Each year, cybersecurity threats increase and the risks get bigger and bigger for small and medium-sized businesses. We’ve seen a constant increase in the costs associated with cybercrime year after year, and it’s mostly small businesses that quietly pay the price.
Unfortunately, there is a persistent misconception about cybersecurity: that comprehensive protections are a luxury only larger companies can budget for. This just isn’t the case, and it’s dangerous for business owners to think this way.
Cybersecurity isn’t easy, and it does cost money to implement and maintain, but it is absolutely feasible for a small business to maintain even if budgets are restrictive. In fact, it’s probably more critical for businesses that don’t have a lot of wiggle room when it comes to their IT budget, as a lack of good cybersecurity protection almost guarantees unexpected expenses.
This guide will go through a lot of elements that decision-makers need to be thinking about when formulating a cybersecurity plan.
Let’s Look at the Threat Landscape
Gone are the days when businesses could get by just installing and maintaining antivirus across every endpoint. While viruses and malware haven’t gone away, cybercriminals have realized that the best targets are at least somewhat protected from the basics. This means the criminals are employing other tactics to get in and cause harm.
Before we address that, let’s talk about the motivations behind cybercrime.
Cybercrime is a Business
There’s a long-running misconception that cybercriminals look like the Hollywood portrayal of hackers. Movies and television portray them as pale, basement-dwelling outsiders who tap away on a keyboard all night long. In reality, most cybercriminals treat their trade just like a business. In many cases, it is a business, with a staff of scam artists trying to meet quotas, and leadership constantly homing in on tactics based on what works and what doesn’t.
Modern cybercrime is almost completely motivated by monetary gain, and business data tends to have a value associated with it. Stolen contacts, emails, and personal information add up over time, and if the criminals can extort you just to put things back to normal, it’s icing on the cake.
Not All Cybersecurity Attacks are Especially Technical
With more and more businesses ensuring that their basic cybersecurity needs are covered (by using centralized antivirus, malware protection, firewalls, and other security solutions), cybercriminals are using other tactics to gain access to your network.
That includes social engineering and other low-tech scams carried out over the phone, by email, through instant messaging or social media, and by similar non-technical means.
At the end of the day, cybersecurity isn’t just about throwing money at the problem; it’s about spreading awareness and training your people to be vigilant when it comes to identifying and avoiding potential threats.
The Ultimate Small Business Cybersecurity Checklist
1. Establish the Basics
At the risk of being vague here, the basics are the traditional cybersecurity solutions that businesses have needed over the last several years. That’s going to be things like antivirus, anti-malware, and ensuring that your hardware and software are properly supported and being maintained.
The basics will vary a little depending on your business, its infrastructure, and what level of compliance you need to meet, but at the end of the day, it’s about protecting your basic endpoints with automated security, and ensuring that the solutions you rely on aren’t themselves going to put you at risk.
Antivirus Protection
There is a world of difference between the free and consumer-grade antivirus out there and the centralized, business-oriented antivirus that would protect your data. Consumer-grade antivirus solutions are usually great for just that, but when it comes to protecting your network and all of the endpoints on it, they will absolutely fall flat.
Business-grade antivirus is centrally managed, meaning it can be deployed and managed virtually, and it can’t be tampered with or disabled by the typical user. On a network with dozens of PCs, all of the devices need to have protection, or the weakest link could become vulnerable and allow a threat to spread across the network.
It’s also important that the antivirus is monitored. Centralized antivirus will have logs and alerts for an administrator or IT professional so they can catch when there is a problem and deal with it.
Hardware and Software Support
Every single device on your network and every piece of software that you use has a potential expiration date. This is going to vary wildly from one vendor to another, but essentially a product starts to “expire” once it is no longer supported by the vendor. That doesn’t mean that the product stops working right away, but it can mean that the product no longer receives security updates, which can spell trouble.
For instance, on October 14, 2025, Windows 10 will reach its end of life. This means that Microsoft will no longer be providing security updates to laptops and workstations running Windows 10, and in short order, these systems will start to become liabilities.
This same principle applies to network hardware like routers and switches, hardware firewalls, and access points, as well as software like your line of business applications. Software is particularly important because it tends to store critical company information, and that data could be valuable to cybercriminals. If your business has to use legacy software or hardware, special precautions need to be taken to ensure that they are segmented from the rest of the network or that data is particularly hardened to prevent risk.
2. Patch Management and Maintenance
This is a good segue into the next big pillar of cybersecurity. As long as the hardware and software you use is supported, you can typically entrust your vendors to provide security updates and patches to avoid certain vulnerabilities. The catch is that someone needs to ensure that these security updates are being caught, tested, and applied.
This isn’t anything new; Microsoft has been releasing critical patches for Windows for decades, but it is something that needs to happen regularly within your organization. If your business partners with a managed IT provider like CoreTech, this should be happening under your agreement.
If your business doesn’t have someone handling your IT maintenance, give us a call at (270) 282-4926 to get that spun up.
3. Data Protection
Your data is the biggest target for cybercriminals, and losing your data could result in major issues for your business. Fortunately, there are a few simple ways to protect your data.
Encryption
Encryption is the act of scrambling information at the base level. Think of those secret decoder rings that used to come in cereal boxes that would let you decode messages, except much more complex.
When a device is encrypted, it requires you to enter a decryption key or password before you even log in. Don’t confuse this with the typical Windows login; this is an entire layer before that. Essentially, your computer will ask you to log in with two passwords.
This is a pretty minor inconvenience with a major payoff, because it renders all of the data on the device inaccessible unless the first password is entered correctly. Even if the device is stolen and taken apart, the data stays encrypted and can’t be read.
This isn’t something that actively costs time or money either; it just needs to be implemented. This is going to be the theme for a lot of the cybersecurity methods in this guide: modern cybersecurity is about establishing good practices and better habits while ensuring that the bases are covered.
Data can also be encrypted before being sent. If your staff needs to share sensitive information, email isn’t inherently secure enough to do so safely. Using email encryption when sending sensitive information will add an extra layer of protection while transmitting data.
The Principle of Least Privilege
If everyone in the organization has access to every single piece of information on the network, it means cybercriminals have a much broader range of targets for accessing your data. Locking down users so they only have access to the directories and files they need goes a long way in preventing the spread of a problem across your entire network.
This means minimizing the number of accounts with administrative permissions, setting up access controls, and applying network policies to control who can see and do what across the network.
Just like encryption, this is something that needs to be implemented and maintained, as opposed to an expensive solution that requires a lot of capital.
4. Data Backup
While this technically falls under data protection, it’s important enough to list out as its own category. If your business doesn’t have a solid data backup solution, it’s operating on borrowed time.
Hard drives can fail. Even redundant RAID array setups in modern servers can fail. The cloud is just someone else’s computer, and the cloud can fail. Your data needs to be redundant, and you need to control it.
Your data should be encrypted and stored in multiple locations. One of those locations can certainly be a trusted cloud storage provider, but you should have access to your data at all times and you should review and understand what the host is doing to protect your data.
Depending on your industry, you may also need to comply with data retention policies that might include deleting information from backups, so that needs to be understood and adhered to as well.
5. Account Hardening
A portion of your cybersecurity will rely on your end-users, but you can strengthen this with policies and education (more on this shortly). The big takeaway here is that everyone in your organization needs to adhere to strong security best practices when it comes to managing accounts that have access to sensitive information.
Enforce Strong Passwords
Weak passwords, especially passwords that are reused across multiple accounts, are one of the biggest ways cybercriminals gain access to sensitive information. Using the same password across multiple accounts puts all your other accounts at risk: once they have access to one, they have access to them all.
Cybercriminals gain access to passwords from data leaks and hacks all the time. If Netflix (for example) gets hacked, a hacker could walk away with the usernames and passwords for millions of users and post them on the dark web for other criminals to access. It’s pretty easy to scour through that list and automatically try those usernames and passwords with other services such as PayPal, banks, social media, emails, and other critical accounts. This can all happen for months before Netflix (or whoever gets hacked) even becomes aware of it and announces it to the public.
All passwords need to be unique, complex, and carefully stored so they can’t be stolen or shared. We highly recommend establishing a centralized password manager for all of your employees.
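As an added illustration of the password reuse problem described above (example code written for this guide, not a CoreTech tool), the detection logic below scans a constructed authentication log for one source address trying many different accounts in a short window, which is the fingerprint of a leaked username/password list being replayed against your services. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (timestamp, source IP, account, result).
SAMPLE_LOG = """\
2025-03-01T09:00:01 203.0.113.7 alice@example.com FAIL
2025-03-01T09:00:02 203.0.113.7 bob@example.com FAIL
2025-03-01T09:00:02 203.0.113.7 carol@example.com FAIL
2025-03-01T09:00:03 203.0.113.7 dave@example.com SUCCESS
2025-03-01T09:00:04 203.0.113.7 erin@example.com FAIL
2025-03-01T09:00:05 203.0.113.7 frank@example.com FAIL
2025-03-01T09:01:10 198.51.100.4 alice@example.com FAIL
2025-03-01T09:01:30 198.51.100.4 alice@example.com SUCCESS
2025-03-01T09:20:00 192.0.2.9 grace@example.com FAIL
2025-03-01T09:20:01 192.0.2.9 heidi@example.com FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")  # made-up format; adapt to your logs


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct accounts within `window`.
    A user mistyping their own password fails on ONE account; a replayed leak hits MANY."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and len(users) > alerts.get(ip, {}).get("accounts_tried", 0):
                alerts[ip] = {"accounts_tried": len(users),
                              "accounts_compromised": sorted(u for _, u, r in span if r == "SUCCESS")}
    return alerts
```

The accounts listed under "accounts_compromised" are the ones whose reused password worked, so they need a forced reset and a review, not just a block on the source address.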
2FA / Multi-Factor Authentication
Known as 2FA or MFA, this is the process of entering a short, one-time code (usually from an app on your phone) in addition to your password to gain access to something. This simple step adds a strong protective layer to any account it is active for. It’s generally easy to set up, and we can help simplify the storage and access to 2FA codes by implementing a standardized 2FA app across your user base.
6. Staff Education
One of the biggest cybersecurity trends of the last few years is that users have become the easiest target in an organization’s defenses. A company with the right solutions in place might be locked down fairly well, to the point where the end users are the weak point in the armor.
A lot of cyberattacks start out with a social engineering attack, such as phishing emails or text-message (SMS) scams. There are even attacks that use traditional phone calls or in-person meetings. It’s critical that employees are trained to spot the signs of these attacks, and to handle them professionally.
That means building a culture of cybersecurity, eliminating the stigma of being a victim of a cybersecurity attack, and encouraging (and even requiring) staff to report anything suspicious they see.
Don’t Let Your Business Become Another Statistic
More and more small businesses are suffering from cyberthreats, but the best defense isn’t out of reach. We work with businesses to help them thrive in an increasingly turbulent environment. Getting started is simple—just give us a call at (270) 282-4926 and we’d be happy to discuss your business and your needs.