
These Are the Top 4 Cybersecurity Solutions Your SMB Should Prioritize
By Ben Hartwick
For most small- to medium-sized businesses (SMBs), the thought of suffering a ransomware attack is overwhelming and worrisome. An attack that compromises infrastructure or leaks sensitive data can impact an owner’s ability to remain in business.
Protecting the company’s data assets is critical, but many business owners just don’t know where—or how—to begin. Others don’t have the financial resources to deploy full-scale, automated solutions that continuously scan networks and alert for anomalies or vulnerabilities that might leave the business exposed.
While security is challenging, SMBs are not powerless. There are small yet effective security basics that organizations can implement without investing a lot of time or money.
One analogy I use with customers is that cybersecurity is like eating an elephant. No matter what you try, it can’t be done in one bite. It’ll take some time—or maybe a whole village—to eat that elephant. Similarly, a sound cybersecurity posture will take time. It's also not linear. You can’t just do all the things at once, and then be done with it. You have to pick a starting point and move forward.
That’s the key idea: share some security basics that are easily accomplished, one at a time, that won’t cost a business much money, but will help the company begin moving forward. The very worst thing you can do is nothing.
Here, I’ve highlighted several accessible security best practices for a business of any size or budget.
Low-cost cybersecurity solutions for small businesses
Review your network infrastructure
The first place for an SMB to protect against cyber threats is its network infrastructure. This is what allows the business to function, so you’ll want to make sure all of these systems are updated on a regular cadence, whether quarterly or twice yearly.
While it seems simple enough, this area is often where many businesses fall victim because they fail to do basic patching and software updates. Specifically, firewalls, VPN appliances and anything else geared toward the external infrastructure should be kept current. This makes it more difficult for threat actors to use vulnerabilities within these systems to access the environment and deploy ransomware.
Additionally, I’m a huge proponent of multi-factor authentication (MFA) as a way to safeguard sensitive data and user access to that data. You don't necessarily need to purchase an MFA tool. There are free ones like the Google Authenticator app. It is not as robust as some others, but it can help seal up the perimeter and add an extra layer that’s better than not using authentication technology at all.
Ensure you have strong passwords
My next tip is everyone’s favorite topic: passwords. But more specifically, password policies. Password hygiene is an Achilles' heel for many organizations, and stolen or compromised credentials are often the direct cause of ransomware attacks. Common recommendations about passwords have historically been that they should contain at least 8 characters, mixing upper and lower case letters with a number or a special character.
It may surprise some people how easily an 8-character password can be cracked by a brute force attack. Numbers or lowercase letters only can be cracked in less than five seconds. The addition of upper and lowercase letters, numbers and special characters can increase that time to 8 hours for an 8-character password. This is better, but still breakable.
Bumping the length of a password up to even just 9 or 10 characters (and using upper/lower, numbers and special characters) moves the timeframe to crack to weeks, months or years. But to significantly improve security, I recommend increasing passwords to 16 characters or more. While that sounds difficult, utilizing words or phrases to create a pass-phrase or sentence, such as IloveMyd0gSparky!, makes it easier to recall and darn near impossible to brute force attack (93 trillion years in Sparky’s case!).
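To see why length matters more than complexity, the following added example (not from the original article) estimates the exhaustive-search space for the kinds of passwords discussed above. The guess rate and every sample password except the article's passphrase are assumptions, and because the article does not state the rate behind its figures, the output shows the scaling rather than reproducing those numbers.

```python
import math
import string

# Assumption: an offline guessing rate chosen for illustration only.
ASSUMED_GUESSES_PER_SECOND = 2e11

# Character classes a password policy usually refers to (ASCII only;
# characters outside these classes are ignored by this estimate).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)  # punctuation = 32 symbols


def charset_size(password):
    """Alphabet an exhaustive search must cover, from the classes in use."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(password):
    """Candidates of this exact length over the detected alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    return search_space(password) / rate


def humanize(seconds):
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


# Constructed samples: digits only, lowercase only, 8 mixed, 10 mixed,
# and the passphrase used in the article.
SAMPLES = ["48151623", "qwertzui", "Tr0ub&4x", "Tr0ub&4xQ!",
           "IloveMyd0gSparky!"]


def report(passwords=SAMPLES):
    return [(pw, len(pw), charset_size(pw), round(entropy_bits(pw), 1),
             humanize(worst_case_seconds(pw))) for pw in passwords]


if __name__ == "__main__":
    for row in report():
        print("{:<18} len={:<3} alphabet={:<3} bits={:<6} worst={}".format(*row))
```

The estimate models exhaustive search only. Passphrases built from common words and credentials that are reused or stolen are exposed to wordlists and credential stuffing regardless of length, which is one reason MFA still matters.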
Look into network segmentation
When I suggest this best practice to clients, it feels obvious to me, but it often is not to them. Think about network segmentation that keeps your users on one VLAN and your data on another. In the unfortunate event that a threat actor actually gains access to your environment, if your systems are separated, they would be less likely to hit the different VLANs you are maintaining.
In the small business sector, it's easier to spin up a Class C or something like that or create a flat network. But spending just a little bit of time and segmenting your network will make it harder to get a hold of your critical data.
Related to segmentation is knowing where this critical data resides. Most commonly this is Personally Identifiable Information (PII), such as Social Security numbers or credit cards, or personal health information (PHI), such as data kept at doctor's or dentist's offices and hospital organizations. Unfortunately, there can be so much PII or PHI on various machines or hard drives because users tend to find it easier to save data onto a computer to make changes than uploading to a file share. This can create a footprint greater than what most SMBs can actually defend.
To solve this vulnerability and reduce the attack surface, keep critical data in a specific location and only permit work to be done using that specific location. This spotlights the data too, so that if there is a security event, it is easier to report which file store held all of the PII, and whether it was password protected or encrypted in some manner. If it was, then should a threat actor get a hold of it, it would be unusable.
Utilize antivirus tools
Since the late '80s, we’ve known about some form of antivirus (AV) technology. And while it has gone through many iterations as devices and internet connectivity have evolved, it is still an important part of your network security posture. The challenge is that AV is often taken for granted, and users don't update it as frequently as they should, which results in missing newer definitions that would offer stronger protection against threats such as drive-by attacks and phishing attempts.
While modern antivirus tools are not as robust as an endpoint detection and response (EDR) solution, they can still be an effective layer of protection for SMBs. However, you do need to be sure the tool is working optimally for what it’s meant to do, which means engaging the automatic updates. While users may complain that this slows down a computer, it’s essential to ensure that users are up-to-date, as secure as possible, and are less likely to become compromised.
Ongoing best practices to protect your small business from a cyberattack
As mentioned earlier, building a cybersecurity strategy and sound posture for SMBs is best considered as a process that is continually improved, not something that is completed once, or in one fell swoop. There are other low-cost best practices to consider as well, such as:
Log management: Creates a repository of all logs so they are easily accessible. These logs are critical for an incident investigation and sometimes for regulatory compliance.
Backups: I recommend the 3-2-1 approach for backups, meaning three copies of the data, on two distinct forms of media, and one offline or offsite backup.
Privileged access: For business owners who want a more granular approach to defenses, consider using provisioned access among staff, so that only users who absolutely require access to computers or the network to do their jobs will have it.
Security training and awareness programs: Teach all employees to avoid common security pitfalls, like using unsecured Wi-Fi connections or clicking emailed links from unknown sources.
All of these tips are practical, simple and cost-effective ways of keeping your employees and customers safe from the threats that lurk in cyberspace.
Small business cybersecurity FAQs
Do small businesses need cybersecurity?
All businesses need cybersecurity, but lack of security staff and threat training can make SMBs prone to attacks like email compromise and ransomware. Utilizing an MSP can be an affordable way for SMBs to augment staff and address cybersecurity needs.
How much does a cyberattack cost an SMB?
The cost of a cyberattack for an SMB will vary based on the type of attack that occurs. For example, ransom demands for a smaller business can easily bankrupt them.
How much should a small business spend on IT security?
Essential, yet basic security measures needn’t be costly and can go far in protecting sensitive data. By making sure a firewall is configured properly, and enabling multi-factor authentication on all applications that allow it, SMBs can expect to spend $20-$40 per endpoint for an EDR solution.
About the Author
Post by: Ben Hartwick
Ben Hartwick is a security and incident response veteran at MOXFIVE, a specialized technical advisory firm helping organizations of all sizes to minimize the business impact of cyberattacks.
Company: MOXFIVE
Website: www.moxfive.com