Because of their size, small companies are especially vulnerable to cyber-attacks. Bad actors looking for quick wins are playing the odds that a small company has lax cybersecurity. That should be reason enough to start taking a closer look at the policies you have in place. But, if it’s not, consider this: Larger companies that want to do business with you also have concerns about your small business’s security maturity. Before they sign any long-term contracts, many want to know that you have a security program in place to protect their assets and interests.
Even when small companies are convinced that they need to set up a security program, many are unsure of where to begin the process. You probably have a general understanding about security, such as the need to for anti-malware software on your network and strong passwords. But there’s more to it than that, and we can help you identify some quick wins that will improve your security posture instantly.
Start by defining some core IT security policies. A security policy is your company's formal position on a specific security issue. For example, you may establish a security policy that all users on your network need a unique identity. The policy doesn't specify how you'll execute that, but it does provide a roadmap of what needs to be done.
You don't have to write each IT security policy from scratch. There are information security policy templates available (free and paid; check out ours here) that you can use to get started. You don’t need to write a security policy for every security issue. Start with a few security policies as a foundation for a broad but strong security program.
In the context of cybersecurity, training refers to educating employees, contractors, and other stakeholders about security best practices and policies. This can include training on how to recognize and avoid common phishing and social engineering attacks, how to create strong passwords and use multi-factor authentication, how to handle sensitive data, and how to respond to security incidents. Effective training programs are ongoing and can help organizations reduce the risk of human error and improve overall security posture. employees to create complex passwords is one option to manage network access, but it's not the most secure. Humans are a notoriously weak link in cybersecurity.
Here are a few better options:
These are not mutually exclusive options to elevate password security. Taken together, they provide a simple, secure access control framework.
There are two different types of scans you should run. The first is a monthly user audit. This audit clarifies who has access to what systems and data. Early on, when your company only has three people, it's easy to keep track of your users. As you grow and people start to leave, a monthly user audit becomes necessary.
The monthly user audit documents who has access to which systems and with what permissions. The audit will ensure that only people who should have admin rights to a system have them. It will also show if people have access to systems they shouldn't or whether former employees still have active credentials. You can automate user audits with an access rights management tool.
The other regular scan you need to run is a network vulnerability scan. The most critical network scan covers all externally accessible resources. External scans aren't just for companies that host their own web servers. Cloud-based services are external vulnerabilities. As your network expands, your network scan should also expand to cover internal devices. The network scan will identify potential issues on the network that need remediation. These could be vulnerable devices or suspicious activity.
One common vulnerability found is unpatched software. Staying current with security patches is critical. By definition, the security patch addresses a known vulnerability. That's exactly the sort of entry point bad actors will exploit. Is there some forgotten, unpatched computer on your network that nobody uses? That's the entry point to your network. You can run a daily patch scan with an automated patch management tool.
A core security policy is how you define the security level for different kinds of data. Typically called "tiers," each data tier defines the type of data included, who can access data in that tier and where it can be stored.
There's no fixed number of tiers. A simple place to start is with a three-tier system. The top tier covers your most sensitive data. This is data that you have a legal obligation to protect. The middle tier can include sensitive internal data. This is data that shouldn't be shared publicly or company wide. Think employee salaries or strategic planning documents. The lowest tier is publicly available data.
These tiers can become more granular as your data scope and internal community grow. Your data categorization and management will be especially critical when partnering with larger organizations. If your company will have access to their customer data, you'll need internal controls that protect it.
You're not in the business of designing security protocols—so use business solutions that embed security into their service. Many of the cloud-based services small businesses use come with some security. This includes email services, like Google and Microsoft 365, and storage services like Amazon 3S or Dropbox.
In some cases, the service can shoulder the full security responsibility by shielding you from the sensitive data. For example, there are specific data security requirements for managing credit card data. Services like Square and Stripe process the payments and you never see the credit card data. Consequently, you have no credit card data to secure.
Don't get caught unprepared when a security incident occurs. Define different levels of security incident and what the escalation process is for resolution. Your plan needs to specify who is responsible for handling incident response and who else is involved in the discussions. You want a known group of decision-makers to assess the situation and formulate a specific response and communication plan—quickly.
These are all valuable places to start to raise your company’s security posture quickly. Use them to build momentum towards designing a comprehensive security program and path towards greater security maturity. Here’s a list of 21 things your company things can do quickly to make your security posture even stronger.