No entrepreneur goes into business to learn how to fight off cyberattacks. They go into business to create the best bakery in town, to build beautiful new homes, or to sell things they love. Almost no business, however, can operate in the modern world without a digital footprint, which means that every business is exposed to cyber criminals.
The pervasive threat of cybercrime
Cyber risk is the risk that businesses face from bad actors—be they rogue operators, criminal enterprises, or even nation-states—who try to break into information systems to steal money, misuse data, take systems hostage for ransom, or otherwise wreak havoc. Unlike the threat of a physical break-in, there is no “move to a safer neighborhood” option with cybersecurity. The very fact that a company is always online means that attackers have virtually endless access and opportunity.
Making things worse, automation and AI are being used to increase the volume and sophistication of cyberattacks, with ever-growing impact. Ransomware and fraudulent funds transfer attacks on small businesses have increased yearly. According to Microsoft Threat Intelligence, Ransomware as a Service (RaaS) has led to the evolution of a gig economy that lets small cyber criminals increase their reach and scale. Simply put, technology has allowed bad actors to automate and scale their cyberattacks, making cyber criminality a large global business.
Cyber protection essentials for small businesses
The escalating threat landscape requires proactive measures to safeguard small businesses from cyberattacks. Fortunately, while the risks may be growing, the protections against them are keeping pace with improvements in quality and usability. And that means every business has the option of dramatically improving its security posture.
You don’t need the security of a giant enterprise to mitigate the risk of your small business getting hacked, rather – you just need to master a few basics. In the Microsoft Digital Defense Report 2022, researchers found that “Over 80 percent of security incidents can be traced to a few missing elements that could be addressed through modern security approaches.”
With this in mind, here are four key strategies that every small business leader can take to sleep a little better at night:
- Keep up to date
To start, one should learn to love those software updates that we’re constantly being notified to install from Microsoft and other trusted vendors. One area of increasing cyber threats is through exploited software. Even long-trusted software may have vulnerabilities. Fortunately, software security providers and ethical hackers work directly to identify these vulnerabilities as fast or faster than bad actors so the software provider can craft fixes proactively.
Those updates are useless if the technology domain owner doesn’t implement them. Implementing a rapid patching plan is an easy best practice for any small business. Indeed, some cyber insurers have begun to deny coverage for cyberattacks if relevant software is not up to date, while others have put incentives like increasing deductibles in place to encourage timely patching.
- Keep score on your security posture
Beyond tracking updates, it can be hard to understand precisely how vulnerable your business is. So one essential tool is a measurement service like Microsoft Secure Score, which evaluates your business’s security posture based on your security configurations and provides insights and recommendations regarding security controls.
In fact, many businesses now make it a best practice to share their Secure Score with their IT security partner and their insurer, yielding good advice that’s tailored to their particular business.
- Implement essential controls
One doesn’t need to be a cybersecurity expert to secure their online presence. Business leaders just need to focus on leveraging a set of key controls. Most cyberattacks on small businesses still come from the least sophisticated sources like social (for example phishing), malware (such as viruses and ransomware), and device and network hacking (like endpoints). Fortunately, there are some basic, proven ways to protect against these kinds of attacks. While no one security measure will stop every attack, there are a set of relatively simple-to-use controls that every small business should put in place. Five security controls really stand out as high impact:
- Multifactor authentication (MFA)
- Email and web filtering
- Data security and backups
- Privileged access management (PAM)
- Endpoint detection and response (EDR)
These critical cyber-hygiene controls create multiple layers of defense, making it harder for cybercriminals to exploit common attack vectors. And they can be implemented without a lot of friction or cost—especially when measured against the pain and disruption that can happen when a business fails to put them in place.
Implementing these controls isn’t as hard as it sounds—most modern cloud-based software has multiple players of built-in protection. For example, implementing MFA in Microsoft Office 365 is a three-click procedure. Similarly, Microsoft OneDrive has built-in ransomware protection tools that automatically detect and guide recovery from ransomware attacks.
- Team up with cyber insurers and your IT experts
Just as a burglary can happen even when you have all the best door locks, a cyberattack can succeed even when businesses have the best cybersecurity measures in place. Consequently, preparation and planning are essential. It is therefore important to work with insurers to determine the best security coverage for your specific needs. Cyber insurance offers financial support, incident response coaching, and access to specialized teams that can assist in limiting the damage caused by cyberattacks.
Businesses should also work with an IT provider who can build an incident plan that leverages one’s insurer in case things go wrong. Working together, these partners will make it easier to get a business back up and running if an attack should ever succeed.
Smart Scaling: Ensuring Cybersecurity Along the Way
Like property protection and professional liability, cyber insurance is now a necessary cost of doing business. By simplifying the essential steps to mitigate cyber threats, every small business can enhance its cybersecurity posture, reduce the likelihood and impact of attacks, and keep insurance costs down. Done well, effective cybersecurity can even build confidence in making new investments and driving new innovations.
Remember, cybersecurity is a team sport. By working together, we can create a safer digital environment in which any small business can thrive.