As small businesses begin to grow, they’re often quick to hire new employees, find a bigger workspace, and increase their rate of production. Amongst countless new responsibilities, one thing often gets left behind: upgrades to cybersecurity.
More devices, basic systems, and rudimentary policies are all features of a rapidly growing company—and all vulnerabilities in the network, ripe for exploitation by cybercriminals. Small businesses are now the number one target for hackers, with 47% reporting at last one cyber-attack in the past year.
The good news is, blocking attacks doesn’t have to be complicated or expensive. In this article, we’ll cover some of the biggest security mistakes small businesses make as they grow, and what you can do to prevent them.
1. Avoiding Integration
Without lots of hardware to protect, most small businesses begin by installing their security software independently on each device.
While this works to begin with, it becomes a problem as the company continues to grow, adding more computers but continuing to protect them on a device-by-device basis. Hackers have a huge variety of tools in their arsenal that can bypass the protective software used on individual machines. If they can compromise just one, the whole network is theirs to exploit.
To effectively safeguard your network, you need a variety of different methods to deal with a variety of different threats. Your security strategy should be integrated — protecting the entire network rather than individual devices.
One solution to this issue is investment in ‘unified threat-management platforms’, or UTMs. These take the place of the router that most people use to manage their network traffic.
The UTM will integrate antivirus protection, a firewall, and content filtering into one piece of hardware or software, with one set of controls. This is easy to maintain and effective in terms of both time and cost.
2. Lack of Staff Awareness
Your employees will always be your strongest asset and your biggest security risk.
When you’re only employing a handful of workers, it’s relatively easy to get everyone up to scratch on cybersecurity best practices. But when a wave of new workers join, this type of training can take a backseat.
This is when things can get dangerous. One thoughtless click by a new hire can spell potential disaster for your business. Cybercriminals are smart and like to target new employees, exploiting the naivety of those not yet familiar with company protocols.
For those looking to bolster their team’s awareness, there are many external resources available that can offer guidance for small companies. The SBA’s Office of Entrepreneurship Education has a free course on cybersecurity, and there are plenty of third-party companies that offer training.
Effective security in a company of any size relies on management support, strong internal communication, and individual accountability for online activity. It’s sensible to put an awareness program in place that keeps you and your staff up to date about good online security practices.
3. Open Permissions & Data Pools
In the early stages of growth, it’s typical for small companies to have networks that pool users and their data in the same place. This ensures everyone using the network can collaborate, communicate, and share information.
As networks grow and rising numbers of people need access, collective permissions for these shared databases can become a problem. Whether it’s employees or clients, there’s a higher chance that the wrong people will get their hands on sensitive information.
To contain this risk, expanding SMEs should segment their networks so that critical information is only accessible to appropriate employees in certain zones. Segmenting can be achieved with simple software or hardware like switches, UTMs, and routers.
Having been segmented, each zone can be given its own role and level of security. Should there be an attack on one of these zones, it won’t affect the others as quickly, since communication between them is limited. This gives you more time to identify, assess, and resolve the threat — mitigating your damages.
Once these segments are set up, it’s sensible to routinely review the permissions which determine who has access to what — something that’s easily overlooked if there are frequent changes to the team.
4. Weak Bring-Your-Own-Device (BYOD) Policies
Letting employees do business on their own phone or laptop can be a great boost to productivity. But when many new employees come on board, it can be difficult to keep track of what devices are being used and by whom.
That means your business information can now walk out of the door with your employees, and will most likely be stored in third-party apps and platforms. This becomes a problem in terms of data ownership and accountability.
At the end of the day, anything connected to your network needs to have the same level of security as the system itself.
It’s crucial to lay out and enforce a clear policy regarding what personal devices are permitted onto the network. It’s sensible to require safety features on relevant applications such as two-factor authentication, and encourage employees to use virtual private network (VPN) software, which will secure their traffic when working remotely or on public networks.
Certain VPN services are notoriously unreliable when it comes to privacy and security, so be sure to recommend a trustworthy provider. There’s plenty of choice, but most review websites consider Private Internet Access and Vypr VPN to be sensible options.
It’s also recommended to install mobile-device-management software, which gives you the ability to remotely secure any devices that are lost or stolen.
5. No Back-Ups
As ransomware becomes an increasingly serious threat, many companies are being caught off-guard and without the means to restore their systems.
Regularly backing-up your data is an incredibly simple way to safeguard against malicious activity, device failure, and theft. The extent of the backup, as well as the number you create, will depend on the nature of your business. Whichever you choose, it’s important to safeguard the copy by storing it offline and in a secure location.
Powerful ransomware can lock the files on backup drives and shared networks, so it’s essential these are disconnected when not in use. Fortunately, there are various programs available that can automate this process to a certain degree. Some of these come with popular operating systems, while others can be purchased separately.
Ultimately, even the most basic preventative measures can help, such as staying up to date with upcoming threats and how best to protect against them.
Understandably, cybersecurity is often a low priority for organisations with limited resources. That being said, the danger posed by cybercriminals is severe enough that many small businesses are unable to recover. It’s not just the financial impact – it’s the reputational cost, the loss of future business, and the legal implications that can follow an attack.
Small investments can go a long way in protecting your company and safeguarding your customers’ data.
William Chalk is a security researcher at Top10VPN.