The Essentiality of Cybersecurity for Small Businesses: Applying Zero Trust Principles

Author: Ramona Ratiu, MS, CISM, CISA, Cyber Security Sr. Manager, Zurich Insurance, and Past President of ISACA Chicago Chapter
Date Published: 5 December 2023

Cybersecurity isn’t exclusive to tech companies—it’s essential for every business. The misconception that cybersecurity matters only to big corporations handling large volumes of sensitive data has long been dispelled: businesses of all sizes and industries are potential targets of cyberattacks.

The Verizon DBIR report is cited for the findings that 43% of all cyberattacks target small businesses and that 60% of those businesses close within six months of the attack. It also puts the cost of a single cybersecurity incident to an SMB anywhere between $826 and $653,587, with a further 15% increase expected over the next two years.

It is clear that small businesses cannot afford to ignore the current threat landscape. Ensuring due diligence has become crucial as organizations are likely to be attacked at some point, making it a matter of not if but when.

Zero trust is not limited to large organizations; small businesses can leverage its principles to fortify their defenses and mitigate cybersecurity risks effectively.

Applying zero trust principles to a smaller business involves defining the business strategy (what we want to get done) and prioritizing the tactics (how we are going to do it) based on available resources. Keep people, process and technology in mind, and don’t overcomplicate things.

Define the protect surface: First, and most important, get a clear understanding of the organization’s assets and their business value (determined by each asset’s sensitivity and criticality to the business). Then identify the threats and vulnerabilities to those assets and conduct a risk assessment; this is the foundation of your cyber resilience strategy.

Define policies and invest in security awareness training: Check your regulatory and compliance requirements, define internal policies and invest in security awareness training. According to the Verizon DBIR, employees of small businesses experience 350% more social engineering attacks than those at larger enterprises. Social engineering doesn’t rely on a weakness in a computer; it relies on human kindness and helpfulness. A con artist who is trying to trick people into giving up something valuable (e.g., confirming that your manager is out of the office, or naming one of your clients) takes advantage of exactly that.

Ensure you have well-defined policies in place and have trained your employees to follow your organization’s policies and procedures. They are the first line of defense against cyberthreats. Make sure they are trained in cybersecurity best practices and understand their role in identifying and reporting suspicious activity. Familiarize yourself with the common cyberthreats: phishing, business email compromise (BEC), malware, insider threats and password attacks.

Define business cases, standardize processes and invest in defensive technologies: The difference between larger and smaller organizations is mainly the complexity of the environment and resource availability. A few best practices to consider:

  • Enable MFA (multi-factor authentication)—Layer your security measures to make unauthorized access a challenging feat. MFA requires users to present two or more factors from different categories (something you know, such as a password; something you have, such as a physical or mobile-app one-time password token; something you are, such as a biometric) before accessing a system or application. Not all second factors are equal: codes delivered by SMS, email or voice call can be intercepted or phished far more easily than app-based or hardware tokens, so prefer the latter where the service supports them.
  • RBAC (role-based access control)—Limit access to sensitive data and ensure each role has a level of access commensurate with its duties. If you don’t need the information to do your job, you should not have access to it. An absolute must is knowing who and what (users, devices and software) have permission to access the organization’s digital environment. Restrict access to resources on a need-to-know basis, and review those permissions when people change roles or leave.
  • Updated software and systems—Cybercriminals are constantly looking for vulnerabilities in software and systems to exploit. Keep all software and systems up to date with the latest patches and updates to reduce the risks. This is the equivalent of locking the doors when you leave the house—by the way, make sure you check the windows, too.
  • Network security—Properly securing your network is crucial since it serves as the backbone of your IT infrastructure. This involves firewalls, a VPN for remote workers and network segmentation to limit how far a successful attack can spread.
  • Endpoint protection platforms—Ensure every device is defended with anti-malware and anti-phishing tools.
  • Backup solutions—Essential files should be backed up offsite or in the cloud to protect against data loss from cyberattacks, natural disasters or hardware failure. Keep at least one copy offline or otherwise immutable so that ransomware reaching your network cannot encrypt or delete it, and test a full restoration at least annually; a backup that has never been restored is an assumption, not a control.
  • Incident response plan—Document how your team responds to incidents, who is involved and their roles and responsibilities (a RACI chart works well), then train employees on the plan and test it regularly, for example with a tabletop exercise.

Transparency and communication across departments: Ensure non-technical teams understand why good cyber hygiene matters and follow security best practices.

Monitor and maintain: Zero trust is both a way of thinking about security and a continuous journey. Monitoring, maintaining and improving your security posture is a must; controls that are configured once and never reviewed drift out of step with the business they protect.

Consider cyber insurance: For an additional layer of protection, it is advisable to consider obtaining a monoline cyber insurance policy that offers coverage for various cyber risks, attacks and more.

Implementing robust cybersecurity measures is crucial for small businesses to protect their assets, maintain customer trust and ensure business continuity. By adopting the principles of zero trust and following best practices, small businesses can effectively mitigate cybersecurity risks and safeguard their operations.
