Securing A Small Business: Cyber Security Solutions For The SMB
For any small business, cyber security solutions can present a challenge to implement due to budget restraints and expensive third-party services. However, many free-to-use solutions are available that are aimed at small businesses with a limited number of users and devices.
However, security incidents do still occur. Government studies show that around 32% of small businesses in the UK have been impacted by a cybersecurity incident.
Cyber security risks are not solely a consideration for larger organizations facing advanced threats; the majority of attacks impact companies of all sizes and across all industries.
This is because a large amount of cybercrime is non-targeted: cyber criminals attack many different companies at scale, with the expectation that a percentage of those attempts will succeed.
Securing Your Company With A Limited Budget
It is understandable that for any small business, cybersecurity solutions can become expensive, and many may stay at risk of security incidents simply due to financial strain.
While outsourcing cybersecurity solutions can be expensive, there is a range of options that can be implemented at minimal or no cost, which address a number of key considerations and can greatly improve any company’s overall security posture.
Although free-to-use cyber security solutions have some limitations in their features, and paid-for alternatives may be preferred, free-to-use choices can be considered as a temporary measure to add an extra layer of protection to your company’s security.
As your company grows and budgets expand, these free solutions can be reviewed and resources invested into more fully featured paid-for options.
The following tools and resources have been compiled with this in mind, to provide a suite of cybersecurity solutions that can be used for free or within existing budgets and ensure companies of any size can protect themselves from a wide array of potential cyber threats.
Discuss Your Cyber Security With a Specialist Consultant
For any small business, cybersecurity advice and guidance should be sought to ensure you are taking the appropriate steps to protect your assets.
If looking for some free advice within the field of cybersecurity it is always recommended to discuss your current setup with a specialist, who can help you focus on several key objectives and plan an appropriate set of actions to improve your organization’s overall security.
- Defensity offers a one-hour consultation call with a cybersecurity specialist who can help to provide some advice and guidance on how you can approach your company’s security.
- Round Cyber offers a free risk assessment, where you can review your current assets and procedures and receive an outline of recommendations and improvements.
- CyberSecOp provides a free assessment and consultation for companies to help identify potential weaknesses in their current security processes and policies.
While it can often be good advice to discuss your risks with a specialist third party, for many new small business owners, and more established small and medium businesses, budgets can still be limited for security tools.
While there are more cybersecurity solutions available to consider, the following are freely available for small businesses working with a limited number of assets.
Best Practice Security Standards To Setup Devices
A company’s devices and services should each be configured to a similarly secure standard before being used for business purposes. It can often be the case that the default settings for a device and service are not the most secure options available.
Security testing companies will often offer a configuration review service, which reviews your devices against a set of recommended best practices alongside other checks. These reviews will typically assess your assets against security guidelines such as the following.
- The Center for Internet Security (CIS) publishes a set of standards and benchmarks for a range of solutions.
- The Security Technical Implementation Guides (STIGs) are guidelines that can be followed for each of your assets.
- The National Cyber Security Centre (NCSC) has created cybersecurity guidance including information for different platforms, device types, technologies, and policies.
These standards are free to download and contain detailed descriptions and settings that explain the security implications, why they should be changed, and how to change the settings.
The devices and services used throughout your organization can be configured in line with these standards to ensure a secure baseline is achieved.
Track Assets With Management Software Solutions
As small businesses grow, they are likely to accumulate assets. These could be laptops, desktops, phones, routers, firewalls, and other hardware.
Your assets can also include user accounts, documents, proprietary data, and anything else relevant to your company.
Keeping track of all your assets is important for management and also your security, including information such as who has been assigned which asset, where the asset is located, whether it is working correctly, and ensuring your assets are returned if people leave your business.
Asset management is also an important part of many compliance standards, and by tracking each of your assets, it will be easier to maintain your management and organization.
The following tools can each be used for asset management, with some providing patch management options and other useful features.
- Miradore provides a tool to manage your mobile devices.
- SysWard provides a free patch management solution specifically for two Linux operating systems.
- Action1 provides a patch management solution for your first 100 endpoints.
- AssetTiger provides asset management software for up to 250 assets.
- Shelf provides an asset management solution for unlimited assets.
- IT Asset Tool provides asset management software for up to 35 assets.
Ongoing Risk Assessments For Your Business
As any company grows, there will be an increasing number of risks that can emerge which, if left unaccounted for, may have severe detrimental impacts.
It is worth taking some time to conduct a risk assessment and identify where your potential weaknesses are, what impacts may be considered minor inconveniences, and what impacts matter to your organization and will have severe consequences.
SimplerRisk Core is a free-to-use solution that provides a risk assessment feature through a series of questions related to how you currently manage your business and assets.
- The solution is useful as it can allow you to report, track, and mitigate risks and incidents.
- There are some basic asset management features that allow you to keep track of devices.
- If your business needs to work towards cybersecurity compliance standards such as ISO 27001 or Cyber Essentials, the risk management and auditing features can help you achieve this.
- The reporting tools allow you to determine your best course of action over time and view your progress.
- The tool is also customizable, allowing you to add and manage policies and configure the requirements for your business to meet.
Train Your Team In Cyber Security Awareness
Regardless of a business’s size, cybersecurity incidents can occur. To minimize the potential for a security incident, it is always recommended to have all your staff trained in the relevant cybersecurity requirements for their role.
Cybersecurity awareness training can help each employee in your team understand the threats that the business may face, the types of cyber attacks they may encounter, and how to identify and respond to these types of incidents.
Cyber security awareness can cover a large range of topics, and some areas may need to be customized to your specific company, as well as to individual roles within your company.
However, there is a range of subjects that will apply to any small or medium-sized business, such as strong and unique passwords, protecting sensitive data, and not following a malicious link.
The following tools can be used to supply free cybersecurity awareness training to each employee in your team. They cover many topics and can provide a record that your employees are regularly trained with relevant educational content and cybersecurity tips to stop threats from impacting your business.
- Wizer is a free-to-use annual security awareness training solution.
- Amazon provides a free training tool for cybersecurity awareness.
- Staff Training for Cybersecurity is also available through free-to-use government-provided training material.
Protect Devices With Malware Protection Solutions
Protection from malicious software and viruses is an important consideration for any small and medium-sized business.
If you are using Windows as your main operating system for laptops and desktops, Microsoft Defender will provide a suitable solution to the majority of threats.
In a comparison against other malware protection software, Microsoft Defender was found to produce similar results to other tools, although there are products available with better detection rates if you have the budget to invest in a dedicated product.
While the majority of malware is largely targeted towards Windows operating systems, malware is still designed to target Macs, and their security should not be overlooked.
If your business uses Macs, macOS includes its own security and anti-virus features, in addition to other protections such as sandboxing and apps needing explicit permission from a user to access files and other data.
If there are still concerns for a Mac’s security, many anti-virus software solutions provide options for both Windows and Macs. The software solutions available for a Mac have also been tested for their effectiveness in identifying malicious files.
Where budgets are limited, and a dedicated next-generation antivirus solution is needed for your Windows, Mac, and mobile devices, the following tools have a free tier available.
- Avast provides a free-to-use version of their malware protection tools which can be used for a variety of computer operating systems.
- MalwareBytes has an available malware solution for Windows and Macs.
- TotalAV has a free option available for malware protection for your devices and mobiles.
- Bitdefender has provided a free version of its malware protection software, more targeted towards personal use for an individual computer.
Secure Devices When Working Remotely With A VPN
Where your team has a requirement to work remotely, using the wireless network of a hotel or coffee shop, there can be concerns over the network’s security, as discussed in detail within this post for wireless penetration testing.
To improve the security of your communications, using technology such as a Virtual Private Network (VPN) can provide an additional layer of encryption and security to safeguard your data.
Although it is preferred to maintain your own dedicated VPN solution, particularly for any critical business data that cannot be risked and for connections back to your company offices, there are several free-to-use VPN options available if needed.
- Proton VPN is a freely available service that protects data in transit and can be set up to improve the security of your communications.
- WindScribe has a free option for their VPN service. Although this does have data limits, for occasional use the data allowance is likely suitable for most users.
Protect Websites from Common Threats Using A WAF
Your company’s website is one of the most common targets for attackers. Negative impacts to your public-facing website can also have follow-on impacts on your company, anyone who accesses the website, and your clients.
A Web Application Firewall (WAF) aims to protect your website from many of the most common types of attacks that can occur.
A WAF will often have additional useful features to limit denial of service attacks, brute force login attempts, and manage other security features for your website.
- Cloudflare provides a free tier for their WAF service. Although the free tier is targeted towards personal use, a $20-a-month version is also available for companies.
- WordFence has a free website security plan if you are managing a website using WordPress.
Prevent Spam Messages In Your Website’s Inbox
Where your website includes contact forms, it will often receive spam messages, phishing attempts, and other unwanted content. This is often the result of automated tools posting similar messages to as many website contact forms as possible.
While many of these messages may be easily identifiable as spam and phishing attempts, there will be a percentage of messages that are more targeted, more convincing, and could lead to compromise.
Several approaches could be taken to protect your contact forms from the vast majority of unwanted messages, but a simple solution can be to use Google reCAPTCHA.
This option is free for up to 1 million assessments each month, which is likely more than would be needed for most small businesses, and can provide an added layer of protection from a large number of phishing attempts.
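reCAPTCHA only protects a contact form if the token the browser submits is checked on the server. The following Python example (added here, not code from the original post) verifies a token against Google’s documented siteverify endpoint and then applies the checks that are commonly skipped: the token was issued for your hostname, for the expected form action, and (for v3 tokens) with a score above a threshold. The secret key, hostname, and action are placeholders, and the HTTP call is injectable so the example runs offline against a constructed response.

```python
import json
import urllib.parse
import urllib.request

# Documented endpoint for server-side token verification.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_siteverify(secret, token, remote_ip):
    """Real transport: POST the token to Google and return the parsed JSON reply."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_captcha(token, remote_ip, secret, expected_hostname,
                   expected_action="contact", min_score=0.5, post=post_siteverify):
    """Return (accepted, reason) for a submitted reCAPTCHA token.

    Everything after the 'success' flag is a check on the token's context:
    a valid token minted on another site or for another form is still rejected.
    """
    if not token:
        return False, "missing token"
    try:
        result = post(secret, token, remote_ip)
    except Exception as exc:  # network failure: fail closed for a contact form
        return False, f"siteverify unreachable: {exc}"
    if not result.get("success"):
        return False, "token rejected: " + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_hostname:
        return False, "token issued for a different hostname"
    # v3 replies carry 'action' and 'score'; v2 replies do not, so only check when present.
    if "action" in result and result["action"] != expected_action:
        return False, "token issued for a different form action"
    if "score" in result and result["score"] < min_score:
        return False, f"score {result['score']} below threshold {min_score}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed reply standing in for Google's response; placeholder secret and hostname.
    def fake_post(secret, token, remote_ip):
        return {"success": True, "hostname": "example.com",
                "action": "contact", "score": 0.9}

    print(verify_captcha("token-from-browser", "203.0.113.5", "PLACEHOLDER_SECRET",
                         "example.com", post=fake_post))  # (True, 'ok')
```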
Protect Web Application Authentication Systems
For any company, your website will inevitably encounter a range of different automated scanning and attacks, looking to identify weaknesses in your system and compromise login credentials.
Where your login pages are made publicly accessible to manage your website, several measures can be considered to protect your web application and your accounts.
Limit The Number Of Authentication Attempts
Websites will typically provide configuration options so your accounts can be configured with a lockout policy, to block further access after a number of failed login attempts.
Other signs of an attack can be multiple login attempts using a long list of possible usernames, many of which may not be applicable to your website. Where these login attempts are identified, your website options should be set up to block access to the source submitting these requests.
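Both signs described above can be checked from your own authentication log. The following Python script (an added example, not code from the original post) reads a constructed log, locks accounts that hit a consecutive-failure threshold, and blocks sources that try many distinct usernames. The log format, thresholds, and sample addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. Assumed format, one event per line:
#   <timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 198.51.100.10 alice LOGIN_FAIL
2024-03-01T09:00:09Z 198.51.100.10 alice LOGIN_OK
2024-03-01T09:01:00Z 203.0.113.7 admin LOGIN_FAIL
2024-03-01T09:01:01Z 203.0.113.7 administrator LOGIN_FAIL
2024-03-01T09:01:02Z 203.0.113.7 root LOGIN_FAIL
2024-03-01T09:01:03Z 203.0.113.7 test LOGIN_FAIL
2024-03-01T09:01:04Z 203.0.113.7 webmaster LOGIN_FAIL
2024-03-01T09:01:05Z 203.0.113.7 info LOGIN_FAIL
2024-03-01T09:02:00Z 192.0.2.44 bob LOGIN_FAIL
2024-03-01T09:02:05Z 192.0.2.44 bob LOGIN_FAIL
2024-03-01T09:02:10Z 192.0.2.44 bob LOGIN_FAIL
2024-03-01T09:02:15Z 192.0.2.44 bob LOGIN_FAIL
2024-03-01T09:02:20Z 192.0.2.44 bob LOGIN_FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

MAX_FAILS_PER_ACCOUNT = 5   # lockout: consecutive failures for one account
MAX_USERS_PER_SOURCE = 5    # block: distinct usernames that failed from one source


def parse_line(line):
    """Return a dict for a well-formed event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {"ts": ts, "src": src, "user": user, "ok": result == "LOGIN_OK"}


def analyse(log_text, max_fails=MAX_FAILS_PER_ACCOUNT, max_users=MAX_USERS_PER_SOURCE):
    """Walk the log in order and return the accounts to lock and sources to block."""
    consecutive_fails = defaultdict(int)    # per account, reset by a success
    failed_users_by_src = defaultdict(set)  # usernames that failed from each source
    lock_accounts, block_sources = set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the review
        if ev["ok"]:
            consecutive_fails[ev["user"]] = 0
            continue
        consecutive_fails[ev["user"]] += 1
        if consecutive_fails[ev["user"]] >= max_fails:
            lock_accounts.add(ev["user"])
        failed_users_by_src[ev["src"]].add(ev["user"])
        if len(failed_users_by_src[ev["src"]]) >= max_users:
            block_sources.add(ev["src"])
    return {"lock_accounts": lock_accounts, "block_sources": block_sources}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    print("accounts to lock:", sorted(findings["lock_accounts"]))   # ['bob']
    print("sources to block:", sorted(findings["block_sources"]))   # ['203.0.113.7']
```

Note that alice is not locked: her single failure is followed by a success, which resets the counter, so only sustained failure triggers the lockout.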
Configure MFA Options For Your Website
Common web hosting platforms will often provide Multi-Factor Authentication (MFA) solutions and where these are available, they should always be enabled to provide greater protection to your accounts.
Where MFA is not a default option, it can sometimes be added to your website using Google’s authentication solutions, which are recommended to configure where possible.
Restrict Access To Your Authentication Portal
Where your login pages can be set up with access restricted by the connecting source IP address, this is recommended to implement if possible.
This will restrict the locations where you can log in and manage your website and require your company to maintain a static IP Address. However, it will greatly limit the potential for attackers to target your authentication portal.
Conduct Vulnerability Scanning Against Assets
Despite anyone’s best efforts to maintain a rigorous patching policy and secure all assets, vulnerabilities can emerge for a variety of reasons, such as missing patches, configuration issues, and insecure user accounts.
Conducting regular vulnerability scans against each of your assets and any websites or services you have facing the internet is important to minimize your organization’s risk.
Automated scanning tools run by attackers will be checking for the latest vulnerabilities in every device they can identify. Small businesses should therefore be running their own scans and resolving any issues before others can identify them.
The following vulnerability scanning tools are each free to use and, although vulnerability scanning is not a complete replacement for Penetration Testing, it can provide an essential and regular review for your assets.
- Defendify allows you to run vulnerability scans to identify issues in your internet-facing assets.
- OpenVAS can be used to scan for vulnerabilities against your internal and external assets but will require some manual setup and management, described in further detail here.
- Mageni can be downloaded for Windows, Mac, or Linux and can also run internal and external vulnerability scans, with some manual setup requirements.
- FractalScan can conduct a weekly review of your internet-facing attack surface, based on a given company’s email domain.
- RoboShadow can assess your external and internal assets, conduct a web application assessment, and review your Microsoft 365 environments.
- Nessus Essentials can conduct vulnerability scans against a maximum of 16 IP addresses, external or internal.
- Qualys Community Edition can also carry out vulnerability scans for 16 internal IP Addresses but also includes 3 external IP Addresses.
Where vulnerabilities are identified within your assets, the following guidance on the vulnerability management lifecycle can be used to help resolve each of the identified issues.
Maintain Backups For Your Devices and Data
To protect your critical data, and ensure business continuity, it is important to maintain data backups.
Microsoft 365 provides a data backup solution that should be utilized if already using a 365 service, and the Windows operating system also has a backup solution available to be used.
Macs also have a backup solution, called Time Machine, built into their operating systems which should be made use of where you have Macs in use.
For alternative backup software, the following solutions can also be used.
- Veeam has multiple backup solutions available for free to cover physical, virtual, and cloud solutions.
- Bacula also provides free backup solutions for a variety of device types including Linux.
Where you are making use of backup solutions to external drives or cloud storage solutions, it is important to consider the security of such solutions and ensure suitable encryption or authentication measures are in place to protect your backed-up data.
Security Features With Existing Email Solutions
If you are already using or considering using Microsoft 365 for your email and collaboration tools, there are several licensing options, including basic, standard, and premium.
If you have the budget available, it is recommended to invest in the Premium license option. This solution provides multiple features that are not available with the other license options and can greatly improve your cybersecurity solutions, including:
- Endpoint Protection and Device Security
- Email and Phishing Protection
- Data Security and Information Rights Management
- Conditional Access Restrictions for Business Applications
- Define and Apply Security Policies For Your Assets
- Mobile Device Management Solutions For Your Devices
- Remote Management and Remote Wiping of Business Data
Similarly, if you are managing your email through Google Workspace and can afford the additional cost, the Business Plus and Enterprise options also provide a range of improved security features that will help protect your assets, accounts, and your whole organization.
Both the Microsoft and Google solutions also have their own defined CIS Benchmarks which can be followed to ensure you are configuring your systems in line with cybersecurity best practices.
Government Advice for CyberSecurity Solutions
Government advice regarding cyber security is often published for small businesses to help provide guidance on developing threats and how to effectively protect your organization.
Government-backed cybersecurity certifications and standards, such as Cyber Essentials, are also developed for companies to work towards which can help improve your overall security posture.
These certifications can be required for working on some government contracts, but also improve your ability to attract additional work to your company, as you demonstrate to your clients that you treat security and their data seriously.
The National Cyber Security Centre (NCSC) has developed a range of free resources that can be used to protect your assets and organization.
- Device Security Guidance is available, including information for different platforms, device types, technologies, and cybersecurity policies and settings.
- A Small Business Guide has also been developed to outline cybersecurity considerations for multiple areas of your company.
- Free Tools are also available to assess the current security configuration of your IP Address, Website, Email, and Web Browser.
- An Action Plan is also available as a survey that can be completed to create a personalized action plan of steps to improve your cybersecurity.
- Staff Training for Cybersecurity is also available through free-to-use government-provided training material.
IT And Security Management Using Third Parties
Many small businesses will outsource their IT Management to a third party. While this is a suitable approach if you don’t have the necessary expertise within your team, it is important to ensure your IT Management company is taking the appropriate steps to protect your organization.
Choosing from IT service companies who maintain cyber security certifications themselves can be a simple method to filter your available options to organizations that have demonstrated they will maintain internal security standards with your data.
When working with a third party who will manage your assets on your behalf, it is recommended to ask questions regarding how they will manage the security of your assets. This can include similar topics covered in this post such as:
- Does the management company have any cybersecurity specialists within the company?
- Which security best practices are followed to set up devices and user accounts?
- How is account security set up for your company and for the IT management company?
- Is any cybersecurity awareness training conducted within the management company?
- Will any malware protection solution be set up as part of the service?
- Is a remote access solution implemented and how is this secured?
- Will any monitoring software be implemented to identify potential risks in your assets?
- How is vulnerability scanning or testing conducted and how are vulnerabilities managed?
- Are backup solutions maintained, and how often are backups taken?
- Are asset tracking and patch management software used to ensure logs and updates are in place?
Although a management company may provide a large number of your required IT services, it is always recommended to maintain a level of internal responsibility for your own assets.
This can include regular reviews to ensure your assets are all logged and accounted for, consideration for any new risks your company may face, confirming your devices are secure, vulnerability scans are conducted, and identified issues are resolved.
Conclusion
For any small business, cyber security solutions can be difficult to implement, maintain, and manage. The difficulty can be increased when budget and resource restrictions limit the number of options that are available to protect your organization.
A cyber attack is unfortunately not exclusive to larger organizations with more resources available to invest in cybersecurity; attacks are often un-targeted, affecting companies of all sizes.
If unprepared, a cybersecurity incident can heavily impact a small business, and even large companies can face closure in the wake of a serious data breach.
Implementing cybersecurity solutions is possible, even when facing financial restrictions. Some time invested in the proactive security of your small business can greatly improve your overall cybersecurity and reduce the risk of compromise.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.