Do you work in an IT department at a company with a limited security budget?
Or are you the IT for a small company and trying to stretch the little money you have for IT to also cover security needs?
Then you will love today’s post.
Because I’m going to show you how to build out a cybersecurity program for a small business for less than $10,000 a year.
Why cybersecurity for small businesses?
Before we start let’s clarify:
Cybersecurity for small businesses is essentially the same discipline as for larger organizations. Because of budget constraints, however, small businesses need to perform a risk assessment and build a program around the risks they actually face. For most SMBs, implementing the basic controls described below provides an adequate baseline.
Now a little backstory:
One of my friends, Gabriel Friedlander, posted a question on LinkedIn a little while back that got a ton of engagement.
Here’s what he asked.
You’re a small business owner (think restaurant, small accounting firm) and you have $10k (which is a lot for many of them…) to spend yearly on cyber security. How would you spend it?
The responses he got were amazing!
Gabriel actually made a report out of it that you can download here.
Let’s dive into cybersecurity for small businesses and the controls you should be implementing.
Plus: We’re going to give you some recommendations for low cost and free cybersecurity tools that you can use.
Basic Security Concepts
Basic Security Controls
Advanced Security Controls
Incident Response Planning
Business Security Plan Concepts
If you follow the news, you probably see the announcement of a massive data breach almost weekly.
And you may find yourself wondering:
If the large companies can’t stay secure, how does my SMB stand a chance?
You actually have an easier job than the large companies: there is far less to protect.
You just have to do it right.
Small Business Cybersecurity Considerations
The first thing that you have to understand about security is that, unfortunately, it’s a super complex topic.
In times gone by, a company was adequately protected if they just installed antivirus on all of their computers.
Not any more.
Why is that?
Attackers have gotten much more sophisticated over the years and, speaking as someone who does penetration testing, anti-virus is not hard to bypass. It is still worth having (see the endpoint protection control below), but it cannot be your only defense.
So, rule number one on cybersecurity for small businesses is this:
Don’t do it yourself.
Unless you have an experienced security professional on your team, your best option is to partner with an organization that can help you.
The risk that you accept when attempting to manage your own security program is often too great.
Here’s some good news:
You can find managed security service providers (MSSPs) that will handle your security for a very reasonable price.
MSSPs that handle cybersecurity for small businesses on a daily basis often have invested in tools and team members; in short, they have the expertise and have taken on the investment.
When looking for a partner to manage the cybersecurity for your small business, here are a few tips to keep in mind:
1. It’s better to find a person or a company that is not affiliated with any specific vendor.
2. Not every IT person is a security expert. So, make sure the company you choose has sufficient expertise to protect you. Just because they are a Managed Service Provider (MSP) who offers security services doesn’t make them experienced.
3. It could be an independent security consultant or a company. You have several options.
4. Ask questions of potential partners. Ask them how they secure their own company. If they have bad security practices themselves, they will cause disaster for you.
Cybersecurity Needs For Each Small Business Differs Greatly
Another hugely important topic is this:
Because small businesses have limited cybersecurity budgets, they must prioritize the most critical threats. The level of risk tolerance and likelihood of a breach differs between organizations. Each company must analyze this to determine the right areas to invest money into.
So, when trying to figure out what security measures you should implement or how much money to spend on it, ask yourself a few questions about the security needs at your business.
Here are a few questions that will help you:
1) How much money does the business make? What critical apps or assets could cause large damages to the business if they were breached?
For example, if you run a small accounting office, critical assets to you may be the computers running the software that you use to prepare taxes.
2) How comfortable is the business with downtime or revenue loss?
Of course, you will probably say you can’t afford downtime, but you have to understand just how much downtime you can actually have before your company suffers.
A small attorney’s office, for example, could probably handle more downtime than an e-commerce store: it can keep working for a while with pen and paper.
3) Who has access to business critical assets, apps, and information, and what will happen if they are breached?
With this, you should think about a few groups – internal and external.
Internally, you want to practice a need-to-know based system for managing access control.
One security failure that we often see among small businesses is that many people wear many hats and restricted access is ditched — everyone gets access to everything.
This is a big mistake!
Only give employees access to the accounts they need to do their job.
You may even need to tell them that it’s not because you don’t trust them, but because you want to reduce your company’s attack surface.
Externally, you should think about any vendors or contractors that you may have given access to while troubleshooting.
If you hired a web developer to build your e-commerce website, do they still have administrative access to the site?
If so, what happens if they are compromised and the attackers get access to your website?
4) Does anyone have access to business apps or data from home or remotely? Do vendors?
5) Are there any regulations that your business must comply with? Like PCI, HIPAA, GLBA, GDPR, or CCPA?
No matter how small your business is, there is still a chance that you need to comply with various regulations that have security components.
In fact, small businesses sometimes make the mistake of thinking they are exempt from compliance because they are small.
Tip: You must understand that no company can go from having no security to 100% secure overnight. It’s a process. So, prioritize the greatest risks to your company, address them, and focus efforts and funding on other security threats later.
Basic Security Controls ($3,000 – $5,000)
Now that you understand the risks that your small business faces, you can begin implementing appropriate cybersecurity controls.
The first tier of controls that we will discuss are basic security controls.
For a company with fewer than 10 employees, you should definitely be able to implement these for less than $5,000 a year.
Note: If you are using a MSSP, you can probably build an entire security program for less than $5k.
Let’s look at the specific controls.
1. Data Backups
Backups are extremely important and a must-have for pretty much every small business cybersecurity program.
This is especially important if you are the victim of a ransomware attack, in which malware encrypts your files and the attackers demand payment for the key. With a good backup you can restore instead of paying.
Insider Tip: Keep at least one backup copy offsite and offline (or on storage the backup account can write to but not delete), so that an attacker who gains access to your network cannot destroy your backups along with the originals. Encrypt your backups, and test a restore periodically; a backup you have never restored from is an assumption, not a control.
2. Internet access constraints
Depending on your business, you should try to limit access to the internet.
If you use a point-of-sale terminal computer, for example, your employees should not be browsing the internet on that device.
Should the device be compromised, you are risking the confidentiality of all of your customer credit card information.
One simple solution that some small businesses find affordable is using a dedicated Chromebook for accessing payroll and accounting systems.
In short, if a device is not someone’s general-purpose workstation, its internet access should be limited to the sites and services it actually needs.
3. Security Awareness Training
You must educate your employees about cyber threats!
Employees who are not trained to recognize cyber threats dramatically increase the risk that your small business will be the victim of an attack.
It is important that everyone in your business develop a “culture of security” – that is a mindset in which they are always aware of attack vectors such as suspicious emails and actively avoid falling prey.
There are many security awareness solutions that include training videos.
4. Multi-factor authentication
Enable multi-factor authentication (MFA) wherever possible.
It’s a free or very low-cost control that is highly effective for the average small business.
There are a variety of MFA methods, but the two most common are codes sent by text message (SMS) and codes generated by an authenticator app on your phone.
In both cases, you get a six-digit code that you must enter after your password. Prefer the authenticator app (or a hardware security key) where a service offers it: SMS codes can be intercepted by an attacker who takes over your phone number, though they are still far better than no second factor at all.
This is a great additional layer of security in case your login credentials are compromised.
5. Computer access control
This is another security control that small businesses overlook but can be very effective.
There are two main types of accounts on your computer – regular users and administrators.
Regular users cannot install software or make certain configuration changes without entering administrative credentials.
If a regular user browses to a malicious website and a payload tries to install itself system-wide, it will fail or prompt for an administrator password, which contains the damage to that one account. (It does not stop everything: malware running as the user can still read and encrypt that user’s files, which is one more reason backups matter.)
For this reason, I usually tell everyone to do their day-to-day work in a regular user account.
Then, when they need to install software or change a setting, they enter the administrator credentials when prompted, and only for that action.
6. Firewall
Having a properly configured and maintained firewall is a vital component of every small business cybersecurity plan.
A properly configured firewall (or Unified Threat Management device, UTM) does a lot to limit who can reach your business network from the outside.
It can also restrict outbound traffic and segment the network, for example keeping point-of-sale devices separate from staff laptops.
You should also enable and configure the firewalls on each endpoint you use – computers and servers.
7. Inventory and Patch Management
Keeping an inventory of the software installed on your company’s devices allows you to know what is installed and to be sure that all apps, computers, and other systems are updated and patched to the latest versions.
Un-patched devices and apps are open doors for attackers.
Inventory & Patch Management Tools
Solarwinds Patch Manager
Insider Tip: Routers, switches, cameras, printers, and other network-connected devices are often overlooked for patching. These devices periodically get firmware updates. Without applying them, you risk your devices being targeted by attackers, and they rarely tell you on their own that an update exists.
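Whatever tool collects your inventory, the report that matters is “what is behind the version we consider safe, and what is installed that we are not tracking at all.” The added example below, written for this post and not taken from any product, shows that report over a constructed inventory; the hosts, application names and version numbers are made up, and the one real-world trap it demonstrates is that version strings must be compared numerically, since as text “1.2.9” sorts after “1.2.10”.

```python
"""Patch-status report from a software inventory.

Added example with constructed data: the inventory rows and the 'latest known version'
table are illustrative and imply nothing about real products.
"""
import re
from typing import Dict, List, Tuple

Inventory = List[Tuple[str, str, str]]  # (host, application, installed version)


def parse_version(version: str) -> Tuple[int, ...]:
    """'v1.2.10', '1.2.10-beta', '23.01' -> tuple of ints; trailing zeros dropped so 1.2 == 1.2.0."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]      # drop pre-release / build suffix
    parts = [int(n) for n in re.findall(r"\d+", core)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def patch_report(inventory: Inventory, latest: Dict[str, str]) -> Dict[str, list]:
    """Split the inventory into what needs patching and software nobody is tracking.

    'outdated'  -> (host, app, installed, latest) for apps behind the known-good version
    'unmanaged' -> (host, app, installed) for apps with no entry in `latest`: you cannot
                   patch what you do not know you have, so each of these needs a decision
    """
    report: Dict[str, list] = {"outdated": [], "unmanaged": []}
    for host, app, installed in inventory:
        if app not in latest:
            report["unmanaged"].append((host, app, installed))
        elif is_outdated(installed, latest[app]):
            report["outdated"].append((host, app, installed, latest[app]))
    return report


# Constructed sample data (illustrative only).
LATEST_KNOWN = {"Browser": "120.0.6099.216", "Archiver": "23.01", "Router firmware": "1.2.10"}
INVENTORY: Inventory = [
    ("pos-01", "Browser", "120.0.6099.109"),
    ("acct-02", "Browser", "120.0.6099.216"),
    ("acct-02", "Archiver", "23.1"),               # same as 23.01 once compared numerically
    ("router-01", "Router firmware", "1.2.9"),     # a plain string compare would call this newer
    ("frontdesk", "ScreenSaverPro", "1.0"),        # not in the approved list at all
]

if __name__ == "__main__":
    for kind, rows in patch_report(INVENTORY, LATEST_KNOWN).items():
        print(kind)
        for row in rows:
            print("  ", *row)
```

In practice the `latest` table comes from the vendor feeds or the patch tool, and the inventory from an agent or a login script; the logic that decides what is outdated stays the same.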
8. Health check & vulnerability scanning
Once a quarter, most organizations should perform vulnerability scans to check for any issues with applications or computers on the network.
Reducing vulnerabilities means reducing the likelihood an attacker can gain access to your network.
Criminals regularly perform vulnerability scans of your business network, so get ahead of them.
9. Anti-virus software / Endpoint protection
Install it on every computing device on your network, keep it updated, and do not let users disable it. As noted above, it will not stop a determined attacker on its own, but it cheaply removes commodity malware.
10. Vendor Compliance
For organizations that must comply with PCI and HIPAA, selecting vendors that are compliant is a must.
11. Email Security Gateway
Email is one of the easiest ways for attackers to attack your network.
A security gateway checks incoming (and outgoing) email for malware, phishing links, and spam before it reaches the inbox.
This is a great way to reduce cybersecurity threats from reaching your business.
12. Virtual Private Network (VPN)
A VPN encrypts traffic between the user’s device and the VPN server, so anyone else on the same network (say, hotel or coffee-shop Wi-Fi) cannot read or tamper with the data being sent, such as passwords. It does not protect traffic after it leaves the VPN server, so it complements HTTPS rather than replacing it.
This is an especially important cybersecurity control for small businesses, especially when employees travel or work from home frequently.
Advanced Security Controls ($5,000 – $10,000)
If your small business has the basic cybersecurity controls covered, there are still a few things you can do to improve defenses.
Implementing these advanced security controls is pointless if you don’t have the basics covered.
But if you do, and you’re ready to take your security maturity to the next level, you should look into these advanced controls.
Let’s look at a few that can really boost your company’s security posture:
1. Cloud Based Logging
Most apps and operating systems have built-in logging; they write log files locally on the computer they run on.
The logs record how the app is behaving and the errors it encounters, and also who logged in, from where, and what changed.
These logs are invaluable for detecting and investigating cyber incidents.
Collecting them takes storage, and attackers routinely delete local logs to cover their tracks, so a copy that leaves the machine as soon as it is written is worth far more than one that stays on it.
A cloud-based collection and analysis service (a SIEM) keeps that off-host copy and can alert you to attacks earlier.
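The value of the off-host copy is the rules you run over it. The added example below, written for this post rather than taken from any SIEM product, runs two such rules over constructed SSH authentication log lines (documentation IP addresses from RFC 5737 and made-up hostnames and users): a brute-force rule that counts failed logins per source address inside a sliding window, and a higher-signal rule that flags a successful login preceded by a run of failures from the same address. The thresholds are illustrative and would be tuned to your own environment.

```python
"""Brute-force and suspicious-login detection over SSH auth log lines.

Added example. The log lines are constructed (RFC 5737 documentation addresses,
made-up hosts and users) and the thresholds are illustrative. In production these
rules run in the SIEM over the shipped copy of the logs, not on the host itself.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str, year: int = 2024) -> Optional[Tuple[datetime, bool, str, str]]:
    """Return (timestamp, success, user, source_ip), or None for lines that are not sshd auth events.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect(lines: List[str], threshold: int = 5, window_seconds: int = 300,
           min_failures_before_success: int = 3) -> List[Dict]:
    """Two rules, each keyed on the source IP with a sliding time window.

    bruteforce             >= threshold failures inside window_seconds (one alert per IP)
    success_after_failures a successful login preceded by >= min_failures_before_success
                           failures from the same IP inside the window; this is the event
                           to investigate first, because it may be a compromised account
    """
    failures: Dict[str, deque] = defaultdict(deque)
    alerted_bruteforce = set()
    alerts: List[Dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, success, user, ip = parsed
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()                          # expire failures outside the window
        if success:
            if len(recent) >= min_failures_before_success:
                alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                               "failures": len(recent), "at": ts.isoformat()})
            recent.clear()
        else:
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted_bruteforce:
                alerted_bruteforce.add(ip)
                alerts.append({"rule": "bruteforce", "ip": ip, "failures": len(recent),
                               "at": ts.isoformat()})
    return alerts


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "Jan 12 10:15:01 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:15:03 fileserver sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Jan 12 10:15:06 fileserver sshd[2205]: Failed password for root from 203.0.113.5 port 51251 ssh2",
    "Jan 12 10:15:09 fileserver sshd[2207]: Failed password for root from 203.0.113.5 port 51262 ssh2",
    "Jan 12 10:15:12 fileserver sshd[2209]: Failed password for backup from 203.0.113.5 port 51270 ssh2",
    "Jan 12 10:15:15 fileserver sshd[2211]: Failed password for backup from 203.0.113.5 port 51281 ssh2",
    "Jan 12 10:15:20 fileserver sshd[2213]: Accepted password for backup from 203.0.113.5 port 51290 ssh2",
    "Jan 12 10:16:00 fileserver sshd[2220]: Failed password for jsmith from 198.51.100.7 port 40100 ssh2",
    "Jan 12 10:16:05 fileserver sshd[2222]: Failed password for jsmith from 198.51.100.7 port 40101 ssh2",
    "Jan 12 10:16:10 fileserver sshd[2224]: Accepted password for jsmith from 198.51.100.7 port 40102 ssh2",
    "Jan 12 10:16:11 fileserver CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The user who mistyped a password twice (198.51.100.7) produces nothing, while the address that failed six times and then got in produces both alerts; the second one is the page you actually want at 3 a.m. If the attacker had wiped `/var/log/auth.log` after that login, only a copy already shipped off the host would still show it.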
2. Penetration Testing
After you have all of the basic cybersecurity controls covered, you may want to hire an organization to attempt to attack your company.
This will give you an idea of what cracks you have left and how an attacker could exploit them.
The report will also usually include suggestions for how to better protect your business.
Note: Penetration tests are required by some compliance regulations. However, they can be expensive and are really only of value for businesses with fairly mature security programs.
3. Website Whitelisting
Here’s what you have to understand about browsing the internet:
Visiting infected or malicious websites is often one of the main attack vectors that criminals use.
Because of this, it only makes sense for you to whitelist the sites your company uses for operations.
Note: Whitelisting means allowing certain items, and blocking all others.
Then, employees can’t visit any other sites, drastically reducing the risk to your organization.
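Whitelisting is enforced at the firewall, proxy or browser policy, not in code you write yourself, but the matching rules have to be right or the list is bypassed. The added example below, written for this post and not taken from any product, shows the decision a proxy or policy engine has to make and the tricks it must not fall for: the allowed hosts are placeholders under the reserved documentation domains example.com and example.net.

```python
"""Website whitelist (allowlist) decision for a web proxy or browser policy.

Added example; ALLOWED_HOSTS / ALLOWED_SUFFIXES are placeholders under the reserved
documentation domains, not a recommendation of any site. The point is the matching:
only the normalized hostname is checked, never anything else in the URL.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                                   # plain http lets anyone on the path inject content
ALLOWED_HOSTS = {"payroll.example.com", "accounting.example.com", "example.com"}
ALLOWED_SUFFIXES = {"example.net"}                            # example.net and any *.example.net


def normalized_host(url: str) -> Optional[str]:
    """Extract the host the browser will actually connect to.

    urlsplit().hostname lower-cases, strips the port, strips userinfo (so
    'https://payroll.example.com@evil.example.org/' yields evil.example.org, not the
    payroll site) and unbrackets IPv6 literals. A trailing dot is the same FQDN."""
    try:
        host = urlsplit(url).hostname
    except ValueError:                      # malformed URL (e.g. unbalanced IPv6 brackets)
        return None
    if not host:
        return None
    return host.rstrip(".")


def is_allowed(url: str) -> bool:
    """True only when both the scheme and the normalized host are on the list."""
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return False
    if scheme not in ALLOWED_SCHEMES:
        return False
    host = normalized_host(url)
    if host is None:
        return False
    try:                                    # raw IP addresses sidestep a name-based list; refuse them
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if host in ALLOWED_HOSTS:               # exact match: payroll.example.com.evil.example.org is not it
        return True
    # suffix match only on a label boundary, so 'notexample.net' does not match 'example.net'
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


if __name__ == "__main__":
    for u in ("https://payroll.example.com/login",
              "https://payroll.example.com@evil.example.org/",
              "https://payroll.example.com.evil.example.org/"):
        print(is_allowed(u), u)
```

Two decisions in there deserve a word. Refusing raw IP addresses closes the simplest bypass of a name-based list. Keeping exact hosts and suffix-matched domains in separate sets lets you allow one specific SaaS login page without also allowing every other subdomain of that provider, which is where user-uploaded content often lives.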
4. Data Loss Prevention
DLP tools help in preventing sensitive information from leaving your organization.
5. Smart Anti Virus (EDR)
EDR (endpoint detection and response) is the next generation of anti-virus: instead of only matching known malware signatures, it records what happens on each endpoint (processes, network connections, file changes) so that suspicious behaviour can be detected, investigated, and contained remotely.
Incident Response Planning & Additional Resources
Did Grandma ever tell you that you should set some money aside in case it “rains”?
When it comes to cybersecurity, it sometimes “rains.”
Businesses have security incidents daily.
What really determines the impact of a security incident at your organization is how prepared you are to handle them.
Let’s talk about incident response plans:
No matter how hard you work to secure your organization or how vigilant your employees are, your company is likely to face a cyber incident at some point.
How your company survives can depend on how well you have planned your response to the incident — your incident response plan.
An incident response plan is basically a plan for what to do if your business is breached.
How you choose to respond to each incident will depend on what happens.
If all of your computers are locked up by ransomware, for example, you may have different options to choose from if you have a backup in place vs if you didn’t.
If your customers’ credit card details are stolen, your incident response plan will guide you regarding who to notify and actions necessary to resolve the breach.
To speed recovery even more, it helps to have prepared flowcharts and contact lists (your MSSP, insurer, lawyer, bank, and the people who can take systems offline) printed and stored somewhere you can reach when the network is down.
In the end, it is important that you have a conversation about these things before an emergency arises.
Ever heard the saying “an ounce of prevention is worth a pound of cure”?
Definitely the case here.
Create and rehearse your incident response plan now; you never know when you will need to use it.
Cybersecurity for Small Business References
The U.S. NIST Small Business Cybersecurity Act was signed into law in August 2018.
It provides cybersecurity resources to SMBs to help them protect themselves against cyber attacks.
UK Cyber Essentials
Cyber Essentials is a UK government-backed certification scheme that sets a baseline of five technical controls (firewalls, secure configuration, user access control, malware protection, and patch management) that map closely to the basic controls above.
The CIS Controls from the Center for Internet Security (20 controls in version 7; later versions consolidate them to 18) are a great framework for any organization looking to improve its security posture.
The controls are divided into three Implementation Groups based on an organization’s size and security maturity; IG1 is the baseline aimed at small businesses.
Now It’s Your Turn
So that’s how we create an organized plan for cybersecurity for small businesses.
Now I want to turn it over to you: Which of the controls from today’s guide are you going to implement first?
Or do you have a recommendation for a tool that we overlooked?
Let me know by leaving a quick comment below right now.