5 Practical Security Improvements For Small Businesses

Mike Lisi -

Small businesses are increasingly becoming targets for cybercriminals. More often, attackers target smaller organizations because they're perceived as easier targets with fewer resources dedicated to security. The good news is that improving your businesses cybersecurity doesn't have to be complicated or expensive. Today, we’re discussing five practical security improvements that any small business can implement, regardless of budget or technical expertise.

1. Implement Two-Factor Authentication (2FA)

Why it matters

Two-factor authentication adds an extra layer of security beyond just a password. Even if a hacker manages to steal or guess your password, they still won't be able to access your accounts without the second form of verification.

Types of 2FA

For those unfamiliar with 2FA, here are some common types you might encounter:

  1. SMS/Text Message: A code is sent to your phone via text message. While convenient, this is considered less secure than other methods.
  2. Authenticator Apps: Apps like Google Authenticator or Authy generate time-based codes on your smartphone (also known as Time-based one-time password or TOTP codes). This method is more secure than using SMS.
  3. Push Notifications: Some services send a push notification to your phone, which you can approve or deny. This is both secure and convenient.
  4. Hardware Tokens: Physical devices that generate codes or can be plugged into your computer. These are very secure but less convenient.
  5. Biometrics: Uses fingerprints, facial recognition, or other biological traits. Common on smartphones but also used in some business settings.
  6. Email: A code is sent to a secondary email address. This is generally considered less secure and is less common in business settings.

When setting up 2FA, you'll typically be offered one or more of these options. Choose the method that balances security and convenience for your business needs.

How to do it

Most online services now offer 2FA as a way to enhance protection for your account. Here's how to enable it for some major services:

  1. Google Workspace: Go to the Admin console > Security > Authentication > 2-Step Verification. You can check the box to enforce this for all users within your workspace.
  2. Microsoft 365: Access the Microsoft 365 admin center > Users > Active users > Multi-factor authentication. Select users and then select Enable.

For other services, look in the security or account settings for options related to two-factor or two-step verification.

Impact

Implementing 2FA can prevent unauthorized access to your accounts, even in cases where passwords have been compromised. This simple step can thwart many common attack methods used by cybercriminals.

2. Regularly Update Software and Systems

Why it matters

Many cyber breaches occur due to outdated software with known vulnerabilities. Cybercriminals often exploit these weaknesses to gain access to systems and data.

How to do it

  1. Set up automatic updates for your operating systems (Windows, macOS, etc.).
  2. Enable auto-updates for your antivirus software.
  3. Regularly check for and install updates for all business-critical applications, especially if they are accessible via the Internet.
  4. Create a schedule to review and update less frequently used software.

Impact

Keeping your systems and software up-to-date ensures that you're protected against the latest known vulnerabilities. This simple practice can significantly reduce your risk of falling victim to cyber attacks.

3. Use Strong, Unique Passwords

Why it matters

Weak or reused passwords are one of the easiest ways for hackers to gain unauthorized access to your accounts. If a hacker obtains one password, they often try it on multiple services, potentially compromising several of your accounts at once.

How to do it

  1. Use a reputable password manager like LastPass, 1Password, or Bitwarden.
  2. Generate unique, complex passwords for each service your business uses.
  3. Ensure that passwords are at least 12 characters long.

Passphrases are a great way to add length to a password without making it overly difficult to remember. For example, the password UU7$l@VjztFm is 12 characters long, uses letters, numbers and symbols, and will be difficult to guess or crack, but it's also hard to remember. A passphrase such as Overhead-Catchy-Catalyze-Gear foregoes the use of numbers but is more than twice the length of the password and orders of magnitude more difficult to crack, while being significantly easier to remember.

Impact

Using strong, unique passwords or passphrases for each service dramatically reduces the risk of credential stuffing attacks and makes it much harder for hackers to gain access to multiple accounts even if one is compromised.

4. Secure Wi-Fi Networks

Why it matters

Unsecured Wi-Fi networks can be an easy entry point for attackers to access your internal systems and sensitive data. This is especially crucial if you have employees working remotely or if you offer Wi-Fi to customers.

How to do it

  1. Ensure your Wi-Fi network is encrypted. WPA3 is the latest and most secure protocol, but WPA2 is also acceptable if WPA3 isn't available.
  2. Change the default login credentials of your router. Use a strong, unique password.
  3. If you offer guest Wi-Fi, set up a separate network that doesn't have access to your business's internal resources.

Impact

A secure Wi-Fi network helps prevent unauthorized individuals from accessing your network, protecting your data and internal systems from potential breaches.

5. Use a VPN on Unknown or Public WiFi Networks

Why it matters

Public WiFi networks, such as those found in coffee shops, airports, or hotels, are often unsecured and can be easily exploited by cybercriminals. When your employees connect to these networks, they put your business data at risk of interception or theft.

How to do it

  1. Choose a reputable VPN service provider. Some popular options include ProtonVPN, ExpressVPN, or Surfshark.
  2. Install the VPN client on all company devices, including laptops, smartphones, and tablets.
  3. Train your employees on how to use the VPN and when it's necessary (i.e., whenever they're working outside the office or using public WiFi).
  4. Establish a company policy that requires VPN use when accessing company resources from public networks.

Impact

Using a VPN encrypts your internet connection, making it much harder for attackers to intercept your data or inject malware into your systems. This added layer of security is crucial for protecting sensitive business information when working remotely or while traveling.

Cybersecurity doesn't have to be overly complex or expensive for small businesses. By implementing these five practical security improvements - two-factor authentication, regular software updates, strong unique passwords, secure Wi-Fi networks, and using VPNs on public networks - you can significantly enhance your business's security posture.

Remember, these steps are just the foundation of a robust security strategy. As your business grows, you may want to explore more advanced security measures including having an external party come and perform a vulnerability assessment or penetration test to identify weaknesses within the network that can be exploited by attackers. If you’re interested in having an assessment done, contact our team at Maltek Solutions to discuss your concerns and objectives and we can tailor an assessment that makes sense for your business.