Why follow my advice?
I created computer security defenses for a nuclear power plant in the Middle East (the United Arab Emirates). This article is focused on small business computer security, so you can defend yourself against threats you usually could not fend off.
It is not about how much you can spend.
I have seen companies spending millions on cybersecurity and getting hacked regardless, as if they had spent nothing.
I have seen others diligently working on proper computer security architecture methods and fending off every attack that comes their way.
And I decided to write an article that would help you protect your business. A practical guide that, if followed, will save you weeks of downtime and could mean the difference between going out of business and surviving.
Are you ready?
If you need computer security help for your small business, contact us, and let’s see if we can help!
The Threat Landscape for Small Businesses
Understanding the Risk
For the past twenty years, cybersecurity attack numbers have been growing every year, while your business’s defense capabilities have likely stayed the same. This likely means that you are gradually becoming more vulnerable, and I want to change that. You are no longer too small to be a target, and attackers often focus on you due to your perceived weaker defenses.
Here’s a breakdown of the most common attack vectors against small businesses, their effect on computer security, and their prevalence:
- Phishing: Phishing remains one of the most common threats, with around 96% of phishing attacks being delivered via email. By 2023, phishing attempts had increased by nearly 50,000 incidents compared to previous years. Many small businesses cite phishing as their biggest concern, with nearly 30% of them ranking it as the most significant threat. Phishing is also often linked to other attack types like ransomware (StrongDM).
- Ransomware: Ransomware attacks have surged significantly, especially after 2020. In 2021, 82% of ransomware attacks targeted businesses with fewer than 1,000 employees, and 37% of victims had fewer than 100 employees. The average ransomware payout nearly doubled between 2022 and 2023, highlighting the financial burden placed on small businesses (Varonis). In addition, nearly 66% of businesses globally were affected by ransomware in the past year (Station X).
- Malware: Malware, including spyware and adware, continues to be a frequent tool used against small businesses. In 2024 alone, over 450,000 new malicious programs were detected each day. Nearly 94% of malware is delivered through email, making it a top vector for distributing malicious software.
- Social Engineering: Small businesses are more vulnerable to social engineering attacks, with employees at these organizations experiencing 350% more social engineering attempts than those at larger companies. This is due to a combination of weaker security awareness and lower security budgets (Station X).
- Distributed Denial-of-Service (DDoS) Attacks: While less frequent than phishing and ransomware, DDoS attacks still affect a significant portion of small businesses, particularly those with online service dependencies.
- Common Attack Vectors: The most likely attack vectors against small businesses are phishing emails, malware, and weak password practices. Attackers chain them: the phishing email carries the malware, and a reused password turns one infected laptop into access to your email and cloud accounts. Few businesses survive or deflect that combination. Antivirus alone does not stop it, because attackers can repack known malware into a variant that signature-based scanners do not yet recognise in a matter of minutes. One of your users opening a booby-trapped PDF attachment is enough to get infected, and that is just one of the attack vectors.
- Cost of Ignoring Security: Before starting to work with me, a law firm defending nuclear power plants got hacked: a simple email breach. Their accounting email got compromised, their invoices were modified by the hackers with a different bank account, and the firm lost almost a million dollars in a single week. They were lucky I was present at the meeting where they discussed this with the nuclear power plant I was consulting for at the time, and I helped them protect themselves. But not everyone is lucky enough to have a cybersecurity expert nearby.
Endpoint Security
This includes your computers, laptops, and mobile devices. But you would be surprised to find out that even printers can be seen as endpoints – some smart printers have an operating system, and if your IT team has set up the same password on the printer as on other important equipment in the office… you get my point.
Should you trust your antivirus for your endpoint security or go looking for another? In most cases, it does not matter which antivirus program you’re using. Just as it does not matter what kind of lock you use for your front door if the window or the backdoor are easier entry points or if you hide the key under the rug.
It is not about the antivirus. It is about security hardening. The Defense Information Systems Agency of the USA publishes very helpful guides called DISA STIGs (Security Technical Implementation Guides) for most operating systems and for many widely used software products: Windows, Linux distributions, browsers, Office, databases, and network equipment. They are written for US Department of Defense systems, so a few settings will break things in a small office; roll them out to a test group first and document the exceptions you decide to keep.
You should follow them to secure your endpoints before you even think about buying any commercial security product out there. At least that is our process when we help small businesses protect themselves.
- Tweak your existing Antivirus and Anti-Malware Protection: If you use Windows, it already includes a capable antivirus, Microsoft Defender. Its basic real-time scanning is on by default, but the features that stop modern attacks, such as attack surface reduction (ASR) rules, controlled folder access, network protection, and the higher cloud-protection levels, are off or unconfigured by default and can only be set through Group Policy, Intune, or PowerShell (Set-MpPreference). Give this task to an expert, and you won’t have to buy licenses for expensive antivirus software.
- Enable Device Encryption: If possible, enable BitLocker and manage it centrally using an MDM (mobile device management) solution. Before you enforce it, make sure recovery keys are escrowed (to Entra ID/Intune or Active Directory); an encrypted laptop whose recovery key nobody saved is a lost laptop. For devices that leave the office, require a pre-boot PIN in addition to the TPM.
- Establish Strong BYOD Policies: Your policy on employee-owned devices should be simple: devices that access company data must be company-owned and company-managed. The main reason is that you have no control over the configuration and software on a personal machine, and if it is carrying malware there is nothing you can do about it. Personal devices are frequently infected and should never touch your corporate data or network. If you genuinely cannot avoid personal phones for email, at minimum require MDM enrolment and conditional access rules that refuse unmanaged devices.
- Employee Training: It is critically important to train your employees in cybersecurity hygiene: recognizing phishing attacks, creating proper passwords, and applying software updates promptly.
Network Security
- Why Network Security is Critical: A Wi-Fi router with default admin credentials, outdated firmware, WPS enabled, or a short WPA2 passphrase can be broken into in minutes, giving attackers a foothold inside your network and, from there, a path to your computers and confidential data.
- Secure Your Wi-Fi Network:
- Use WPA3 (or WPA2-AES with a long, random passphrase where a device cannot do WPA3); never WEP or WPA-TKIP, and turn WPS off.
- Prefer Wi-Fi 6 routers: they are not more secure by themselves, but Wi-Fi 6 certification requires WPA3 support, so you get current encryption and a vendor that still ships firmware updates.
- Change the default router admin password, disable administration from the internet side, and keep the firmware updated. Hiding the SSID (disabling broadcast) adds no real protection, since the network name is still visible to anyone with a wireless sniffer; a separate guest network for visitors and untrusted devices does.
- Implement a Firewall: A perimeter firewall matters less when everyone works from home, because there is no office network behind it to protect; the host firewall built into each laptop then does that job and must stay enabled. But if you have an office with many employees in it, a firewall at the internet edge is a must. Depending on your small business’s size, you can use open-source firewalls or purchase a commercial one. I personally always recommend the products of Ubiquiti.
- Network Segmentation: Divide the network into segments (VLANs) to limit lateral movement in the event of a breach: guest Wi-Fi, printers and other IoT devices, workstations, and servers each on their own segment, with firewall rules that allow only the traffic each one needs. Then, if a regular employee’s laptop gets hacked, the attacker cannot reach your most critical data on the servers and other computers.
- Virtual Private Networks (VPN): Remote workers, and anyone on public Wi-Fi, should connect to company systems through a VPN, so that their traffic is encrypted and internal services do not have to be exposed directly to the internet. Protect the VPN itself with MFA; a VPN login with a stolen or reused password is a common starting point for ransomware intrusions.
Cloud Service Security
- Why Cloud Security Matters: As more businesses move to the cloud, protecting cloud-based data is critical. As a small business, you most likely use Microsoft 365 or Google Workspace for your collaboration internally and with external partners. Both have hundreds of security settings that are off by default. On top of that, there are licensing tiers locking some security settings away until you upgrade.
- Select a Secure Cloud Provider: Evaluate cloud service providers based on their security features, certifications (e.g., ISO 27001, SOC 2), and backup policies.
- Encrypt Data in Transit and at Rest: Every major cloud provider encrypts data in transit (TLS/HTTPS) and on its own disks by default. That at-rest encryption protects you against a stolen disk in the provider’s data center, not against an attacker who has taken over one of your accounts and sees the files exactly as you do. For truly sensitive files, add client-side encryption before upload, for example an AES-256 encrypted archive made with 7-Zip; avoid the legacy ZipCrypto password protection, which is easily broken, and never send the password in the same email or chat as the file.
- Access Management: Set up strong access controls: Role-Based Access Control (RBAC) so each person has only the permissions their job needs, a small number of separate admin accounts used only for administration, and Multi-Factor Authentication (MFA) for every user on every cloud service, with no exceptions for executives.
- Backup and Disaster Recovery Plans: Cloud providers keep the service running; they do not protect you from deleting, overwriting, or ransomware-encrypting your own data, and recycle-bin retention is limited. Back up cloud data (mailboxes, OneDrive/SharePoint, Google Drive) regularly to a location the cloud account itself cannot reach, and have a disaster recovery plan that states who restores what, from where, and how quickly.
Email Security
- Email as the Primary Attack Vector: Let me explain how hackers think. They don’t use fancy spy tools or techniques; they exploit human weaknesses. Let’s say you have 20 employees. All a hacker needs to do to get into one of their corporate mailboxes (if you do not enforce multi-factor authentication) is to get their names off your LinkedIn or company website and search for their personal email addresses. Then the hacker searches dark web breach databases for any leaked passwords associated with those addresses. Then the hacker simply tries those passwords and their variations against your corporate email accounts; this is called credential stuffing, and it is fully automated. Voila, usually within just a couple of hours they get access. If that was your accountant’s mailbox, you are in trouble!
- Spam Filters and Scanning: Use spam filtering and attachment/link scanning, and publish the email authentication records for your domain: SPF (which servers may send as you), DKIM (a signature on each message), and DMARC (what receivers should do when a message fails both). Start DMARC at p=none to collect reports, then move to p=quarantine and finally p=reject; until you do, mail spoofed in your name is still delivered.
- Implement Email Encryption: Encrypt sensitive emails, particularly communications involving confidential business information or client data, using S/MIME or the message encryption built into Microsoft 365 or Google Workspace, rather than sending the material as a plain attachment.
- User Awareness and Training: Regularly educate employees about recognizing and reporting suspicious emails.
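The SPF, DKIM, and DMARC advice above can be checked mechanically. The following is an added example, not code from the article: a small evaluator that reads the three DNS TXT records for a domain and reports the weaknesses a practitioner looks for first (a permissive or missing "all" term, too many DNS lookups, p=none, no reporting address, a revoked DKIM key). The records, the domain name and the DKIM selector are constructed for the demo; a real check would fetch them with a DNS library such as dnspython instead of the `SAMPLE_RECORDS` dict.

```python
import re

# Constructed DNS TXT answers for a made-up domain, in the form
# `dig TXT <name> +short` would return them. Replace with real DNS lookups.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # Dummy public key; a real p= value is a base64-encoded RSA or Ed25519 key.
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUMMY"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"   # no qualifier means "pass"
        body = t.lstrip("+-~?")
        if body == "all":
            all_qualifier = qualifier
            continue
        name = re.split(r"[:=/]", body, maxsplit=1)[0]  # 'include:x' -> 'include', 'a/24' -> 'a'
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' (softfail) only flags spoofed mail; DMARC must be set to act on it")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports telling you what fails")
    return findings


def check_dkim(record: str) -> list[str]:
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= means the key is revoked; nothing is being signed with it")
    return findings


def assess_domain(domain: str, txt: dict[str, list[str]], dkim_selectors=()) -> list[str]:
    """Run all three checks for one domain against a name -> [TXT records] mapping."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as permerror")
    else:
        findings += check_spf(spf[0])
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; receivers have no policy to apply to spoofed mail")
    else:
        findings += check_dmarc(dmarc[0])
    for selector in dkim_selectors:
        records = txt.get(f"{selector}._domainkey.{domain}", [])
        if not records:
            findings.append(f"DKIM: selector '{selector}' is not published")
        else:
            findings += check_dkim(records[0])
    return findings


if __name__ == "__main__":
    for line in assess_domain("example.com", SAMPLE_RECORDS, ["google"]):
        print(line)
```

On the constructed records the evaluator reports exactly the two problems the text warns about: a softfail-only SPF record and a DMARC policy of p=none, which together mean a spoofed invoice in your name still reaches the recipient's inbox.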
Strong Authentication Practices
- The Problem with Weak Passwords: Weak and reused passwords are behind a large share of breaches. Let’s say your assistant uses the password “Password123@” for their personal email account. If a hacker obtains that password from a breach dump, they will assume your assistant reuses passwords and will try it, and obvious variations of it, against your corporate email with your assistant’s account name. This happens more often than you think! That is why proper password management is important. At a minimum, use a corporate password management application and reject passwords that appear in known breach lists.
- Password Management Tools: Use a password manager to generate a long, random, unique password for every account and store it securely; employees then only need to remember one strong master password, and reuse disappears.
- Enforce Multi-Factor Authentication (MFA): MFA adds an extra layer of protection by requiring two or more verification factors, so a stolen or guessed password alone is not enough. Prefer an authenticator app or a hardware security key over SMS codes, and disable the legacy protocols that bypass MFA (IMAP/POP/SMTP basic authentication) on your mail service.
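The credential-stuffing scenario in the Email Security section and the “Password123@” example above describe the same attack from both sides. Here is an added example (not code from the article) that shows both: `attacker_variants` generates the mutations a stuffing tool tries from one leaked password, and `evaluate_password` is the defensive check a password manager or signup form should run, looking the candidate up by SHA-1 hash prefix the way the Have I Been Pwned k-anonymity API works, then rejecting trivial variants of anything breached, then enforcing length. The leaked passwords, the breach counts and the range index are constructed for the demo; in production the range lines come from the API and the breach list from a full corpus.

```python
import hashlib
import re

# Constructed breach corpus: passwords an attacker pulled from leaked dumps for
# this company's staff. Made up for the demo.
LEAKED_PASSWORDS = ["Password123@", "summer2019", "acmeinc!", "letmein"]

# Common leetspeak substitutions, undone before comparing "base words".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(password: str) -> str:
    """Reduce a password to the base word an attacker would mutate: lowercase,
    drop trailing digits/symbols, drop leading symbols, undo leetspeak."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    base = re.sub(r"^[^a-z0-9@$]+", "", base)
    base = base.translate(LEET)
    return base or password.lower()  # all-digit passwords keep their own identity


def attacker_variants(leaked: str, years=("2023", "2024", "2025")) -> list[str]:
    """The mutations a credential-stuffing tool typically tries from one leaked password."""
    base = re.sub(r"[^A-Za-z]+$", "", leaked) or leaked
    seeds = {leaked, base, base.lower(), base.upper(), base.capitalize()}
    variants = set(seeds)
    for seed in seeds:
        for suffix in ("!", "1", "123", "#1", *years, *(y + "!" for y in years)):
            variants.add(seed + suffix)
    return sorted(variants)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: list[str]) -> dict[str, list[str]]:
    """Offline stand-in for the HIBP k-anonymity API: for each 5-hex-char prefix,
    the '<35-char suffix>:<count>' lines GET /range/<prefix> would return.
    The counts are constructed."""
    index: dict[str, list[str]] = {}
    for n, pw in enumerate(leaked, start=1):
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{n * 1000}")
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def breach_count(password: str, range_index: dict[str, list[str]]) -> int:
    """Look the password up by hash prefix, as a password manager does,
    so the full hash never has to leave the client."""
    digest = sha1_upper(password)
    for line in range_index.get(digest[:5], []):
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0


def evaluate_password(candidate: str, leaked: list[str], range_index: dict[str, list[str]]) -> str:
    """Policy check for a new corporate password: 'ok' or the reason it is rejected."""
    count = breach_count(candidate, range_index)
    if count:
        return f"rejected: appears in breach data ({count} times)"
    if canonical(candidate) in {canonical(pw) for pw in leaked}:
        return "rejected: trivial variant of a breached password"
    if len(candidate) < 12:
        return "rejected: shorter than 12 characters"
    return "ok"


if __name__ == "__main__":
    for guess in attacker_variants("Password123@")[:6]:
        print(f"{guess:<18} {evaluate_password(guess, LEAKED_PASSWORDS, RANGE_INDEX)}")
    print(evaluate_password("correct-horse-battery-staple-7", LEAKED_PASSWORDS, RANGE_INDEX))
```

Every variant the attacker generates from “Password123@” or “summer2019” collapses to the same base word, so the check refuses all of them, while a long unrelated passphrase passes. The canonical-form comparison is what stops the “just add the year” habit that exact-match breach lookups miss.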
Data Backup and Recovery
- Importance of Regular Backups: Hackers rarely destroy data for its own sake. They encrypt it and demand a ransom to decrypt it, and modern ransomware gangs also delete any backups and shadow copies they can reach from the accounts they stole, and take a copy of your data to threaten publication. You need backups first of all for when humans make mistakes or equipment fails, which happens far more often. And in the event of a ransomware attack, it definitely helps being able to show the hackers ‘the finger’ and restore all your data from an offline backup they were not able to get their hands on.
- Best Practices for Backup:
- Use both on-site and cloud backups, but always keep at least one copy offline or immutable, protected by credentials that are not your everyday admin accounts.
- Implement backup versioning to protect against data corruption or accidental deletion.
- Test backups regularly by actually restoring files and whole systems; a backup job that reports success is not proof that the data can be restored.
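The three backup practices above (versioning, integrity, and real restore tests) can be demonstrated in a few dozen lines. The following is an added example, not the article's own tooling: each `snapshot` writes a new archive that is never overwritten, together with a manifest of SHA-256 hashes; `verify_restore` actually unpacks the archive into a scratch directory and re-hashes every file; and `demo` plays out a constructed scenario in a temporary directory where a file is ransomware-encrypted between two daily snapshots. File names, contents and version labels are made up for the demo, and a real deployment would write the archives to media the attacker cannot reach rather than a temp directory.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Write a new archive plus a manifest of per-file SHA-256 hashes.
    A label is never reused, so each run is a separate version: a file that
    ransomware encrypted today does not replace the good copy taken yesterday."""
    backup_root.mkdir(parents=True, exist_ok=True)
    archive = backup_root / f"{label}.tar.gz"
    if archive.exists():
        raise FileExistsError(f"refusing to overwrite existing version {archive.name}")
    manifest = {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
    manifest_for(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_restore(archive: Path) -> list[str]:
    """The actual restore test: unpack into a scratch directory and hash every
    file against the manifest. Returns the problems found; [] means restorable."""
    expected = json.loads(manifest_for(archive).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects path traversal (Python 3.12+ and backports)
            except TypeError:
                tar.extractall(scratch)                  # older Python: no filter argument
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def restore_file(archive: Path, rel: str) -> bytes:
    """Pull one file out of a specific version without touching the live copy."""
    with tarfile.open(archive, "r:gz") as tar:
        return tar.extractfile(rel).read()


def demo() -> dict:
    """Constructed scenario: two daily snapshots with a simulated ransomware
    overwrite in between. Everything lives in a throwaway temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backups = Path(tmp) / "shared", Path(tmp) / "backups"
        (source / "hr").mkdir(parents=True)
        (source / "invoices.txt").write_bytes(b"Invoice 1001: pay to account 12345\n")
        (source / "hr" / "payroll.csv").write_bytes(b"name,salary\nA. Smith,1000\n")
        v1 = snapshot(source, backups, "2024-06-01")
        # Day two: the live invoices file has been replaced with ciphertext-like junk.
        (source / "invoices.txt").write_bytes(b"\x00ENCRYPTED\xff" * 4)
        v2 = snapshot(source, backups, "2024-06-02")
        try:
            snapshot(source, backups, "2024-06-02")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        return {
            "v1_problems": verify_restore(v1),
            "v2_problems": verify_restore(v2),   # intact as a backup, but its content is the junk
            "v1_invoices": restore_file(v1, "invoices.txt").decode(),
            "v2_is_junk": restore_file(v2, "invoices.txt").startswith(b"\x00ENCRYPTED"),
            "overwrite_refused": overwrite_refused,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what the two checks tell you separately: `verify_restore` reports the day-two archive as perfectly intact, because it faithfully contains the encrypted file, and it is only the untouched day-one version that still holds the real invoice. Integrity checks prove a backup can be restored; versioning and an offline copy are what guarantee there is something worth restoring.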
Physical Security
- Why Physical Security Matters: If an attacker gets just 5 minutes, sometimes even seconds, alone with any of your computers, consider it hacked. They can plug a spy device into the back of a desktop, swap the keyboard for one that transmits every keystroke, or boot the machine from a specially prepared USB drive and read the disk directly. Never give them that chance: lock screens when people step away, keep unattended machines in locked rooms, and have good cameras around and inside your business for when nobody is there.
- Secure Access to Office Devices: Kensington or similar locks for laptops are a good idea if they are ever left unattended. A BIOS/UEFI password on each and every computer, preferably a unique one, is a must, together with Secure Boot enabled and booting from USB or other external media disabled. Combined with full-disk encryption, this is what turns a stolen laptop into a harmless brick.
- Secure Disposal of Hardware: Don’t just throw away or sell old equipment. A quick format only removes the file table; the data itself stays on the disk and is recoverable with free tools. Drives must be physically destroyed or securely erased before disposal: a full overwrite or the manufacturer’s secure-erase command for SSDs, or, if the drive was fully encrypted, destruction of the encryption key (crypto-erase).
Cybersecurity Policies and Compliance
- Developing a Cybersecurity Policy: Start with at least one general computer security policy for your entire small business. Ideally, you would eventually have at least 20 policies covering specific topics (acceptable use, access control, passwords, backups, incident response, and so on). Remember that policies are useless if they are not simple, actionable, and actually followed by your employees.
- Compliance Requirements: You might need to comply with cybersecurity compliance standards (e.g., PCI DSS if you take card payments, GDPR if you handle personal data of people in the EU) if you are a small business that handles customer data. You might even need to comply with SOC 2, if your B2B clients ask you to.
- Conduct Regular Audits: Perform regular internal audits, or hire external cybersecurity audit services, to assess and improve your business’s security posture.
Incident Response and Disaster Recovery
- Creating an Incident Response Plan: Establish a plan to respond to and recover from cyber incidents. You don’t have to reinvent the wheel—there are many guidelines and even templates for incident response plans. If an incident occurs, you should have a guideline on responding vs running around in panic mode.
- Key Elements of an Incident Response Plan:
- Define roles and responsibilities for responding to incidents.
- Steps for isolating infected devices and restoring from backups.
- Communication strategies for informing clients or partners during a breach.
- Regular Testing of Incident Plans: Test and refine incident response plans through drills or simulations.