With the growth of online business and the spread of telework, cybersecurity has become an ever-present problem for small businesses and microbusinesses (10 or fewer employees), which are considered easier targets than large companies. Cybersecurity first of all requires implementing strict protocols, creating accessible points of control, and maintaining good internal communication to get your team on board. Here are our 5 practical tips for ensuring the cybersecurity of your business:
- Inform and educate your team about cybersecurity
- Create a secure password policy
- Control your IT equipment
- Include cybersecurity in your business development plan
- Prepare for and react to cybersecurity incidents
1. Inform and educate your team about cybersecurity
A November 2021 study by IFOP and the consulting firm Forrester Consulting (link in French) revealed that 33% of small businesses with fewer than 250 employees had been hit by a cyberattack in the previous 12 months. However, it’s important to put this into perspective: an attack does not spell certain doom.
Cybersecurity threats and cyberattacks have become buzzwords in the business world, but has that translated into an increased ability to identify threats and prevent attacks? This is what you need to make sure of with your team.
The necessity of continuous cybersecurity training
Whether for a small business or a large company, training employees in good digital hygiene is key to cybersecurity. This education can take the form of an IT charter (an acceptable-use policy covering passwords, devices, email and data handling), provided to and explained with each new team member when they arrive.
Cybersecurity threats are continuously evolving
But threats evolve and take ever more pernicious forms: social engineering, phishing, spoofing, domain slamming (misleading domain renewal or transfer notices), ransomware. That’s why your employee education efforts also need to be ongoing: for example, through internal cybersecurity workshops, sharing information when a new vulnerability is detected, presenting the best ways to react to incidents, etc. It’s essential that every employee or contractor understands the stakes and feels fully invested in remaining vigilant in the face of external threats.
2. Create a secure password policy
The number of news stories about compromised passwords is too high to count. That’s no coincidence: stolen or guessed passwords are a major entry point for cybercriminals. A small business’s cybersecurity is therefore intimately tied to implementing a strong password policy and communicating it clearly. Favor length (12 characters or more, or a passphrase) and uniqueness (one password per service, kept in a password manager) over mandatory special characters, reject passwords that appear in known breach lists, and don’t force periodic rotation without cause, since it pushes people toward predictable variations.
We also strongly recommend requiring multi-factor authentication (MFA) for all critical logins (email, domain and hosting accounts, admin consoles, banking) for additional security. App-based two-factor authentication (2FA) such as TOTP (time-based one-time passwords) is a good baseline, but a hardware security key (a FIDO2/U2F USB or NFC key) goes further: it is resistant to phishing because the key only answers the legitimate site, so a compromised password alone is not enough to log in.
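As an added illustration (not part of the original article), the Python below implements TOTP the way authenticator apps compute it: an HMAC over the current 30-second time step, truncated to 6 digits, plus a verifier that tolerates one step of clock skew and compares codes in constant time. The shared secret is the public test vector from RFC 6238 Appendix B, not a real credential; the Base32 helper mirrors how apps receive the secret from an enrollment QR code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 time-based one-time password: HOTP over the current time step."""
    return hotp(secret, timestamp // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (phone clock drift). Compare in constant time so timing does not leak digits."""
    current = timestamp // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as Base32 (otpauth:// URI format);
    tolerate the spaces and lowercase a user might type."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)              # restore padding if it was dropped
    return base64.b32decode(cleaned)


# 20-byte ASCII test secret published in RFC 6238 Appendix B; a public test vector, not a credential.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59))                   # RFC 6238 vector: 287082 (last 6 digits of 94287082)
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    print(code, verify_totp(RFC6238_SECRET, code, now))
```

Whatever library you use in production, the verifier is where mistakes happen: a window wider than one step, or an equality check that is not constant time, quietly weakens the second factor. TOTP codes can also be relayed by a real-time phishing page, which is why the hardware key mentioned above is the stronger option.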
3. Control your IT equipment
When you launch your business, cybersecurity can seem like a distant threat, whether because you have few employees and contractors or because you trust your developer. However, it’s critically important to maintain a certain rigor from the very first days of developing your business, particularly when it comes to managing your IT equipment. It’s actually easiest to start this project at the very beginning, when the number of machines and the extent of your IT infrastructure are relatively limited and easy to map. To do that, apply the following best practices:
- Inventory your equipment and services: keep an inventory of all computers, tablets, smartphones, local servers, remote servers, printers, ISP routers (boxes), 4G dongles, etc.
- Inventory the software used: know what it is, what it’s used for, and which versions are installed
- Inventory data and data processing: identify which data are essential for your business to operate, find out where they are stored, and know and understand how they are processed
- Inventory accounts and access: be aware of each account’s level of access (administrator, user, guest, etc.) and means of access (local or remote login)
- Inventory all interconnections outside your network: list all points of access to and connection with the internet, whether with providers or with partners
These best practices are essential for the cybersecurity of your business, but you will also need to meet the data security requirements imposed by data privacy regulations like the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). Under these and similar regulations, you may be required to report a security breach and describe the data affected (within 72 hours under the GDPR); an up-to-date inventory is what makes that possible in time.
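The account inventory is the item most often skipped, so here is an added example (not from the original article) of what it looks like in practice on a Linux host: parse /etc/passwd and /etc/group, attach primary and supplementary groups to each account, classify each one as administrator, user or service account, and flag the two things an access review should always question, a second uid-0 account and a system account that still has a login shell. The passwd and group contents are constructed sample data, and the list of admin groups is an assumption to adapt to your distribution.

```python
from dataclasses import dataclass, field

# Constructed sample in /etc/passwd and /etc/group format; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:999:999:deploy bot:/opt/deploy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup-svc:x:0:1002:backup helper:/srv/backup:/bin/sh
intern:x:1003:1003:Summer intern:/home/intern:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:
sudo:x:27:alice,intern
users:x:100:
docker:x:998:bob
"""

# Assumed set of groups that grant root-equivalent access (docker membership lets a user
# become root through the daemon). Adjust for your distribution.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "docker"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999  # Debian/RHEL convention: uids below 1000 are system accounts


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    shell: str
    groups: set = field(default_factory=set)

    @property
    def can_login(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS

    @property
    def level(self) -> str:
        """Access level in the article's terms: administrator, user, or service account."""
        if self.uid == 0:
            return "administrator (uid 0)"
        admin_via = sorted(self.groups & ADMIN_GROUPS)
        if admin_via:
            return "administrator (%s)" % ",".join(admin_via)
        return "user" if self.can_login else "service (no login)"


def parse_passwd(text: str) -> dict:
    """One Account per passwd line, keyed by user name."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), int(gid), shell)
    return accounts


def apply_groups(accounts: dict, text: str) -> None:
    """Attach the primary group (matched by gid) and supplementary groups (member list)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        group, _pw, gid, members = line.split(":")
        for acct in accounts.values():
            if acct.gid == int(gid):
                acct.groups.add(group)
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member].groups.add(group)


def inventory(passwd_text: str, group_text: str) -> list:
    """All accounts, administrators first, each alphabetical, ready for review."""
    accounts = parse_passwd(passwd_text)
    apply_groups(accounts, group_text)
    return sorted(accounts.values(),
                  key=lambda a: (not a.level.startswith("administrator"), a.name))


def findings(accounts: list) -> list:
    """(account, issue) pairs that deserve a question during an access review."""
    out = []
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            out.append((a.name, "uid 0 account other than root"))
        if 0 < a.uid <= SYSTEM_UID_MAX and a.can_login:
            out.append((a.name, "system account with a login shell"))
    return out


if __name__ == "__main__":
    accts = inventory(SAMPLE_PASSWD, SAMPLE_GROUP)
    for a in accts:
        print("%-11s uid=%-5d %-24s %s" % (a.name, a.uid, a.level, a.shell))
    for name, issue in findings(accts):
        print("REVIEW:", name, "-", issue)
```

On a real machine, feed it the contents of /etc/passwd and /etc/group and keep the output with the rest of your inventory; rerun it after every onboarding, offboarding or contractor engagement, because the diff between two runs is the access review.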
4. Include cybersecurity in your business development plan
If you implement an internal policy to ensure the cybersecurity of your small business, you’ll also need to apply the same diligence to the development of your products. This approach is called security by design: security and risk are considered at every stage of a product’s creation and throughout its life cycle. The goal is to ensure the robustness of the product and of any supporting infrastructure, in order to guarantee the security and confidentiality of your systems.
Another important point, which might seem obvious but is too often the root cause of security breaches, is the need for regular updates. Be sure to update your operating systems, all software and plug-ins whenever their maintainers release a new version or security patch, and retire anything that is no longer maintained.
The same goes for defining a backup policy: how often should you back up? Which data should be backed up? And where? Several criteria need to be considered to establish a precise framework, and a backup you have never tried to restore is not one you can count on.
5. Prepare for and react to cybersecurity incidents
Even if you take every precaution with regard to the cybersecurity of your business, it’s always advisable to prepare to react in the event of an incident.
For that, we recommend establishing different action plans depending on the nature of the cyberattack (for example, ransomware, a phished email account, or a hijacked domain). That way you can be sure not to panic when you are inevitably confronted with an incident, and can follow a pre-established procedure.
We also recommend creating a business recovery plan, in order to get back on your feet quickly and in the best possible shape once the incident has been managed.
These five best practices should be the pillars of your business’s cybersecurity strategy. If you want to go further, check your local cybersecurity authorities (for example, France’s Agence Nationale de la Sécurité des Systèmes d’Information, ANSSI, has excellent information available here, in French) for more details.
And to help guide you through setting up and managing your business’s online presence, Gandi created a tailor-made, à la carte service pack for small- and medium-sized businesses. With this service you can rest assured that your website and email accounts will be safe and secure when you manage them from a single, intuitive interface.