By Chris Hobbick, Founder and CEO of First-Rate Technological Consulting
As the founder and CEO of a small technology consulting firm, I know firsthand the importance of prioritizing cybersecurity. Our clients trust us with sensitive information, and we are responsible for protecting that data. After a recent security incident, I realized our cyber defenses needed an overhaul.
I dove into researching best practices for small business IT security. This guide summarizes what I learned. While not exhaustive, implementing these steps will significantly improve your cyber readiness.
Designate an IT Security Leader
Your first move should be designating an IT security leader. This person will manage your cyberstrategy, including training employees on security practices. Choose someone eager to learn about IT security, even if they lack technical expertise.
Initially, this can be a part-time role. But as your company grows, it will likely become a dedicated position requiring substantial technical skills. Your IT security leader’s responsibilities include:
– Training employees on cybersecurity best practices
– Supplying security tools like VPNs to employees
– Assessing employees’ security knowledge
– Overseeing network security
– Leading incident response
Create a Threat Model
Next, work with your IT security leader to create a threat model. This assesses your assets, threats, and vulnerabilities. Key steps:
– Inventory sensitive data like customer records or intellectual property.
– Identify threats like hackers, untrustworthy employees, or spyware.
– Determine vulnerabilities, like risky third-party services or poor network security.
– Create a data flow diagram showing how data moves through your company.
– Rank risks once you map assets, threats, and vulnerabilities.
Your threat model will reveal security priorities like additional staff training or upgrading software. Revisit your threat model periodically as your company evolves.
Formulate Security Policies
Formalize your security approach in written policies for employees. Include:
– IT security policy listing required practices like strong passwords.
– Data breach response plan detailing notification, investigation, and remediation steps.
– Data minimization guidelines to only collect essential customer information.
Ensure employees receive security policies during onboarding. Refreshers keep policies top of mind.
Secure Devices
With bring-your-own-device policies, employees’ laptops and smartphones represent a significant vulnerability. Implement these device controls:
– Encrypt devices to protect lost or stolen data.
– Install antivirus software and keep apps updated.
– Create device inventories detailing approved vs. prohibited devices.
– Limit software installation to trusted sources only.
– Use firewalls and VPNs, especially on public Wi-Fi.
– Never share devices or account credentials.
Additionally, train employees on social engineering threats like phishing. Test their knowledge with simulated attacks. Ongoing education is essential.
Enforce Email Security
Most cyberattacks enter through email. Stop threats by:
– Training employees to identify phishing attempts. Provide examples of suspicious links or requests.
– Implementing DMARC authentication to prevent spoofing.
– Using privacy-focused encrypted email services like ProtonMail.
– Disallowing auto-downloads of remote content which could contain malware.
– Reporting suspicious emails to your IT security leader for investigation.
Create a straightforward process for notifying your security team if an employee falls for a phishing scam—rapid incident response limits damage.
Protect Your Network
Once your company establishes an internal network, its protection becomes vital. Your IT security leader should:
– Segment networks, allowing no access between corporate and guest networks.
– Install network firewalls permitting only authorized traffic.
– Require VPNs for secure remote access.
– Regularly patch vulnerabilities and scan for malware.
– Closely monitor activity logs to catch irregular behavior.
– Disable ex-employee accounts immediately upon departure.
Implementing robust network protections requires technical expertise. As your company grows, your IT security leader will need deeper skills.
Adopt Security Solutions
While proper training and processes provide a strong defense, security solutions add another layer of protection:
– Use encrypted messaging apps like Signal or Wire for sensitive communications.
– Store files in encrypted cloud services like Tresorit.
– Install password managers such as Bitwarden.
– Enable two-factor authentication for account logins.
– Encrypt hard drives using VeraCrypt.
– Install antivirus software like Bitdefender on all devices.
Evaluate free and paid solutions for usability and security fit. Weigh the tradeoffs.
Prioritize A Security Culture
Creating an IT security-conscious workplace culture is challenging but pays dividends. Employees should view security as an integral part of business operations rather than an afterthought. Reinforce the message that everyone has a role in securing company data.
While deploying privacy-focused software enhances defenses, nothing replaces an alert, well-trained staff mindful of risks. By designating a knowledgeable IT security leader, formulating clear policies, implementing technological protections, and promoting sustained awareness, you position your small business for cyber resilience. Contact 212–508–9700 if you need help getting started. I’m a pro at this stuff.
