Large businesses in the United States are putting substantial resources into protecting their information from cybersecurity threats. As a result, they are tougher targets for malicious attacks, so hackers and cyber criminals are now focusing their unwanted attention on smaller, less secure businesses.
Small businesses hold money and information of value to criminals but are often less prepared than larger companies to handle cyber threats. They frequently have more to lose than larger organizations, because a single event (a hacker, a natural disaster, or the loss of a key business resource) can be devastating to the business.
The National Institute of Standards and Technology (NIST), in co-sponsorship with the Small Business Administration and the Federal Bureau of Investigation InfraGard Program, conducts workshops on cybersecurity geared for small businesses.
These workshops explore practical tools and techniques that can help small businesses to assess, enhance, and maintain the security of their systems and information. The workshops are based on the principles of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Although the Cybersecurity Framework was developed for critical infrastructure organizations, it has proven useful to a variety of small businesses as it provides a simple, common language for discussing risk management.
The workshops help small businesses organize processes and tools to protect their information. This is a continual, ongoing activity, not a one-time project.
For most small businesses, the security of their information, systems, and networks may not be the highest priority, but they need strong cybersecurity to protect those assets. The following actions can help strengthen the cybersecurity posture of a small business.
Train employees
Employees should be trained to know the company policy on computer use, understand how to treat business information, and know what to do when a security incident occurs.
Training employees in the fundamentals of information, system, and network security is one of the most effective investments small businesses can make to secure their business.
Stay up to date
Any software application installed on a system adds to its attack surface and can be used in an attack. Install only the applications needed to run the business, and patch/update them regularly, including the operating system and firmware.
Install and activate software and hardware firewalls
Firewalls block unwanted traffic such as malicious communications or browsing to “blocked” websites. Install and keep operational a hardware firewall between the small business internal network and the Internet.
In addition, install, use, and regularly update a software firewall on each computer used in the business (including smartphones and other networked devices where possible).
Secure wireless access point and networks
If a small business uses wireless networking, change the default administrative password that was on the access point when it was received. Configure the access point so that it does not broadcast its Service Set Identifier (SSID). Note that hiding the SSID only keeps the network out of casual view; anyone with a wireless sniffer can still find it, so the real protection is strong encryption (WPA2 or WPA3) with a strong passphrase.
Connect only to wireless access points that the business owns or trusts (i.e., those whose security is assured).
Individual user accounts and strong passwords
A small business should identify and control who has access to its business information, including employees, contractors, and maintenance personnel. Conduct a nationwide background check on all prospective employees, especially those who will be handling funds.
Give each user a separate account and require strong passwords; shared logins make it impossible to tell who did what. Limit administrative privileges to the few people who need them, so that ordinary users cannot install unauthorized software.
Limit access
Employees should only have access to systems and information needed to do their jobs.
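The two points above (one account per person, and administrative rights only where needed) are easy to state and easy to drift away from. The script below is an added example, not part of the NIST guidance: a small audit for a Linux host that lists every account that is effectively root (uid 0 or a member of the sudo/wheel/admin groups) and flags generic, shared-looking login names. It takes the passwd and group files as arguments so it can run against the constructed sample included here; point it at /etc/passwd and /etc/group for real use. The account names, the list of "generic" names, and the group names checked are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the NIST page: a quick audit of who holds
# administrative rights on a Linux host, the check that backs "limit
# administrative privileges" and "a separate account for each user".
# It takes passwd/group files as arguments so it can run against the
# constructed sample below; use /etc/passwd and /etc/group on a real host.
set -eu

# admins_from PASSWD GROUP -> one line per account that is effectively root:
# every uid-0 account plus each member of the sudo, wheel or admin groups.
admins_from() {
    {
        awk -F: '$3 == 0 { print $1 " (uid 0)" }' "$1"
        awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "admin" {
                     n = split($4, m, ",")
                     for (i = 1; i <= n; i++) if (m[i] != "") print m[i] " (" $1 ")"
                 }' "$2"
    } | sort -u
}

# shared_accounts PASSWD -> login-capable accounts with generic names, a sign
# that several people share one identity and nobody can be held accountable.
# The name list is a heuristic (an assumption); extend it to local conventions.
shared_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ &&
             $1 ~ /^(admin|office|staff|shared|user|guest|frontdesk)$/ { print $1 }' "$1"
}

# Constructed sample files (not taken from any real system).
SAMPLE=$(mktemp -d)
PASSWD_FILE="$SAMPLE/passwd"
GROUP_FILE="$SAMPLE/group"
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc-legacy:x:0:0:old vendor tool:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
office:x:1002:1002:front office PC:/home/office:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
cat > "$GROUP_FILE" <<'EOF'
sudo:x:27:alice,office
wheel:x:10:
users:x:100:alice,bob,office
EOF

echo "Accounts with administrative rights:"
admins_from "$PASSWD_FILE" "$GROUP_FILE"
echo "Shared or generic login accounts:"
shared_accounts "$PASSWD_FILE"
```

On the sample data the audit surfaces two things a small business would want to fix: a second uid-0 account left behind by a vendor tool, and a generic "office" login that also holds sudo rights. Run it on a schedule and compare the output against the short list of people who are actually supposed to have administrative access.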
Set up web and email filters
Choose an email provider that offers filtering for irrelevant or inappropriate messages (spam and phishing). Use web browsers or a web filter that block access to known malware-infected websites.
Make full backups of important business data/information
Conduct a full, encrypted backup of the data on each computer and mobile device used in the business at least once a month, shortly after a complete virus scan. Store these backups away from the office in a protected place so that if something happens to the office, the data is safe. Save a copy of the encryption password or key in a secure location separate from where the backups are stored; an encrypted backup whose key is lost is no backup at all. Periodically restore a backup onto a spare machine to confirm that it is complete and that the key still decrypts it.
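The following script is an added example of the backup cycle described above, not code from the NIST page: it produces a full, encrypted archive of a directory with tar and openssl, writes a checksum so the offsite copy can be checked for corruption or tampering without the key, and then performs the restore test by decrypting into a scratch directory and comparing every file with the original. The directory names, the passphrase file, and the sample files are assumptions constructed for the demo; in practice the passphrase comes from a password manager and is stored separately from the backups, exactly as the text says.

```shell
#!/bin/sh
# Added example, not part of the NIST guidance text: make a full, encrypted
# backup of a directory with tar + openssl (AES-256-CBC, PBKDF2-stretched
# passphrase), write a checksum for the stored copy, then prove it restores.
# Directory names and the passphrase file are assumptions for illustration;
# the sample files are constructed here, not real business data.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/business-data"           # the data to protect (constructed below)
OUT="$WORK/offsite"                 # stand-in for the offsite/removable target
KEYFILE="$WORK/backup-passphrase"   # keep this OUTSIDE the backup location
ITER=200000                         # PBKDF2 iterations, must match on restore

make_sample_data() {
    mkdir -p "$SRC/invoices" "$OUT"
    printf 'Invoice 1001: 250.00 USD\n' > "$SRC/invoices/1001.txt"
    printf 'customer,email\nacme,ops@acme.example\n' > "$SRC/customers.csv"
    # In practice the passphrase lives in a password manager; it is generated
    # here only so the demo is self-contained.
    openssl rand -base64 32 > "$KEYFILE"
}

# backup SRC_DIR OUT_DIR KEYFILE -> prints the path of the encrypted archive
backup() {
    archive="$2/full-$(date +%Y%m%d).tar.gz.enc"
    tar -C "$(dirname "$1")" -czf - "$(basename "$1")" \
      | openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
          -pass "file:$3" -out "$archive"
    # Checksum of the ciphertext: detects corruption or tampering of the
    # stored copy without needing the decryption key.
    ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# restore_and_verify ARCHIVE KEYFILE SRC_DIR -> returns 0 only if the checksum
# matches and every restored file is byte-identical to the original.
restore_and_verify() {
    ( cd "$(dirname "$1")" && sha256sum --status -c "$(basename "$1").sha256" ) || return 1
    rdir=$(mktemp -d)
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$2" -in "$1" | tar -C "$rdir" -xzf - || return 1
    diff -r "$3" "$rdir/$(basename "$3")" >/dev/null || return 1
}

# Run the whole cycle once when executed directly.
make_sample_data
ARCHIVE=$(backup "$SRC" "$OUT" "$KEYFILE")
if restore_and_verify "$ARCHIVE" "$KEYFILE" "$SRC"; then
    echo "backup verified: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE" >&2
    exit 1
fi
```

The restore test is the part most small businesses skip. Running restore_and_verify against the copy that actually sits offsite, with the key fetched from its separate location, exercises the full recovery path rather than just the "write an archive" half of it, and the checksum lets the offsite copy be checked by someone who does not hold the key.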