Small Business Cybersecurity

Learn to Secure Your Small Business!

Small Business Cybersecurity – A Complete Course

The Small Business Cybersecurity course contents are divided into several sections:

Introduction to Small Business Cybersecurity

This introductory section is designed to provide small businesses with a valuable vantage point from which to view cybersecurity, and start laying a foundation for the course contents that follow.

Behavioral and Configurational Security

Some of the most important things that small businesses can do to improve their security posture are completely free. This section focuses on adopting secure behaviors, practices, and configurations, and should serve as the starting point for taking action.

Too many small business owners think that the most important thing is to buy premium cybersecurity technologies. We want to challenge this thinking; carefully deployed tech is very important, but it can never take the place of having strong fundamentals.

Defensive Cybersecurity Technologies for Small Businesses

TL;DR: A Condensed Introduction to Cybersecurity for Small Businesses

Before we dive into the details of how to secure our systems, let’s start by briefly defining what we mean by the term cybersecurity.

What is Cybersecurity?

Cybersecurity is the practice of protecting our computer systems. We may initiate a cybersecurity program by taking inventory of the technology that we use. This includes hardware like laptops, desktops, mobile phones, and printers. In today’s workplace, it may also include a smart refrigerator or other smart devices.

The goal of our defensive cybersecurity practice is to defend all of our devices, networks, applications, and data, as best as possible, given resource constraints like a budget.

Cybersecurity is similar to physical security. Instead of door locks, in the digital world we have passwords. As with locks, we can often choose how strong we want them to be. In place of an alarm system, in cybersecurity there are AV (antivirus) and EDR/MDR (endpoint / managed detection and response), among others. And a real-life fence corresponds to a network firewall.

Challenges in implementing cybersecurity include educating users, defending against social engineering, and maintaining all systems so they are free of vulnerabilities.

Our Approach to Small Business Cybersecurity

We use a five-step approach to help small businesses achieve enterprise-grade security:

  1. Optimize behavioral and configurational security.
  2. Assess and securely redesign the company’s network(s).
  3. Research and deploy defensive technologies like firewalls, AV, and EDR.
  4. Use active defensive tactics to maximize ROI and achieve enterprise-grade security.
  5. Deploy targeted offensive cybersecurity services to test and harden the company’s networks and devices.

These five steps are designed to provide the highest ROI upfront. In general, each step is more important than the steps that follow.

The first three steps provide a solid foundation for cybersecurity at an organization. They involve a wide range of activities that help to strengthen security, from using strong passwords to deploying antivirus (AV), firewalls, and endpoint protection (EDR / MDR) to actively protect the network.

The last two steps – active defense and offensive security – use advanced tactics to help us fortify our networks and achieve true enterprise-grade security.

Authentication, Authentication – Wait For It – AUTHENTICATION

The very first thing that we recommend all small businesses start to address is – you guessed it – authentication.

What’s authentication? Put simply, authentication is the process of ensuring that a user is who they claim to be. The most common way to authenticate is by using a username and password combination. We do this for our operating systems and applications.

When it comes to improving small business cybersecurity, there are three primary activities that we recommend:

  1. Using strong, unique passwords. Length is the most important factor, followed by complexity. Every password needs to be strong as well as unique – meaning that no password is reused for more than one account.
  2. Using a password manager. It’s really tough to use strong, unique passwords without a password manager. They’re easier to use than you think! We really like Bitwarden and Keeper.
  3. Using multi-factor authentication (MFA). Strong passwords aren’t enough anymore. You also need to be using multi-factor authentication wherever possible; almost all popular applications support it. In terms of MFA method, text-based MFA is considered more secure than email-based MFA, and authenticator apps are considered the most secure (outside of using a physical key).

When it comes to passwords that often need to be recalled from memory, we recommend using a long passphrase that can be easily remembered while still providing excellent protection.
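To make the "length beats complexity" advice concrete, here is an added example (not code from the course or from Guardian Angel IT) that estimates password and passphrase entropy and generates a random passphrase with Python's `secrets` module. The eight-word `SAMPLE_WORDS` list is constructed for the demo; the 7,776-word size assumed for a real list is that of the EFF long word list. The character-class estimate is an upper bound that assumes every character was picked at random, so it flatters human-chosen passwords.

```python
import math
import secrets

# Constructed sample word list for the demo. A real generator would load a
# large published list such as the EFF long word list (7,776 words). Only the
# list SIZE matters for the entropy estimate, so functions take it as a parameter.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "cactus", "velvet", "harbor"]
EFF_LONG_LIST_SIZE = 7776


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` independent, uniformly
    random picks from `pool_size` choices: log2(pool_size ** length)."""
    if pool_size < 2 or length < 1:
        return 0.0
    return length * math.log2(pool_size)


def password_entropy(password: str) -> float:
    """Upper-bound entropy estimate for a character password, assuming each
    character was chosen at random from the character classes it uses.
    Human-chosen passwords (dictionary words, keyboard walks) are far weaker."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation and symbols
    return entropy_bits(pool, len(password))


def passphrase_entropy(num_words: int, wordlist_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Entropy of `num_words` words picked at random from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, num_words)


def words_needed(target_bits: float, wordlist_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, num_words: int = 5, sep: str = "-") -> str:
    """Build a passphrase with the `secrets` module (a CSPRNG), never `random`."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def length_beats_complexity() -> dict:
    """Worked comparison: a short password using every character class versus
    a longer lowercase-only password and a five-word random passphrase."""
    return {
        "8 chars, all classes": round(password_entropy("P@ssw0rd"), 1),
        "12 chars, lowercase only": round(password_entropy("tallgrassfox"), 1),
        "5 random words": round(passphrase_entropy(5), 1),
    }


if __name__ == "__main__":
    for label, bits in length_beats_complexity().items():
        print(f"{label:>26}: {bits} bits")
    print("words for 80 bits:", words_needed(80))
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Running it shows the eight-character "complex" password at roughly 52 bits, the twelve-character lowercase one at roughly 56 bits, and five random words at roughly 65 bits; seven words from the EFF-sized list clear 80 bits, which is a comfortable target for a master password that must be memorized.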

You can learn more about authentication and get lots of helpful tips in our article Securing Your Small Business Starts With Authentication: Using Strong Passwords, Password Managers, and MFA.

The Principle of Least Privilege

After implementing strong authentication practices across the organization, we recommend that small businesses next begin to leverage the principle of least privilege.

This principle – also known as “least privilege access” – is the idea that users in the IT environment should only have access to what they need in order to perform their responsibilities, and nothing more. This maxim arises from the fact that the more resources a user has access to, the greater the potential danger if their account is compromised or if they become an insider threat.

For example, a member of the organization may need access to the company website hosted on company servers because they’re part of the web design team. While it’s true they need access to the site’s file system, they do not need the ability to configure the server or to access other data stored within. Any access they have beyond what is needed to complete their job puts additional resources at risk.

When it comes to implementing the principle of least privilege, how an organization does so will depend heavily on the organization’s structure. For businesses with a single owner-operator, it could simply mean creating standard (non-administrator) user accounts for everything and using them for daily activities. The owner would then only use administrator accounts when admin privileges are needed.

As an organization grows, it will become increasingly difficult and costly to deploy the principle of least privilege if a foundation wasn’t laid while the company was small. At the same time, the risks presented by not leveraging it will grow. This is why we want small business owners to learn about this principle early on, even if it doesn’t mean a dramatic change in how the business operates.

You can learn more about the Principle of Least Privilege here.

Guardian Angel IT Academy

As a company, our goal is protecting small businesses from threats by providing security-first IT. Everything we do is with small business security in mind.

But we want to go beyond providing helpful services. We also want to help educate and empower small business owners and decision makers.

That’s why we’ve put a lot of effort into developing the Guardian Angel IT (GAIT) Academy, offering high-quality, affordable courses with certificates of completion, as well as publishing free courses, articles, and tutorials on this website.