A cybersecurity assessment of your business's vulnerabilities can be carried out by a managed service provider or can be handled by an in-house team. — Getty Images/gorodenkoff

With large corporations focused on hardening their security infrastructure, cybercriminals are increasingly targeting small to mid-sized businesses. Cybercrime complaints increased by 7% from 2020, according to the FBI’s 2021 Internet Crime Report. And “the majority of those victims were small businesses,” FBI Supervisory Special Agent Michael Sohn told CNBC. Therefore, a proactive approach is the best way to protect your business from being hacked.

The National Institute of Standards and Technology (NIST) provides a cybersecurity framework to prevent attacks, and the Cybersecurity and Infrastructure Security Agency (CISA) offers guidance for small businesses. Using this information, we developed the following recommendations for reducing cyber risks.

Assess your cybersecurity posture and critical processes

Awareness is key to preventing, detecting, responding to, and recovering from a cyberattack. An assessment helps you learn which activities and hardware are vital to operations, identify potential threats, and evaluate vulnerabilities. Managed service providers (MSPs) offer cybersecurity audits and assessments, or your information security team can handle them in-house.

NIST suggests that small businesses start with its internal report, Small Business Information Security: The Fundamentals. It provides templates and details ways your company can systematically and proactively reduce risks.

On a basic level, your assessment should include:

  • A list of mission-critical business processes and assets, like protecting customer data or keeping payment software functioning.
  • An inventory of your hardware and software, including on-site, remote, and cloud-based applications and devices.
  • A flowchart of how collected information enters your business and where it goes (e.g., public cloud or software as a service (SaaS) cloud storage).
  • A cybersecurity risk assessment that identifies and documents threats, consequences, and risk levels. TechTarget’s five-step process is easy to follow.


Develop a cybersecurity program

All businesses, regardless of size, should designate a security program manager, establish a zero-trust security culture, and outline cybersecurity policies and procedures. Additionally, your program should include regular training for all employees and leaders. However, according to NIST, “organizations have unique risks—different threats, different vulnerabilities, different risk tolerances—and how they implement the practices in the Framework to achieve positive outcomes will vary.”

In short, there isn’t a one-size-fits-all cybersecurity solution. But taking no action isn’t an option. The FTC’s Cyberplanner helps you build a custom cybersecurity plan, and SANS offers security policy templates. Also, check out the Cyber Basics for Small Businesses Training and free cyber awareness videos.

Secure your IT infrastructure

CISA provides an expansive list of free cybersecurity tools and resources to protect your business from being hacked, assess threats, and respond to incidents. Take a multilayer approach using various tools and services to detect malicious activity and secure your organization.

Here are suggestions from NIST’s small business report for securing and hardening your infrastructure:

  • Use multifactor authentication, privileged access management tools, or password managers.
  • Regularly update and patch software and firmware for all assets listed on your inventory sheet.
  • Apply the principle of least privilege to control access to systems, applications, and hardware.
  • Set up firewalls on all business networks, including those of remote employees.
  • Use an Intrusion Detection / Prevention System (IDPS) to analyze network traffic.
  • Follow best practices for configuring your wireless access point and networks.
  • Consider requiring remote employees to use an encrypted virtual private network (VPN).
  • Install email and web filters to reduce spam and block unsecured websites.
  • Back up your systems and applications regularly.


Craft incident response and recovery plans

Time is critical when your business is under attack. Everyone should follow role-based steps when responding to and recovering from a cyber incident. Your incident response and disaster recovery plans are part of your larger business continuity plan. Together, these living documents help your business remain operational.

NIST’s Incident Response Plan (IRP) Basics offers these recommendations for protecting your company from a hacking attempt:

  • Have an attorney review your plan.
  • Conduct attack simulation exercises regularly.
  • Go over your documents quarterly.
  • Keep printed copies of your incident response plan and contact list.
  • Have a press response ready.
  • Know what outside firm you will use if under attack.
  • Print cyber insurance policy information.
