Owning a small to medium size business (SMB) is the American dream.
Keeping a small to medium size business is the American challenge. A major challenge for SMBs is finding affordable cyber security solutions.
When it comes to making any business decision (marketing, sales, purchasing, what to outsource, what to keep in-house, etc.), SMBs need to measure risk vs reward.
Ask any small business owner, and their answer will likely be the same:
When it comes to cyber security, small business owners often find themselves between a rock (costs) and hard place (implementing and maintaining).
Here’s the best part: It doesn’t have to be hard!
As recent studies show, 62% of businesses are not prepared for a breach. At the same time, small businesses want the best “bang for their buck” on most of their investments, and the same holds true for cyber security.
Disclaimer: This is not a post focusing on what start-ups need, and because it’s 2022, our assumption is that most businesses already have a solid firewall, use a trusted anti-malware protection, and back up their data. We see those as “business needs” more so than “security needs.”
With that said, here are 5 affordable cyber security solutions every SMB needs, right now.
1. Security Awareness Training
Without question, general information and cyber security awareness training for employees is the best return on security investment a business can find. It is also one of the most affordable cyber security solutions out there.
Some will say a firewall is a business’ first line of defense, but what good is a firewall if Johnny Two Shoes clicks on a link and lets a bad guy walk through the front door?
People are the first, and if trained correctly, the strongest line of defense. With that being said, people are also the most common cause of a breach.
For the most part, technology does what it is built to do. People on the other hand? Not so much.
Cyber attacks come from all angles and in all sorts of shapes and sizes. Having a strong defense system is key. How can a business defend against attacks they do not understand?
The military is the perfect example of this. They train over, and over, and over…for that very reason. The mindset of a small business owner should be the same!
Find an effective user training solution and require that everyone finishes their program annually, at minimum. In fact, no business will get punished for training their employees more frequently than one time a year!
2. Multi-Factor Authentication (MFA)
Sometimes referred to as two-factor authentication (2FA), multi-factor authentication is an additional form of proof that a site, app or computer requires before it will verify…YOU!
Think of the first time you had to type in a password on a computer. (Yes, there was a time when we didn’t need passwords. Crazy to think, we know.)
A password is one way of authenticating that someone is who they say they are. MFA adds further proof (a push notification to a phone, a one-time code sent only to that person, or something else).
Because passwords are both weak and increasingly exposed through data breaches, businesses need to further protect their assets from bad guys who are pretending to be someone else.
Cyber security is about making it harder for bad guys to access sensitive data, and multi-factor authentication requires cyber-criminals to work harder.
As the link above shows, cyber-criminals can easily obtain someone’s credentials (more reason for training!).
Whether they trick someone using social engineering (more on that below) or purchase your information from the dark web (spoiler alert: they will), adding layers of security or verification is critical to a business.
Everyone learned to use a password, to the point where it feels weird not using one. It takes a few extra seconds. MFA should become second nature as well. MFA is one of those affordable cyber security solutions that needs to be used more!
3. Security Policies
“Policy” is another term people rarely want to hear, but in reality, everything someone does at work could technically have a policy around it.
Specific to cyber security, simple policies around administration (aka the people side of security) can be the difference between a major and a minor cyber event.
Examples of administration policies include: strong passwords, a clean desk policy, locking computers/devices when unattended, an email policy, etc.
Every new policy does require a little time to write, as well as some change management. That is good! If it takes someone a few extra seconds, it typically takes a cyber-criminal longer to bypass.
Going back to the mindset of “making it harder for the bad guy”, many of the above policies and best practices, when done properly, become second nature, similar to wearing a seat-belt.
Since we have briefly discussed passwords, let’s use the strong passwords policy as an example.
Anyone who has been using technology since the early 90’s was educated on passwords the same way.
Use something you’ll easily remember
Now add a number at the end.
Now add a capital letter.
Now use a word no one likely knows about you, but one you can remember. And still use a number.
Now use a “character”…but not any character, just one we allow…like !, @ or $.
Now, you have to change it often. Say, quarterly. Even if it’s close, it works.
How many people just changed their password to “Spring2019!”? Far too many.
Most of the time, cyber criminals aren’t guessing your password using their own math skills. They use a computer program to figure it out. After all, a computer is slightly better at math than a person is.
So, make the math harder!
By implementing a strong password (or passphrase) policy, unique passwords can become a very powerful defense tool for a business.
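To show what “make the math harder” means in practice, here is an added example (not code from the original post or from any vendor it mentions) that flags passwords built from the old “Word + number + symbol” recipe and compares the guess space an attacker who knows that recipe has to search against the guess space of a random four-word passphrase. The dictionary size, the 7776-word list size and the short word list are constructed assumptions for illustration.

```python
import math
import re
import secrets

# Constructed word list for demonstration only; a real passphrase policy
# would draw from a large published list (assumed here to be ~7776 words).
WORDLIST = ["anchor", "basket", "copper", "dune", "ember", "falcon",
            "garden", "harbor", "island", "juniper", "kettle", "lantern"]
ASSUMED_LIST_SIZE = 7776

# "Spring2019!" shape: season + year + one of the allowed symbols.
SEASONAL_RE = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@$]?$", re.I)
# Generic output of the old rules: Capitalized word + 1-4 digits + optional symbol.
RECIPE_RE = re.compile(r"^[A-Z][a-z]{3,10}\d{1,4}[!@$]?$")


def predictable_pattern(password: str) -> bool:
    """Return True when the password follows the predictable recipe a policy should reject."""
    return bool(SEASONAL_RE.match(password) or RECIPE_RE.match(password))


def recipe_guess_space(dictionary_words: int = 50_000) -> int:
    """Guesses to cover 'Word + 4 digits + one of !@$' for an attacker who knows the recipe.

    dictionary_words is an assumed size for the attacker's word list; a real
    cracking run would try far fewer digit strings (recent years first), so
    this is an upper bound on the work, not a lower one.
    """
    return dictionary_words * 10_000 * 3


def passphrase_guess_space(word_count: int, list_size: int = ASSUMED_LIST_SIZE) -> int:
    """Guesses to cover every passphrase of word_count words drawn from list_size words."""
    return list_size ** word_count


def bits(guess_space: int) -> float:
    """Guess space expressed as bits of entropy, for easy comparison."""
    return math.log2(guess_space)


def generate_passphrase(word_count: int = 4, words=WORDLIST) -> str:
    """Pick words with the secrets module, never random.choice, for a real policy."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print("Spring2019! predictable:", predictable_pattern("Spring2019!"))
    print("recipe bits:", round(bits(recipe_guess_space()), 1))
    print("4-word passphrase bits:", round(bits(passphrase_guess_space(4)), 1))
    print("suggested passphrase:", generate_passphrase())
```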
How do you know what a good password policy is? Work with an expert.
Our Suggestion: cuick trac™
4. Phishing Simulation Tool
So far, we have covered multiple ways to prepare, but now we will shift gears to testing.
How can a business be sure that their cyber defense program works, if they aren’t testing it? Phishing simulations are a great, cost-effective, yet creative way to see if people are following the policies, and learning from their training.
Frequent phishing tests allow businesses to identify vulnerabilities, so they can make ongoing adjustments to their security program.
When a business finds out for itself where things would go wrong in the event of a breach, the financial impact is far smaller than if a cyber-criminal finds out first.
Invest in a phishing simulator that provides unlimited tests and unlimited templates. A business should always be testing their people using common (easy) attacks, all the way up to sophisticated attacks.
As mentioned above, attacks come in all shapes and sizes, so testing different parts of the business with unique simulated attacks will help strengthen the awareness of the organization.
5. Cyber Insurance
When it comes to a small to medium size business encountering a cyber breach, it is not a matter of “if”…it’s “when.”
Luckily, there are some really good cyber insurance providers out there, and in 2019, every business should have it.
According to a recent Cisco paper, 68 percent of U.S. businesses have not purchased any form of cyber liability or data-breach coverage, showing that businesses are not adopting cyber insurance at a rate that matches the risks they face.
Regardless of what provider a business requests a quote from, their response is likely to be the same:
“You need a good cyber security program, and you need to prove it.”
Maybe the business already complies with a specific security standard, like the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (aka NIST CSF).
If so, odds are in your favor that an insurance provider will offer solid coverage, knowing the business leaders are doing more than “what is required”, within their means, to protect the business and more importantly, their customers.
Even just implementing the things discussed in this post can help a business obtain an affordable cyber insurance policy.