16 Effective Ways A Small Business Can Enhance Its Cybersecurity Profile

Regular stories of data breaches at high-profile companies have definitely raised awareness of the importance of robust cybersecurity for businesses. Ironically, though, such stories may result in a false sense of security among small-business owners who think their organization isn’t significant or large enough to be of interest to hackers.

In reality, there’s no such thing as “too small to be attacked.” If your company works with any type of digital data, it’s a target for bad actors. While a small business may not have the resources to employ a full-time tech team, there are easy, affordable strategies it can leverage to boost its cybersecurity stance. Here, 16 members of Forbes Technology Council share simple steps any small business can take today to enhance its cybersecurity profile.

1. Implement Two-Factor Authentication

For any business—from the smallest local pizzeria to the Forbes’ Global 2000—the biggest cybersecurity bang for the buck is to implement two-factor authentication for access to all computers, servers, infrastructure services and business applications. Implementing 2FA adds a broad level of protection against hackers getting access to business-critical data and services. Leading cloud service vendors such as Microsoft report seeing hundreds of millions of fraudulent sign-in attempts every day. Two-factor authentication blocks 99.9% of account takeover hacks. – Ed Gaudet, Censinet

2. Protect Your Personal Accounts And Technology

Hackers now regularly attack the personal digital lives of family businesses to bypass company security controls and move laterally into the organization. To reduce this emerging risk, it’s essential for small family businesses to protect company leaders’ online privacy, personal email, personal devices and home networks with the same tenacity as they protect their company’s digital infrastructure. – Christopher Pierson, BlackCloak

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

3. Scan The Dark Web

Enlightened companies are partnering with threat intelligence agencies to conduct targeted scans of the dark Web for company-specific keywords. This helps a company understand its exposure areas and vulnerabilities. The scan provides a “hacker’s” view of the company, enabling a deeper understanding of threat actors, motives and campaigns. This data can then be used to improve a company’s risk profile. – Michael Henry, Singapore Sports Hub

4. Implement Security Awareness Training

Now that hybrid workplaces are the norm, consider implementing security awareness training for employees. This can include tips on spotting suspicious emails, best practices for password creation and protecting sensitive business information. While this may seem obvious to tech workers, regular reminders to all employees can help prevent cyberattacks and secure your company’s digital presence. – Anna Frazzetto, Tential

5. Provide Devices With Built-In Security

Nearly half of global office workers bought a PC, laptop or printer to enable remote work during lockdowns. But 68% said security wasn’t a major purchasing consideration. One step to address this would be to provide users with devices that have security built into the hardware—for example, devices with remote recovery capabilities and self-healing firmware so they can recover in case of compromise. – Ian Pratt, HP

6. Use The MITRE ATT&CK Framework

I advise technology leaders to leverage the MITRE ATT&CK framework to better understand adversary tactics, techniques and procedures. This free, globally available guide is based on real-world data and can help all security leaders better understand the threats facing their organization and how specific attacks are likely to be carried out by threat actors. – Stephan Chenette, AttackIQ

7. Add A CASB

With the continued shift to remote work environments and the prevalence of bring-your-own-device policies, organizations are struggling to maintain security settings that limit access to sensitive assets in the cloud. Implementing a cloud access security broker or similar access-control solution is an effective step a small business can take to improve its security posture. – Ian Paterson, Plurilock Security Inc. (TSXV:PLUR)

8. Don’t Share Sensitive Information On Social Media

Stop oversharing on social media. While it is great to see a small or new business grow, telling us about what you have invested in, the network you use or a new customer can expose you—or worse, the customer—to an attack. By understanding your network, hackers can look for vulnerabilities and gain access, while sharing a customer name allows for spear phishing against them in your name. Only share basic information. – Keven Knight, Talion

9. Focus On Internet-Facing Connections

One of the simplest ways for a small business to enhance its cybersecurity profile is to focus on internet-facing connections and implement firewall (network and application) best practices, as well as denial of service solutions. The internet-facing connections are the most exposed and attacked areas of any technology infrastructure. – Mark Schlesinger, Broadridge Financial Solutions

10. Set Up End-To-End Encryption, And Don’t Sell Customer Data

Security should be top of mind. Implement end-to-end encryption. Assure your customers that their protection is your No. 1 priority. Most importantly, design your business model around customer protection. You should not rely on selling your customers’ data to succeed as a company. Just note the public perception of Apple and how they have been able to win customer trust and loyalty. – Nicholas Domnisch, EE Solutions

11. Implement SSO

Implement a single sign-on solution. SSO provides users with a single set of credentials that can be used to access all of the applications and data they need. Not only does this make it easier to grant, audit and revoke user access to company resources, but it also mitigates the risk of password reuse and other common security vulnerabilities. – Patrick Zhang, Trellis

12. Carry Out Monthly Scans

Implement and execute a plan for monthly vulnerability scans. There are plenty of recommended providers with limited free solutions (I like this list from OWASP). As your business grows and shifts, these monthly scans can help you identify any new weaknesses to prioritize for remediation. – Eva Pittas, Laika

13. Get Cyber Insurance

Any small business dealing with personal and financial data such as Social Security numbers, credit cards, phone numbers and health information must consider getting cyber insurance. Many of the policies available today at very reasonable prices cover lost revenue, ransomware payments, risk assessment, regulatory fines, legal fees and even protective measures in case of a cyber breach. – Ritesh Mukherjee, Inseego

14. Stay Up To Date On Cybersecurity News

One of the best things you can do to enhance your cybersecurity profile is to stay up to date on the latest cyberattack methods and cybersecurity news. Keep an eye out both for problems and potential solutions. Hackers move fast. If you’re not aware of a new scam, you could accidentally put your business and sensitive customer data at risk. – Thomas Griffin, OptinMonster

15. Take A Layered Approach

Toss out any procedure manuals or company handbooks purporting to outline cybersecurity policy. Cybersecurity isn’t a thing that can be conveyed in static language; it’s a process and a mindset that must be internalized within the company culture. Security requires constant care and feeding in order to be effective. Use a layered approach, because no one product can guarantee protection. – Adam Stern, Infinitely Virtual

16. Make Sure You Haven’t Already Been Attacked

Check to see if your company hasn’t already been victimized by a cyberattack. A significant percentage of security audits reveal an attack that went unnoticed by the company in question. Before asking “big” strategic questions, it’s important to undergo an external audit. The results will help you make future decisions regarding rules and procedures that will help protect your intellectual property. – Robert Strzelecki, TenderHut