Cybersecurity has long been a pressing issue for small businesses. By one recent estimate, a whopping 46% of cyber attacks were against companies with 1,000 employees or fewer.
The results of these attacks can be especially crippling. In fact, a 2023 analysis by IBM found that for companies with 500 employees or fewer, the average data breach costs $3.31 million — a massive blow to any business, let alone a newer or smaller one.
For most small businesses, a fully equipped IT department is out of the question. Many of these companies can’t afford any cybersecurity resources at all, despite the risks.
So how can small business owners protect themselves? The reality is there are several affordable resources — and a few best practices — that could go a long way in preventing a potentially ruinous cyber attack.
Use a managed security service provider
For companies that can afford it, managed security service providers (MSSPs) can be the solution to nearly all of the most straightforward cybersecurity woes.
These providers are external teams that monitor the security of your company’s systems and devices. They perform a wide range of functions, depending on what you need — everything from firewall management and VPN hosting to regular vulnerability scans. Best of all, most operate 24/7, so they will constantly be monitoring your data for threats and breaches.
There are a variety of different MSSP plans, which could include paying per employee, per device, or even per the amount of data that needs managing. Prices vary, but if you have more than a handful of employees, you could quickly find yourself paying upward of $10,000 a year.
If your business is on the smaller side, you’d be paying much less. MSSPs can be a fairly comprehensive answer to the problem, but companies of all sizes need to evaluate their needs, budgets and risks before committing to one.
Educate your employees
Research shows that human error accounts for up to 95% of all cyber attacks. This isn’t necessarily an indictment on anyone’s technological savvy — there are quite literally dozens of types of attacks that are commonly used against employees to access company-wide data, and many of them are enormously tricky.
However, a little education can go a long way. If you don’t have the resources to hire the experts, the next-best step is to turn your whole team into cybersecurity amateurs.
Of course, if you do have a cybersecurity expert or small team on staff, then the solution is simply holding regular training. If not, then you can rely on the vast array of third-party companies that provide programs for teams of all sizes. Some, like Proofpoint, have a curriculum especially geared toward small businesses.
Even without an interactive program, there are plenty of basic practices you can instill in your team, like stressing the importance of strong passwords and setting guidelines for company internet use. And having a written-out cybersecurity policy — however simple it is — can help detail the penalties for violating certain rules.
This policy doesn’t have to be a finished product, either. Remember that it can grow and evolve as both you and your team become more educated.
Create rules for mobile devices
A crucial part of any security policy — so crucial, in fact, that it warrants mentioning on its own — is a set of rules around how your employees use their phones.
In the post-COVID-19 world, with so many people working from home, logging in on the go and blurring the lines between their personal and professional devices, the risks have never been higher.
If your employees are going to access any company data on their phones, they should be required to password-proof their devices and apps. Even better, they should be required to use third-party verification platforms in order to log on.
Back up files regularly
This goes hand in hand with employee education, but in some cases, the benefits can be even more systemic, providing security at every level of your business.
It may sound simple, but regularly backing up files can make a big difference in the event of an attack. Lost data can be one of the most costly effects of a cyber attack, because even if the culprits are caught, your data still may be damaged, encrypted, or otherwise inaccessible.
Ransomware attacks, for example — which comprise nearly 25% of all cybercrimes — work by locking or encrypting victims’ data, rendering it totally inaccessible. If your files aren’t backed up on an external drive or the cloud, they could be lost forever.
This includes all databases, financial files, human resources materials and any other important documents. The best-case scenario is to use programs that back up your data automatically, but if not, try making a practice out of a weekly sweep through your important files.
Backing up data isn’t free, but it’s certainly cheaper than other, more hands-on solutions — and in the end, it could be the difference between a nightmare scenario and a manageable one.