
Small Business Security Challenges

Cybersecurity is difficult for small businesses, but there is help and support so that even the smallest organization can stay on top of essential security.

Being a smaller organization brings benefits and challenges at the best of times, and from a cybersecurity perspective it is often a tricky position. On one hand, you are probably too small to have a dedicated cyber function; it may even be a stretch to afford a full-time IT manager. On the other, in all but the smallest companies the potential impact of a cyber-attack can be devastating: financial or reputational damage, or even job losses if things go really badly.

There is some good news, though: the basics of security aren't that hard, and you don't need to be a cyber specialist to do them. The UK has a Government-led standard called Cyber Essentials, which will be ten years old in June 2024. At its core are five controls that any small business can put in place to take a huge step toward effective security. The great thing is that anyone with a half-decent knowledge of IT can do everything it suggests; you don't need to be a cyber guru.

Where to Begin

First, get a firewall. This is easy, because if you have a home or business broadband connection, the router that drives it has a firewall built in. Change the "admin" password to something long and unguessable, and make sure the checkbox that allows the router to be managed from out on the internet is unticked. Inbound connections from the internet are normally blocked by default, so there is not much else to do (the user manual will walk you through the two settings just mentioned). One caveat: the router only protects devices that sit behind it. If staff use laptops from home or a café, leave the operating system's own firewall (Windows Firewall or the macOS firewall) switched on as well; Cyber Essentials expects this for any device used on networks you don't control.

Next is secure configuration, which sounds technical but isn't really. It primarily covers the fact that, like the router example we just gave, a lot of IT kit comes with default "admin" passwords, so change them to something sensible. It's also quite common to find other admin-like user IDs built into equipment that you wouldn't know about unless you looked properly, so hunt them down and disable them or change their passwords. For example, I once pointed out to a client that although they had diligently changed the "admin" password on a core system, they didn't know there was also a "root" account with the same privileges and a default password that could be Googled. The practical check is to list every account on each device and product, not just the one you log in with, and to search the vendor's documentation for "default credentials". Secure configuration also includes ensuring that computers auto-lock their screens after a minute or two unused and demand a password before letting the user back in.

Patch It

Moving on, we have update management. Another technical-sounding concept, but all it means is making sure your equipment is updated regularly. Most operating systems, particularly Windows and macOS, which between them cover the majority of desktop and laptop computers, already have automatic updates enabled, so staying secure requires nothing except leaving the machines switched on for a few hours at least once a week to give the updater a chance to run. Remember that the operating system updater does not always cover third-party applications such as browsers, PDF readers and office suites, so turn on their own auto-update settings too. Servers and network devices often have auto-update facilities as well, so enable them on everything that you don't mind rebooting itself without warning. For the remainder, run the updater manually at least once a week; Cyber Essentials expects fixes for high or critical vulnerabilities to be applied within 14 days of release.

Fourth on the list is user access control. This is probably the most technical of the five elements we will talk about here, because you must know a certain amount about how the file permission mechanisms work on your file servers, Microsoft 365 repositories and so on. One of the biggest reasons ransomware can have such a massive impact is that so many small businesses have several user IDs configured as administrators, because that's the easiest way to ensure users can access everything they need. If you don't have someone technical on staff, this is the opportunity to hire one, or to engage some freelance or agency help for a few hours, to design your permissions using (and this is a technical cyber term) the Principle of Least Privilege: giving everyone access to everything they need and nothing else. Whoever genuinely needs admin rights should have a separate standard account for email and web browsing and use the admin account only when administering, since malware arrives through the everyday account. Proper access control on a system with, say, a million files is the difference between ransomware encrypting the 50,000 files the compromised user can reach and ransomware encrypting everything.

And finally: use anti-malware (antivirus, or AV) software. While malware is not the only way to hack a system, it is most definitely the most popular. In a Windows world, the built-in Defender product is a great start, but AV software is so inexpensive that there's no harm augmenting it with one of the popular AV products, because the vendors of those packages do AV for a living, not just as a small corner of their product portfolio. Whichever product you choose, check that it is installed on every machine, Macs included, that real-time protection is on, and that its signature updates are actually arriving.
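The five controls above are things you can check on a Windows machine in a few seconds rather than by clicking through settings dialogs. The script below is an added example written for this page; it is not from the article, from ISC2 or from the NCSC, and it is not an official Cyber Essentials assessment tool. It is read-only: it lists findings but changes nothing. The thresholds it uses (screen lock within 600 seconds, an update installed in the last 14 days, Defender signatures within 7 days) are this script's own assumptions, chosen to match the spirit of the text, not figures quoted from the Cyber Essentials requirements document. It uses only standard cmdlets (NetSecurity, Microsoft.PowerShell.LocalAccounts and Defender modules) and should be run from an elevated PowerShell 5.1 or later session on the machine being checked.

```powershell
# Added example (not from the article or from NCSC): a read-only check of one
# Windows machine against the five Cyber Essentials control areas.
# Assumed thresholds: screen lock <= 600 s, an update installed within 14 days,
# Defender signatures within 7 days. Adjust to your own policy.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Control, [string]$Message) { $findings.Add("[$Control] $Message") }

# 1. Firewalls: the host firewall must be on for every profile, not just the office router.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) { Add-Finding 'Firewall' "Windows Firewall is disabled for the $($_.Name) profile" }
}

# 2. Secure configuration: built-in accounts and the automatic screen lock.
#    The built-in Administrator (RID 500) and Guest (RID 501) accounts are the Windows
#    equivalent of the forgotten "root" account in the article: they should stay disabled.
Get-LocalUser | ForEach-Object {
    $rid = $_.SID.Value.Split('-')[-1]
    if ($_.Enabled -and ($rid -eq '500' -or $rid -eq '501')) {
        Add-Finding 'SecureConfig' "Built-in account '$($_.Name)' (RID $rid) is enabled"
    }
}
# Prefer the machine-wide inactivity limit set by policy; fall back to the current user's
# screen saver settings (active, password-protected, and a timeout in seconds).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$desk   = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$lockSecs = 0
if ($policy -and $policy.InactivityTimeoutSecs -gt 0) {
    $lockSecs = [int]$policy.InactivityTimeoutSecs
} elseif ($desk -and $desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1') {
    $lockSecs = [int]$desk.ScreenSaveTimeOut
}
if ($lockSecs -le 0) {
    Add-Finding 'SecureConfig' 'No password-protected automatic screen lock is configured'
} elseif ($lockSecs -gt 600) {
    Add-Finding 'SecureConfig' "Automatic screen lock fires after $lockSecs s (assumed limit: 600 s)"
}

# 3. Update management: automatic updates not disabled by policy, service not disabled,
#    and at least one update actually installed recently.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { Add-Finding 'Updates' 'Automatic Windows Update is disabled by policy (NoAutoUpdate=1)' }
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') { Add-Finding 'Updates' 'Windows Update service (wuauserv) is disabled' }
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Add-Finding 'Updates' 'Get-HotFix reports no installed updates'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-14)) {
    Add-Finding 'Updates' "Most recent update $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString()) (assumed limit: 14 days)"
}

# 4. User access control: who is really in the local Administrators group?
#    Every user listed here is one whose ransomware infection would reach everything.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.ObjectClass -eq 'User' })
if ($admins.Count -gt 1) {
    Add-Finding 'AccessControl' ("Local Administrators group has {0} user members: {1}" -f $admins.Count, (($admins | ForEach-Object Name) -join ', '))
}

# 5. Malware protection: Defender running with real-time protection and current signatures.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    Add-Finding 'Malware' 'Get-MpComputerStatus returned nothing; if a third-party AV product is installed, verify that product instead'
} else {
    if (-not $mp.AntivirusEnabled)          { Add-Finding 'Malware' 'Defender antivirus is not enabled' }
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Malware' 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        Add-Finding 'Malware' "Defender signatures last updated $($mp.AntivirusSignatureLastUpdated) (assumed limit: 7 days)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No findings: all five control areas pass this basic check.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it on each Windows machine and treat every line it prints as a job for the list. The Administrators check deliberately lists only user accounts, so on a domain-joined machine a group such as "Domain Admins" will not appear; check group membership there separately. If a third-party AV product has taken over from Defender, Get-MpComputerStatus may still return data about the (now passive) Defender engine, so confirm the active product's status through its own console rather than trusting that section alone.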

Requirements and Expectations

In the UK, formal Cyber Essentials certification is something you pretty much have to have if you want to supply the Government in some product or service areas. Even where there is no compulsion to hold it in order to do business, common sense says that small businesses should adopt the principles in the name of best practice.

If you're among the majority of ISC2 members outside the UK, Cyber Essentials is still relevant to you because, quite simply, it's a set of incredibly simple things that anyone, individual or business, can do, and guidance on it is freely available from a variety of sources. While you may not be able to achieve formal Cyber Essentials certification, the point is that it is a playbook that, with minimal effort and modest technical ability, you can follow to become surprisingly secure.