CyberSecurity & Small Business: Best Practices

24 Mar 2024

Cybersecurity in small organisations can be a headache if you don’t follow best practices. 

If you aren’t a medium member, you can read with no paywall via substack

Over the last few years we've seen a steady rise in data breaches and hacks, many of which have affected small businesses. Security through obscurity, while it may have passed for a defence in the early days of the internet, is no policy to rely on in today's world. 

While large organisations and corporations typically have sizeable IT departments with dedicated cybersecurity staff, small businesses and not-for-profit groups usually have far fewer resources to spend on such things. Because of this, the policies and strategies these different kinds of groups use vary widely.

However, if we're a smaller organisation, we can offset some of this risk by using industry best practices to structure the role cybersecurity policy plays within the business. In this article we'll explore five of these practices and discuss how implementing them in the workplace can improve your security posture quickly and easily. 

Basic security policies can be developed in-house if there's no budget for a specialist. 


Risk Assessment

You can't defend against a threat you don't know about or don't understand. One of the best ways to find out is a risk assessment: look at what you have, what could happen to it, and how the results would affect the way you do business. This includes how you manage sensitive data, what your threat profile or risk level looks like, and how you share and disseminate data within the organisation. Start with an inventory, since you can't assess risk to systems and data you don't know you have. You won't have to go overboard at this stage, but knowing the main risks you'll face lets you develop strategies for mitigating them. 


Staff Awareness

One of the biggest risks any organisation faces is social engineering. These attacks are particularly damaging because they use an unwitting insider to assist in the breach. Human factors in cybersecurity are a broad topic, but there are some simple steps that mitigate this risk somewhat. Restrictions on non-official hardware help, as does educating employees about phishing-based attacks. Make it easy and blame-free for staff to report a suspicious email or a click they regret: a report five minutes after the click is worth far more than one that never comes. Like many other things in life, attitude is everything, so ensuring your employees have a good attitude and awareness towards security can lower your overall threat level. 


Secure Infrastructure

Often, the real damage in a cyber attack isn't done in the initial stages. It's done during the lateral movement phase, where threat actors pivot from their first foothold to other systems on the network. Because of this, rather than a single compromised machine, lateral movement usually means the compromise of multiple machines or user accounts. 
One of the simplest steps organisations can take to slow this down is good practice around securing the infrastructure that powers the business. This means no default or shared admin passwords on machines, routers or other devices, good habits around administrator credentials (separate admin and day-to-day accounts, and MFA wherever the device supports it), and clear policies for creating user accounts and removing them promptly when staff leave. It won't eliminate the risk of lateral movement, but it will delay an attacker's ability to move through your network. 
Antivirus software is also a good option for any company assets. While it won't solve all your problems, scanning and alerting can be automated, making it easier to detect and quarantine threats when they occur.

Securing infrastructure covers everything. Cameras, routers and machines should all be secured with good, unique passwords. 


Data Protection

One of the biggest gaps in smaller businesses' security posture is data protection at every stage: in transit, at rest and in backups. While this is typically a multifaceted effort, it can significantly upgrade your ability to protect important commercial data. 

The proliferation of end-to-end encryption has done wonders for securing data, and it can be applied to everything from instant messaging right through to voice and email communications. 

While typical businesses may not require that level of security, many small organisations provide services to industries like defence and manufacturing and can benefit from such an upgrade. Proprietary software or solutions aren't always the better option in this instance. 

Lastly, the good old backup of sensitive data is also a great process to implement. Should you need to apply incident response strategies, it'll be far easier to recover your position. In the era of automation there's no excuse for not having sensitive data backed up regularly. Two caveats: a backup you have never restored is a hope, not a backup, so test the restore; and keep at least one copy offline or somewhere the credentials of a compromised host can't delete it, because ransomware operators routinely destroy every backup they can reach before they encrypt anything. 
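As an added example (this script is not from the original article), here is a minimal automated backup routine in POSIX shell that goes a step beyond "back it up regularly": it creates a dated archive, records a SHA-256 checksum, proves the archive restores by comparing a test restore against the live tree, and prunes old copies. The directory layout, the function names and the sample customer file used in the self-test are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: a small backup routine that
# covers the two things small-business backup jobs most often skip, namely
# verifying the archive actually restores and keeping a checksum so a
# corrupted or tampered copy is noticed before the day it is needed.
# Assumptions: POSIX sh with tar, sha256sum, diff and mktemp on PATH; all
# directory names and the sample files in backup_selftest are constructed.
set -eu

# backup_create SRC DEST : archive SRC into DEST, write a .sha256 sidecar
# next to it, and print the archive path.
backup_create() {
    bc_src="$1"; bc_dest="$2"
    mkdir -p "$bc_dest"
    bc_stamp=$(date -u +%Y%m%dT%H%M%SZ)
    bc_n=0
    # Counter suffix keeps names unique when two runs land in one second.
    while [ -e "$bc_dest/backup-$bc_stamp-$bc_n.tar.gz" ]; do bc_n=$((bc_n + 1)); done
    bc_archive="$bc_dest/backup-$bc_stamp-$bc_n.tar.gz"
    # -C SRC . stores paths relative to SRC, so the archive restores anywhere.
    tar -czf "$bc_archive" -C "$bc_src" .
    # Sidecar holds the hash of the archive; sha256sum -c recomputes it later.
    (cd "$bc_dest" && sha256sum "$(basename "$bc_archive")" > "$(basename "$bc_archive").sha256")
    printf '%s\n' "$bc_archive"
}

# backup_verify ARCHIVE SRC : return 0 only if the checksum matches AND a
# test restore into a scratch directory is identical to SRC.
backup_verify() {
    bv_archive="$1"; bv_src="$2"
    bv_dir=$(dirname "$bv_archive"); bv_name=$(basename "$bv_archive")
    (cd "$bv_dir" && sha256sum -c "$bv_name.sha256" >/dev/null 2>&1) || return 1
    bv_tmp=$(mktemp -d)
    tar -xzf "$bv_archive" -C "$bv_tmp" || { rm -rf "$bv_tmp"; return 1; }
    # diff -r exits non-zero on any differing, missing or extra file.
    if diff -r "$bv_src" "$bv_tmp" >/dev/null 2>&1; then bv_rc=0; else bv_rc=1; fi
    rm -rf "$bv_tmp"
    return "$bv_rc"
}

# backup_count DEST : number of archives currently retained in DEST.
backup_count() {
    ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# backup_prune DEST KEEP : delete all but the KEEP newest archives and their
# sidecars. This limits disk use, not attacker reach: a compromised host can
# delete these too, which is why one copy must live off-box.
backup_prune() {
    bp_dest="$1"; bp_keep="$2"
    ls -1t "$bp_dest"/backup-*.tar.gz 2>/dev/null | tail -n +"$((bp_keep + 1))" |
    while read -r bp_old; do
        rm -f "$bp_old" "$bp_old.sha256"
    done
}

# backup_selftest : end-to-end check on constructed sample data. Returns 0
# when create, verify, tamper detection and prune all behave as expected.
backup_selftest() {
    st_work=$(mktemp -d)
    mkdir -p "$st_work/src/config"
    # Constructed sample records standing in for real business data.
    printf 'customer,email\nalice,alice@example.com\n' > "$st_work/src/customers.csv"
    printf 'smtp_password=example-only\n' > "$st_work/src/config/.env"
    st_rc=0
    st_archive=$(backup_create "$st_work/src" "$st_work/backups")
    backup_verify "$st_archive" "$st_work/src" || st_rc=1
    # A backup taken before a change must no longer match the live tree...
    printf 'bob,bob@example.com\n' >> "$st_work/src/customers.csv"
    if backup_verify "$st_archive" "$st_work/src"; then st_rc=1; fi
    # ...and an extra byte appended to the archive must fail the checksum.
    printf 'x' >> "$st_archive"
    if backup_verify "$st_archive" "$st_work/src"; then st_rc=1; fi
    backup_create "$st_work/src" "$st_work/backups" >/dev/null
    backup_create "$st_work/src" "$st_work/backups" >/dev/null
    backup_prune "$st_work/backups" 2
    [ "$(backup_count "$st_work/backups")" -eq 2 ] || st_rc=1
    rm -rf "$st_work"
    return "$st_rc"
}

if backup_selftest; then
    echo "backup self-test passed"
else
    echo "backup self-test FAILED" >&2
    exit 1
fi
```

Run backup_create from cron against the real source directory, then copy the archive and its .sha256 sidecar somewhere a compromised workstation can't reach. The verify step is the part most backup jobs skip and the one that matters on the day you need it.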


Incident Response & Management

One of the last proactive steps to take, incident response can be as simple as knowing exactly who you'll call in an emergency and at what point you'll call them. Alternatively, if you provide critical services, it could be as detailed as having backup plans and a person or department on staff to manage and implement them. Either way, write it down and keep a copy somewhere you can still reach when your own systems are the thing that's down. 

Having this plan ready to go prior to any significant event allows you to implement it in a timely fashion, increasing your ability to minimize the effect a cyber attack or data breach may have.

It’s good to remember that when employees punch their cards and leave the office at 5 pm, any internet-facing infrastructure you have is open for attack 24/7, and response strategies should factor this into their plan. It’s also important to remember that while we can overcomplicate these things, often simple is best. Therefore, having a simple plan is better than having no plan at all. 

Final Words

While the development of effective cybersecurity policies should ideally be coordinated by industry professionals, there are steps you can take if that isn't an option for your circumstances. 
While it's impossible to defend against every threat, improving your security posture can often be done through changes in attitude and company culture rather than by spending large amounts of money. 

Despite the proliferation of AI-based systems and threats, social engineering attacks will remain relevant long into the future. Because of this, policies that address the users as well as the hardware will work better than policies that focus on hardware alone. 
Think we missed anything? Give us your thoughts on cybersecurity practices in small businesses by leaving a comment and telling us all about it. 

Enjoy this blog? Subscribe to Investigator515