Cybersecurity for Your Small Business: 10 Things to Think About Today
In part one of this blog series, Cybersecurity: Big Challenges for Small Businesses, I addressed the security problems that small businesses face. In this post, Huawei Cyber Security Officer Vladimir Yordanov and I have put together a 10-point plan that you can start implementing today to make your business more secure.
We don't claim that this is a complete list. Depending on its individual needs, your business may need to do less or more. Cybersecurity is a complex topic that often requires complex solutions, but we believe this list will give you a good start on your defenses.
1. It starts at the endpoints
Your organization's connected endpoints – user devices, printers, smart door locks, security cameras, and others – are both its weakest link and its first line of defense. You must combine effective, consistently deployed protection technologies with comprehensive, repeated education of every user whose device touches your network. At the absolute minimum, make sure these steps are carried out regularly:
- Require a password or other screen lock on every user device.
- Make sure all users practice good password hygiene: a unique password for each account, no sharing, and a password manager where possible.
- Change default settings and default credentials, especially on printers, cameras and other network-attached devices.
- Apply security patches promptly and on a regular schedule.
- Run anti-malware and antivirus protection.
- Know and follow the security practices recommended for each device by its manufacturer or industry.
2. Watch for Those Connections
Every network connection your business uses, whether owned, leased, cellular, Wi-Fi, or wired, is a potential point of entry. This means you must have complete visibility into each of those connections and the security measures active on it.
To achieve and maintain that visibility, your business must work with its communications carriers; Internet service providers (ISPs); network implementation, operations, and management staff; and contractors. You must also work closely with every company and individual in your business value chain to ensure that their connections to your networks are secure as well.
3. Secure Your Data
Data is the crown jewel of your business and the key to growth and success. Few things are more damaging to a company than seeing its brand in a headline reading "Massive Data Security Breach Puts Customers at Risk." This is why data security must be a top priority for every business. Modern work practices, such as deploying new technologies and services, new devices and IoT, remote working, and public Wi-Fi, provide new ways for data to be compromised. It is a serious issue that small businesses cannot ignore: according to the 2019 Verizon Data Breach Investigations Report, 43% of all breaches involved small businesses.
No single vendor or solution can provide a complete defense against data breaches; defense is a combination of many solutions and services. Some of the techniques that can be deployed to protect data are:
- Regular backups, kept separate from production systems and tested by actually restoring from them.
- Two-factor authentication (2FA).
- Anti-malware and antivirus solutions.
- Anti-phishing defenses.
- Regular system updates and timely patching of known vulnerabilities.
- Password management.
- Least-privilege data access and identity management.
Most important, your organization’s data security solutions and architecture must be aligned with compliance and regulatory requirements, and with overall data lifecycle management best practices.
4. Secure Your Applications
Application security is just as important as data security, because applications provide direct access to data. The role and importance of applications in our personal and work lives has increased dramatically over the past few years. In today's environment, nearly every business uses a variety of applications, and in some cases, such as social media and gig economy platforms, the business itself is the application. OWASP, the Open Web Application Security Project Foundation (a US nonprofit), does an excellent job of keeping tabs on the most critical web application security risks, publishing an updated OWASP Top 10 list every few years.
If your small or midsized business develops applications, ensure that you follow recognized secure software development standards, practices and frameworks. If your business uses applications, ensure that each application provider you do business with is secure and follows industry best practices. Ask for relevant certifications and evidence of compliance. You can consult this cybersecurity white paper on what cybersecurity questions to ask your technology vendor.
If your business is delivered via an application, then all of the above applies to you. There are many vendors and solution providers that can help you secure your application infrastructure.
Do your research. Take advantage of security-as-a-service offerings. Use the security features of your cloud provider or providers to their fullest. Implement the solutions and services needed to minimize the exposure of your applications and your business to cyber-attacks.
5. See Your Clouds More Clearly
A Ponemon Institute survey found that 60% of respondents’ companies transfer confidential or sensitive information via cloud computing services. Those respondents’ companies do so whether or not that information is encrypted or otherwise protected.
This underscores how dependent businesses of all sizes have become on software as a service (SaaS) and other cloud-based resources. It also hints at the level of risk involved if your business does not protect its information and services, wherever they are in the cloud. Especially if your business works with multiple cloud services providers, you must ensure you have adequate visibility and protections to guard against a breach in the cloud harming or halting your operations.
6. Check Your Compliance
The growth of IoT, enabled and accelerated by the rollout of 5G wireless networks, is raising the number and types of connected devices exponentially. Huawei predicts that by 2025 there will be some 40 billion devices around the world able to sense their surroundings and 100 billion connected devices globally. However, many current IoT devices lack sufficient cybersecurity protections, in part because cost pressures make it unprofitable for manufacturers to build security in at the device level.
7. Know the Risks of the Internet of Things (IoT)
Cyber-attacks targeting IoT devices could cost the US – an early IoT adopter – a staggering US$8.8 billion a year, according to the Irdeto Global Connected Industries Cybersecurity Survey.
This means that you should select only IoT devices that allow easy password changes and software updates. Then replace every default password with a strong, unique one, and apply vendor-provided software and firmware updates promptly. Any device that cannot be updated or whose default credentials cannot be changed should be isolated from your main network or not deployed at all.
8. Secure All Assets on the Move
Your users and your most valuable corporate data are increasingly mobile. Users do business from almost anywhere via laptops, smartphones, and tablets. Information, some of it personal, private, and/or proprietary, traverses numerous wireless connections and cloud-based services. Your business must protect its users and data with equal vigor whether they are "at rest" or "in motion." At minimum, that means encrypting data at rest (full-disk encryption on every laptop and phone) and in transit (TLS or a VPN for every connection back to your systems), plus secured, remotely wipeable devices for your road warriors.
9. Get Physical
Cybersecurity is only part of your security challenge. After all, no amount of cybersecurity will help you keep bad actors from stealing physical assets from your premises. Fortunately, smart security devices such as connected cameras and entry scanners, when implemented correctly, can enhance physical security. Such devices can also provide information that can be combined with your cybersecurity measures.
If someone using legitimate access credentials suddenly accesses your network and downloads unusually large volumes of data, information about when and how they entered the building and which computer they used can be forensically useful: a large transfer from an on-site workstation by an account whose badge never entered the building that day points to stolen credentials or tailgating rather than a careless employee. At minimum, your cybersecurity protections should limit or prevent unauthorized access to physical resources. They should also guard against rogue USB drives and connections to untrusted networks, for example by restricting removable media and disabling unused network ports.
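The correlation described above, as an added example that is not part of the original post: flag network sessions that move far more data than normal, then look up the same user's badge records to see whether they were physically on site at the time. The log formats, user names, hosts and byte counts are constructed for this example; a real deployment would read exports from the badge system and the proxy or firewall instead.

```python
"""Correlate large data transfers with physical badge records (added example)."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample badge events: one line per door event, key=value fields.
BADGE_LOG = """\
2024-03-04T08:02:11 user=alice door=main-entrance event=granted
2024-03-04T08:15:40 user=bob door=main-entrance event=granted
2024-03-04T08:16:02 user=carol door=side-door event=granted
2024-03-04T17:30:55 user=alice door=main-entrance event=exit
"""

# Constructed sample egress totals: one line per session, bytes sent outbound.
EGRESS_LOG = """\
2024-03-04T09:10:00 user=alice host=ws-alice bytes=120000000
2024-03-04T09:12:00 user=bob host=ws-bob bytes=95000000
2024-03-04T10:05:00 user=carol host=ws-carol bytes=80000000
2024-03-04T11:40:00 user=alice host=ws-alice bytes=140000000
2024-03-04T21:15:00 user=dave host=ws-shared-03 bytes=9800000000
"""


def parse_kv_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts; 'ts' is a datetime, 'bytes' an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for field in parts[1:]:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key == "bytes" else value
        records.append(rec)
    return records


def flag_large_transfers(egress, multiplier=10):
    """Return sessions whose byte count exceeds `multiplier` times the median session.

    The median is used as the baseline rather than the mean so that a single huge
    transfer cannot hide itself by inflating the average.
    """
    baseline = median(r["bytes"] for r in egress)
    return [r for r in egress if r["bytes"] > multiplier * baseline]


def physical_context(user, when, badge, window=timedelta(hours=12)):
    """Describe the badge state of `user` at `when` (datetime or ISO string), looking back `window`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    events = sorted(
        (b for b in badge if b["user"] == user and when - window <= b["ts"] <= when),
        key=lambda b: b["ts"],
    )
    if not events:
        return "no_badge_record"
    last = events[-1]
    if last["event"] == "granted":
        return f"badged_in via {last['door']} at {last['ts'].isoformat()}"
    return f"badged_out at {last['ts'].isoformat()}"


def investigate(badge_text, egress_text):
    """Join anomalous transfers with badge context and assign a severity."""
    badge = parse_kv_log(badge_text)
    egress = parse_kv_log(egress_text)
    findings = []
    for hit in flag_large_transfers(egress):
        ctx = physical_context(hit["user"], hit["ts"], badge)
        # A transfer from an on-site host while the account holder has no badge entry,
        # or has already badged out, is the strongest signal of credential misuse.
        on_site = ctx.startswith("badged_in")
        findings.append({
            "user": hit["user"],
            "host": hit["host"],
            "bytes": hit["bytes"],
            "when": hit["ts"].isoformat(),
            "physical": ctx,
            "severity": "medium" if on_site else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in investigate(BADGE_LOG, EGRESS_LOG):
        print(finding)
```

On the sample data only the 9.8 GB session from `ws-shared-03` is flagged, and because `dave` has no badge event that day it is rated high; the same volume from a user who badged in through the main entrance that morning would still be investigated, but as a possible insider or compromised workstation rather than an impostor. A real correlation also needs the host-to-desk mapping and the clock skew between the badge controller and the network devices checked before either log is trusted.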
10. Seek Help
The nine cybersecurity considerations above are only a starting point. Depending on the specific constraints, goals, and needs affecting your business, you may need to do more or less than what's described here. Whatever your specifics, it's unlikely your small or midsized organization has the technical knowledge or financial resources of its larger counterparts. Fortunately, you do have access to resources that can improve your cybersecurity without breaking the bank. Here are some recommendations.
First: educate yourself and your employees. Your people are the first line of defense. Make sure that your employees are trained in and aware of current cyber threats and how to defend against them. Experts agree that the majority of successful cyber-attacks exploit weaknesses caused by human error and poor IT hygiene. Education, starting with the recommendations in this post, can help to improve user behavior and reduce those weaknesses.
Second: know that you are not alone. Be proactive: seek out advice and ask for help. Many companies offer security consulting services for small businesses, and some even offer complimentary initial consultations. There are also online and in-person discussion groups and communities that share best practices. Vendors, regulators and industry groups also publish guidelines to help businesses with their security decisions and needs. Do your homework, find out about these resources, and use them.
Third: take advantage of new technologies. Security technologies have advanced significantly over the last few years. They are more effective and do not cost as much as they used to. Many vendors that previously only served large businesses now offer simpler and more affordable solutions for smaller enterprises. Security as a service is another consideration. Cybersecurity services offer improved protection without requiring your organization to spend big bucks for expensive infrastructure. Multiple cybersecurity solutions, including protections against distributed denial-of-service (DDoS) attacks, data loss prevention (DLP), and so-called next-generation firewall (NGFW) offerings, are available as services.
Make sure to take full advantage of the cybersecurity features available from your cloud and software-as-a-service (SaaS) providers. One example is Microsoft Office 365, which offers two-factor authentication; with it enabled, a password stolen through phishing or other social engineering is not enough on its own to log in to the account. Some cloud and SaaS security features are enabled by default, while others are not. Some are free, while others are offered at additional cost. The important thing is that they exist, so learn about them and use those that can help protect your business.
Your approach to cybersecurity for your business must be holistic, proactive, and consistent. And it’s probably going to involve spending more than the US$500 annually the average small business spends on cybersecurity protections, according to a 2018 Juniper Research study. But there are things you can do starting today for little or no money that will help begin or accelerate your journey toward more effective cybersecurity.
And check out Huawei’s cybersecurity solutions for enterprises for tips you can use now and solutions to explore.
About key contributor Vladimir M. Yordanov
Vladimir is the Cyber Security Officer for Huawei's Enterprise Business Group. He has nearly 20 years of experience in cybersecurity, covering all major aspects of systems and information security, including networks, data, applications, cloud, and IoT.
He has led the design and architecture of end-to-end security solutions and strategy for governments, financial institutions, the military, law enforcement, and educational institutions. His expertise covers endpoint, data and application security; network security; security management and reporting; unified threat management; penetration testing; vulnerability assessment and remediation; and detection, prevention, and recovery.