and managed equipment or implement personal and corporate device policies and systems, the fact remains: You have to ensure your endpoints are protected!
Here at BEMO, we have a policy for personal and corporate devices for everyone on the team. You can only connect to BEMO's network if your device is enrolled within our network, your OS and antivirus are up to date, and your device is connected via our secure VPN. And, if by chance one of the devices is lost or stolen, we are able to remotely wipe the company data from the device.
Don't leave the cybersecurity of your SMB up to chance. Have a plan and implement it!
Tip #6: Secure Your Wifi Connection
If you're ever traveling and working from an airport, hotel, or local coffee shop, chances are you're going to be using their wifi for your internet connection.
Connecting to public wifi like this may be convenient, but it's also a good way to get your information stolen if you're not careful.
To use public wifi securely, you should always use a VPN.
A VPN, or Virtual Private Network, establishes a secure connection and encrypts your data and internet activity so that you aren't an easy target for hackers and other cybercriminals.
At BEMO, we use Perimeter81 as our VPN, but there are a wide variety of options available to serve as your VPN provider. Never connect to public wifi without it! If you're curious about Perimeter81, schedule a meeting to discuss adding it to your security arsenal today!
Tip #7: Protect Your Admin Account
It goes without saying that your admin account is pretty darn important.
With just a few clicks here and there, a hacker can do some serious damage should they gain access to your admin account.
So, you have to protect against this at all costs. How?
There are two main ways to do this:
Turn on Multi-Factor Authentication (MFA) - see Tip #1
Enable Just in Time Access (JIT)
We spoke in detail about what Multi-Factor Authentication is in Tip #1 above, but you may be wondering what Just in Time Access (JIT) is.
In short, Just in Time Access means that users are only granted admin privileges if and when they need to accomplish an admin-specific task. Once that task is over, their admin privileges are removed and they are once again a regular user.
By doing these two things, you are going a long way towards securing your admin account and making sure the right people are accessing admin tools at the right time.
To take this even further, you can also create complex, unique passwords for your admin accounts with the help of a secure password vault as I mentioned in Tip #2 above.
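The Just in Time Access idea from this tip, sketched as an added example (not code from BEMO or from any identity product): admin rights are granted for a capped period, checked against the clock on every use, and every grant, denial and expiry is recorded. The class, its method names and the 60-minute cap are assumptions made for the example.

```python
from datetime import datetime, timedelta


class JitAdminAccess:
    """Time-boxed admin elevation: nobody holds admin rights permanently."""

    def __init__(self, eligible_users, max_minutes=60):
        self.eligible = set(eligible_users)
        self.max_duration = timedelta(minutes=max_minutes)
        self.grants = {}   # user -> expiry time
        self.audit = []    # (time, user, event) records for later review

    def request(self, user, reason, minutes, now):
        """Grant admin rights until an expiry time and return that time."""
        if user not in self.eligible:
            self.audit.append((now, user, "denied: not eligible"))
            raise PermissionError(user + " is not eligible for admin elevation")
        if not reason.strip():
            raise ValueError("a reason for the admin task is required")
        # Requests longer than the cap are shortened, never honoured in full.
        expires = now + min(timedelta(minutes=minutes), self.max_duration)
        self.grants[user] = expires
        self.audit.append((now, user, "granted: " + reason))
        return expires

    def is_admin(self, user, now):
        """Checked on every admin action, so an expired grant stops working."""
        expires = self.grants.get(user)
        if expires is None:
            return False
        if now >= expires:
            del self.grants[user]
            self.audit.append((now, user, "expired"))
            return False
        return True

    def release(self, user, now):
        """Drop the grant as soon as the task is finished."""
        if self.grants.pop(user, None) is not None:
            self.audit.append((now, user, "released"))
```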
Tip #8: Back Up Your Data
Pop quiz: How long is your data backed up for in Microsoft Office 365?
6 months? 1 year? 3 years?
Nope! The answer is 30 days.
This means that if something happens (like a pesky hacker!) and you need to retrieve a file from say...61 days ago, you are out of luck!
You need to create backups of your data for as long as necessary for your individual company's needs. There are several 3rd party backup providers available who can accomplish just that so that if worst comes to worst, you don't miss out on all that valuable data and work!
Tip #9: Train Your Staff
Fun fact: 95% of cybersecurity breaches occur due to human error or negligence.
All the best systems and processes in the world won't make a difference if the human element is missing.
Does your staff know how to use things correctly and which processes to follow?
Do they know what to do or who to contact if things go wrong?
Are they able to identify phishing attacks and other red flags so that they don't jeopardize company information accidentally?
All of the other tips in this article are wonderful, but at the end of the day, don't neglect to train your staff so everyone is on the same page and empowered about how to make your company as cyber-secure as possible.
BONUS: Full Webinar on Cybersecurity for Small and Medium Sized Businesses
If you liked these tips, then you're sure to love our full length webinar where Bruno goes through all 9 things you need to do to make sure that your small or medium sized business is as cybersecure as possible.
So there you have it! 9 Cybersecurity Tips for Small to Medium Sized Businesses from our very own CEO and CIO, Bruno Lecoq, that will help keep your company and its valuable data safe in this growing digital world. Ignore them at your own risk!