Vincent Scott

10 Cybersecurity Tips for Small Business

Tip 1. You're not too small to be a target.  I once had a person in a major corporation say to me, “We are a soap and diaper company. Who would hack us?” My answer, “Everyone who wants a piece of your $85 Billion a year.” Clearly a huge example, but it scales all the way down.  Who would hack you? People who want your money. People who want your IP.  


You are not too small to be a target, and you live in an incredibly dangerous neighborhood.  The miracle of the internet is that you are only one address away from the most capable criminals. Act like it.


Tip 2.  Guard your bank transfers very closely.  Bank transfers, rather than checks, are becoming increasingly common. Guard your bank transfer information. View ANY email requesting a change in bank transfer information with extreme skepticism. Even if it looks perfectly legit, pick up the phone, and dial a number not from the suspect email, and verify that it is legit. Every time. Complex scams around this are standard attacks against small businesses.  Don’t fall for it.


Tip 3. Engage two-factor everywhere you can, but especially banking. Nearly all banking and many other platforms offer two-factor authentication now. Yes, it is a little less convenient, but worthwhile. Always put 2FA on your bank accounts and your primary email accounts. Always always always.


Tip 4.  People are more important than hardware.  The US Special Forces outline 4 truths to operate by. This is #1 and it applies here, too. When we think about cybersecurity we tend to think about technology and technology answers. Buy the new cool tool! Get the AI! That will protect me. However, this is a misconception. The actions and capabilities of your people are far more important than how cool your tools are. Thousands of companies every day are paying licensing fees on tools that they think are protecting them but that are, in reality, sitting on the shelf because no one is using them. There is very little fire-and-forget in this business. If you want to improve your cybersecurity, upskill your people. 


This means training people to, for example, guard your bank transfer information.  It also means that when you grow and want to up your game, you should think about hiring the right people before you start selecting tools. You will be fabulously better protected if you hire the right person and have them use free tools than if you buy expensive tools that no one knows how to use. I am continuously astonished at how often I see companies making the second choice, given how ineffective that strategy is for real security.


Tip 5.  Hire an IT Service Provider that has a security mindset.  Most small businesses hire someone else to do their IT.  These companies fall under the general rubric of Managed Service Providers, or MSPs.  Not all MSPs are created equal, and many are not security conscious.  Choose wisely.  


Tip 6. Hold your IT Service Provider accountable.  Once you have chosen wisely, realize they must be held accountable for providing good services by someone inside your organization. MSPs are not fire-and-forget either.  


My experience with security and MSPs is that you have to engage with them regularly or security falls off. You hear nothing and so presume all is good, but that is not necessarily the case for security. Everyone knows when email falls over, but you might hear nothing on other security concerns because all the “guards are asleep.” My experience is that they will fall asleep unless you check those guards periodically.


Tip 7. Scale cybersecurity with your business.  As you grow, your risk rises, and your cybersecurity should scale with it. Micro-businesses are pretty limited in what they can do.  However, as you grow you should add further protections. This starts with engaging the right people first, and then creating and maintaining a more sophisticated cybersecurity capability. 


I see many companies that have grown to medium and large enterprises who have not put any additional security capabilities in place. This works until it doesn’t. The consequences can be quite severe.  


Tip 8. Use long passwords; try the passphrase.  There is a lot of focus on the complexity of passwords, substituting 3's for E's, for example. It's important to know that the bad guys know those tricks, too, and build them into their password crackers. Statistically, the best protection is a longer password or a passphrase. 


Use passwords at least 14 characters long for your important accounts. Banking? Super long.  Your login to the Wall Street Journal? Perhaps it does not matter so much. While you are at it, avoid password re-use, especially on critical accounts.
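To show why substitutions such as "3 for E" buy little, here is an added password-policy check (example code, not from the original post) that undoes those substitutions before comparing against a dictionary, the same way a cracker's mangling rules do, and enforces the 14-character minimum. The substitution table and the small word list are constructed stand-ins.

```python
# Added example (not from the original post): a password-policy check that
# reflects Tip 8. Common substitutions ("3" for "E", "@" for "a", ...) are
# mapped back to the letters they stand in for, because password crackers
# apply the same rules, and a 14-character minimum is enforced.

# Constructed substitution table; real cracker rule sets are far larger.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a breached-password / dictionary word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

MIN_LENGTH = 14
TRAILING_NOISE = "0123456789!#$%^&*.?-_"


def normalize(password: str) -> str:
    """Undo case and common substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Drop the trailing digits/punctuation people append ('Summer2024!'),
    # then undo substitutions, then look the result up in the word list.
    core = normalize(password.rstrip(TRAILING_NOISE))
    if core in COMMON_WORDS:
        problems.append(f"matches common word '{core}' once substitutions are undone")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "W3lcome2024!!!!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

A long passphrase passes both checks even though it contains no digits or symbols, while the substituted forms fail the dictionary check despite their apparent complexity.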


Tip 9. Know what information you need to protect.  Finances are the obvious starting point, but what about other things? Are you inventing that next cool device? Are you supporting your military's operations? What needs to be protected? Then focus your efforts on those things.



Tip 10. Have a plan for when bad things happen.  Bad things will happen.  Have an Incident Response Plan.  For micro companies, this might be ad hoc, but as you scale up it should rapidly become more robust.  As more government agencies mandate reporting, you should know who you have to report to and when, be aware of the free resources out there to help, and, if you are going to bring in experts, know who they are and who makes the decision to call them.
