- Protect Against Viruses, Spyware, and Other Malicious Code: Make sure each of your business computers is equipped with antivirus and antispyware software that is updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Set antivirus software to run a scan after each update.
- Secure Your Networks: A firewall is a set of related programs that prevents outsiders from accessing data on a private network. Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. If employees are working from home, ensure that their home system(s) are protected by a firewall as well.
- Establish Security Practices and Policies to Protect Sensitive Information: Establish rules of behavior, such as requiring strong passwords, and policies on how employees should handle and protect personally identifiable information and other sensitive data. Establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies.
- Educate Employees About Cyber Threats and Hold Them Accountable: Educate your employees about online threats and how to protect your business's data, including safe use of social networking sites. Depending on the nature of your business, employees might be exposing sensitive details about your firm's internal business to competitors. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business's Internet security policies and procedures.
- Require Employees to Use Strong Passwords and to Change Them Often: Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication, which requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data to see if they offer multifactor authentication for your account.
- Employ Best Practices on Payment Cards: Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs, and do not use the same computer to process payments and surf the Internet.
- Make Backup Copies of Important Business Data and Information: Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
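The backup advice above is only as good as the ability to restore. The following added example (not part of the original guidance, and not any vendor's tool) shows one way to automate a timestamped backup of a business-data folder together with a SHA-256 manifest, then test the archive by restoring it to scratch space and comparing every file's digest. The folder layout, file names and contents are constructed for the demonstration; any real deployment would point `create_backup` at the real data directory and an offsite or cloud-synced destination.

```python
"""Added example: timestamped backup of a directory plus a SHA-256 manifest,
and a restore test that proves the archive actually contains what it should.
Directory names and sample files below are constructed for the demo."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large spreadsheets or databases are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, dest_dir):
    """Write backup-<UTC stamp>.tar.gz and a matching .manifest.json; return both paths."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    manifest.write_text(json.dumps(build_manifest(src_dir), indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive, manifest):
    """Restore into a scratch directory and compare digests against the manifest.

    A backup that has never been restored is a hope, not a backup: this catches
    truncated archives, files that were locked during the copy, and media errors."""
    expected = json.loads(Path(manifest).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12+, backported to older
            # maintenance releases) refuses path traversal and special files.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        actual = build_manifest(scratch)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k, h in expected.items() if k in actual and actual[k] != h)
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def make_sample_tree(root):
    """Constructed sample data standing in for the file types the guidance lists."""
    root = Path(root)
    files = {
        "finance/ledger.csv": "date,account,amount\n2024-01-05,receivable,1250.00\n",
        "hr/roster.txt": "Alice Example, Accounts\nBob Example, Sales\n",
        "notes.txt": "Quarterly planning notes (sample).\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def self_check():
    """Back up the sample tree, verify it, then show that a digest mismatch is reported."""
    with tempfile.TemporaryDirectory() as work:
        src = make_sample_tree(Path(work) / "business-data")
        archive, manifest = create_backup(src, Path(work) / "backups")
        clean = verify_backup(archive, manifest)["ok"]
        # Simulate a damaged copy by altering one recorded digest in the manifest.
        entries = json.loads(manifest.read_text())
        entries["finance/ledger.csv"] = "0" * 64
        manifest.write_text(json.dumps(entries))
        damaged = verify_backup(archive, manifest)
        return clean, damaged["ok"], damaged["corrupted"]


if __name__ == "__main__":
    print(self_check())
```

Scheduling `create_backup` from cron or Task Scheduler covers the "automatically, or at least weekly" part; running `verify_backup` on the same schedule, and keeping the manifest separate from the archive, is what turns a copy into a backup you can trust.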
- Control Physical Access to Computers and Network Components: Prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
- Limit Employee Access to Data and Information, Limit Authority to Install Software: Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
- Create a Mobile Device Action Plan: Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
Typically the end goal of a cyberattack is to steal and exploit sensitive data, whether it's a person's credentials or a customer's credit card information, which is then used to manipulate the individual's identity online.
Businesses should be aware of the most common types of cyberattacks. Here is a list of potential cyber threats.
- APT: Advanced Persistent Threats, or APTs, are long-term targeted attacks in which hackers break into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to plunder data.
- DDoS: An acronym for distributed denial of service, a DDoS attack occurs when a server is intentionally overloaded with requests until the target's website or network system shuts down.
- Inside Attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees in particular present a threat if they left the company on bad terms. Your business should have a protocol in place to revoke all access to company data immediately when an employee is terminated.
- Malware: This umbrella term is short for "malicious software" and covers any program introduced into the target's computer with the intent to cause damage or gain unauthorized access. Types of malware include viruses, worms, Trojans, ransomware, and spyware. Knowing which types you face is important for choosing the cybersecurity software you need.
- Password Attacks: There are three main types of password attacks: a brute-force attack, which involves guessing passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which records a user's keystrokes, including login IDs and passwords.
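Brute-force and dictionary attacks look the same from the server side: a stream of failed logins from one source, either hammering one account or walking through many. The added example below (constructed for this page, not taken from any product or the original text) parses sshd-style authentication log lines and raises three kinds of alert: many failures from one address inside a sliding time window, one address trying several different accounts, and a successful login from an address that had already been flagged, which is the case that needs an immediate response. The log lines use documentation IP ranges and invented usernames; the thresholds (`max_failures`, `window`, `spray_users`) are assumptions to tune for your own environment. Keylogging leaves no trace in these logs and is addressed by the antivirus and antispyware controls earlier on the page.

```python
"""Added example: flag brute-force and dictionary/password-spray login attempts
in authentication logs. The sshd-style log lines below are constructed sample
data; the thresholds are assumptions to tune for your environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the success/failure lines OpenSSH writes; other lines (cron, sudo) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: a burst against "admin" that eventually succeeds, a slow walk
# through three accounts from a second address, a cron line the parser must skip,
# and an ordinary user who mistypes twice before logging in.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1001]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T09:00:03 sshd[1001]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-01T09:00:04 sshd[1001]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2024-03-01T09:00:06 sshd[1001]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-03-01T09:00:07 sshd[1001]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-01T09:00:09 sshd[1001]: Failed password for admin from 203.0.113.5 port 51005 ssh2
2024-03-01T09:00:12 sshd[1002]: Accepted password for admin from 203.0.113.5 port 51006 ssh2
2024-03-01T09:05:00 sshd[1003]: Failed password for invalid user alice from 198.51.100.7 port 40000 ssh2
2024-03-01T09:05:30 sshd[1004]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-03-01T09:06:00 sshd[1005]: Failed password for carol from 198.51.100.7 port 40002 ssh2
2024-03-01T09:10:00 CRON[1010]: pam_unix(cron:session): session opened for user root
2024-03-01T09:15:00 sshd[1006]: Failed password for alice from 192.0.2.20 port 33000 ssh2
2024-03-01T09:15:10 sshd[1006]: Failed password for alice from 192.0.2.20 port 33000 ssh2
2024-03-01T09:15:20 sshd[1007]: Accepted password for alice from 192.0.2.20 port 33001 ssh2
"""


def parse(lines):
    """Turn matching log lines into events; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect(events, max_failures=5, window=timedelta(minutes=2), spray_users=3):
    """Return alerts for (1) many failures from one source within the window,
    (2) one source failing against several distinct accounts, and
    (3) a successful login from a source already flagged, which deserves an
    immediate response because the guessing may have worked."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    targets = defaultdict(set)    # ip -> distinct usernames attempted
    flagged = set()               # (kind, ip) pairs already reported, to avoid repeats
    alerts = []

    def alert(kind, ip, detail):
        if (kind, ip) not in flagged:
            flagged.add((kind, ip))
            alerts.append({"kind": kind, "ip": ip, "detail": detail})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip, ts = e["ip"], e["ts"]
        if e["ok"]:
            guessed = any(k != "success_after_burst" and f_ip == ip for k, f_ip in flagged)
            if guessed:
                alert("success_after_burst", ip, f"login as {e['user']} after failed guesses")
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        targets[ip].add(e["user"])
        if len(q) >= max_failures:
            alert("brute_force", ip, f"{len(q)} failures within {window}")
        if len(targets[ip]) >= spray_users:
            alert("password_spray", ip, f"{len(targets[ip])} accounts tried: {sorted(targets[ip])}")
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG.splitlines())):
        print(f"{a['kind']:20} {a['ip']:15} {a['detail']}")
```

On the sample above the detector reports a brute-force burst and then a success from 203.0.113.5, and a password spray from 198.51.100.7, while the user who mistyped twice from 192.0.2.20 produces nothing. The same two rules carry over to Windows event logs (failed-logon events keyed by source address) and to web application login endpoints; the "success after burst" rule is the one worth paging someone for.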
- Phishing: Perhaps the most commonly deployed form of cyber theft, phishing involves collecting sensitive information like login credentials and credit card information through a legitimate-looking (but ultimately fraudulent) website, a link to which is often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
- Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransom. Typically, ransomware either locks you out of your computer and demands money in exchange for access, or it threatens to publish private information if you don't pay a specified amount. Ransomware is one of the fastest-growing types of security breaches.
- Zero-Day Attack: Zero-day attacks can be a developer's worst nightmare. They exploit flaws in software and systems that attackers discover before the developers and security staff become aware of the issue. Such flaws can remain unknown to the defenders for months, even years, until they are discovered and repaired.
The Department of Homeland Security has come up with a Small Business toolkit containing resources to help businesses recognize and address their cybersecurity risks. Below are links to begin evaluating your cybersecurity program:
- C3 Voluntary Program SMB Toolkit: This toolkit contains resources specially designed to help small businesses recognize and address their cybersecurity risks. Resources include talking points for CEOs, steps to start evaluating your cybersecurity program, and a list of hands-on resources available to small and medium businesses. Toolkit for Small and Midsize Businesses (SMB) table of contents:
  - Begin the Conversation: Understanding the Threat Landscape
  - Getting Started: Top Resources for SMB
  - Cybersecurity for Startups
  - C3 Voluntary Program Outreach and Messaging Kit
  - SMB Leadership Agenda
  - Hands-On Resource Guide
- C3 Stop.Think.Connect. Toolkit: The Stop.Think.Connect. campaign has an online Toolkit that includes information specific to SMBs. The Toolkit can be found at:
- Federal Small Biz Cyber Planner: This tool helps businesses create custom cybersecurity plans. The Small Biz Cyber Planner includes information on cyber insurance, advanced spyware, and how to install protective software. For more information, please visit:
- Small Business, Big Threat: This online assessment tool, developed by the Michigan Small Business Development Center (SBDC), assists small and medium businesses in evaluating the cyber risks they face. At the conclusion of the 30-minute assessment, participants receive a risk assessment report and can choose from a variety of resources to engage with, including in-depth trainings, webinars, best practices, and industry articles on small business cybersecurity. Learn more and take the assessment at:
- Internet Essentials for Business 2.0: This guide for business owners, managers, and employees focuses on identifying common online risks, best practices for securing networks and information, and what to do when a cyber incident occurs. For more information, please visit:
- White Paper ("Every Small Business Should Use the NIST Cybersecurity Framework"): This white paper from eManagement can help SMBs understand and use the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides cybersecurity tips for SMBs aligned to the Framework's core functions: Identify, Protect, Detect, Respond, and Recover. The white paper can be found here:
- Geographically Specific Resources: This collection of cyber resources from various levels of government can help small and midsize businesses recognize and address their cyber risks. Access geographically specific resources here: