Easy and quick ways to improve small business cybersecurity

While there are countless ways to improve small business IT Security, there is a handful of "low-hanging" fruit that make a dramatic difference and do not take much time or expense.

Easy and quick ways to improve small businesses cybersecurity:

  • Turn on 2FA for all email accounts
  • Hackers love getting into your email and using it to rip off your customers, vendors, and other employees. But with Two Factor Authentication (2fA), even if they get an employee's password, they can't get into their email without a random code that changes every minute or so.

  • Block all incoming ports on the firewall
  • Do not allow direct access to any computers, servers, or systems like DVRs on the network. Require external users to first connect via a secured VPN before accessing any network systems.

  • Use 2FA for all remote access
  • Setup all remote access to require users to have both a password and a randomly generated code that only goes to them. Limit who is allowed to remotely get into the firm.

  • Encyrpt all laptop hard drives
  • For any and all computers that leave the firms physical office, encrypt the hard drives so that if they are lost or stolen the data on the computer is completely inaccessible

  • Ensure all users are not local adminstrators
  • Users should have the least level of permissions on their computers and unable to install or upgrade software. This blocks ransomware and many known attacks. If software needs to be installed or an advanced change made, they should require an administrator user or if they are an administrator, they should have to log in with a different account than what they operate as.

  • Complete segregate internal and guest WiFi
  • Never use the WiFi that has access to your server or network for guest access. Use an entirely separated WiFi that has no access to anything but the internet for guests.

  • Stengthen and expire all passwords
  • User longer and strong passwords. Require complexity. Uppercase, lowercase, numbers, and symbols should be in the passwords and no dictionary words. Force passwords to be changed regularly.

  • Setup alerts if any forwarding rule is added to any email account
  • One of the top things that hackers do when they get into email accounts is set up rules to forward all emails to an outside mailbox. Setup an alert that if any mailbox gets a forwarding rule created, you get notified immediately.

  • Install a ransomware honeypot
  • You can set up fake folders with names like "111 - Ransomware Trap - Do NOT enter" with fake files in them such as Excel, Word, PDF, Text, etc. Then configure the server to instantly lock out any user that goes into such a folder and to alert management. Thus, if a user gets ransomware and it tries to spread to the network, that user gets locked out immediately to stop the spread.

  • Secure all 3rd party sites (including banks, payroll services, investments, etc) with 2FA
  • It's almost always free to turn on 2FA for all banking, investment, and other sensitive sites. This dramatically and easily improves security and potentially the theft of money.

  • Automate and have a strong review system for local and offsite backups
  • Backups are crucial to recovering from many cyber attacks. Don't trust that they are working. Have a redundant and thorough system to check and test backups daily. Have automatic offsite backups that are kept offline and protected. Secure backups and do aggressive annual tests.

  • Limit physical access to the server room
  • Make sure servers are behind locked doors. They should also be kept off the floor.

  • Quarterly or semi-annually, have a strategic meeting to review and improve security
  • Regular, have a formal meeting to review and discuss IT Security. Ideally, bring in an outside expert and/or IT specialist. Decide on a few improvements every meeting so that you are continually improving security.

  • Use an advanced email spam/phishing filter
  • There are lots of advanced services like Microsofts Advanced Threat Protection that are much more aggressive about testing email for phishing or security concerns. Since many attacks come in this way, it can be money well spend to boost the scanning of email.

  • Automate log off screensavers to lock computers after 20 minutes of inactivity
  • Make sure user computers automatically lock when they are away from their computers. Don't count on them to log off manually but rather automate the process.

  • Formally train and test users on Phishing attacks"
  • There are tons or resources online to learn what to look for in phishing attacks and train staff. But that is not enough. Setup a system that actually tries to Phish and trick users. There are services that will send out fake emails to staff and tell you who fell for it. You can then have them do remedial training.

While there are countless ways to dramatically improve the security of a small business for minimal investment and time and money. It's never been more important to take steps to secure and protect your small business.