Cyber threats are increasing in scale and complexity. The old days of antivirus and a firewall are long gone. Attackers, such as hackers or cyber criminals, can bypass these with no effort at all. Anyone can download free tools to easily hack a company that has only these for protection (google Metasploit), there are even online tutorials on how to do it.
We detailed in an earlier article how catastrophic a successful cyber attack can be for an SMB (over 60% go out of business within 6 months). Neither you nor we want your business to be the next victim.
The question is, how, as an SMB, with competing priorities and budgets, can you protect your business cost effectively?
This is what this article is about: helping you to secure your business. Some of these things you can do yourself, and some you need professional help with; that is the part we do.
I will keep this short, sharp and clear so that you can implement it step by step. Of course, at any time you can feel free to reach out to us for advice or assistance.
The things you (or your IT provider) can do to secure your business:
- Limit access to your systems and data (implement strong Role Based Access Control - RBAC):
  - Have only one or two administrator accounts, and only for people you trust implicitly
  - Set up everyone else as a basic user
  - Only give users access to the apps and data that they need for their jobs
- Manage passwords properly:
  - Don’t use the same password across multiple systems; each service must have its own password. If not, a compromise of one is a compromise of all.
  - Check this website to see if any of your usernames/passwords have already been compromised: https://haveibeenpwned.com/
  - Even better, use a password manager and have your users use one as well. A password manager (like 1Password, Dashlane, or LastPass) securely creates and stores a different password for each system, so users only need to remember one password to access all the others. It takes a little while to get the hang of it, but once you do, you will wonder why you never did it before. Also, these are often free for SMBs.
  - Require passwords of at least 12 characters that include uppercase, lowercase, a number and a symbol, but encourage ones that are easy for a human to remember, such as: Fish-Marble-Ostrich-56 or @EveryoneLoves2Donuts
  - Don’t make users change passwords regularly; let them keep their password for a year or more, and encourage them to change it only if they think someone else knows it.
  - Don’t have users share passwords; if sharing is necessary, share them through a password manager.
- Use multi-factor authentication. This means that after users enter their username and password, they are prompted for a fingerprint, Face ID, a press on a token, or a code from an authentication app (like Cisco Duo or Google Authenticator). We use Cisco Duo because it is the best: it can be centrally managed and backed up, and it is the most secure and flexible to work with. If you choose to use Cisco Duo, let us know; we offer the service of managing and monitoring it for you in our secure portal.
- Make sure all computers and mobile devices are kept up to date (their OS and apps). Updates fix security bugs and loopholes that attackers know about and use. We use Cisco Duo to check that systems, devices and browsers are up to date.
- Don’t assume that your IT person or provider has secured your business. Studies have shown that IT providers do not adequately protect businesses because they do not have the knowledge and experience required. You wouldn't ask an electrician to do your taxes, right?
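The two password checks above (the 12-character complexity rule and the Have I Been Pwned lookup) can be automated when onboarding users. The script below is an added example, not code from the article or from Small Robot. It applies the article's policy and shows how the Pwned Passwords range lookup works: only the first five hex characters of the password's SHA-1 hash are sent to the service, and the returned list of suffixes is matched locally, so the password itself never leaves your machine. To keep the example offline, the range response is a constructed sample (the `CONSTRUCTED_RANGE_RESPONSES` table) rather than a live call to https://api.pwnedpasswords.com/range/; the line format `SUFFIX:COUNT` is the real one.

```python
import hashlib
import re

# Policy from the article: at least 12 characters, with uppercase,
# lowercase, a digit and a symbol. Returns a list of problems; an
# empty list means the password passes.
def check_policy(password: str) -> list[str]:
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


# Split the SHA-1 hash into the 5-character prefix that is sent to the
# Pwned Passwords range API and the 35-character suffix kept locally.
def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the body of GET /range/<prefix>. Each line is
# "SUFFIX:COUNT". The first entry is the genuine SHA-1 suffix of the
# word "password"; the counts and the other suffixes are made up here.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0000000000000000000000000000000000A:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\r\n"
    ),
}


# Match our suffix against the lines of a range response. Returns how
# many times the password has appeared in known breaches (0 = not found).
def count_in_range_response(suffix: str, range_response: str) -> int:
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# Full check: policy problems plus breach count from the (sample) data.
def evaluate_password(password: str) -> dict:
    prefix, suffix = hibp_prefix_and_suffix(password)
    # In a real deployment this is where you would fetch
    # https://api.pwnedpasswords.com/range/<prefix> over HTTPS.
    response = CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")
    return {
        "policy_problems": check_policy(password),
        "breach_count": count_in_range_response(suffix, response),
    }


if __name__ == "__main__":
    for candidate in ["password", "Abc1!", "Fish-Marble-Ostrich-56"]:
        result = evaluate_password(candidate)
        print(candidate, "->", result)
```

Note that a password can pass the complexity rule and still be unacceptable because it has appeared in a breach, which is why both checks belong together; in a live deployment, treat a non-zero breach count as a hard rejection.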
Things to have Small Robot do (or another reputable security company):
- Assess your business to see what is most at risk and what needs the most protection - this helps limit what you spend and gives you the best bang for your buck
- Implement Microsoft 365 security - none of this is done by default, and there are a number of configurations that can be applied, but you really need to know what you are doing. We have seen many IT providers do this poorly.
- Implement strong email protection (many attacks come via email phishing so you need excellent protection for this)
- Implement internet access and activity protection (pretty much all attacks come and go by the internet, making this essential)
- Implement an endpoint detection & response solution (EDR) - which is like antivirus on steroids - it uses machine learning and behavioural analytics to detect threats on laptops, desktops, tablets and mobiles
- Implement 24*7 Security Monitoring & Response - the final key part, because even when you are sleeping, the attackers are not. If no one is watching your security alerts or unusual activity, the first time you will know that your business is under attack is when you have lost access to your systems and data.
Things Not to do:
- Don’t do nothing - you are a victim in waiting
- Don’t trust Microsoft 365 for security - its security is not enabled by default; just about every organisation that was a victim of a cyber attack had Microsoft 365
- Don’t trust your IT providers for your security
- Don’t trust just an MDR service (Managed detection and response service) - they just look after a tiny part of your security and they don’t secure your business at all
- Don’t trust an XDR service, they only look after a small part, and they don’t actually secure your business
Small Robot have designed security solutions and services specifically for SMBs. We have partnered with key technology providers, such as Cisco and CrowdStrike, to bring you enterprise-level security and expertise at a price point for SMBs.
Small Robot take the worry out of cyber threats - we secure your business, we protect your business 24*7 through visibility, detections, analysis, monitoring and proactive security response to stop threats before they happen.