Small Businesses Need Big Cybersecurity

Rapid changes in technology create new security vulnerabilities that require small businesses to expend resources to remain compliant. Lack of guidance, definitions or policies place these companies in positions that require them to make security investments without fully understanding the need or outcome of the resources they are spending.

While government information technology firms are better staffed from a security perspective, those that provide other services often do not have enough employees or the expertise to operate their internal computer systems at a high level of security. This situation makes them ideal targets for adversaries.

Cybersecurity experts address these topics in the “Small Business Cybersecurity” white paper that includes best practices, recommendations and information resources. They point out that some small companies struggle with cybersecurity because they cannot afford an expensive solution, have limited time to devote to it or simply do not know where to start.

The increasing complexity of technology supporting businesses requires the development of a new workforce that can install, maintain and secure it. A small business with an in-house enterprise information technology staff may typically devote less than 5 percent of its total employee count to that function. And, finding and retaining an employee with a decade or more of experience is difficult.

Small business and cybersecurity experts recommend several best practices to protect computer systems and data. Properly vetting employees’ education and certification is among their suggestions. In addition, the experts advise companies to document their security policies and train employees on their use. These policies should include the use of personally owned devices in the office as well as the processing of company information on personally owned computers.

When small companies begin instituting cybersecurity practices, they should follow an existing cybersecurity model for building its own plan, the experts say. For example, the Small Business Administration offers a guide online, the Federal Communications Commission features the Cyber Planner and the Department of Homeland Security offers the Cybersecurity Road Map.

Whether employing one of these tools or going it on their own, firms should conduct inventories of their hardware, software, databases, domain names and email accounts as well as other information technology-related items. They should manage their new purchases’ by checking and changing the default usernames, passwords and other configurations.

The physical work environment also must be secured, and the setting includes more than a single office building. The recent work-at-home situation COVID-19 triggered illustrates that security policies must extend to mobile devices and remote or home offices. Businesses should ensure their employees have virtual private network access as well as strong firewalls.

A major security incident can largely be avoided by following a good security plan, but because of the complexity of IT systems and the skills of criminals and other adversaries, incidents will occur, the experts emphasize. Data backup systems and regularly practicing how to restore from backup will help a business recover from incidents such as ransomware attacks or data theft. In addition, organizations must store backups either offsite or in the cloud, they agree.

To learn more about how small businesses can and should keep their information technology systems and data safe, read AFCEA’s Cyber and Small Business committees’ “Small Business Cybersecurity” white paper in SIGNAL’s free Resource Library.