Last year, there were numerous high-profile data breaches. No sector was left unaffected: healthcare, financial services, entertainment, nonprofits, city and state governments, and even the Department of Defense suffered breaches in 2022. And these are just the big-name breaches; small companies suffered similar breaches and had many fewer resources to deal with them.
Cyberattacks can result in your business’s confidential information being disclosed or destroyed, which can obviously damage your and your company’s reputation. Financial loss is another major cost of a cyberattack; whether it’s a DDoS attack that brings your e-commerce site offline or renders it unusable, or whether the attacker was able to access and drain your bank accounts and max out your company credit card, financial loss is really hard for a business to recover from.
And that doesn’t even include all the other legal and regulatory issues your business could face.
That’s a lot of good reasons for even the smallest businesses to practice good cybersecurity. If the whole idea seems overwhelming, we suggest the following cybersecurity tips for keeping your digital assets safe and secure.
Require employees to use strong passwords
A strong password is one that is at least 12 characters long and contains a mix of numbers, symbols, and capital and lowercase letters- and is unique. Even the most secure password is useless if one database is hacked and your password is released to the wild. The best way for your employees to ensure that passwords are both strong and unique are to use a password manager such as 1Password or Bitwarden. Many password managers even offer enterprise versions that allow you to manage passwords across your organization.
Unlike recommendations in previous years, the National Institute of Standards and Technology is no longer recommending frequent password changes. Forcing frequent password changes sounds like a good idea, but in practice, it’s less secure than keeping a long, strong password for a longer period of time because with frequent changes, users often create simple passwords that are only slight modifications of their previous passwords.
Use multi-factor authentication for sensitive accounts
While a strong and unique password will go a long way to preventing cyberattacks, it’s not totally foolproof. You can make an attacker’s job more difficult by enforcing multi-factor authentication (MFA) on sensitive accounts and records. App or token-based MFA is more secure than SMS (text message) authentication because SMS authentication can be vulnerable to SIM-swapping.
Instead, use an authenticator app, which produces a one-time code that gets sent to your phone. There are dozens of authenticator apps to be found, most of which work on more than one type of device.
As a note, if you do use an authenticator app it’s important to understand what happens if a device is lost or broken. Does your authenticator have the ability to be set up on multiple devices? Does it have one-time codes you can keep in a different location? A little bit of thought during setup can save you a lot of headache in the future.
Keep all your software and operating systems up to date
Many cyberattacks begin with a software or operating system vulnerability. That’s why it’s crucial that you install updates when you get them. These updates will plug security holes that criminals could use to deploy malware. Sure, it’s annoying to take a big chunk of time out of your day to run OS updates, but being successfully attacked through one of these vulnerabilities is a lot more annoying.
This also includes updates to your company’s website. If your site runs on WordPress, for example, you’re probably aware that plugins are regularly updated, and sometimes this is for security reasons. If you want to make your WordPress site harder to hack, make sure you regularly update your plugins and themes, as well as the core WordPress code. If you’re curious about how to further harden your WordPress site against future attacks, contact us.
Give your employees regular cybersecurity training
The biggest cause of cyberattacks that can interrupt business is the human being between the chair and the keyboard. This typically happens because someone emails or texts an employee requesting information such as bank account numbers or passwords, and their message contains a sense of urgency. The employee is expected to respond with similar urgency. But it’s extremely easy for scammers to “spoof” email addresses and make it seem like the message is coming from a co-worker or supervisor.
Training your employees about how to recognize spam and phishing attacks as well as establishing protocols around how your company exchanges sensitive information can help to mitigate these attacks. For example, simply letting your employees know that you will never require them to buy gift cards for a client, or requiring a phone call to verify a suspicious request, will protect your company from a large swath of current phishing schemes.
If someone does spoof an email from your business, there are people who want to know about it. First, report the email to your email provider via their Report Phishing functionality. You can also report it to the FBI’s Internet Complaint Crimes Center and the Federal Trade Commission.
Back up your system, data, and files regularly
In 2017, Britain’s entire National Health Service was paralyzed by ransomware. Ransomware attacks happen regularly all around the world; in 2022, cybersecurity and networking company Cisco, health system CommonSpirit Health, hosting provider Rackspace, and the Los Angeles Unified School District were among the victims of ransomware attacks.
The very best way you can keep your business from having to pay a ransom to get your data back is to keep a copy of your files and data in a place the attackers can’t get to it. This could be in the cloud or on a physical device such as an external hard disk drive—and use both if you can. This will also protect you in the event that your business is destroyed by a fire or a natural disaster. For this technique to work, though, you need to run backups regularly. Set yourself a weekly (or at the very least, monthly) recurring task or calendar appointment because this is just as important as a big meeting.
The Federal Trade Commission offers a lot of great information about cybersecurity for small businesses. We recommend taking a look at what they suggest and using some of the resources mentioned there for employee cybersecurity workshops.
How are you managing cybersecurity in your workplace? Did you find these cybersecurity tips helpful? Connect with us on LinkedIn and let us know.