Skip to main content


Small Business Security 101

Small Business Security 101

Small business security is something that is often overlooked, with IT responsibilities seemingly assigned to the person who knows the most about computers in many cases. While fulfilling the basic needs of the company, assigning such important responsibilities carelessly leaves your business vulnerable to a cyber attack that could result in the loss of customer information or severely damage your reputation.


Ignorance is Bliss, Or is It?

Smaller businesses are attractive targets to attackers because most small businesses rely on technology to perform day-to-day operations. Many businesses would not be able to thrive without the ability for customers to view its website, make online transactions, or even the ability for employees to send an email to employees or customers around the globe. Small businesses must realize that the technology that allows you to grow and be profitable can also pose the greatest threat to your business if not properly managed. Without training your employees to identify and understand the risk of cyber attacks, many businesses are sitting ducks for an attacker to simply harvest customer information. That’s what we call a low-risk, high-reward opportunity. The reputational damage caused by a cyber attack could very well force your business to close its doors completely.


Where to Start

An understanding of information security and how a well-managed program operates significantly reduces the risk of data being lost or stolen due to a cyber attack. In 2017, Manta conducted a poll of 1,420 small business owners and found that 87% felt they were at risk of experiencing a data breach.  Additionally, only a 17% noted that they had basic IT security controls in place. Basic security controls like antivirus and a firewall are critical to the health of the organization and its responsibility of protecting the customer information it possesses. Below are five (5) areas that any organization that utilizes the Internet NEEDS and is EXPECTED to have in place. If your business has not addressed these five (5) security control areas, stop what you’re doing and figure out how to protect your organization immediately.

  1. A business-class firewall: Home routers can be inexpensive and are great for simple tasks such as streaming online videos. Focus on investing in something that is made for businesses and allows you to change default settings.
  2. Anti-virus/anti-malware: You can choose either or both; just make sure you pay for the subscription and use its features.
  3. Email filtering: 93% of all data breaches begin with a phishing email. A single phishing email has the potential to cause significant damage to a business and is the most widely attack used; make sure you do everything you can to keep junk and phishing emails our of your environment.
  4. User access controls: Not limited to just strong and unique passwords; user access controls should be based on the principle of least privilege. Administrator accounts should never be used for regular duties. Reducing privileges for users drastically reduces the risk of an employee accidentally installing a malicious program onto their workstation.
  5. Patch management: It is paramount that systems are patched in a timely manner as soon as new patches are available. Be sure your third-party programs are included in your patch plan.

How to Improve (Don’t Be the Low Hanging Fruit)

IT security is not something you put in place and never touch or think about again. It is a continual process of improvement to stay one step ahead of the bad guys. Proactive security keeps businesses mindful of new threats and how you can protect yourself vs. reactive security where businesses are running to catch up with threats after they have happened. Now that some basic areas of security have been defined, businesses need to continue to grow their security posture for the future. Here are five (5) additional controls that businesses can implement to improve security:

  1. Vulnerability scanning: This is an excellent way for a business to understand and measure how successful the patch management program is or if there are additional vulnerable programs on the network.
  2. Password managers: These are a powerful tool that can be used to create extremely strong and unique passwords for all employee’s accounts. One master password is used to unlock a digital vault where passwords to websites can be securely stored and viewed. Password vaults can stop employees from using the same password for everything and worrying about remembering 200 different passwords (the number of unique websites that today’s consumer logs into on average).
  3. Ongoing security awareness training: Social engineering attacks are the most common way a network is compromised today. Continued education for employees about the dangers of phishing emails and how to identify them is critical. Additional training covering ransomware, customer identification, and other common social engineering attacks will dramatically reduce the risk of a successful cyber attack.
  4. Phishing testing: Phishing assessments provide insight into how the business will fair during a simulated phishing attack. Testing provides employees a chance to see how authentic phishing emails can seem and the results can be used to further increase employee education and awareness.
  5. Back up your information: Backups can also make or break a business. Ransomware, viruses, and hardware failures can cause everything that a business is storing digitally to be lost in an instant. A business should follow the 3-2-1 strategy, meaning at least three (3) total copies of your data are available, stored on two (2) differed mediums (backup tape AND external hard drive, for example), and at least one (1) copy stored offsite.

Small businesses cannot afford to lag in information security. Every business must understand and implement basic information security needs to prevent the most basic and automated of attacks. Once addressed, a proactive approach to security will keep the business and its customer information secure and avoid being a low hanging fruit that is easy for an attacker to reach.

Written by: Eric Chase 
Information Security Consultant
SBS CyberSecurity, LLC

SBS Resources:

  • {Service} Cybersecurity Partnership: If you begin to shift your mentality to that of a technology company, but don’t know where to start, SBS CyberSecurity has developed our Cybersecurity Partnership (CSP) program to help organizations just like you. The CSP program is designed to help organizations built a strong Information Security Program (ISP) that helps you make better decisions around information and cybersecurity, such as where to spend your next information security dollar. CSP clients are assigned their own Information Security Consultant to bring training and education, tools, frameworks, and templates to your organization to build an ISP that works for you, rather than simply checking the box for compliance. We will be your partners and guide you as you mature your security posture, as well as keep you up-to-date to the ever-changing regulatory and threat environments.
  • {Service} Vulnerability Assessment: An SBS consultant with knowledge of the organization's environment will scan the network for commonly exploited vulnerabilities from inside the organization.
  • {Product} KnowBe4 Phishing Assessment Tool: Your employees are frequently exposed to sophisticated phishing and ransomware attacks in today’s world. This is why SBS has partnered with KnowBe4 to offer the world’s most popular integrated platform for awareness training combined with simulated phishing attacks.
  • {Downloads} Security Awareness Training: A security program is only as strong as its weakest link. SBS strongly believes in the power of education and security awareness training when it comes to a strong Information Security Program. Share these cybersecurity training tools with your employees and customers to keep security top of mind.



Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Sunday, June 10, 2018
Categories: Blog