It does not matter if you are small or big; hackers do not discriminate. While larger companies have a legal team and big pockets to recover from breaches, smaller companies suffer the most. According to the Ponemon Institute, the average price for small businesses to clean up after their businesses have been hacked stands at $690,000.
Worried?
We talked to the experts in the industry to help you with the top cybersecurity tips for startups and small businesses.
1. Manage Risk Ratios
“Small businesses and startups have unique challenges from security budgets to risk. Any solution licensed by these organizations should follow the Three Pillars of the security model. That is, any technology should protect a user’s identity, the asset, and any runtime privileges.”
Morey Haber, CTO, BeyondTrust
2. Opt for Better Solutions
“There is no excuse for SMBs to not integrate a dependable cybersecurity solution. One of the first steps we would encourage that small businesses should work with managed service providers (MSPs). These MSPs can help offload some of the complexities when trying to integrate a cybersecurity solution. Working with an MSP will help the void that SMBs have when it comes to limited skilled manpower and technologies.
The cybersecurity industry is on a mission to provide strong cybersecurity solutions for SMBs. This type of solution must be very simple to operate and simple to manage. At Check Point, for example, we now have fine-tuned cybersecurity solutions such as Sandblast that is made for SMBs. We designed the technology in a way that it will be simple to operate. We strive to provide the most advanced cybersecurity solutions that is simple to manage. Sometimes, it’s a simple as a push of a button to apply the most advanced capabilities.”
Some helpful statistics:
81 percent of SMBs do not have a dedicated IT person (Check Point Research)
85 percent of SMBs do not have a dedicated security person (Check Point Research)
71 percent of attacks on an SMB resulted in a confirmed breach (Verizon DBIR 2016)
Hacks can cost a small business an average of$32,000 (National Small Business Association, 2016)”
Gabi Reish, VP, Product Management and Product Marketing, Check Point
3. Employee Training is Mandatory
“To get the most out of a small security budget, consider dedicating a significant portion to employee training. There is no shortage of open-source solutions that do an excellent job; the trick is to have a well-educated, proficient, motivated team that has the ability to architect solutions and implement them to 100%.”
Serge Borso, Adjunct Instructor at SecureSet, a Denver-based immersive, accelerated cybersecurity academy
4. Engage in Security Conversations
“With shoestring budgets, IT and information security teams at SMBs should invest in finding the best solutions, embracing cloud services that can deliver what internal systems cannot. They should provide the organization with expert advice, discussing the benefits and risk of using cloud services. Together with the business, IT, information security and information risk management teams can work together to ensure adequate safeguards are in place. Such a proactive approach will make it less likely that unmanaged initiatives will bypass processes and defenses.”
Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management
5. Scan, Protect, & Track
“Small businesses using apps should protect themselves by:
Scan – diagnose your apps to see any vulnerabilities
Protect – apply binary protection in minutes using software like AppSolid
Track – monitor your app’s security status in real time
With a web portal, you should implement AI Penetration Testing allowing a small business to easily be able to inputURLs of your web APIs or applications, and verify ownership, conduct pen testing and download security reports.”
Min Pyo Hong, CEO and founder of SEWORKS
6. Follow Security Baselines for Every Product
“Ensure that all the applications and network devices are configured and used as per security baseline of that product vendor. For hackers, security baseline of a product is holy grail that opens the secret data doors.”
Kashif Abid – Head of Compliance and Security, Kualitatem Inc.
7. Get Serious About DDoS
“DDoSing is an enormous threat to lots of small businesses. With no protection, you can become an easy target for hackers and blackmailers which can leave your website offline for days. Install CloudFlare to protect yourself from DDoS attacks and malicious bots, while boosting the speed of your website.”
Alexander Winston, Managing Director, PPC Protect
8. Work on Staff Training
“Small businesses without adequate budgets should focus their cyber security efforts on training their staff, as most cyber risk is rooted in human failure or human error. Also, right now cyber insurance is a good value for the money as it is still a relatively new insurance product.”
Noah Skillin, Chief Operating Officer and Founding Member of Risk Cooperative, Certified Risk Manager
9. Outsource When Needed
“Hiring outside firms to handle your Information Security is often the best option for a cash-strapped business. Many are turning to vCISO Managed Services that allow you to have a Chief Information Security Officer on call without the Salary and Benefit requirements that are often out of reach for such an employee.”
Dylan DiMartino, Founder & CEO, Dunwich Technologies
10. Opt for Insurance
“Purchase a small cyber insurance policy and make the most out of the resources the insurer provides. Most policies come with support services such as threat assessments, security software recommendations/discounts, and post-event recovery support that are invaluable.”
Matthew, Treadstone Risk Management, LLC
11. Get the Fundamentals Right
“Cyber Security can’t be an afterthought; one breach can bankrupt the company. Focus on the fundamentals:
* maintain an accurate inventory of all hardware, software, and data;
* patch hardware and software regularly;
* limit access to data to only those who need to know; and
* test internally-developed software for common programming mistakes.”
James Goepel, Vice President, General Counsel and Chief Technology Officer at ClearArmor Corporation
12. Deal with Phishing
“Give a five-minute talk on how to avoid phishing to everyone on the team. Every employee can fall prey to these scams and it just takes one slip up for hackers to get company credentials. A quick educational talk can save everyone a lot of pain.”
Richard Nehrboss, CEO, Shardix DB
13. More Phishing Tips
“Present your staff with information about being aware of security, and then come up with an email where you send them a link they want to click on. This is a process known as “phishing simulation.” If your staff members click on the links, provide them with educational information on how to avoid phishing.”
Robert Siciliano Identity Theft Expert with Hotspot Shield
14. CMS Update
“The single best tip is to always update your browser and if you are using a WordPress website then you should constantly be updating your plugins to avoid vulnerabilities. The other simple solution many ignore is updating and changing their passwords that are greater than 11 characters to avoid them being cracked.”
Rich from ProfileDefenders.com
15. Secure Cloud Apps
“Small businesses and startups – many of which rely on cloud-business applications (e.g. Office 365 & Dropbox) – can significantly mitigate cyber risk by implementing free and autonomous cloud security tools that ensure only trusted users using safe devices and networks can access cloud services, while maintaining control over data collaboration and compliance.”
Dror Liwer, Co-founder and Chief Information Security Officer (CISO) at CORONET
16. All-round Security
“To protect against disasters from internal mistakes and malicious attacks, cloud-based backup solutions are the ideal, cost-efficient solution. Users can have their important website and email data saved in an outside location. Then when incidents do occur, they can automatically restore their websites to a previous version and minimize downtime.”
(source: 48% of IT providers blame phishing emails for ransomware attacks, while 36% blame the lack of employee cybersecurity training within small businesses, according to Dynamic Business Technologies.)
David Moeller, CEO and co-founder at CodeGuard
17. Vulnerability Management
“The greatest consideration is value, in my opinion. Buying a vulnerability management solution can be expensive. Buying one that someone else manages and creates curated actions, has much greater value and allows for a smaller budget to derive the most value. Similarly, network monitoring doesn’t have to mean building out and staffing up a SOC. There are great vSOC options out there that also manage their products. This makes for a high value proposition in that products, practitioners, maintenance, implementation, etc… are all taken care of and only engaged when needed.”
Jason Kent, CTO at AsTech, a San Francisco-based security consulting company
18. Develop Security Policies
“Having sound cyber security policies can cost nothing but can save everything. Your policy should include keeping all software and applications up-to-date, limit employee access to sensitive information, educate employees on cybersecurity basics, practice good password management, and learn your network and the security implications of growing your attack surface.”
Brad Fuller, Director of Operations at HorneCyber
19. Two-Factor Authenticate EVERY Account You Use!
“Nowadays if you are using a service that doesn’t offer 2FA, you really should find a different service. The best way to be cyber secure on a budget is to make responsible decisions, and 2FA is an easy and cheap habit to get into.”
John Gerdes, CISSP, Principal Consultant, Castellum Security Risk Consulting
20. Beware of Ransomware
“Ransomware is the biggest concern right now because criminals are making money on it. The best defense is to do regular backups, have decent malware protection, and to educate employees on the danger of opening unrecognized email attachments. If you do get hit by ransomware, Microsoft has some tools and utilities that can help you recover.”
Carl Mazzanti, Vice President and Co-founder, eMazzanti Technologies
21. Quick Guide
“Most cyber security best practices do not cost anything! Small businesses and startups can do most of the following for free using the tools and technologies they already have:
1) Use two-factor authentication.
2) Use strong passwords.
3) Turn on automatic updates on all your software (Windows, Mac, Adobe, Web Browsers).
4) Think twice before you open links in emails you were not expecting to receive.”
Taylor Toce, CEO, Velo IT Group
22. The Old Backup Plan
“In the event of a malicious attack, a company should have systems in place to keep operational or at least backups where the company is not affected or very slightly affected. In the event of a total disruption of the business, it is too late to mitigate, and you will likely see dramatic costs to the business. Being proactive rather than reactive is the key.”
Braden Perry, Kennyhertz Perry LLC
23. Two Inexpensive Things to Layer on Top
Use Email Filtering with ATP (Advanced Threat Protection) -Email filtering scans inbound emails for potential threats found in both attachments and links and prevents any bad attachments from entering your network. (Most viruses enter a network from someone unwittingly opening an attachment with a virus embedded in it.) ATD means your system gets notified of a virus within an hour of being found on the internet to protect your network better. This service costs just $2/month per user.
Human Firewall – Your employees are your best line of defense against fileless attacks that go right through your spam filters and firewalls because there is nothing to block and your employees, especially executives, are your biggest vulnerability. Train them to look out for suspicious emails and requests, to lock server room doors, use passcodes on their smartphones and workstations, and to report things that look suspicious. We send our clients a monthly simulated phishing email to test them, measure their susceptibility, and to improve our training. These trainings can run $5-20 a user annually.
Stephen Tullos, Cybersecurity Team Leader at My ITRead on RiskMy
