Security Experts:

Top 10 Tactical Recommendations for SMB Cybersecurity

In my previous column I introduced the concept of “Think 360, Demand 360” as it applies to data protection, privacy, and cyber security.  The concept is as follows: whether you represent a small business, a Fortune 50 company, an NGO or a government entity, what you are protecting and who you are protecting it from is really a 360-degree exercise.  

It’s not a narrow problem, and you shouldn’t pursue narrow solutions nor accept them when presented to you.  Unfortunately, the problem statement is not simple, and it’s not static.

Fortunately though, process best practices abound, technology is getting better and easier, and the right mindset(s) to approach all of this is emerging.  We’re still, in aggregate, losing - but there is hope, and how you frame the problem is the first step in advancing toward better outcomes.  

How does all this apply to small business?  That’s what I’ll explore first.

I recognize that small and medium-sized businesses (SMBs) drive the world.  An individual business may be small compared to the Fortune 500 – but their impact in aggregate far outweighs that of big business. Second, your business may be small in absolute terms – but everyone should recognize that it means everything to you as an owner.  Any provider of services or technology to you that doesn’t treat you as the CEO of a large business does not deserve your business.  And finally, while I work for Intel at the time of this writing, and while I do mention other companies by name, all of the general recommendations and specific product citations are solely my personal opinion (which I am not being compensated for.)

Before I get into specific tactical recommendations, let’s talk about general (and critical) philosophical/operational guidance:

Identify your trusted advisors for information and do what they say!

Be accountable. But, even though you’re listening (and acting on) experts – you are not off the hook!  You must take responsibility – this is a key theme in security from the individual contributor in any industry to the board of directors at the very largest.

Don’t count on the government.  The best thing – actually the only thing – the government can do is (1) set regulations to generally guide solution providers/enterprise on MINIMUM requirements, and (2) and throw someone who breaks the law in jail. The former is the minimum - and so generic as to be almost of no value in some cases.  The latter is, well, hardly ever implemented.  Regardless, neither of these help consumers and SMB after they have been compromised.

Take action.  Don’t just study something to death.  Don’t get analysis paralysis.  Take action – any action – and don’t procrastinate.  If you find a better alternative, you can always adjust later.

Choose services – don’t DIY.  This can range from individual services you may buy up to the complete outsourcing of your security / IT infrastructure.  Rent a service instead of buying.

Hold your employees accountable!  You are ultimately responsible but make sure you make every employee, from every admin to your warehouse worker to your CFO, know that you hold them responsible for breaches caused by their actions (or inactions.)

OK, with those strategic considerations out of the way, now let’s move on to critical top 10 tactical action items – equally important actions every SMB should take to protect itself.  None of this is expensive.  None is complicated to implement or difficult to understand.  Yet, if you’re not doing these – every single one – you are unnecessarily putting your entire business at risk:

1. Keep a reasonable hardware refresh rate.  I work for Intel and, sure, we would love for you to buy a new PC every year.  We know that’s unrealistic.  That said, a refresh rate that extends beyond 3-4 years means you’re taking additional risk.  Hardware manufacturers invest billions of dollars in ‘under the hood’ security improvements annually, many of which you’re not even aware of as a user.  All you have to do to benefit is keep your infrastructure – from PCs to phones to servers – reasonably fresh.

2. Stay on a modern OS.  The same basic concept behind the hardware commentary above.  I list it second because, well, I work for Intel. If you’re still running Windows* 7, then you’re putting your company at unnecessary risk – Windows 7 will not be supported after January 14th, 2020.  Just say “Windows 10!”

3. Use a high rated endpoint security solution.  I won’t recommend any specific solution because of one main reason – all of these vendors are in an arms race trying to outdo each other on detection rates, performance, etc.  Every year multiple review services rank/rate the antivirus providers – so annually review your chosen provider’s performance and switch if there is a better solution available.

4. Download and install all patch / updates regularly.  Patches for operating systems, hardware (even IP cameras, unfortunately!) and critical business software are critical for security.  Often technology suppliers fix very serious vulnerabilities in patches/updates.  It’s a boring, often tedious job to keep up with this – but it’s not optional.

5. Follow good password hygiene & use modern management for them.  Always change default passwords for new hardware (routers, etc.) and software you acquire.  Use “strong passwords” and change your passwords a couple times a year.  Do not use the same or similar passwords for multiple devices/services!  To make all this easier you can use top-notch “password managers” – there are many, including the best in my (albeit biased) opinion – those that have hardware optimizations like Dashlane.

6. Use two-factor (or more) authentication – otherwise known as “2FA”.  If consumers and business used two-factor (or more) authentication, I am not certain what percentage of data and privacy breaches would be eliminated but, let’s say, a vast majority.  It’s free.  It’s easy.  It works.  If there’s one ‘no-brainer’ in cybersecurity, this is it.  And also, very closely associated with this, choose your suppliers differently – from financial services to office supplies – based upon how they respect and protect your identity.  Demand 2FA.  Demand that your suppliers have a clearly articulated, easy to understand, a statement on privacy & security.  If you don’t understand what’s written, or if you are uncomfortable with anything on it – it is NOT your fault, it is the provider’s fault, and you should move on.

7. When you compute on the road, do so safely.  First, always use a VPN when connecting to hotspots.  Always, always, always.  One of the major ways to get hacked is by connecting to a public hotspot that is fake/broadcast by criminals.  You connect, the Internet works fine, and at the very least you give up all your passwords while using it.  Worst case you leave the hotspot with undetectable malware (keyloggers for example) lurking on your system.  Second, if at all possible, it’s even better to use your cellular connection instead of a public hotspot.  Most modern mobile phones allow themselves to be used as a personal hotspot so that you can connect to them on your PC for Internet use. 

8. Backup, backup, backup.  Besides all the historical reasons why backing up your data, now we have a new reason – ransomware.  Again, there are many providers of cloud-based back-up so you’ll have to do your homework to determine which one’s features most closely matches your requirements given the nature of your business.  One critical feature to insist on is ‘unlimited copies’ – meaning the service saves a copy of your files every single time you change them – not just the last copy.  This is important because with a ransomware attack you’ll want to identify the exact point the infection happened and back-up files just before then.  I also STRONGLY recommend a local file back-up server (‘network attached storage’ or NAS) as a back-up to the back-up – and having local back-up also gets you back up and running after an incident as it takes a while to download terabytes of data off of a cloud service.  But, don’t JUST do local back-up because then you are subject to physical dangers (e.g., fires.)  Back-up is boring, and tedious and, in the case of NAS difficult to set-up.  But, you have to.  Local service providers like Best Buy can help set-up NAS – and you can do the cloud set-up yourself.

9. Trust but verify – hire an auditor annually.  Few people recommend this but, depending upon how important data is in the operation of your business, I think it’s a worthwhile investment.  There are companies out there that will examine your patching, evaluate your protections, review your employee policies, and do a risk assessment on your back-up set-up.  If data breaches can put you out of business, get you sued, or generally completely ruin your life – this is a step worth taking.  The answer to this question may vary depending upon whether you are a health provider or a construction company – but it’s worth considering. 

10. Don’t forget insurance!  Identity protection/recovery insurance is offered by multiple vendors and is very cheap.  Also, broader cyber insurance is also becoming more common and is worth evaluating.

Nothing mentioned here represents an amazing breakthrough in thought leadership but, hey, some things require repeating.  Further, if the specific ways I’ve chosen to organize, describe or emphasize certain elements here offer value and cause every SMB that reads it to take at least ONE action, just ONE – then it represents success, and it was worth my time in writing it.  

More than anything else though, in the spirit of “Think 360” regarding data / privacy protection, my hope is that my take on SMB fosters thought towards not only dimensions of the problem statement - but also how easy it is to take some simple steps to improve an SMB risk / security / privacy profile.  You don’t have to be perfect.  There is no perfect. You do have to be constantly moving forward, learning, improving.  That’s the spirit here. Oh, and no DIY.

view counter
Jim Gordon is GM of Security Ecosystem Strategy & Development at Intel Corporation. He is an Intel veteran of 20+ years and has held a variety of roles over this time. He has held leadership positions in Intel’s channel product, influencer, and software & services groups. Most notably he served 3.5 years as Chief of Staff and Technical Assistant to Intel’s then President Renée James. He currently is GM of the Ecosystem & Business Development Intel’s Platform Security Group. He holds a BS in economics from the University of California at Davis as well as an MBA from Purdue University. Jim is also a self-motivated and very active contributor to diversity and inclusion (D&I) efforts at Intel specifically and in general across tech – even though he does not work and has never worked in HR. For Intel in D&I he has served as a top leader in its internal “Inclusive Leaders” program – a program dedicated to engaging, training, activating and supporting those influential “male majority” business leaders to take responsibility for and take proactive actions towards full inclusion.