Cyber threats pose a substantial risk to businesses of all sizes. Implementing fundamental cybersecurity practices can significantly safeguard your business and diminish the probability of a cyber attack. This comprehensive guide provides essential information, emphasizing key themes, preventative measures, and response strategies tailored specifically for small businesses.
The core of small business cybersecurity revolves around understanding risks and implementing basic, yet effective, protections.
Ubiquitous Threat: "Cyber criminals target companies of all sizes." This emphasizes that no business is too small to be a target.
Proactive Protection: The overarching message is to be proactive. "Knowing some cybersecurity basics and putting them into practice will help you protect your business and reduce the risk of a cyber attack."
Effective cybersecurity requires a multi-faceted approach, addressing various vulnerabilities within a business's operations.
A. Protecting Files & Devices:
This involves securing the physical and digital assets that store sensitive information.
Software Updates: Keep all software, apps, web browsers, and operating systems updated, ideally set to automatic updates. This addresses "server vulnerabilities" that attackers exploit.
Secure File Storage (Backups): "Back up important files offline, on an external hard drive, or in the cloud." These backups should be "not connected to your network" to protect against ransomware and other attacks.
Physical Security: "When paper files or electronic devices contain sensitive information, store them in a locked cabinet or room."
Password Management: "Require passwords for all laptops, tablets, and smartphones."
Password Strength: "A strong password is at least 12 characters that are a mix of numbers, symbols, and capital and lowercase letters."
Uniqueness & Secrecy: "Never reuse passwords and don’t share them on the phone, in texts, or by email."
Login Limits: "Limit the number of unsuccessful log-in attempts to limit password-guessing attacks."
Encryption: "Encrypt devices and other media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions." Encryption is also vital for "sensitive data, at rest and in transit."
Multi-Factor Authentication (MFA): "Require multi-factor authentication to access areas of your network with sensitive information." This adds an extra layer of security beyond just a password.
Device Disposal: "Have formal policies for safely disposing of electronic files and old devices." Simply deleting files is insufficient; "Use software to erase data."
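The password rules above (at least 12 characters mixing numbers, symbols, capital and lowercase letters) and the advice to limit unsuccessful log-in attempts can both be enforced in code. The following is an added example, not part of the original guide: a password-policy check that reports every rule a candidate password fails, and a small per-account lockout counter. The lockout threshold (5 attempts) and lockout duration (15 minutes) are assumed values chosen for the example; the guide gives no specific numbers.

```python
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12          # "at least 12 characters", as the guide states
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold (not specified by the guide)
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration (not specified by the guide)


def password_problems(password: str) -> list[str]:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


@dataclass
class LoginLimiter:
    """Counts consecutive failed log-ins per account and locks the account
    once MAX_FAILED_ATTEMPTS is reached, which blunts password-guessing."""
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unix time lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def record_attempt(self, account: str, success: bool, now: float) -> str:
        """Record one log-in attempt and return 'ok', 'denied' or 'locked'.
        A correct password is still refused while the account is locked."""
        if self.is_locked(account, now):
            return "locked"
        if success:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for candidate in ("Password1234", "Tr0ub4dor&3xample"):
        print(candidate, "->", password_problems(candidate) or "passes")
    limiter = LoginLimiter()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print("attempt", attempt + 1, limiter.record_attempt("alice", False, 1000.0))
```

The limiter keys on the account name, so a guesser cannot reset the counter by changing source address; the counter is cleared only by a successful log-in or by the lock expiring.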
B. Protecting Your Wireless Network:
Securing the network's entry points is critical to preventing unauthorized access.
Router Security: "Change the default name and password, turn off remote management, and log out as the administrator once the router is set up."
Strong Encryption: "Use at least WPA2 encryption" (WPA3 is also an option where the router supports it). This "protects information sent over your network so it can't be read by outsiders."
C. Physical Security:
Cybersecurity begins with securing physical assets, as lapses here can lead to significant data breaches.
Secure Storage: Sensitive paper files and electronic devices should be stored "in a locked cabinet or room."
Limited Access: "Allow access only to those who need it."
Employee Reminders: Regularly "remind employees to put paper files in locked file cabinets, log out of your network and applications, and never leave files or devices with sensitive data unattended."
Inventory & Tracking: "Keep track of and secure any devices that collect sensitive customer information."
Secure Remote Work: "Maintain security practices even if working remotely from home or on business travel."
Beyond technical controls, cybersecurity needs to be embedded into the daily fabric of the business.
Staff Training: "Create a culture of security by implementing a regular schedule of employee training." This should include updates on new risks, and non-attendance might lead to "blocking their access to the network." Training is emphasized for ransomware, phishing, business email imposter, and tech support scam awareness.
Incident Response Plan: "Have a plan for saving data, running the business, and notifying customers if you experience a breach." The Data Breach Response guide on managing and notifying data breaches under the PDPA (www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide) is a recommended resource. This plan should be tested regularly.
Vendor Security: Recognize that "Your business vendors may have access to sensitive information."
Contracts: Include "provisions for security in your vendor contracts."
Verification: "Establish processes so you can confirm that vendors follow your rules."
Controlled Access: Limit vendor access to sensitive databases on a “need-to-know” basis.
MFA & Strong Passwords: Require MFA and strong, unique passwords for vendor access.
Data Safeguarding: Mandate strong encryption for vendor-accessed data.
A best-practice approach to managing cybersecurity risk is structured around five key functions.
Identify: "Make a list of all equipment, software, and data you use." This includes creating and sharing a company cybersecurity policy outlining roles, responsibilities, and protective steps.
Protect: Control network access. Use security software. Encrypt sensitive data. Conduct regular data backups. Regularly update security software. Have policies for disposing of electronic files/devices. Train all employees on cybersecurity risks and their roles.
Detect: Monitor for "unauthorized personnel access, devices (like USB drives), and software." Check the network for "unauthorized users or connections" and "investigate any unusual activities."
Respond: Have a plan for notifying affected parties, maintaining business operations, reporting attacks to law enforcement, investigating and containing attacks, updating policies with lessons learned, and preparing for inadvertent events. Test the plan regularly.
Recover: After an attack, "Repair and restore the equipment and parts of your network that were affected." Keep employees and customers informed of recovery activities.
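The Identify function (keep a list of all equipment) and the Detect function (check the network for unauthorized devices, USB drives and connections) fit together naturally: an inventory is only useful if something is compared against it. The following is an added example, not part of the original guide, showing that comparison. It takes a constructed device inventory (MAC address to hostname) and a few constructed router DHCP-lease and workstation syslog lines, and reports every lease granted to a device not on the inventory, plus USB plug-in events on hosts where removable media is not expected. The inventory, the allowed-USB host list and the log lines are all invented for the example.

```python
import re

# Constructed asset inventory: MAC address -> hostname of devices the business owns.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:dd:ee:01": "laptop-01",
    "aa:bb:cc:dd:ee:02": "pos-terminal",
    "aa:bb:cc:dd:ee:03": "office-printer",
}

# Hosts where plugging in removable media is part of normal work (assumed policy).
USB_ALLOWED_HOSTS = {"backup-ws"}

# ISC dhcpd-style lease line: "DHCPACK on <ip> to <mac> (<hostname>) via eth0".
DHCP_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)
# Linux kernel message written when a USB device is attached.
USB_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) kernel: usb [\d.-]+: New USB device found"
)

# Constructed sample logs for the example.
SAMPLE_DHCP = [
    "May  2 09:14:02 router dhcpd: DHCPACK on 192.168.1.23 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0",
    "May  2 09:15:40 router dhcpd: DHCPACK on 192.168.1.57 to 3c:5a:b4:00:11:22 (android-8f2) via eth0",
    "May  2 09:16:10 router dhcpd: DHCPACK on 192.168.1.58 to de:ad:be:ef:00:01 via eth0",
]
SAMPLE_SYSLOG = [
    "May  2 09:20:11 backup-ws kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583",
    "May  2 09:22:45 pos-terminal kernel: usb 2-3: New USB device found, idVendor=0951, idProduct=1666",
    "May  2 09:23:00 pos-terminal sshd[812]: Accepted password for cashier from 192.168.1.23",
]


def find_unknown_devices(dhcp_lines):
    """Return (mac, ip, reported name) for each lease to a MAC not in the inventory."""
    findings = []
    for line in dhcp_lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac not in AUTHORIZED_DEVICES:
            findings.append((mac, m.group("ip"), m.group("name") or "?"))
    return findings


def find_usb_events(syslog_lines):
    """Return hostnames where a USB device was attached outside the allowed set."""
    return [
        m.group("host")
        for m in map(USB_RE.match, syslog_lines)
        if m and m.group("host") not in USB_ALLOWED_HOSTS
    ]


def detect_report(dhcp_lines, syslog_lines):
    """Combine both checks into one report suitable for a daily review."""
    return {
        "unknown_devices": find_unknown_devices(dhcp_lines),
        "usb_on_restricted_hosts": find_usb_events(syslog_lines),
    }


if __name__ == "__main__":
    for key, items in detect_report(SAMPLE_DHCP, SAMPLE_SYSLOG).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against the real router and workstation logs, the same two functions become the evidence for the Detect step; every finding is either an inventory gap to fix (add the device) or an unauthorized connection to investigate.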
The Center for Internet Security (CIS) provides a cybersecurity framework known as the CIS Controls Framework (or CIS Critical Security Controls). The CIS Controls Framework is a structured process for organizations to identify, assess, and manage cybersecurity risks. The framework is based on the 18 CIS Critical Security Controls, which offer prioritized, actionable best practices for managing and reducing cybersecurity risk.
Inventory and Control of Enterprise Assets
Actively manage all enterprise assets (devices, servers, IoT, etc.) to ensure only authorized assets are allowed and to identify unauthorized or unmanaged assets.
Inventory and Control of Software Assets
Track and manage all software so only authorized software is installed and executed, preventing unauthorized or unmanaged software.
Data Protection
Identify, classify, securely handle, retain, and dispose of data to protect its confidentiality, integrity, and availability.
Secure Configuration of Enterprise Assets and Software
Establish and maintain secure configurations for all assets and software to reduce vulnerabilities.
Account Management
Assign and manage authorization to credentials for user and service accounts, including administrators.
Access Control Management
Create, assign, manage, and revoke access credentials and privileges for all accounts and assets.
Continuous Vulnerability Management
Continuously assess, track, and remediate vulnerabilities across all assets to minimize risk.
Audit Log Management
Collect, alert, review, and retain audit logs to detect, understand, and recover from attacks.
Email and Web Browser Protections
Enhance protections against threats delivered via email and web browsers.
Malware Defenses
Prevent or control the installation, spread, and execution of malicious code on assets.
Data Recovery
Maintain data recovery practices to restore assets to a trusted state after incidents.
Network Infrastructure Management
Actively manage network devices to prevent exploitation of vulnerable services and access points.
Network Monitoring and Defense
Monitor and defend the network infrastructure and user base against threats.
Security Awareness and Skills Training
Implement a security awareness program to educate the workforce and reduce risk.
Service Provider Management
Evaluate and manage service providers that handle sensitive data or critical platforms.
Application Software Security
Manage the security lifecycle of all software to prevent, detect, and remediate vulnerabilities.
Incident Response Management
Develop and maintain incident response capabilities to quickly detect and respond to attacks.
Penetration Testing
Regularly test the effectiveness of security controls by simulating attacker tactics and exploiting weaknesses.
This section details specific types of cyber attacks, offering tailored prevention and response strategies for each.
A. Ransomware:
Malicious software that encrypts data, holding it hostage for payment.
How it Happens: "Scam emails," "server vulnerabilities," "infected websites," and "online ads." Phishing emails are the most common starting point.
Protection Plan: "How would your business stay up and running after a ransomware attack? Put this plan in writing."
Backups: "Regularly save important files to a drive or server that’s not connected to your network."
Updates: "Always install the latest patches and updates."
Staff Alert: Train staff on avoiding phishing and recognizing infection signs.
If Attacked: Limit the damage. "Immediately disconnect the infected computers or devices from your network."
Authorities: "Report the attack right away to your local law enforcement."
Business Continuity: Implement your plan, relying on backups.
Paying Ransom: Law enforcement doesn't recommend it, and it doesn't guarantee data recovery.
Notify Customers: If data is compromised, notify affected parties.
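The ransomware plan above depends on backups that are kept off the network and that actually restore. A backup nobody has verified is a plan on paper only. The following is an added example, not part of the original guide: it records a SHA-256 manifest of the live files at backup time, then checks a restored copy against that manifest and reports what is missing, changed or unexpected. The demo() function builds a constructed scenario in a temporary directory, takes a backup, simulates a ransomware-style rewrite of one live file and deletion of another, and shows that the backup still matches the manifest while the live copy does not. All file names and contents are invented for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, forward slashes) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)).replace("\\", "/"): file_sha256(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored (or still-live) tree against the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up, then simulate an attack on the live copy."""
    tmp = Path(tempfile.mkdtemp())
    try:
        live = tmp / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-05-01,120.00\n")
        (live / "customers.txt").write_text("Alice\nBob\n")

        manifest = build_manifest(live)           # recorded at backup time
        shutil.copytree(live, tmp / "backup")     # the offline copy

        # Simulate ransomware: one file overwritten with ciphertext-like bytes, one deleted.
        (live / "customers.txt").write_bytes(b"\x93\x1f\xa0\x07\x55\xee\x10\x3c")
        (live / "accounts" / "ledger.csv").unlink()

        return {
            "live": verify_restore(manifest, live),
            "backup": verify_restore(manifest, tmp / "backup"),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In practice the manifest is stored with the backup (and a second copy elsewhere), and verify_restore is run on a test restore on a schedule, so the first time the business learns whether the backup works is not the day of the attack.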
B. Phishing:
Deceptive communications designed to trick individuals into revealing sensitive information or installing malware.
How it Works: Emails/texts appearing from known sources, asking for sensitive info, often with urgency. Clicking links can install ransomware; sharing passwords grants access to accounts.
Protection: Verify the source. "Look up the website or phone number for the company or person behind the text or email."
Communication: "Talking to a colleague might help you figure out if the request is real." "Pick up the phone and call that vendor, colleague, or client."
Backups: Regularly back up data to unconnected storage.
Updates: Keep security software updated.
Staff Training: "Include tips for spotting the latest phishing schemes in your regular training."
Email Authentication: Deploy technology to prevent phishing emails from reaching inboxes.
If Fooled: Alert others, share the experience.
Limit Damage: "Immediately change any compromised passwords and disconnect from the network any computer or device that’s infected with malware."
Follow Procedures: Notify internal IT or contractors.
Notify Customers: If data is compromised.
Report: Phishing attacks that result in unauthorized access to or disclosure of personal data are considered data breaches under the PDPA. Make a report to PDPA (www.pdpc.gov.sg/report-data-breach/).
C. Business Email Imposters (Spoofing):
Scammers send emails that appear to be from your company's domain.
Motivation: To get passwords, bank account numbers, or to trick recipients into sending money. It damages trust and can lead to financial loss.
Protection: Use email authentication technology (SPF, DKIM, DMARC) that allows receiving servers to verify emails are genuinely from your domain, blocking imposters. "Make sure that your email provider has these three email authentication tools."
Updates: Keep security updated.
Staff Training: Teach staff about spotting these scams.
If Spoofed: Report to local law enforcement (www.scamshield.gov.sg/i-ve-been-scammed/).
Notify Customers: Inform them about the impersonation, preferably without hyperlinks in emails.
Alert Staff: Update security practices and training.
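SPF, DKIM and DMARC are published as DNS TXT records, so a business can check its own configuration without any special tooling: the SPF record should end in "-all" so that unlisted senders are rejected, the DMARC policy should be "quarantine" or "reject" (a "p=none" policy only reports, it blocks nothing), and the DKIM selector record must carry a non-empty public key. The following is an added example, not part of the original guide, that audits record strings for those points. The two record sets are constructed: WEAK_RECORDS shows a domain that has published all three records but in a form that still lets imposters through, STRONG_RECORDS the corrected form. The domain names and the DKIM key value are placeholders.

```python
import re

# Mechanisms that cost a DNS lookup; more than 10 makes receivers return permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' records (DMARC and DKIM) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Findings for an SPF TXT record; empty list means the record is in good shape."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record published"]
    findings = []
    last = terms[-1].lower()
    if last == "~all":
        findings.append("SPF: ends in ~all (softfail); use -all once all senders are listed")
    elif last != "-all":
        findings.append("SPF: does not end in -all, so unlisted senders are not rejected")
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:=]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceeds the limit of 10")
    return findings


def check_dmarc(record: str) -> list:
    """Findings for a _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


def check_dkim(record: str) -> list:
    """Findings for a <selector>._domainkey TXT record."""
    tags = parse_tags(record)
    if not tags:
        return ["DKIM: no selector record published"]
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional but must be DKIM1 if present
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= means the key is revoked; publish the public key")
    return findings


def audit_domain(records: dict) -> dict:
    """Run all three checks on a dict with 'spf', 'dmarc' and 'dkim' record strings."""
    return {
        "spf": check_spf(records.get("spf", "")),
        "dmarc": check_dmarc(records.get("dmarc", "")),
        "dkim": check_dkim(records.get("dkim", "")),
    }


# Constructed records: a weak configuration and its corrected form.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailprovider.example ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=",
}
STRONG_RECORDS = {
    "spf": "v=spf1 include:_spf.mailprovider.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("strong", STRONG_RECORDS)):
        print(label, audit_domain(recs))
```

Feeding the function real records (for example the output of a TXT lookup for the domain, _dmarc.<domain> and <selector>._domainkey.<domain>) turns the guide's instruction to "make sure that your email provider has these three email authentication tools" into a check that can be repeated whenever the mail setup changes.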
D. Tech Support Scams:
Fraudulent calls, pop-ups, or emails claiming computer problems to gain money, personal info, or remote access.
How it Works: Scammers pretend to be from known tech companies, use technical jargon, ask for remote access, install malware, sell worthless services, or demand credit card info.
Protection: "If a caller says your computer has a problem, hang up." Unexpected tech support calls are scams.
Ignore Pop-ups: Do not call numbers or click links in warning pop-ups.
Direct Contact: If worried about a virus, "call your security software company directly, using the phone number on its website."
No Access/Passwords: "Never give someone your password, and don’t give remote access to your computer to someone who contacts you unexpectedly."
If Scammed: Change passwords on all affected accounts, using unique passwords.
Remove Malware: Update/download legitimate security software and scan.
Check Network: If the affected computer was connected to the network, check the entire network.
Reverse Charges: Contact the credit card company for bogus services.
Report: Report to local law enforcement (www.scamshield.gov.sg/i-ve-been-scammed/).
CIS Critical Security Controls: A set of best practices that strengthen cybersecurity posture. (www.cisecurity.org/controls)
Data Breach Response: A Guide on managing and notifying data breaches under the PDPA (www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide)
Cyber Insurance: An option to protect against financial losses from cyber attacks.
Coverage Considerations: Data breaches, cyber attacks on your data/network (including vendors), global attacks, terrorist acts.
Policy Features: "Duty to defend," coverage in excess of other insurance, 24/7 breach hotline.
First-Party Coverage: Protects your data (employee/customer info), covering legal counsel, data recovery, customer notification, lost income, crisis management, cyber extortion, forensic services, fees/fines.
Third-Party Coverage: Protects from liability if third parties bring claims, covering payments to consumers, litigation costs, settlement expenses, defamation losses, accounting costs.
Web Host Providers: When hiring, prioritize security features.
Transport Layer Security (TLS): Ensures secure, encrypted connections (https://).
Email Authentication: Ensure the provider can set up SPF, DKIM, and DMARC.
Software Updates: Clarify who is responsible for keeping website software updated.
Website Management: Understand who can make changes to the website after setup.
Secure Remote Access: Change router defaults, enable full-disk encryption, stop auto public Wi-Fi connections, use up-to-date antivirus.
Secure Connections: Require WPA2/WPA3 encryption for home Wi-Fi and Virtual Private Networks (VPNs) for public Wi-Fi.
Policies & Training: Include remote access security in training and policies.
For small businesses, cybersecurity is not an optional extra but a fundamental aspect of operation. By understanding common threats, implementing basic protective measures, leveraging resources like the CIS Critical Security Controls, and continuously training staff, businesses can significantly reduce their risk profile. Proactive planning for incidents, including data backups and response plans, is also paramount for business continuity and recovery.