Too many small business owners think that threat intelligence, Zero Trust protocols, and network security impact only global corporations. But no matter how small your business, you need to give cybersecurity your time and attention.
While many of today’s much-hyped security solutions may be beyond your budget, most of the best practices for maintaining network security — tactics and tools that protect your customer and financial data, intellectual property, and office systems — are affordable and practicable.
8 vital best practices for network security your small business needs:
- Hacker-proof passwords
- Virtual private network
- Spam filters and anti-virus software
- Multi-factor authentication
- Mobile device management
- Updated software
- Ongoing employee training
- Backup and a recovery plan
1. Create hacker-proof passwords
While it’s doubtful anyone is still using “password” as their password, it’s a good bet you’re still using some version of your birthday, address, or college mascot.
“I understand passwords can be a real pain in the rear. Every time you turn around, a new service requires you to set up an account, and before you know it, you’re using the same password across multiple services because it makes life easy,” says Bob Salmans, trainer at .
“The problem is that data breaches are happening more and more frequently, and once the breach occurs, the ‘bad guys’ are putting a list of usernames and passwords out into the world. Then they attack every online service imaginable. The truth is that you most likely have user credentials that have been compromised and are floating around the internet.”
So, how do you create an effective password?
At a minimum, use a mix of upper- and lowercase letters, symbols, and numbers, none of them related to your birthday, address, or other identity markers, and change your passwords at least once a quarter. The best passwords, though, are long, random character strings that spell nothing and are not meant to be memorized.
Password managers are simple applications you install on your computer that generate and store your passwords.
Each time you set up a new account, you use the password manager to generate a new secure password, which you copy and paste into the account setup. All your accounts can have unique secure passwords, and you need to remember only one password, which is the password you set up on your password manager application.
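As an added illustration, not code from the original article or from any password manager vendor, the Python below shows what a password manager's generator does under the hood: it draws from a cryptographically secure random source, guarantees all four character classes, reports how much entropy a given length buys, and checks a hand-picked password against the article's minimum rules and a list of identity markers. The 12-character floor, the symbol set and the sample identity markers are assumptions of this example.

```python
import math
import secrets
import string

# Character classes a password manager draws from (symbol set is an assumption of this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
MIN_LENGTH = 12  # assumed floor for a hand-picked password


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character from each class.
    Uses the `secrets` module (a CSPRNG), never `random`, so the output is not predictable."""
    if length < 4:
        raise ValueError("length must allow one character from each of the four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def check_password(pw: str, identity_markers: list) -> list:
    """Return the reasons a password fails the minimum rules; an empty list means it passes.
    identity_markers are strings such as a pet's name or birth year that must not appear."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER), ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in pw):
            problems.append(f"no {name} character")
    lowered = pw.lower()
    for marker in identity_markers:
        m = marker.lower()
        if len(m) >= 4 and m in lowered:  # ignore very short markers to avoid noise
            problems.append(f"contains identity marker {marker!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a college mascot plus a birth year, exactly what the article warns against.
    print(check_password("Wildcats1985!", ["Wildcats", "1985"]))
    generated = generate_password(20)
    print(generated, check_password(generated, ["Wildcats", "1985"]), round(entropy_bits(20), 1))
```

A 20-character password from an 87-symbol alphabet carries about 129 bits of entropy, far beyond anything worth brute-forcing, which is why the manager, not the user, should be choosing it.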
Password managers start around $35/year per user. Some offer a business or family plan, which can reduce the per-user cost.
2. Use a virtual private network (VPN)
A VPN is a service that protects your privacy and anonymity when you connect to the internet through a public connection.
You route your connection through the VPN, which encrypts your traffic so your communications can’t be read if they are intercepted. It also keeps your web browsing anonymous, masks your IP address, hides your location for streaming, and shields your connected devices from attackers. VPNs are essential in today’s world of remote work.
“However, nowadays you can download an app where you can use hundreds of servers from around the world for a secure connection. You don't even need an IT expert for this. All you need to do is google VPN companies and subscribe to the one that suits you.”
According to , the average cost to rent a dedicated small-business server is $100 to $200/month, while purchasing a secure server would cost $1000 to $3000. VPNs, on the other hand, can run as low as $5 to $14/month, with the average small business cost running around $40.
3. Use spam filters and antivirus software
Using spam/anti-malware filters and antivirus software should top your network security checklist if you want to prevent cyberattacks.
Businesses often deploy spam filters and anti-malware filters on their email gateways as the first line of defense against phishing attacks, explains Jason Firch, CEO of . Spam filters block traffic at the source by using global threat dictionaries that list known malware signatures. If a known signature is detected as an attachment in an email, then the threat is blocked transparently from the user’s perspective.
“But setting up a spam filter is a balancing act,” says Firch. “On one hand, the network administrator wants to block all malicious traffic. On the other hand, if the filters are too aggressive, legitimate traffic gets blocked and end users start to complain.”
After two to three weeks of use, he says, a baseline for the network can be established and further adjustments can be made. These filters cost from $10 to $20/month per user.
Additionally, install antivirus software on every Windows host on your network. Antivirus vendors update their signatures daily to cover thousands of new threats, so the software must be running on every device connected to the network; when it detects a malicious file, it deletes it.
4. Use multi-factor authentication
One of the top cybersecurity practices for small businesses is to implement multi-factor authentication (MFA). Multi-factor authentication requires a password and another identifier, such as a PIN, a thumbprint, or a code. If you’ve used online banking, you’re probably familiar with this system.
If your password was stolen or revealed in a data breach and an attacker tries to use it to gain access to your network, multi-factor authentication would prevent that attacker from being successful. These solutions are often free with other software you’re already using (such as Microsoft Office 365).
“In this remote-work world, it’s like wearing a mask,” says Patrick Kelley, CTO, . “It’s a bit more trouble, but it will keep you safe. There is no downside to multi-factor authentication, and it is the top recommendation I have for SMBs.”
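To show why a leaked password alone fails against MFA, here is an added example in Python, not code from the article or from any of the vendors it mentions: the “code” factor is computed as an RFC 6238 TOTP (the scheme behind most authenticator apps) and is checked together with a salted PBKDF2 password hash. The account record layout, the PBKDF2 work factor and the one-step clock-drift window are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30        # standard TOTP time step
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def register(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Create an account record: salted PBKDF2 password hash plus a random TOTP secret
    (the secret is what the authenticator app receives as a QR code at enrolment)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }


def verify_login(record: dict, password: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Both factors must check out. The code is accepted for the current step plus or minus
    `window` steps to tolerate clock drift. Both checks always run, so a wrong password
    does not return early and leak which factor failed through timing."""
    now = int(time.time()) if at is None else at
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    code_ok = False
    for k in range(-window, window + 1):
        expected = totp(record["totp_secret"], now + k * STEP_SECONDS)
        code_ok |= hmac.compare_digest(expected, code)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the right password with a stale or guessed code is rejected.
    account = register("correct horse battery")
    now = int(time.time())
    print("password + current code:", verify_login(account, "correct horse battery", totp(account["totp_secret"], now)))
    print("password + wrong code:  ", verify_login(account, "correct horse battery", "000000"))
```

The first two assertions in the accompanying check use the published RFC 6238 test vector (ASCII secret `12345678901234567890`, time 59), so the TOTP arithmetic can be confirmed against the standard rather than taken on trust.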
5. Practice mobile device management (MDM)
Mobile device management is similar to endpoint security in that it refers to securing devices connected to your network. However, MDM is specific to mobile devices such as phones and tablets, whereas endpoint security covers computer workstations, printers, scanners, and other office equipment.
Mobile device management determines which devices can access the network and enforces the security policies. It manages encryption, monitors for security and regulatory compliance, and remotely wipes lost or stolen devices.
“With MDM, organizations can require mobile devices meet specific security standards before being allowed network access,” says Almi Dumi, CISO,. “They can also enforce acceptable use policies determining application access and block risky activities. MDM is inexpensive, and other than the initial number of users, there are no costs to manage. It’s definitely worth the return on investment if employees access the network from their devices.”
You simply load the MDM app on your network server, then register all users and each device to be managed. Dumi recommends hiring a knowledgeable contractor to set up the app to ensure it is done correctly. From that point on, the business owner can periodically check reports to look for anomalies.
6. Keep software updated
This is an easy step, and one you’ll receive automated reminders for if you turn on the auto-update feature in settings. Software vendors issue “patches” that amend software code to protect against new threats as they are discovered.
Regularly remind employees to restart their computers once a week, to ensure they download the latest security patches available for the software on their laptops and workstations.
“If you manage your own wireless network, check the software levels of your routers at least every six to 12 months; otherwise, ask your IT consultant how often they update your network software,” recommends Michael Puldy of . “In most cases, they never do it.
“It’s also a good idea to plan a technology upgrade every three to four years, so you and your employees have current technology and the latest software. The performance improves, and a technology swap also reduces the probability of your technology failing just because it’s old.”
7. Train employees regularly
No matter how thorough your technical network security, your network security plan is only as effective as your employees’ awareness and cyber hygiene. According to Firch, security awareness training has risen in popularity because 98% of cyber attacks rely on social engineering, such as phishing emails opened by unsuspecting employees, as their entry point into a network.
The goal of security training is to inform and educate employees on how to identify common attacks used by threat actors. Training is just as important to companies with a handful of employees as it is for a large enterprise’s corporate network security.
For example, sending regular phishing email campaigns to unsuspecting employees, says Firch, is an effective way to test their understanding of current scams used by threat actors. If a user falls victim to this test, additional training can be assigned.
You may be surprised how many employees can’t identify a phishing scam or won’t update passwords regularly. Don’t take anything for granted; be sure to regularly require cybersecurity training to keep employees aware and vigilant.
“Employee education is not a best practice — it’s a must practice,” says Kelley. “The problem with employee education is that it’s easy to forget. It’s hard to make time for it when you have deadlines, and it’s an ongoing process that must be revisited again and again.”
Key reminders should include:
- Review of your cybersecurity policy
- Only use work email for work communications: When an employee signs up for a third-party service with a company email and that service gets breached, it can mean trouble for your network.
- How to spot phishing emails: Communicate the latest bogus emails through your company newsletter or intranet between training sessions.
- Don’t overshare on social media. If a scammer has your pet’s name, school name, family member names, and birthday, they may gain insight into your security questions and be able to impersonate you.
- Don’t auto-forward work emails to your personal email address when you’re out of the office, and don’t use an automated “out of office” email reply.
- How to respond to ransomware attacks (immediately disconnecting from the internet and intranet)
- How to respond to a computer virus (don’t back up files until the virus has been removed)
8. Backup regularly and plan for recovery
Back up everything. Bonus points if you learn how to retrieve the backup when disaster strikes.
Data can be compromised for any number of reasons — a ransomware attack, disgruntled employee, or hardware failure. You should back up data and system configuration daily and have multiple backups, both on-site and off.
“There are many ways to develop a comprehensive backup solution. Several providers will help you with this process if you don’t have the staff to do it yourself,” Kelley says. “ comes to mind as a respected backup provider that is used by many small businesses. The important bit is just to do it. You’ll thank yourself later if you ever need it.”
Although a critical component of your network security plan, backing up data doesn’t have to be expensive or complex. For smaller companies, you can buy an external hard disk drive with 2 terabytes of space for $59 on Amazon.
Additionally, most computers (and phones) come with software that can perform backup and recovery, which might include a small monthly fee depending on how much space you need. There also are many local and cloud backup solutions.
“Be aware that cloud backup solutions are great until you need to recover a 1TB hard drive,” warns Puldy. “The recovery will take a long time over the internet. Also, it’s important to know how to perform the steps for completing the recovery, and there are many YouTube videos that describe the process. If you aren’t sure, an IT consultant may be your next best step.”
Good backups are never cheap, he says, but “they can save you from bankruptcy.”
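The “learn how to retrieve the backup” advice above is the part most often skipped, so here is an added Python example, not code from the article or from any backup provider, that makes a restore test routine: it packs a directory into a gzip tarball with a sha256 manifest, extracts it into a scratch directory, and verifies every file against the manifest, then shows that a damaged file is reported. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Pack every file under `source` into a gzip tarball and write a manifest of path -> sha256.
    The manifest is what lets a later restore be checked rather than just hoped for."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def compare_to_manifest(archive: Path, restore_dir: Path) -> list:
    """Return the relative paths that are missing or whose contents differ from the manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    bad = []
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            bad.append(rel)
    return bad


def restore_and_verify(archive: Path, restore_dir: Path) -> list:
    """Extract into a scratch directory and verify. An empty list means the backup is usable."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter rejects absolute paths and '..' entries (Python 3.12+, backported to 3.8.17+).
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)  # interpreter without the filter argument
    return compare_to_manifest(archive, restore_dir)


def demo() -> tuple:
    """Back up a constructed sample tree, test-restore it, then show the check catches a damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "office-data"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-01.csv").write_text("id,amount\n1,120.00\n")  # constructed sample data
        (source / "notes.txt").write_text("constructed sample file\n")
        archive = root / "office-data.tar.gz"
        create_backup(source, archive)
        restore_dir = root / "restore-test"
        clean = restore_and_verify(archive, restore_dir)
        # Simulate a damaged restore and re-check: the mismatched file is reported.
        (restore_dir / "invoices" / "2024-01.csv").write_text("id,amount\n1,0.00\n")
        damaged = compare_to_manifest(archive, restore_dir)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run the restore test on a schedule, against the off-site copy as well as the local one, and keep the manifest with the archive; a backup that has never been restored is only a guess.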
Secure all your entry points
The most important thing to remember is that good cyber hygiene takes time to do well, and it can only be achieved when you secure your people, processes, and technologies, according to Firch.
“Understanding where you have gaps is vital to a successful program and to ensure cost is controlled,” he adds.
As with many other challenges around security, it may be worth the investment of hiring an outside consultant to evaluate your system and assets, then make recommendations regarding what you need to protect, and how to do it.
“The good news is, with the exception of backup and recovery and maybe incident planning, most small business owners can resolve these issues on their own without an IT consultant or any external help,” says Puldy. “Of course, time is money, and sometimes it’s simply faster and more efficient to hire an expert.”