How to Protect Your Small Business from Cybercrime
As cybercriminals become more advanced in their methods and technology, it is more important than ever to take measures against cyberattacks. Even if your business operates mostly offline, your email accounts and bank accounts are still at risk. Fortunately, there are several steps you can take right now to better protect your small business from cybercrime.
Company-Wide Security Awareness
Every employee in your company should be aware of the risks of cybercrime. Ensure company-wide awareness and education by implementing cybersecurity awareness programs. You can organize a luncheon or virtual webinar with a presentation on cybercrime and how it affects your company. Cybersecurity training should occur at least once a year or as frequently as once a quarter. Decide what kind of training program makes the most sense depending on your company size and structure.
The month of October is a great time to focus on cybersecurity because it is National Cybersecurity Awareness Month. During the month, there are events and resources available for small businesses to educate their employees. The Small Business Administration (SBA) provides numerous free resources on cybersecurity, and you can find free tools for improving your business’ security on the SBA website.
Alongside awareness programs, you should do a periodic review of your business’ cybersecurity measures or engage a qualified third party to assist you. Understanding the strengths and weaknesses of your business’ security will make preventing cyberattacks easier. You should regularly (e.g., quarterly) review the security of any network or platform where sensitive information is stored. Employee data, client data, and financial accounts are all types of data that hackers target.
Keep Work and Personal Separate
While it’s common for small businesses to have some overlap between personal and work activities, it presents serious security risks for both you and your business. If you handle both personal matters and business matters with one email, fraudsters don’t have to work as hard to access both. In the unfortunate event that your business account is compromised, you don’t want hackers to have access to your personal data as well—and vice versa. Maintaining strict separation between personal emails and business emails is a good practice to ensure that both are more secure.
Additionally, every account you use for business should have sufficient login security. Be sure to enable MFA (multifactor authentication) or 2FA (two-factor authentication) on every account, especially email and financial accounts. When you set up a verification method, it’s wise to use a different email than the main email you use for business. Verifying with an authentication app or a text to your phone is even better than verifying with an email.
Cybercriminals stay updated on cybersecurity practices, so they know to target accounts that receive verification codes. Adding a verification step to your account is a great way to stay one step ahead of the threat. If you use your phone for verifying any of your accounts, you can strengthen your phone security as well. Call your telephone carrier and add MFA to your account. If a hacker tries to impersonate you with the telephone carrier in order to redirect your phone calls and text messages to their device, they will be stopped by another wall of verification.
Store Sensitive Information Securely
One of the primary objectives for hackers is to steal your data and use it against you or for financial gain. Financial information, client data, and employee data should all be stored in a secure place. If your files are stored in a shared location or cloud storage service, access should be restricted to only those individuals who need it. You should name folders based on who should be accessing them (e.g., Public, Private, Internal Only). When sharing access with a client or vendor, make sure to share only relevant files rather than entire folders. You can also create a folder specific to the client’s project so they can only view documents within that folder.
Many file sharing services have the option to set permissions. Permissions should be given selectively, and not all permissions should be indefinite. After closing a project or deal with a third party, permissions should be reviewed and revoked, if appropriate. You should review access and permissions for all company folders at least once a quarter. Some file sharing services automatically review permissions for you, but putting a recurring “Review Access and Permissions” event on the company calendar works great too.
When you send files via email, the message will sit in the receiver’s inbox forever (unless they delete it). This can pose a security risk one year, two years, or even 10 years down the road. If a hacker ever gets access to their email account, they will gain access to any files you have sent over the years. When sharing sensitive data via email, take advantage of the secure email option. A secure email will self-delete after a period of time.
Setting a Secure Password
A password is the first line of defense between your data and cybercriminals. Never use personal information in your password like a birthday, name, or address. Avoid obvious passwords, such as “abcd1234” or “password2022”. You want a password that is complex but easy to remember. A good rule of thumb is to create a password with an uppercase character, a lowercase character, a number, and a special character. You probably already knew that since most websites require it. But did you know that a longer password is more secure than a shorter, complex password?
Today, password-cracking software can easily guess an 8-character password. But the longer the password, the more possible combinations there are and the longer it will take to crack. The most complex 8-character password can be cracked in under an hour. But a complex 12-character password? That can take thousands of years to crack!
You are better off setting up a password that is lengthy but easy to remember. It is still a good idea to have numbers and characters mixed in. But your password doesn’t have to look like you smashed your keyboard to be secure. For instance, it can be a combination of three random words (e.g. RedBuffaloBank#1). A longer password does not need to be changed as often, especially when it is protected with MFA. If you suspect your password has been stolen or compromised, it’s time to change it.
Update Browsers and Anti-Malware Software
If your anti-malware software doesn’t automatically update, check for software updates regularly and install them. The software will be most effective at detecting and defending against cyberattacks if it is current and updated. On that note, you should also update your internet browsers. Why? The internet is where you’re most likely to encounter scams, phishing attempts, and malware. Visiting harmful websites or downloading viruses can compromise your computer and network. If your browser is up to date, it can detect potentially dangerous websites or downloads and warn you before you take further action.
The More Layers, The Better
There are many actions you can take to strengthen your business’ defenses against cybercrime. Don’t rely solely on anti-malware software to protect your data. The more layers of security you have in place, the less likely you are to experience a breach. Your ultimate goal is to be time-consuming and costly for cybercriminals to target. Hackers would prefer to pursue easier targets and face less risk for their reward.
You can start improving your cyber defenses today by implementing multifactor authentication, updating software and browsers, creating longer, memorable passwords, and most importantly, increasing awareness of cybersecurity risks throughout your company. To learn more about how to protect your small business from cybercrime, visit our Fraud Resource Center.