Developing Effective Cybersecurity on a Tight Budget

Written by devinpartida | Published 2022/12/20

TL;DR: As many as half of all reported cyberattacks focus on small businesses. Watchdog groups and regulators continually publish guidance and recommendations for modestly sized businesses on a tighter budget. Cybersecurity training for all personnel is essentially free, except for the time expenditure involved, and good training is a ward against some of the most successful cyberattack vectors.

We didn’t build the World Wide Web on fundamentally secure technology. As a result, with each passing year, the internet becomes an incrementally more hostile place to do business – especially small business.
Here’s how to protect yourself on a budget.

1. Study Existing Resources

As many as half of all reported cyberattacks focus on small businesses.
This is why watchdog groups and regulators in more developed countries continually publish guidance and recommendations for modestly sized businesses on a tighter budget.
For businesses looking to secure their attack surfaces inexpensively, it’s critical to know what kinds of free resources are available.
An obvious place to start is the NIST Framework from the U.S. National Institute of Standards and Technology.
Large, small, domestic, and foreign businesses can benefit from this framework because it establishes a strong knowledge foundation built on practical details.
It acts as a kind of tutorial to guide you through building the foundations of a strong cyber bulwark, including:
  • How to identify threats unique to your industry or business.
  • How to become proactive in thinking about cyber risks.
  • Understanding the abilities and limits of detection tools.
  • How to respond and recover from a cyberattack.
Similar resources include those published by the E.U. in support of the General Data Protection Regulation (GDPR).
These are more comprehensive guidelines for organizations, meaning they may be helpful in getting ahead of the regulatory curve in places like the United States.
Both bodies of knowledge are free, and they deliver significant value by helping you expand your knowledge base and harden your defenses without hiring an outside party to do it for you.

2. Invest in Team Member Training

As far as investments go, time spent wisely is among the most valuable.
Spending time on cybersecurity training for all personnel is essentially free, except for the time expenditure involved, but good training is a ward against some of the most successful cyberattack vectors.
Here are some examples of training elements and why they pay off:
  • Train team members on spotting phishing attempts (Phishing and social-engineering attacks were named a top threat by 75% of business respondents in a recent poll.)
  • Reinforce safe, security-minded data-handling protocols (Employees misplacing data or leaving it vulnerable to snooping is a preventable source of risk.)
  • Ensure all team members practice safe password hygiene (Research has yielded surprising findings about how many people reuse passwords across multiple accounts even when they know better. Take the burden off their shoulders by investing in a paid password manager like Bitwarden or 1Password.)
Unaware and underprepared team members become a liability. Ensure they know the risks and how to be proactive.

3. Understand What Your Operating System Offers

No matter what operating system (OS) you favor, there are certain security tools built into their infrastructure – and it’ll cost you nothing but time to learn how they work. Here’s a quick look:
  • Linux: Linux offers an open-source approach to security and permissions that some view as superior to Windows or macOS. Organizations running Linux have a dizzying selection of free, open-source cybersecurity tools.
  • macOS: Offers a firewall, software gatekeeper, secure password manager, malware removal tool, and frequent security updates (deliverable automatically in the background).
  • Windows: Offers Windows Defender with automated virus and threat scans, parental controls, system restore points (useful in cyberattack recovery), Memory Integrity to prevent system tampering, and more.
You’ll have the option of letting your OS automatically download critical security updates. You should do this. It’s a free way to take advantage of your OS developer’s ongoing commitment to patching known vulnerabilities before they are exploited.
Ultimately, your OS might be an underutilized resource if you’re a cash-strapped startup, a world-changing nonprofit, or a small business looking to save money.

4. Develop a Cyber Response Plan

A cyber response plan will cost you nothing but time, yet it ensures you won’t be caught entirely unprepared if you experience a data breach or cyberattack.
Your organization is unique, your attack surface is unique, and your priorities will be unique if you find yourself under attack.
Nevertheless, here are some essentials to remember as you document your cyber response plan:
  • Inventory all of the assets currently at risk.
  • Understand the disclosure requirements outlined by local and national cybersecurity and data privacy laws.
  • Create a response matrix for the most applicable risks. This includes the likelihood of the risk, details of what it could impact, how you’ll be able to tell whether it’s compromised, who gets notified, and what specific actions each identified individual will take.
  • Consult with an expert. It’s wiser to have cybersecurity experts on your IT payroll, but you can do the next best thing by reaching out to certified and knowledgeable experts once you’re in the thick of things and you want to be sure you’re doing the right thing.

5. Consider Cyber Liability Insurance

Cyber insurance is not free, but depending on the sector you serve, the data you capture or process, the nature of your business, and the level of risk in your industry, paying thousands of dollars in premiums per year could be the peace of mind you’ve been looking for.
This isn’t exactly a preventive measure. What it does is ensure your organization or company doesn’t fold under the potentially ruinous cost of sustaining a data breach.
For small businesses, the average price tag is $200,000 – an unsustainable figure if your assets aren’t liquid enough.
Moreover, the global economy finds itself on uncertain footing. Whispers and open talk of recessions have many businesses wondering how to survive economic tribulations.
The cost of a data breach may be too high to manage, but cyber insurance lets you spend your defensive budget manageably, over time, for protection that’s as comprehensive as you want it to be.
The U.S. Federal Trade Commission recommends some essential features to seek in cyber liability insurance.
Your chosen policy should cover direct data theft, attacks on your data when held by third parties, and terrorist attacks, and it should set clear expectations regarding legal representation during data breaches.

Protect Your Organization Without Spending a Fortune

It’s not clear if cyber insurance will become a legal requirement for businesses in the coming years.
However, laws like GDPR and the California Consumer Privacy Act continuously raise the barrier for entry – and spending, it seems – for business owners.
California even passed a first-of-its-kind law to ensure businesses adequately protect their internet of things (IoT) products.
Therefore, another free way to develop a stronger cybersecurity posture is to remain aware of which territories are quick to identify emerging risks and issue guidance about them.
You should also follow the tech companies whose products you rely on. For example, Microsoft recently disclosed two highly destructive exploits in Exchange servers.
Finally, remember that the cost of losing face with investors, partners, and customers if you fall victim to fraud or data theft is far higher than the cost of prevention. Start with this guide to do it cost-effectively.

Written by devinpartida | Devin is the Editor-in-Chief of ReHack. She covers cybersecurity, business technology and more.
Published by HackerNoon on 2022/12/20