Back to top

The Essentials of Cyber Security for Small and Midsize Businesses

Jeremy Kurth

Cyber Security is like flossing your teeth. Nobody wants to do it, but ignoring it leads to irreversible harm.  Cyber security is about protecting your business-critical data.  Just like insurance, it is about risk mitigation.  And since small business cyber security risks are increasing every day, the insurance good cyber security provides can no longer be an afterthought.  A recent report by Cybersecurity Ventures states that cyber-attacks are the fastest growing crime in the U.S., and a 2019 Verizon study found that 43% of cyber-attacks target small businesses. 

Many organizations, especially larger enterprises, designate full-time Chief Security Officers (CSOs) and/or entire departments of cyber security-focused staff to integrate and establish a cohesive security regime. Unfortunately, because security is simultaneously important to modern businesses, very complex, and impacting at so many levels, small to mid-sized organizations face severe challenges just figuring out what they should do, much less getting it all done.

Small business cyber security attacks are complex and unfortunately there are a lot of very technically astute bad actors out there spending 100% of their time searching for vulnerabilities to exploit. Vulnerabilities stem from both technical and people-related causes.  Examples of technical issues include things like improperly configured firewalls that enable hackers to access to your network, or servers that have not been properly patched.  People issues are key as “social engineering” - where hackers “trick” employees to give them access - is one of the most significant attack vectors used today.  Ransomware via a phishing attack is an example of this, where an end-user opens an attachment or clicks on a link resulting in their files becoming encrypted on infected systems, forcing users to pay a ransom to get a decrypt key so files can be accessed.  According to Verizon, 52% of breaches resulted from hacking, with social attacks, malware, events caused by errors, and misuse by authorized users being the next most common forms of breaches.

Because of the complexity and variety of small business cyber security vulnerabilities and attacks, there unfortunately is no single silver bullet.  Organizations must take a “layered” approach to cyber security.  Here are best practices for the essentials of a layered approach to small business cyber security:

  1. Asset and patch management: Patches are regular updates to software that included fixing security vulnerabilities.  Successful patch management starts with knowing exactly what you have. If you don’t know a device exists on your network, you will never succeed to know the vulnerabilities that exist. Ensuring you properly patch your environment requires a concerted focus in asset identification and management.
  2. Malware protection: Malware stands for malicious software. Trojans, ransomware, viruses, and worms are examples of malware.  Malware protection starts with effective anti-malware software.
  3. DNS filtering: DNS filtering is a method for blocking access to certain websites, webpages, or IP addresses.  If a particular webpage or IP address is known to be malicious, the request to access the site will be blocked.
  4. Perimeter protection: A network perimeter is the secured boundary between the private and locally managed side of a network, often a company’s intranet, and the public facing side of a network, often the Internet.  Properly configured and managed firewalls are key to effective perimeter protection.
  5. Access control and authentication:  Access control is required to minimize the risk of unauthorized access to your networks, systems and data.  Access control systems perform authentication and authorization of users.  Multi-factor authentication (MFA) which requires two or more authentication factors, is often an important part of a layered cyber security.
  6. Security awareness training: Security awareness training (SAT) teaches employees about cybersecurity, IT best practices, and even regulatory compliance.  Good SAT includes topics such as how to avoid phishing and other types of social engineering cyberattacks, spot potential malware behaviors, report possible security threats, follow company IT policies and best practices, and adhere to any applicable data privacy and compliance regulations (GDPR, PCI DSS, HIPAA, etc.)

Many small and midsize businesses don’t have internal IT teams with the cyber security skills and expertise required to effectively mitigate risks from cyber-attacks.  Good managed IT service providers have the experience and expertise that small and midsized organizations may not have in-house.

At Logically, cyber security is foundational to all of our services.  Logically starts with the “essential” cyber security services that every IT shop should foundationally have in place.  Logically has deep conversations with every client about their specific industry regulations and compliance needs. They bring in their IT Governance department to ensure they build a complete plan designed to minimize overall cost but ensure that solid security provisions are implemented and provided for from the start of the service.

Compliance is obviously a complex beast for many companies, and small to midsized companies can obviously struggle with finding enough deep expert security staff to get to where they need to be.  It makes sense to leverage a managed IT service provider who can provide that deep expertise on-demand, and in fact continually provide security coverage within their expertise umbrella.

Cyber security is like protecting your house.  You need to have strong locks on all your doors and windows, everyone in your household needs to shut the doors and windows, important assets shouldn’t be left outside, and you should have a good alarm system.  Just like your house needs periodic maintenance, so does your cyber security.  Click here if you would like Logically to “inspect your house” and identify security vulnerabilities that may be putting your company at risk.