3 Things you Must Include for Your First Cybersecurity Policy
In addition to guest posting on the UpCity blog, SiFr Consulting is featured as one of our Top Cybersecurity Companies in Canada.
Cybersecurity incidents cost businesses millions of dollars annually. The financial consequences of security compromises and business disruptions to SMBs are severe. The average cost of recovering from business disruptions is approximately $1.90 million annually. Small and midsized businesses (SMBs) are even more vulnerable than enterprises because frequently they don’t have the operating budget to sufficiently mitigate security risks. Almost half of SMBs indicated their biggest challenge is not understanding how to protect against cyberattacks.
With the advent of remote working and a distributed workforce, the threat facing SMBs is even larger than before. Adding to the mix is the complexity of Bring-Your-Own-Device (BYOD), where IT administrators no longer have enforceable control of the devices that employees use to access company systems. For that reason, to prepare for cyberattacks and data breaches, we recommend a mix of enforceable policies and accountable policies.
Cybersecurity Terminology
A bit of terminology before we start:
Enforceable Policies
When we say “enforceable policy” we mean a policy that can be set and managed by an administrator and that actively and proactively enforces certain criteria. An example of an enforceable policy may be “Passwords must be at least 8 characters long”. For most applications, administrators can set a minimum password length in the application’s backend controls. The application will then actively enforce that minimum password length and reject any shorter password.
Accountable Policies
“Accountable policies”, on the other hand, cover actions that cannot be actively prevented but can be enforced through disciplinary action. An example of an accountable policy may be “Do not share your password with others”. Administrators cannot actively prevent this from happening. However, the company can impose disciplinary action if it is discovered that an employee has in fact shared their password.
Your First Cybersecurity Policy
With that out of the way, let’s dig into some basic policies that should be included in any company’s first cybersecurity policy.
1. Protect personal and company devices
Your endpoint devices are one of the largest threat surfaces. Fifty-six percent of SMBs in a 2019 security survey [requires registration to download] believe mobile devices, including laptops, are the most vulnerable endpoint. As such, it is important to have mostly enforceable policies to safeguard these devices.
Some enforceable items to include in your policy should be:
- Up-to-date Operating System
- Up-to-date Anti-virus
- Encryption of devices
With Bring Your Own Device (BYOD), however, gone are the days when you could simply use IT-managed enforceable policies to harden your IT environment. IT administrators can do very little to control personal devices. It then becomes important to incorporate accountable policies into your cybersecurity policy as well.
We advise companies to include policies such as:
- Avoid sharing devices
- Only log in to company systems from a secured device
- Do not leave devices unattended
- Do not connect to unknown Wi-Fi hotspots
These accountable policies, along with user education, go a long way towards good cybersecurity hygiene.
2. Multifactor Authentication
Seventy-two percent of SMBs who responded to Ponemon’s security survey indicated that they experienced at least one cyberattack, with 53% of those attacks being Phishing and social engineering. These phishing and social engineering attacks are aimed at stealing employee credentials. Credential theft is one of the biggest threats to cybersecurity, and it’s one of the easiest attacks for cyber criminals.
As master manipulators, cybercriminals do not need a lot of effort to make vulnerable users fall for their tactics. Social engineering is also only part of the problem. As computing power becomes cheaper and readily available through cloud vendors, computers are capable of executing 100 billion guesses per second, which means an 8-character password can be cracked via brute force in about 12 minutes.
That being said, complex passwords do help against brute-force attacks. We encourage companies to think in terms of passphrases rather than passwords: the longer the length, the harder it is for raw computing power to brute-force the password. However, what is more effective than complex passwords alone is implementing Multifactor Authentication.
Multifactor authentication, or MFA, requires a second form of authentication, usually a software token, in conjunction with the password to prove user identity. This means an attacker cannot simply use a compromised user’s credentials to gain access to company resources without the second factor. A Microsoft study shows that accounts are 99.9% less likely to be compromised if you use MFA. So, if there is nothing else you do, you should ensure your data – emails, files, corporate applications – is secured behind MFA through enforceable policies.
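The "software token" the paragraph refers to is most often a time-based one-time password (TOTP, RFC 6238) app on the user's phone. The following added example, which is not code from the article or from SiFr Consulting, implements the token algorithm and the server-side check so the mechanism is visible: the code only exists for 30 seconds, it is derived from a shared secret that never leaves the device, and a stolen password alone cannot reproduce it. The secret below is the RFC 4226/6238 test-vector secret, and the one-step clock-drift window and the replay guard (`last_used`) are design choices of this example.

```python
"""TOTP generation and verification (RFC 4226 HOTP + RFC 6238 time step)."""
import hashlib
import hmac
import struct
import time

# Test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890");
# a real deployment generates a random per-user secret at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the big-endian counter,
    dynamic truncation, then reduce to the requested number of decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """What the authenticator app displays: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                last_used: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns (accepted, counter_used).

    - window=1 tolerates one step of clock drift either way.
    - last_used is the counter of the user's most recently accepted code;
      any counter at or below it is refused so an intercepted code cannot
      be replayed within its validity window.
    - compare_digest keeps the comparison constant-time.
    """
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    ok, used = verify_totp(DEMO_SECRET, code, now)
    print("first use accepted:", ok)
    ok, _ = verify_totp(DEMO_SECRET, code, now, last_used=used)
    print("replay of same code accepted:", ok)
```

The enforceable part of the policy is that the server refuses the session unless `verify_totp` accepts; the password check on its own never grants access.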
3. Data Protection
Data for your company exists in many forms. The most familiar is internal files. Email is another component of company data. Your cybersecurity policies should holistically address how data should be accessed, stored, and shared.
According to Verizon’s 2019 Breach Investigations report, 94 percent of malware gets transmitted via email, so it’s important for your cybersecurity policy to address malware protection over email. Consider implementing enforceable email policies that block executables, macros, or other types of suspicious file types.
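An enforceable attachment policy of the kind just described can be expressed as a small classifier run by the mail gateway. The example below is added here and is not code from the article or from SiFr Consulting; it blocks executable and macro-enabled file types by extension, catches a renamed Windows executable by its `MZ` header so the filename alone cannot bypass the rule, and quarantines legacy binary Office documents (which can carry VBA macros) for scanning rather than delivering them directly. The extension sets and the sample attachments are constructed for illustration.

```python
"""Mail-gateway attachment policy: block, quarantine, or allow."""
import os

# Extensions that run code on a workstation when opened (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat",
                         ".cmd", ".js", ".vbs", ".ps1", ".msi", ".hta"}
# Office formats whose extension means "may contain macros".
MACRO_ENABLED_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary Office formats: OLE compound files that can embed VBA.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}

PE_MAGIC = b"MZ"                                  # Windows executable header
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file header


def classify_attachment(filename: str, head: bytes):
    """Return (verdict, reason) for one attachment.

    `head` is the first few bytes of the file; checking content as well as
    name is what makes the policy enforceable rather than advisory.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable file type {ext}"
    if ext in MACRO_ENABLED_OFFICE:
        return "block", f"macro-enabled Office document {ext}"
    if head.startswith(PE_MAGIC):
        # A renamed .exe (e.g. "invoice.pdf") still starts with MZ.
        return "block", "Windows executable header despite extension " + (ext or "(none)")
    if ext in LEGACY_OFFICE and head.startswith(OLE_MAGIC):
        return "quarantine", "legacy Office binary format; scan for macros before delivery"
    return "allow", ""


# Constructed sample attachments: (filename, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"MZ\x90\x00\x03\x00"),          # executable renamed to .pdf
    ("budget.xlsm", b"PK\x03\x04"),                  # macro-enabled workbook (zip)
    ("proposal.docx", b"PK\x03\x04"),                # plain OOXML, no macros by extension
    ("old-memo.doc", OLE_MAGIC + b"\x00" * 8),
    ("notes.pdf", b"%PDF-1.7\n"),
]


def apply_policy(attachments=SAMPLE_ATTACHMENTS):
    """Run the classifier over a list of attachments; returns {filename: verdict}."""
    return {name: classify_attachment(name, head)[0] for name, head in attachments}


if __name__ == "__main__":
    for name, head in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name, head)
        print(f"{name:18} -> {verdict:10} {reason}")
```

Pair the gateway rule with the reporting avenue discussed next: anything the classifier quarantines is a natural candidate for the user-facing "report suspicious email" workflow.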
More comprehensively, as part of your user education, instruct employees on what to do if they suspect something is unsafe by providing them an avenue to report the suspicious email.
As privacy legislation becomes stricter, companies also have to worry about data loss, whether through ignorance or intent. To protect against data loss, your cybersecurity policies should include items such as:
- Avoid using personal devices for work unless approved
- Avoid removable USB devices on the company network, especially if the source is unknown
- Be aware of where data resides. Many online data stores, such as OneDrive, SharePoint, Dropbox and Google Drive, have file sync agents that put copies of your working files onto your local device. This creates a vulnerability when devices are lost or stolen, or exposed to ransomware.
- Encrypt the hard drive of any device that is used to work on business data. In the event the device is lost or stolen, any data present on the device will be protected from tampering.
- Implement and instruct users to use a VPN when connecting to corporate resources, especially on unknown Wi-Fi hotspots.
Every business should feel their data is safe. The only way to gain your clients’ trust is to proactively protect your systems. You can do this by having the appropriate policies in place, fostering a culture of vigilance, and keeping cybersecurity top of mind.
Disclaimer: The cybersecurity items highlighted in this article are meant as a basis and guideline for implementing a basic cybersecurity policy. It is not comprehensive and does not take into account local, state/provincial, or federal legislation. Neither the author nor UpCity will assume any legal liability that may arise from the use of these guidelines.
About the author

Sijia Wang
Sijia is the managing partner of SiFr Consulting, an advice-based technology and business solutions consulting firm based in Surrey, BC, Canada. Sijia has formal education in Engineering, IT, Law, Digital Marketing, and Project Management. As a consultant, Sijia has worked with organizations in government, entertainment, insurance, and financial services, delivering uncompromising service. Clients seek out Sijia for her expertise and no-holds-barred honesty.