Tips for SMBs against cyber threats

by Mark Rowe

Mike Gutierrez, GoTo Solutions Consultant, offers ten ‘top tips’ on safeguarding your SMB against cyber threats.

Cybersecurity is a growing concern for organisations of all sizes. While large corporations often grab headlines for cybersecurity breaches, small businesses are just as—if not more—vulnerable to cyberattacks. Emerging attacks, such as phishing, baiting, and impersonation, do not rely on sophisticated technical exploits but instead focus on manipulating individuals into divulging confidential data, performing actions, or making decisions that benefit the attacker.

Additionally, beyond social engineering attacks, there are a multitude of other threats that can pose significant risks to your small business. These threats range from ransomware attacks, which can hold your vital data hostage until a ransom is paid, to malware infections that can disrupt your operations and compromise your sensitive information. To help protect your small or medium-sized business (SMB), we’ve put together a practical cybersecurity checklist. It offers actionable steps to strengthen your digital defences and safeguard your valuable assets from potential cyber threats.

  1. Implement Security Awareness Training

Security awareness training involves educating your employees about cybersecurity best practices. This training helps them understand common threats like phishing emails and how to respond to them. For instance, employees can learn how to identify suspicious emails by looking for unusual sender addresses or requests for sensitive information. Regular training sessions and simulated phishing exercises can make your team more vigilant against cyber threats. Platforms like KnowBe4 or SANS Security Awareness offer user-friendly training modules and simulated phishing tests that help employees recognise and respond to online threats effectively.

  2. Enforce Access Control to Sensitive Data

Access control ensures that only authorised personnel can access sensitive data and systems. To strengthen your organisation’s security posture, implement a password management tool to encourage strong password practices and store credentials securely. You should also adopt a Role-Based Access Control (RBAC) system where access privileges are assigned to users based on their job roles and responsibilities. This approach ensures that individuals only have access to the resources and information necessary for their specific roles. For instance, only HR managers should have access to employee payroll data, while other employees are restricted from this sensitive information.

  3. Enforce Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of security by requiring a second form of verification, like a mobile app or a text message code, in addition to a password. This can include something you know (like a password), something you have (like a mobile app or a hardware token), or something you are (biometric data like fingerprints or facial recognition). Select a suitable MFA solution that aligns with your organisation’s size, budget, and technology stack. Google Authenticator and Microsoft Authenticator are popular choices, but there are other options available as well.

  4. Strengthen all endpoint security

Just as you prioritise regular health check-ups for your well-being, it’s essential to ensure the robust protection of all computers and mobile devices in your organisation using an endpoint protection tool. Integrated Partner Solutions, Inc., a company dedicated to automating engineering processes, is a great example of this. Through their use of remote monitoring and management (RMM) software, they successfully enhanced their endpoint security amidst tight engineering project timelines. Gene Perry, Vice President at Integrated Partner Solutions, underscored the value of this protection, especially when managing proprietary engineering data. He emphasised the confidence their clients felt thanks to their RMM software and its permission-based, end-to-end data encryption. Using mobile device management software in addition to RMM software can help ensure data security and compliance on mobile devices used for work so all company-owned and BYOD devices are protected.

  5. Implement zero trust architecture

If your business relies on third-party vendors or cloud services, like remote meeting tools or payroll software, assess their security practices and ensure they meet your cybersecurity standards. Pay particular attention to how they handle sensitive data, access management, and encryption practices. Depending on your industry, you may also want to ensure that your vendors comply with specific cybersecurity regulations (e.g., GDPR, HIPAA, PCI DSS) if they handle your data. Look for tools that offer advanced security protocols, like zero trust architecture, to give your organisation peace of mind when it comes to remote access security.

  6. Contingency plan

Create a comprehensive incident response plan with clear steps for cybersecurity incidents and assign roles and responsibilities for a coordinated response. For instance, appoint an Incident Coordinator who oversees the entire response effort, ensuring that actions are coordinated and aligned with the plan. Technical Analysts, on the other hand, are responsible for investigating and assessing the nature and scope of the incident. Legal counsel should also be part of your response team, ready to address any legal implications of the incident.

  7. Establish an employee off-boarding process

When an employee leaves your company, it’s crucial to remove their access to systems and data. This is similar to collecting keys and access cards when an employee leaves an office. One way to make the process easier is to create an access revocation checklist. This checklist should include all the systems, applications, and data repositories that departing employees have access to. As soon as an employee’s departure is confirmed, systematically go through this checklist to disable or change their access credentials. For example, if your business uses cloud-based services, you can easily revoke access by deactivating their user accounts. Additionally, update password protocols to ensure that former employees cannot use their old passwords to gain unauthorised access.
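The role-based access control from tip 2 and the access revocation checklist above fit together: if every permission is reachable only through a role, off-boarding is a matter of disabling the account, stripping its roles, and rotating any shared secrets the person knew. The following is an added illustration, not code from the article or from GoTo; the roles, permission names, users and shared-secret names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission map (assumption, not from the article):
# payroll data is reachable only through the hr_manager role.
ROLE_PERMISSIONS = {
    "hr_manager": {"payroll:read", "payroll:write", "employee_records:read"},
    "engineer": {"source_code:read", "source_code:write"},
    "staff": {"intranet:read"},
}

@dataclass
class AccessDirectory:
    """Users -> roles, the set of enabled users, and shared secrets each user was given."""
    user_roles: dict = field(default_factory=dict)
    active_users: set = field(default_factory=set)
    shared_secrets: dict = field(default_factory=dict)

    def add_user(self, user, roles, shared_secrets=()):
        self.active_users.add(user)
        self.user_roles[user] = set(roles)
        self.shared_secrets[user] = set(shared_secrets)

    def effective_permissions(self, user):
        """Union of the permissions of every role held by an active user."""
        if user not in self.active_users:
            return set()
        roles = self.user_roles.get(user, set())
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def is_allowed(self, user, permission):
        """Deny by default: unknown or disabled users get nothing."""
        return permission in self.effective_permissions(user)

    def offboard(self, user):
        """Access-revocation checklist for a departing employee. Returns an
        audit record: what was revoked and which shared secrets must be rotated."""
        revoked = sorted(self.effective_permissions(user))
        rotate = sorted(self.shared_secrets.pop(user, set()))
        self.active_users.discard(user)   # disable sign-in first
        self.user_roles.pop(user, None)   # then strip every role assignment
        assert not self.effective_permissions(user)  # verify nothing is left reachable
        return {"user": user, "revoked": revoked, "rotate_shared_secrets": rotate}

if __name__ == "__main__":
    d = AccessDirectory()
    d.add_user("alice", ["hr_manager", "staff"], shared_secrets=["payroll-portal-admin"])
    d.add_user("bob", ["engineer", "staff"])
    print(d.is_allowed("alice", "payroll:read"), d.is_allowed("bob", "payroll:read"))
    print(d.offboard("alice"), d.is_allowed("alice", "intranet:read"))
```

The returned audit record is the filled-in checklist: it lists what the departing user could reach and which shared credentials still need a password change.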

  8. Unlock the age of AI

A recent UK government policy paper has revealed that AI-powered digital transformation could create hundreds of thousands of jobs and add billions to the tech sector. AI can accentuate the ‘human touch’ across departments like HR and IT. By implementing the technology to automate lower-level tasks such as system updates or flagging potential security alerts, you and your workers will have more time to develop new security safeguards and help guide company strategy by investing in the technologies that will drive new growth. Putting humans in the driving seat when it comes to AI’s development and implementation will ensure it only delivers positive results.

  9. Invest in your IT Teams

The GoTo 2023 IT Priorities Report found that 65% of organisations have seen an increase in IT workload over the past year, which shows us two things: just how vital IT professionals are, and just how much work and possible burnout they are experiencing. Turnover among your IT team can lead to loss of institutional knowledge, decreased productivity, burnout for your remaining staff, and increased costs for recruitment and training of new employees. This is at a time when maintaining efficient and effective technology solutions is more important to business success and security than ever.

When it comes to retaining IT talent specifically, you’ll need to go the extra mile, given their particular skills and needs, to ensure they feel fulfilled in their roles. To begin, create a dialogue with your IT professionals. Understand what their pain points are, and whether more systemic issues are arising around IT in the workplace. Then aim to provide professional development and training on new technologies, based on feedback from IT on what they most want and need to develop their skillsets. In a recent survey, 86% of HR managers said that providing ongoing training increases employee retention. Plus, offer additional training in “soft skills” beyond the latest technological innovations to help employees with overall job effectiveness and demonstrate long-term investment in their careers.

Try to evaluate your cloud service providers and other vendors to determine opportunities to streamline or consolidate your tech stack to minimise IT’s workload. Create and update technological systems that improve workflow efficiency and minimise shadow IT and technical debt, two issues that can create larger problems for IT teams in the future. If your IT staff work remotely, help to maintain clear working hours and boundaries so they can switch off after work. Finally, foster connections between your employees and your IT teams. It’s important to remember the people behind the screens resolving your IT issues, especially in the world of hybrid work.

  10. Stay agile in the Digital Age

Cybersecurity is an ongoing process. By implementing these practices, you’ll significantly enhance your SMB’s security and safeguard your business in the digital age. A consolidated technology stack is a small business’s best chance of mitigating the risk of cyber threats: it allows agents to protect and secure IT assets without disrupting end users, proactively detects and automatically schedules needed patches across servers and workstations, and monitors and manages antivirus software from a single dashboard.

Ultimately, the ever-evolving risk landscape, from the well-known (such as phishing and SQL injection) to the exponential rise of vishing, means that businesses must constantly be on the lookout for new threats and new mitigations. If organisations want to remain safe and successful, practising simple yet powerful steps towards cyber hygiene must be at the heart of their 2024 business trajectories.

© 2024 Professional Security Magazine. All rights reserved.