January 22, 2022
Matthew Kirkland

Business Cyber Security: What you need to know

As a business owner, you’re juggling many balls – making sure your product or service is the best it can be, marketing and selling it, meeting with clients. It’s easy to understand why cybersecurity might fall by the wayside; after all, it’s not as tangible as your product or service. But ignoring cybersecurity can be a big mistake. This post will outline what you need to know about building and maintaining a business cyber security program.

You’re never too small to be the subject of cyber attacks

We often believe cybercriminals mainly want to infiltrate big companies for the potential of a significant ransom, but this is not true. Hackers are interested in all businesses, big or small – they have different reasons for infiltrating different types of companies. 

SMEs can be easy targets because they often lack a dedicated business cyber security team or advanced network security systems, and attackers know it. A small company is also frequently a stepping stone: its email accounts and its remote access into larger customers and suppliers are worth more to an attacker than the company itself. Another reason why SMEs make such great targets? They hold a wealth of personal information on their customers, vendors, and employees.

A business cyber security plan should be your first step.

A cybersecurity plan is a roadmap of your organization’s cybersecurity goals, what you need to do to achieve them, who is responsible for completing each task, and how success will be measured. Cybersecurity plans are unique to every business, so they must be tailored specifically towards your company’s needs.

A business cyber security plan can include the following:

  • Cyber Security Policies – Guidelines and rules for employees, customers, and third-party partners.
  • Cyber Security Procedures – Detailed steps for recurring tasks, such as conducting a cyber risk assessment, and for what to do when there is a cyber incident.
  • Cyber Security Standards – Specifications for the security of your technology infrastructure, such as password requirements, authentication protocols, and the encryption used for data in storage.
  • Security Awareness Training – Employees need to be aware of the risks and how to mitigate them. Cybersecurity training should be an ongoing process, not a one-time event.
  • Incident Response Plan – How your organization will respond to cyber incidents, including who is responsible for each step, what resources are needed, and who must be notified (customers, regulators, your insurer).
  • Disaster Recovery Plan – A serious breach or ransomware infection can shut your business down. You need a plan in place to recover and get operations back up and running, with a target for how long that may take.
  • Data Backup and Recovery Plan – Critical data needs to be backed up regularly and stored in a secure location that an attacker on your network cannot reach. If your network is compromised, you’ll need a tested procedure for restoring that data.

Your business will be much more vulnerable to cyber-attacks without a cybersecurity plan, and your customers may not trust you with their data. Companies that have a plan in place will be prepared and able to quickly and efficiently deal with cybersecurity events, minimizing any damage and bolstering trust.

Cybersecurity audits should be a top priority

SMEs that don’t have in-house cybersecurity expertise should hire experts to conduct regular audits to assess the current state of the systems and cybersecurity practices.

The first step in a cybersecurity audit is to assess your current security posture. This includes understanding your network security, identifying vulnerable systems and devices, and evaluating the risk of potential cyber attacks. Once you have a clear picture of your vulnerabilities, you can start a plan to address them.

  • How often should I conduct a Cyber Security Audit? At least every six months, and after any significant change such as a new cloud service, a new office, or a merger.
  • What should I look for during a Cyber Security Audit? The auditor should review your cybersecurity policies, standards, training, and incident response plan and provide a comprehensive risk assessment. They should also test your systems to identify vulnerabilities: at a minimum an external and an internal vulnerability scan, and ideally a penetration test that tries to exploit what the scan finds.
  • What should I do if there are gaps in my Cyber Security Audit? Treat the audit as an opportunity to identify areas where your business can improve. Rank the findings by risk, fix the highest-risk items first, and record what was fixed so the next audit can verify it. You may need to update some of your policies and standards and provide additional training for key personnel.

Cyber Insurance is a necessary cost vs. cyber threats

Businesses need to consider cyber insurance as the final layer of protection. It does not prevent an attack, but it can keep a successful one from being fatal to the business. The National Security Institute reported that the average ransomware demand in 2021 was $200,000, up from $5,000 in 2018.

Cyber insurance can also help cover the costs of incident response, remediation, data restoration, legal advice, and customer notification after an attack. Talk with an insurance agent to find out what cyber insurance policies are available and which would be best for your business. Be aware that insurers increasingly require the basics described in this article (MFA, offline backups, endpoint protection, patching) before they will write a policy, and a claim can be denied if the controls you attested to were not actually in place.

Train employees that have access to company data how to spot cybersecurity threats

The best way to do this is cybersecurity awareness training. Good training explains why cyber threats concern both the business and the employee personally, describes the specific risks your organization faces, and gives staff a simple way to report anything suspicious without fear of blame.

Some of the cyber threats employees face include:

  • Spear phishing: targeted emails that look like they come from a trusted source (a colleague, a supplier, a bank) and are personalized with details about the recipient. They carry a link or attachment that, when opened, installs malware or leads to a fake login page that captures the employee’s credentials, giving the attacker a way into your organization’s network.
  • Social media: employee social media accounts can be used to identify potential weaknesses in your business. Anyone can search for posts tagged at a specific location and study the photos for badge designs, screen contents, whiteboards, and the software visible on desks, then use those details to make a phishing message or phone call convincing.
  • Social engineering: employees need to be aware of this common attack vector. The attacker pretends to be someone else, often an IT team member, a vendor, or an executive in a hurry, to get employees to disclose sensitive information, approve a payment, or install malicious software. A policy that any unusual request for credentials or money is verified through a second, known channel defeats most of these attempts.

Backing up your data should be a cornerstone of your cybersecurity plan

SMEs often don’t create cybersecurity plans that encompass backing up data in the event of a cyber attack. Backups do not stop an attack, but they limit its damage: a ransomware infection that encrypts every server is an outage rather than a catastrophe if a clean, recent copy of the data exists somewhere the attacker could not touch. In this way, cybersecurity is about risk mitigation and planning for the worst-case scenario.

Data needs to be backed up offsite, either to a secure online service or to a physical location, and the copy must not be reachable as an ordinary file share from your business’ servers. Ransomware operators deliberately look for and delete backups before they encrypt, so the backup destination should use separate credentials, keep versions of files, and ideally be immutable for a retention period. This way, even if your office building burns down or your network is fully compromised, you’ll still have access to your critical data files. Cybersecurity best practices dictate regular testing of the restore process, not just the backup job: a backup that has never been restored is an assumption, not a plan.

Multiple backups should also be considered to provide failovers if one backup plan fails. The common rule of thumb is 3-2-1: three copies of the data, on two different kinds of media, with one copy offsite. For example, an organization could keep a hot copy (immediately available, for quick recovery from accidents), a warm copy (at a remote location but accessible quickly), and a cold copy (completely offline at a remote location, so that cybercriminals who gain control of your network cannot destroy it).

Backing up alone is not perfect; cybercriminals often steal your data before encrypting it and then threaten to release it publicly if you do not pay them, and a backup does nothing about that. Make sure to regularly perform cybersecurity audits, ensuring that your business cyber security plan is current and effective.
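
Testing the restore, not just the backup job, is the step most SMEs skip. The script below is an added example (it is not from the original post or from Nerds On Site): it creates a compressed backup of a folder, records a SHA-256 checksum of every file in a separate manifest, then restores the archive into a scratch directory and compares each restored file against the manifest. The sample files are constructed inline; in practice you would point it at a copy restored from your offline backup and keep the manifest with that offline copy.

```python
"""Backup-and-restore check: added example, not part of the original post.

create_backup() writes a .tar.gz plus a JSON manifest of SHA-256 checksums;
verify_restore() extracts the archive into a scratch directory and verifies
every file against the manifest. The sample data in demo() is constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    # The manifest lives beside the archive (and, in practice, on the offline copy too).
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path) -> dict:
    """Archive `src` and return {relative_path: sha256} for every file in it."""
    manifest = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*")) if p.is_file()
    }
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def _safe_members(tar: tarfile.TarFile, dest: str):
    """Refuse archive entries that would escape `dest` (path traversal) or are links."""
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        if member.issym() or member.islnk() or not target.startswith(root + os.sep):
            raise ValueError(f"unsafe archive member: {member.name}")
        yield member


def verify_restore(archive: Path) -> list:
    """Restore into a scratch directory; return a list of problems (empty means OK)."""
    expected = json.loads(manifest_path(archive).read_text())
    problems = []
    # Newer Pythons offer the 'data' extraction filter; use it when available.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, members=_safe_members(tar, scratch), **extra)
        restored = Path(scratch) / "data"
        for rel, digest in expected.items():
            path = restored / rel
            if not path.is_file():
                problems.append(f"{rel}: missing after restore")
            elif sha256_file(path) != digest:
                problems.append(f"{rel}: checksum mismatch")
    return problems


def demo() -> tuple:
    """Back up constructed sample data, verify it, then show that a changed file is caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2022-01-22,invoice,1200\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = work / "backup.tar.gz"
        create_backup(src, archive)
        clean = verify_restore(archive)
        # Simulate a stored copy whose content no longer matches the manifest:
        # rebuild the archive after one file has been altered.
        (src / "notes.txt").write_text("altered after the manifest was written\n")
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(src), arcname="data")
        tampered = verify_restore(archive)
    return clean, tampered


if __name__ == "__main__":
    print(demo())  # ([], ['notes.txt: checksum mismatch'])
```

The `_safe_members` check matters because a restore is itself an attack surface: a crafted archive can contain `../` paths or symlinks that write outside the restore directory.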

Get into the habit of checking email headers or links before clicking on them

One of the most popular ways hackers and scammers abuse business communication tools is phishing email. Business email compromise (BEC), where an attacker impersonates or takes over a company email account to redirect payments or steal data, has been the costliest category of cybercrime reported to the FBI’s Internet Crime Complaint Center for several years running.

Phishing attempts come in many shapes and forms, such as emails containing malicious attachments, messages with embedded links (either directly or in the form of a shortened URL that hides the real destination), and notes specifically designed to fool key personnel into sharing business credentials or changing a supplier’s bank details.

It is up to small business owners to keep evolving their security strategies against this growing threat. No single control stops BEC: train employees to review links (hover to see the real destination) and email headers (does the Reply-To match the From address? did SPF, DKIM and DMARC pass?) before acting on a message; require MFA on every mailbox so a stolen password alone is not enough; and make it policy that any change to payment details or any urgent transfer request is confirmed by phone on a known number before money moves. A Zero Trust network model helps contain the malware side of phishing, but it does not stop a fraudulent wire transfer that an employee authorizes by hand.
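
The checks described above can be automated on a mailbox, which is also a good way to show employees concretely what "review the headers and links" means. The script below is an added example (not from the original post or from Nerds On Site) and the message it inspects is constructed; every name, address and URL in it is fictitious. It flags a Reply-To on a different domain than the From, any SPF/DKIM/DMARC result that is not `pass` in the `Authentication-Results` header your own mail server writes, links whose visible text names a different site than their real destination, and URL shorteners.

```python
"""Phishing-indicator check for one email: added example, not part of the original post.

The sample message is constructed. The check covers the four things the text
says to review: Reply-To versus From domain, the SPF/DKIM/DMARC results recorded
by the receiving server, links whose visible text points somewhere other than
their real destination, and URL shorteners that hide the destination entirely.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a business keeps its own list of shortener hosts it does not expect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed sample: a "CEO fraud" message that fails authentication.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: bob@example.com
Subject: Urgent: approve wire today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/html; charset="utf-8"

<p>Bob, I am in a meeting, please approve this now:
<a href="http://bit.ly/3abcdef">https://portal.example.com/approve</a></p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); enough for this check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address_header) -> str:
    return registrable(parseaddr(str(address_header or ""))[1].rpartition("@")[2])


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable warnings; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        findings.append(f"Reply-To domain {domain_of(msg['Reply-To'])} differs from From domain {from_domain}")

    # Results written by *your* receiving server (the last hop you control).
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1).lower()}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = (urlsplit(href).hostname or "").lower()
            if host in SHORTENERS:
                findings.append(f"link uses URL shortener {host}")
            shown_host = urlsplit(text).hostname if text.lower().startswith(("http://", "https://")) else None
            if shown_host and registrable(shown_host) != registrable(host):
                findings.append(f"link text shows {text} but points to {href}")
    return findings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EML):
        print("WARNING:", warning)
```

A message with no warnings is not proof of safety (a compromised real account passes every authentication check), which is why the payment-verification policy above still applies.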

Secure your company email with DMARC/DKIM & SPF

I know this sounds overly techy, but if your company’s domain doesn’t publish SPF, DKIM and DMARC records, cybercriminals can send email that appears to come from someone inside the company, and that email may contain a link or attachment that delivers malware when clicked on. The three work together: SPF lists which mail servers are allowed to send for your domain, DKIM adds a cryptographic signature to each message so receivers can tell it was not altered and really came from your systems, and DMARC ties both to the visible From address and tells receiving servers what to do with mail that fails (monitor only, quarantine, or reject) and where to send reports. Note what they do not do: they stop others from spoofing your exact domain, but not a lookalike domain (examp1e.com) or a message sent from a genuinely compromised account, so training and MFA are still needed.

SPF, DKIM and DMARC are free; they are just DNS records and a signing setting on your mail server. Still, we recommend relying on a professional for implementation, because a record that omits a legitimate sender (your invoicing platform, your newsletter tool) will cause real mail to be rejected. The safe path is to start DMARC at p=none, read the aggregate reports until every legitimate sender passes, and only then move to quarantine and finally reject.

Want to know more about DMARC/DKIM & SPF? Check out MXToolBox.
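
Once the records are published, it is worth checking that they actually say what you think. The linter below is an added example (not from the original post, from Nerds On Site, or from MXToolBox): it takes the SPF and DMARC TXT record text exactly as published in DNS and reports the weak settings practitioners see most often, a permissive `+all`, a monitor-only `p=none`, a `pct` below 100, and a missing reporting address. The records in the tests are constructed. You can fetch your own with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
"""SPF and DMARC record linter: added example, not part of the original post.

check_spf() and check_dmarc() take the published TXT record text and return a
list of weaknesses; an empty list means the record is strict. Sample records
in the usage below are constructed.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, which receivers treat as no SPF at all")
    elif all_term.lower() in ("all", "+all"):
        findings.append(f"'{all_term}' lets any server on the internet pass SPF for your domain; use -all")
    elif all_term == "?all":
        findings.append("'?all' is neutral and protects nothing; use -all")
    elif all_term == "~all":
        findings.append("'~all' (softfail) is acceptable while rolling out; move to -all once every sender is listed")
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:=/]", t.lower().lstrip("+-~?"))[0] in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers will return permerror")
    return findings


def check_dmarc(record: str) -> list:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    pol = tags.get("p", "").lower()
    if pol not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag (required)")
    elif pol == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pol == "quarantine":
        findings.append("p=quarantine sends spoofs to spam; p=reject stops them entirely")
    sub = tags.get("sp", "").lower()
    if sub and sub != pol and sub in ("none", "quarantine"):
        findings.append(f"sp={sub} leaves subdomains weaker than the main domain")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports and cannot see who is spoofing you")
    return findings


if __name__ == "__main__":
    # Constructed examples: a weak pair and a strict pair.
    print(check_spf("v=spf1 include:_spf.example.net +all"))
    print(check_dmarc("v=DMARC1; p=none"))
    print(check_spf("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"))
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

The linter checks syntax and policy strength only; whether the listed senders are complete is something only the DMARC aggregate reports can tell you, which is why `rua=` is flagged when absent.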

Multi-factor authentication is a must

Multi-factor authentication, or MFA, is a security process that requires more than one type of verification to access a resource. The most common form of MFA is two-factor authentication, which combines something you know (like a password) with something you have (like your phone or a hardware security key). MFA can also include something you are (biometrics like a fingerprint). MFA is a critical security tool because it adds another layer of protection against unauthorized access: if your password is stolen in a breach or phished, MFA can prevent someone from logging in to your account without also possessing your phone or other second factor. Not all second factors are equal. One-time codes sent by SMS can be intercepted through SIM swapping, and any code an employee types in can be relayed in real time by a fake login page; app-generated codes are better, and hardware security keys or passkeys (FIDO2), which are bound to the real website, are the only form that is phishing-resistant.

MFA is becoming more and more common, especially in online banking and other sensitive applications. If you’re not already using MFA, turn it on today, starting with email, remote access (VPN, remote desktop), cloud admin consoles and banking. Most cyber insurers now require it.

Need to know more about MFA? Consider downloading Google Authenticator, Microsoft Authenticator, or Lastpass Authenticator, and reading Protect your account with 2-Step Verification by Google.
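
To see what the "something you have" factor in an authenticator app actually is, here is the TOTP algorithm (RFC 6238) those apps implement, as an added example that is not from the original post or from any of the apps named above. The phone holds a shared secret and a clock; the code is an HMAC of the current 30-second time step. The secret used here is the published RFC test key, not a real credential, so the codes it produces can be checked against the RFC’s test vectors.

```python
"""TOTP (RFC 6238) as used by authenticator apps: added example, not part of the original post.

The secret below is the RFC 4226 / RFC 6238 test key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # from the RFC test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP with counter = number of the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, last_used: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the matching counter, or None if the code is not valid.

    `window` tolerates +/-1 step of clock drift between phone and server.
    Any counter <= `last_used` is refused so a code that was already accepted
    cannot be replayed within its validity period; the caller stores the
    returned counter as the new last_used value.
    """
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(at_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 setup key shown beside the QR code when enrolling an app."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    print("code for the RFC test secret right now:", totp(RFC_TEST_SECRET, time.time()))
```

Two things this makes visible: the server must store the shared secret as carefully as a password hash (anyone who reads it can mint codes), and a code is just six digits that an employee can be tricked into typing into a fake site, which is the gap that FIDO2 keys and passkeys close.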

Consider getting a business password manager subscription

Password managers can generate random, strong passwords that are much harder to crack than those you might come up with on your own. Users can then manage the many different usernames and unique passwords required for logging into email, business applications, cloud storage services, or other websites – making it easy to keep track of them all in one place. In addition to creating complex passwords ahead of time, password managers typically allow users to sync their information across multiple devices via an encrypted connection, so they have access at work, home, or while traveling without having to remember numerous passwords.

While password managers provide a real benefit for convenience and ease of use, the real benefit comes from securing your organization and removing the vulnerability associated with the bad password habits that are all too common amongst employees: reusing one password across many sites, so that a breach of any one of them exposes your business systems, and choosing short, guessable passwords. A business subscription also gives you a way to share credentials with a team without emailing them, and to revoke access when someone leaves.

Encryption can save you many heartaches

In a perfect world, sensitive organizational data should never be kept on business devices that are not encrypted. If your device is stolen, cybercriminals may be able to access your organization’s files or, worse, exploit your critical data.

Encryption is the process of transforming readable data into an unreadable format. This can be done through various methods, but encryption is most commonly used to protect information during transmission or at rest. When you encrypt your device or files, they are transformed into an unreadable format that can only be accessed with a specific key. This encryption key is like a super-secret password that only certain people or devices can access.

The encryption process does not impact the usability of your files, and you will still be able to open them in their original format at any time. The difference is that when someone without authorization tries to access your data (such as data stored on a stolen or lost device), they cannot do so because they lack the encryption key.

Essentially, encryption means that your sensitive data is out of reach to anyone who shouldn’t have access, including cybercriminals and hackers, as long as they do not also have the key. Be clear about what it protects: full-disk encryption (BitLocker on Windows, FileVault on macOS) defends data on a device that is lost or stolen while powered off or locked; it does nothing against malware running on the device while you are logged in, or against a password written on a sticky note on the laptop. Keep the recovery keys somewhere you control (not only on the encrypted device), and use proper authenticated encryption, which detects tampering, rather than a home-made scheme.
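
To make the properties above concrete, here is a small passphrase-based file encryption routine as an added example (it is not from the original post and is not how BitLocker or FileVault work internally). It uses only the Python standard library: the key is derived from the passphrase with scrypt so guessing is slow, the data is encrypted with a keystream, and an authentication tag is checked before decrypting so a wrong passphrase or a modified ciphertext is rejected instead of silently producing garbage. The construction (encrypt-then-MAC with an HMAC-SHA256 keystream) is for illustration; for real data use the operating system’s disk encryption or a vetted library such as AES-GCM from the `cryptography` package.

```python
"""Passphrase-based authenticated encryption, standard library only:
added example, not part of the original post and not for production use.
"""
import hashlib
import hmac
import secrets

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """scrypt is slow and memory-hard, so brute-forcing the passphrase is expensive."""
    key = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1,
                         dklen=64, maxmem=64 * 2 ** 20)
    return key[:32], key[32:]       # (encryption key, MAC key), never reuse one for both


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudo-random keystream (illustrative)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Salt and nonce are fresh per call."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise ValueError on a wrong key or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or ciphertext was modified")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample data.
    blob = encrypt(b"correct horse battery staple", b"customer list: alice, bob")
    print(len(blob), "bytes of ciphertext; plaintext visible:", b"customer" in blob)
    print(decrypt(b"correct horse battery staple", blob))
```

Notice that decryption with the wrong passphrase fails loudly: this is the behaviour you want from any encryption product, and it is what distinguishes authenticated encryption from schemes that simply return scrambled bytes.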

Install updates as soon as they are released

It may be the most effortless cybersecurity best practice to implement. Still, many SME owners don’t update their systems as soon as an update becomes available. Cybersecurity experts recommend updating operating systems, applications, and software immediately upon release to combat ongoing security issues and vulnerabilities in the outdated software.

Some small business owners find it challenging to juggle the demands of running a business and staying up to date with the latest security updates. That’s where managed security service providers (MSSPs) can step in to help small business owners avoid any potential data breaches.

If you’re looking for an MSSP to manage your updates and monitor your systems, please look into our 24/7 Tech Support & Monitoring.

Create a list of approved software & ensure that computer users are not logged in as administrators

The business cyber security solution to this problem is a two-fold approach. First, you should have an approved software list so that users know which programs (and only which programs) can be installed and used on their computers and devices; where your endpoint tooling supports it, enforce the list rather than relying on users to follow it. Second, everyone needs to log in with a standard user account instead of an administrator account. Malware launched from a malicious link or attachment runs with the privileges of the logged-in user, so on a standard account it cannot install drivers, disable security software, or change system-wide settings without an administrator’s password. This does not make a standard account safe: the malware can still read and encrypt every file that user can reach, which is why backups and MFA remain essential.

Over time, employees may not be aware that they’re logged into their computers as administrators. They will need training to understand this concept, and it is worth checking: on Windows, the members of the local Administrators group should be a separate, named admin account for IT, never the account a person uses every day for email and browsing. You should update your business cyber security policy to include employee awareness of how they should log in to computers and the implications of administrator access. Implementing these changes may take some getting used to. Still, they will help keep your business’s data and systems safe from malicious actors.

Avoid free antivirus software or anti-malware

When something is free, you need to ask yourself, “but at what cost?” Some free antivirus and anti-malware products are funded by adware or by selling data about your browsing: the program generates revenue by displaying ads, or by collecting information about every step you take online and selling it to data brokers. Remember that security software runs with the deepest level of access on every computer it is installed on, so read what a free tool does with your data before you trust it with that.

So be careful when looking for a free security solution and at the very least spend time reading the privacy terms and conditions. The exception is the protection built into the operating system itself: Microsoft Defender on Windows is free, reputable, and funded by the operating system rather than by ads or data sales, and it is a far better choice than an unknown free download. Ultimately, for a business the best approach is a reputable paid endpoint protection product, centrally managed so that you can see which machines are protected, which have alerts, and which have fallen behind on updates.

As part of our 24/7 Tech Support & Monitoring, we often include a copy of webroot endpoint protection for all of your business computers.

Small business owners should avoid illegal or pirated software

Using illegal software can hurt your small business in several ways. First and foremost, using pirated software is unlawful. You could face fines or, in serious cases, prosecution for using unlicensed software. Second, using unlicensed software can leave your small business vulnerable to a cyber attack. Cybercriminals commonly bundle pirated installers and “cracks” with malware, and pirated software cannot be safely updated, so it stays exposed to every vulnerability fixed since the version was copied. Finally, it can hurt your small business’s reputation. Consumers may not want to do business with a company that uses pirated software.

Look to phase out legacy software and systems

While it’s understandable to hold onto older technology for familiarity or convenience, relying on legacy software and systems (Windows XP or Windows 7, an old version of Office, a point-of-sale or accounting package the vendor no longer supports) can be a cybersecurity nightmare, because once the vendor stops issuing security updates every new vulnerability stays open permanently. Cybercriminals know that many small businesses are still using outdated systems and take advantage of this by targeting these organizations with malware and other attacks. Small business owners must understand the risks associated with using legacy software and systems and plan to phase them out as soon as possible. Where a legacy system cannot be replaced yet (a computer that runs old equipment, for instance), isolate it on its own network segment with no internet access and no path to the rest of the business. By doing so, small business owners can minimize their risk of being hacked and losing valuable data.

You shouldn’t always trust USB drives

Think twice the next time you are about to plug in that USB drive from an unknown source. It may seem convenient to transfer files, but it can also be a gateway for malicious software and hackers. In 2010, the Stuxnet computer worm reached the control systems of Iran’s uranium enrichment facility at Natanz, a network that had deliberately been kept disconnected from the internet and from other internal networks, and it is believed to have crossed that air gap on infected USB thumb drives. The worm then sabotaged the centrifuges, and an estimated thousand of them had to be replaced.

The lesson here is not to trust USB devices from unknown sources, even if the computer you are plugging them into has no Internet connection. A drive found in the parking lot or handed out at a conference is a classic way in, and a malicious device can present itself as a keyboard and type commands, which no antivirus scan of the files on it will catch. When you need to move files, use a more secure method such as SFTP, your cloud storage with MFA enabled, or an encrypted drive your own business issued. If you must use an unknown USB drive, scan it for malware first and disable autorun on your computers; many businesses go further and block removable storage entirely by policy.

Business-grade networking equipment is an easy upgrade you can make today

Small business owners should know that networking equipment not intended for business use is a network security risk. Consumer-grade or internet provider equipment ships with default usernames and passwords that many owners never change, which is one of the leading causes of breaches through this type of equipment; it also tends to receive firmware updates late or not at all, and lacks the logging, guest isolation and VLAN support a business network needs. Because these devices are so widely deployed, attackers invest in scanning for them and have ready-made exploits for known models. A one-time investment in business-grade network equipment (and, whatever equipment you use, changing every default credential and turning off administration from the internet) is a relatively low-cost upgrade that can provide significant ongoing protection.

Separate guest wi-fi networks from your corporate network

While offering guests access to a wireless network at work is an act of graciousness, allowing someone too much access can be potentially dangerous to your business. A company wi-fi network typically places employees directly on the internal network, without limiting what they can reach. SMEs often use this network to share files, folders, printers, and backup storage. Any device that can join the company wireless network can discover and talk to every other device on it, so a guest’s infected laptop or phone can attack your file server directly. Guests, and employees using personal devices, should be on a separate guest network that only reaches the internet.

As a best practice, we recommend going further and creating network segmentation for your mobile devices, smart devices, printers & maybe even specific departments. If cybercriminals can infiltrate your business network, they will try to leverage the compromised system or device to access other systems or data. If successful, they may access the companies’ sensitive data like customer information, personal employee information, or even sensitive documents like financial reports.

Zero Trust is the cost-effective advanced security solution your business needs

Zero Trust is a security model that eliminates the traditional idea of trust-by-default in computer systems. In a Zero Trust environment, every user and device is treated as potentially untrustworthy until proven otherwise. The concept may be challenging to grasp, but it’s something that you’ll want to understand if you want a truly effective way to keep your business safe from phishing, malware & ransomware.

Small businesses are especially vulnerable to cyberattacks because they often lack the resources necessary to implement strong security measures. A Zero Trust approach can help small and midsize companies protect themselves by closing off potential attack vectors and preventing unauthorized access to sensitive data. An employee clicking on a phishing or malicious link would no longer be enough on its own for an attacker to reach your systems, because the device and user still have to be verified for every resource they touch, and malware on one machine cannot freely spread to the rest of the network.

Arguably, the best benefit of a Zero Trust approach is how cost-effective it can be compared to traditional security solutions. Using the typical trust-by-default security model, SMEs can quickly rack up unnecessary costs as they try to secure their systems against every possible threat. 

Despite Zero Trust’s effectiveness, it still isn’t widely implemented because many SMEs don’t know about or understand the technology. They may not realize the value it can provide until their data has already been compromised or stolen.

Nerds On Site offers the ‘SME Edge,’ an all-in-one solution that includes all required business-grade networking equipment backed by Adam:Networks Zero Trust technology with an internet uptime guarantee. 


We hope that you’ve learned more about business cyber security by reading this article. If your company doesn’t have all of these steps implemented, don’t fret! Nerds On Site has packages designed specifically for SMEs who want peace of mind regarding their IT & Cyber Security.