Despite popular belief, small businesses can easily fall victim to data breaches.
These businesses face the same cybersecurity and data privacy challenges as large enterprises. But they often lack the resources to protect themselves properly.
Fortunately, affordable techniques exist to protect the personal data your business collects from breaches.
To keep data secure, small businesses should conduct formal risk assessments, limit who has access to the data, and train all employees.
Cyberthreats and Small Businesses
People sometimes think small businesses are ‘too small’ for criminals online to care about. But in reality, they're often seen as easy targets.
Bad actors know that many small businesses use basic or outdated security practices.
They also know the employees likely aren’t trained to recognise common cybersecurity scams.
Hackers exploit this limited knowledge. They steal data from under-prepared organisations. Then, they use the data sets for illegal monetary gain.
If you look at a list of the biggest data breaches, you’ll notice cybercrime doesn’t target any single type of organisation.
For example, in 2023, data breaches impacted nonprofit organisations. Freecycle fell victim to a breach that affected 7 million users.
But they also impacted popular mobile apps. Duolingo was part of a breach that affected 2.6 million users.
The aftermath of this kind of breach is devastating for small businesses.
Data suggests that 60% of SMBs close within six months of experiencing an attack (National Cyber Security Alliance).
To me, it's clear. No business of any size can afford to ignore cybersecurity and data privacy.
Common Cyber Threats to Small Businesses
To develop a cybersecurity strategy, you must know what threats your business may face.
The following cybercrimes are common for small businesses:
- Phishing attacks are fake emails or messages that trick individuals into giving personal or sensitive information.
- Ransomware is harmful software that locks access to computer systems. The criminal then demands a ransom to “unlock” the systems.
- Malware is malicious software designed to gain unauthorised access to systems.
Luckily, cybersecurity and data privacy are all about prevention.
Having a strong security plan today can help you avoid falling victim to one of these crimes in the future.
Six Steps to Develop a Strong Cybersecurity Plan
To help protect your business from data breaches, I’ve outlined six steps you can take to develop a cybersecurity plan.
Step 1: Conduct Regular Risk Assessments
The first step in making a security plan for small businesses is determining where you are most vulnerable.
Perform a formal risk assessment to understand where there might be weak spots in your business’s security practices. Doing this helps you prioritise your resources.
For example:
- If you collect personal data, double-check your servers for security gaps
- Implement new protocols to strengthen passwords
- Make multi-factor authentication mandatory
While you can conduct an assessment independently, you can also work with a cybersecurity consultant.
They can do a more thorough evaluation of your security systems.
Step 2: Implement Strong Access Controls
One of the best ways to prevent bad actors from stealing data from your business is to use adequate access controls.
In other words, limit who on your team has access to customer personal data or other information you want to keep safe.
There should also be a policy your team can follow to delete or return data in a secure, legally sound manner.
Additionally, consider storing data behind secure login portals and requiring multi-factor authentication.
These strong access controls help put barriers in place so criminals can’t easily steal the data you store.
Step 3: Keep Software Updated and Patched
Make sure your employees regularly update their software. This includes operating systems, applications, and third-party plugins. Doing so is vital to keeping your business safe from data breaches.
It’s very common for cybercriminals to take advantage of weak spots in outdated software.
The good news is software updates and patches usually fix these vulnerabilities.
Consider setting up automatic updates wherever possible. This way, you and your team never miss important security fixes.
Step 4: Train Your Employees
Training your employees in cybersecurity and data privacy best practices can significantly reduce the risk of a breach.
This is because human error is often a leading cause of data breaches.
Without proper training, your employees might click on a phishing email or use weak passwords. This puts your business at risk.
It’s best to train your team and ensure your employees can:
- Recognise phishing attempts
- Use strong, unique passwords and enable MFA
- Understand the importance of handling data safely
- Know how to report suspicious activity
The training should be ongoing!
Refresher courses help your team stay aware even as technology and cyber threats adapt and evolve.
Step 5: Back Up Data
Ensure your small business keeps data backups so it can recover if a data breach occurs. They should be encrypted and stored in multiple locations.
This helps you recover lost data and minimise damage caused by cyber-attacks.
You should also regularly test your backups to ensure you can restore them effectively in the event of a breach.
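The "regularly test your backups" advice above is the step most often skipped, so here is a small restore drill as an added example (not code from the article or its author). It assumes a directory of files to protect, builds a compressed archive of it, fingerprints every file with SHA-256, restores the archive into a fresh directory and reports any file that is missing or differs from the original. The sample files are constructed inline so the script runs offline; the archive entries are checked for path traversal before extraction, which is the caveat to watch for when restoring archives from any source.

```python
"""Backup-and-restore drill (added example, not from the article)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "business data"; stands in for the real files you back up.
SAMPLE_FILES = {
    "customers/contacts.csv": b"id,name,email\n1,Ada,ada@example.com\n",
    "invoices/2024-01.txt": b"Invoice 1001 - paid\n",
    "notes/readme.txt": b"Constructed sample data for the backup drill.\n",
}


def fingerprint_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source and return the fingerprints taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return fingerprint_tree(source)


def restore_backup(archive: Path, destination: Path) -> None:
    """Extract the archive, refusing entries that would escape the destination directory."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"refusing unsafe archive entry: {member.name}")
        # Newer Python versions offer a built-in "data" filter; use it when available.
        extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(destination, **extract_kwargs)


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Compare restored files against the backup-time fingerprints; return a list of problems."""
    actual = fingerprint_tree(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def run_drill(tamper: bool = False) -> list:
    """Full drill: create sample data, back it up, restore it, verify. Returns the problem list.

    With tamper=True one restored file is overwritten to show that the check catches damage.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        for rel, content in SAMPLE_FILES.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        archive = tmp / "backup.tar.gz"
        expected = create_backup(source, archive)

        restored = tmp / "restore-test"
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            (restored / "customers" / "contacts.csv").write_bytes(b"garbage")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    for problem in run_drill() or ["restore verified: all files match"]:
        print(problem)
    print("tampered drill:", run_drill(tamper=True))
```

In practice you would point `create_backup` at the real data directory, copy the archive to your second location, and run the restore step on a schedule from that copy rather than from the original, since the point of the drill is to prove the stored copy is usable.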
Step 6: Implement Strong Security Measures
Your small business should set aside a budget to invest in proper security measures to keep any personal data you collect safe.
For example, you might encrypt the data. Encryption transforms it so it cannot be read or understood without the decryption key.
If a breach occurs, criminals cannot access or interpret the data unless they also steal the key.
Other security methods include firewalls, implementing backups and restores, and limiting data access.
How Data Privacy Protects Customer and Employee Data
Protecting personal data is not just a security matter; it's also legally required.
For example, the following privacy laws outline requirements that may impact your business or consumers:
- General Data Protection Regulation (GDPR): The GDPR requires you to keep data secure and transparently present users with details about the information you collect.
- California Consumer Privacy Act (CCPA): The CCPA grants individuals rights over their data, including the right to pursue legal action against businesses if specific data is compromised.
To help simplify compliance with these and other laws, I recommend implementing the following measures:
- Minimise your data collection: Only collect the personal data you need to conduct your business. The less data you collect, the lower your risk.
- Keep personal data secure: Ensure any personal data you store is encrypted, access-controlled, and regularly audited for security vulnerabilities.
- Publish a privacy policy: Your business should post a privacy policy on your website. In it, explain what data you collect and use and how you protect it.
What to Do If a Breach Occurs
Despite your best efforts, data breaches can still happen. But if you have a clear response plan in place, it can help minimise damage.
Here’s what I recommend small businesses should do immediately following a breach:
Identify and Contain the Breach
When your business detects a data breach, isolate all affected systems to prevent it from spreading further.
Some standard containment methods you might implement include:
- Taking any compromised equipment offline
- Having forensic experts assess the situation
- Restricting any remote access or wireless access points
- Quarantining malware, rather than attempting to delete it
- Preserving firewall logs, data backups, and system logs
Assess the Damage
Next, you must determine what data was compromised in the breach and how it occurred.
To help you do this, try answering the following questions:
- What type of personal information was involved in the breach?
- How far did the breach spread?
- How did the bad actor gain access to the data?
- What harm does this cause to the affected individuals?
- Are there regulatory requirements you need to meet to ensure legal compliance?
- Who discovered the breach, and who reported it?
Your answers will help you plan the next steps so you can recover faster. They also enable you to identify security gaps that you should address.
Notify Affected Parties
After a breach occurs, notify the proper regulatory authorities and affected individuals as required by law.
Otherwise, you risk facing legal repercussions and large fines.
For example, data breach notification laws exist in all 50 US states. They require businesses to inform customers if their data is compromised.
Similarly, under the GDPR, you must inform individuals about a breach within the first 72 hours of discovery.
Remediate and Prevent Future Breaches
After you contain the breach, you can start addressing the issues that led to it.
This might involve:
- Updating software
- Revising access controls
- Conducting additional employee training
It depends on what type of cybercrime impacted your business, how much data you lost, and how much you were able to recover.
Conclusion
Small businesses must take steps to reduce the risk of data breaches. It’s no longer a question of if but when.
Fortunately, staying ahead of cybersecurity and data privacy risks doesn’t have to be complicated.
To reduce your chances of a data breach, you can:
- Conduct risk assessments
- Implement access controls
- Keep software up to date
- Train employees
- Adhere to privacy regulations
Having a security plan in place helps protect your business from financial loss. It also safeguards your reputation and makes it easier to comply with applicable laws.
About the author
Masha is the Director of Global Privacy @ Termly and has been a privacy compliance mentor to many international business accelerators. She specialises in implementing, monitoring, and auditing business compliance with privacy regulations. Masha studied Law at Belgrade University and passed the Bar examination in 2016.