Cyberattacks represent a real threat to businesses of all sizes. Without proper cybersecurity measures in place, small businesses risk monetary losses due to cybercrime, including those resulting from a damaged reputation and even potential lawsuits. The latter is a particular concern in the case of data breaches, which can have a devastating effect on any business.
Cybercrime continues to evolve with more sophisticated attacks occurring as criminals find new and improved ways to ambush their targets. Things like DDoS attacks, ransomware, and phishing schemes weren’t a concern for businesses in the past but now represent daily threats.
However, it’s not all doom and gloom. With best practices and the right tools in place, you can rest assured that you’re doing all you can to protect your business. Our small business guide to data protection discusses some of the solutions available to small businesses in terms of protecting data at various stages. In this post, we’ll focus on providing options for tools available to help with all types of cybersecurity. Where possible, we try to recommend free or inexpensive tools that can be easily implemented.
Why do small businesses need cybersecurity?
To put things in perspective, here are a few small business cybersecurity statistics to digest:
- In its 2018 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) study of companies with less than 1,000 employees, the Ponemon Institute found that 67% reported a cyberattack within the last 12 months and 58% reported that customer and employee information had been breached in the same time period.
- In the same survey, it was found that the average cost attributed to theft or damage of IT property (assets or infrastructure) was $1.43 million, and the average cost attributed to normal operations being disrupted was $1.56 million. These figures were up 33 percent and 22 percent over 2017, respectively.
- The Fortinet Global Enterprise Security Survey (2017) found that organizations overestimated their ability to thwart cyberattacks and failed to provide employees with sufficient security awareness training.
- Cybersecurity Ventures reported that damages to businesses due to ransomware attacks are expected to reach $11.5 million by the end of 2019, and by that time, a ransomware attack will affect a business every 14 seconds.
- A McAfee study revealed that in 2017, the average number of records lost as a result of hacking was 780,000 per day.
These are just a few alarming figures to show that cybersecurity should be a top priority for businesses of all sizes.
Tools to help with cybersecurity
Having a cybersecurity strategy and accompanying policies in place is a must for any business hoping to stay safe against cyberattacks. But to complement these policies, it is either helpful or necessary to have tools in place to help. We have some dedicated posts that provide comprehensive lists of many of these tools, but here we’ll give you a couple of our top budget options for each as a sort of one-stop-shop.
A good antivirus software is one of the first things you need to have in place as part of a solid cybersecurity plan. Antivirus software is designed to detect and remove viruses and other forms of malware. It won’t guarantee you security, but it can help a lot.
While many antivirus packages come with a hefty price tag, some free or inexpensive plans are available:
- Comodo: Unlike most antivirus providers, Comodo won’t charge you just because you’re a business. Its basic software is free for everyone to use, both at home or in the office. The full coverage plan is cheaper than most rivals at just $39.99 per year. Versions are available for Windows and MacOS.
- Bitdefender Antivirus Free Edition: Bitdefender Antivirus Free Edition is for home users, but may be suitable for very small businesses. Features include real-time threat detection, virus scanning and malware removal, anti-phishing, and anti-fraud. If you do decide to upgrade, prices are reasonable starting at $29.99 for three devices for one year. Windows, MacOS, and Android versions are available.
A firewall acts as a first defense by creating a barrier between your device or network and the internet. It does this by closing ports to stop communication with your device. This can help against threats, for example, by preventing entry of known malicious programs sent by hackers. It can also stop data leakage from your device.
Software firewalls are often built into your device’s operating system and hardware firewalls can be found built into many routers. Often, it’s just a simple case of making sure yours are enabled.
For added protection or if you don’t have built-in firewalls, there are some free options available in the way of third-party firewalls. Here are our top recommendations:
- ZoneAlarm Free Firewall 2019: Available for Windows, this firewall includes a stealth mode to help protect against hackers and block malware. It’s ideal for use when connected to public wifi networks (for remote or traveling workers) to add an extra layer of protection.
- AVS Firewall: This is another free option for Windows computers. It includes various security measures including blocking incoming connection requests and enabling users to select which application can connect to the internet. It also monitors registry activity, blocks alterations, and includes an ad and popup blocker.
It’s impossible to stress strongly enough the importance of using strong passwords for each and every account. Employees should be guided on best practices such as using a different password for every account and coming up with long passwords that are difficult to guess. While it seems convenient, passwords shouldn’t be shared among users.
One of the obvious issues with following these guidelines is the difficulty in trying to remember all of these passwords. Often, people feel forced to write them down, which brings about an even bigger security issue. A simple option is to use a password manager that will remember and autofill passwords for you. While it takes a little time to set things up, once you get started, you’ll wonder why you ever relied on the old way. Here are our top picks for password managers:
- LastPass: This password manager has a very functional free option that enables you to save and fill passwords, generate new passwords, share on a one-to-one basis, and enable multi-factor authentication. If you want additional features such as one-to-many sharing and priority tech support, paid business accounts aren’t too pricey. Team plans start at $4 per user per month.
- KeePass: This is a free and open source tool that does the job. It doesn’t provide the bells and whistles of other password managers but it helps you manage your passwords securely such that you only need to remember one master password.
Virtual private network
While many users know it as a means to bypass geo-blocking for personal use, a Virtual Private Network (VPN) is an excellent security tool. It takes all of the internet traffic flowing to and from a device and forces it through an encrypted tunnel via an intermediary server. This means that should anyone intercept the traffic, they will be unable to read it.
When you use a VPN, hackers or any other snoopers, such as government agencies or internet service providers, cannot monitor your business’ online activities. Some VPNs offer packages dedicated to small businesses while others simply offer multi-member plans. These aren’t free, but the monthly fees are typically very reasonable. Here are a couple of great options:
- Perimeter 81: Will secure your network within a customizable VPN service. A management portal enables you to add members, create groups, manage permissions, and monitor resource access, bandwidth consumption, and network anomalies. Plans cost $8 per month per team member.
- NordLayer: An application security system that combines connection security from a VPN with added identity and access management (IAM). This tool is great for businesses that have both work-from-home and office-based employees and use SaaS packages as well as on-premises software. The system provides one access portal to all services no matter where they are.
- ScribeForce: A lower price alternative is Windscribe’s ScribeForce. It costs just $3 per user per month. This is about the minimum you’d pay for a decent VPN for personal use, so it’s a good deal. You get all of the features that ship the Pro version of Windscribe’s personal VPN, plus a management panel, shared static IP addresses, and centralized billing.
For businesses with multiple sites, you may benefit from a site-to-site VPN to secure the intersite connections and enable multiple sites to share resources. These are more complex to set up, so you may want to go with a popular provider such as Cisco or Palo Alto, although these will require an upfront capital investment.
Alternatively, if you or your team members have the tech-savvy, you can set up a site-to-site VPN for free using open source software such as that provided by SoftEther VPN project or Freelan.
Is your website secure? Implementing HTTPS and getting an SSL certificate sounds complicated, but it’s actually pretty simple. Plus it offers great benefits, including encrypting the traffic going between your website and your customer — preventing things like ISP snooping or man-in-the-middle attacks — and letting users know that the site is authentic.
Getting set up is free with the following easy-to-use tools:
- Let’s Encrypt: This is probably the most well-known tool for getting a free SSL certificate. Provided by the Internet Security Research Group (ISRG), Let’s Encrypt is an automated certificate authority that provides you with the certificate you need to enable HTTPS on your website. The website explains how to go through your web hosting provider to demonstrate control over your domain and obtain your certificate.
- Cloudflare: Cloudflare offers a similar simple solution to obtaining an SSL certificate. However, note that their free option offers shared SSL certificates and they’ll charge you $5 for a dedicated one that you can get for free with Let’s Encrypt.
Some cyberattacks, such as ransomware and other types of malware, can result in loss of data. As such, it’s important to maintain regular backups. You can opt to store data on a hard drive, although it should be kept in a separate location (away from the main data source), in case of physical damage to the property (e.g., fire or flood) or theft.
A popular alternative (or addition) to hard drive backups is cloud backup. These services take the hassle out of backing up data and enable you to tweak settings such that you always know all of your information is secure and up to date. Some services offer free starter packages, although these are typically very limited in terms of storage space and features. There are, however, a couple of budget-friendly options to consider:
- iDrive: iDrive is one of the best online backup services out there, especially if you need to back up across devices. It does offer a free plan with 5GB of space, although this is unlikely to be enough for most businesses. The cheapest personal plan is usually $69.50, but if you’re switching from another provider, there’s currently an incredible 90% off deal, giving you 5TB for $6.95. This is for one user and as many devices as you like, so depending on your business, you might be able to make it work. iDrive does offer business plans starting at $74.62 per year for 250GB per year. These allow for an unlimited number of users, computers, and servers.
- Backblaze: If you do need to go with a business plan, then Backblaze offers cheaper plans than iDrive. For $60 per year per computer, you get unlimited, continuous, and complete backup, free hard drive restore, centralized administration, and more.
If you’re storing data in the cloud, adding a layer of encryption is a good idea. This way, if anyone does get their hands on your important files, they will be unable to decipher the contents.
Many cloud backup and storage services include encryption by default but it doesn’t hurt to be extra-cautious, especially if you’re trusting a third-party service with particularly sensitive information. A couple of inexpensive options for file encryption are below:
- nCrypted Cloud: This service does offer a free tier but it’s not available for commercial use. A business plan will cost $10 per user per month. This will encrypt all data in transit and in storage and offer the ability to manage users and devices and track data activity. It works with Dropbox, Google Drive, OneDrive, Box, and Egnyte and is available for Windows, MacOS, iOS, and Android.
- Encrypto: Encrypto offers a simpler solution for encrypting individual files and lets you add a password to select files. The file can then be uploaded to the cloud, stored on your computer, or shared with someone. This is entirely free and works on Windows and MacOS.
Full disk encryption
For files stored on your device, you could use Encrypto as mentioned above. An alternative is full disk encryption. This will encrypt the entire contents of a device so that no one can read files without the decryption key. This is especially handy for laptops that could be accidentally left in a public place or easily stolen. Note, however, that the encryption doesn’t necessarily apply to backups of data. Two top options for full disk encryption are:
- VeraCrypt: VeraCrypt works on computers running Windows, MacOS, or Linux. It’s free and open source, and allows you to create encrypted containers. This means that select data can remain encrypted even when you’re logged in to your computer.
- BitLocker: BitLocker comes built into many Pro and Enterprise versions of Windows, so may be a simpler option for some users. It’s free to use, and will encrypt your entire drive. However, there’s no option to create encrypted containers, so once you’re logged in to your device, everything is exposed.
Mobile device management
Many members of the workforce are now carrying out some or most of their work-related tasks on portable devices such as smartphones and tablets. As such, it’s important to have firm hold over the security of such devices.
Mobile Device Management (MDM) software can offer many of the perks of standard device finder apps (such as Find My iPhone, Google Find My Device), including enabling you to locate and track devices, and lock or erase them remotely. However, MDM software offers lots more in the form of securing communications and helping to reduce the risk of malware finding its way onto the device. Some MDM software comes with Mobile Application Management (MAM) functionality that enables you to control the delivery of software to various employee devices.
Some inexpensive MDM tools include:
- Kandji (FREE TRIAL) This is a unified endpoint management system that allows workers to switch between devices and continue with their work, as long as the devices they use are all provided by Apple. The cloud-based service allows onboarding and tracking for devices running macOS, iOS, iPadOS, and tvOS. These devices can be on your premises, out in the fields, or in the homes of remote employees. The starting price for this package is $399 per month, billed annually, to manage up to 100 devices. Kandji is available for a 14-day free trial.
- ManageEngine Mobile Device Manager Plus: This comes in both an on-site and cloud-based version and is a great budget option if you have a small number of devices to manage. It’s free for up to 25 devices, although if you need more than that, prices start at $495 per year. This software is more than just an MDM tool and also gives you mobile managers for apps, email, and content all in one.
- AirWatch Workspace ONE: This service combines MDM and MAM and is completely cloud-based. While it doesn’t offer a free tier, it does provide a bit more flexibility in pricing than ManageEngine, with the ability to pay per device (starting at $3.78 per month) or per user (starting at $6.52 per month). It also offers a free 30-day trial so you can see if it’s a good fit.
Do you do most of your communicating via email? Most businesses do these days, and many employees send sensitive information without a second thought. While everyday emails can be fine to send unsecured, you might want to use encryption for certain correspondence.
Email encryption doesn’t come standard with most providers, but there are a couple of options:
- Hushmail: Hushmail is a paid system that offers personal accounts for $49.98 per year. However, you’ll have to settle for an @hushmail.com address. To add your own domain, business accounts start at $5.99 per user per month. Plans come with a 60-day money-back guarantee. Note that although Hushmail will encrypt the contents of your email, metadata such as sender, receiver, and timestamps will not be encrypted. Hushmail offers special plans for companies in the healthcare industry, among others.
- SendInc: SendInc offers a free tier, so could be a better option for some than Hushmail. However, the free plan is limited: it only retains messages for seven days, and only allows emails to 20 recipients per day. Message storage is 100MB and max message size is 10MB. That being said, if you only need to encrypt a limited amount of correspondence and don’t need to retain email trails, this could work.
The use of digital signatures can help make email even more secure. These authenticate the email source and verify that the email contents have not been tampered with.
Although email and phone calls remain popular, plenty of communication these days is carried out via messaging systems and Voice over Internet Protocol (VoIP). There are several free options here, but while many purport to be secure, they are not all made the same. Key things to watch out for are end-to-end encryption and no logging of metadata such as sender and receiver IDs and timestamps. Here are a few to try out for your business:
- Signal: Signal is an open source project and is free for everyone to use. It allows for group, voice, video, text, document, and picture messaging, so could be all you need for your small business. For added privacy, you can preset intervals for messages to be erased and the apps even include a contact verification feature. Apps are available for iOS, Android, Windows, MacOS, and Linux.
- WhatsApp: Although it may not be quite as private and secure as Signal (it logs some metadata and there have been security vulnerabilities reported), WhatsApp does use the same underlying protocol as our first recommendation. A benefit to this service is that its widespread use means that many employees will already be familiar with the app and its features, which include a built-in camera and voice-recorder and support for voice and video calls. It works with Windows, MacOS, iOS, Android, and Windows Phone.
Other popular free options include Telegram and Ceerus.
Secure file transfer
Sending files securely can be tricky because you’re limited in terms of size when using encrypted email. An alternative is to use Secure File Transfer Protocol (SFTP) which uses a Secure Shell (SSH) server that understands FTP commands. There are many great free options, but here are a couple we recommend:
- SolarWinds: SolarWinds offers a suite of network administration tools, including a free SFTP/SCP server. This runs as a Windows service, allows for simultaneous transfers from more than one device, and lets you authorize a specific IP address or range of IP addresses.
- FreeFTP: Another free option for Windows, FreeFTP is quick and simple to get started with. It can be used as needed or can be set up as a system service. In the latter case, it will run continuously and always be available to SFTP users.
Hosted virtual desktop
Another way to protect your network from implications posed by remote work is to set up a hosted virtual desktop (HVD). Also known as Virtual Hosted Desktop (VHD) or Desktop as a Service (DaaS), this puts an entire PC desktop (including operating system and applications) in the cloud where it can be accessed from anywhere.
From a practical standpoint, this avoids having to install software on multiple devices and enables employees to share resources. From a security perspective, it prevents exposure to device-level threats, such as those related to wifi networks, USB ports, disk drives, and cameras. Providers also take care of things like backups and updates, giving you less to manage.
That being said, there are downsides to HVDs, including complexity when you have lots of users and devices, along with latency and bandwidth issues. Nonetheless, here are a couple of options to consider:
- Amazon WorkSpaces: If you only need to access your virtual desktop for a short period and for a small number of hours per week, for example for a short-term remote project, Amazon WorkSpaces could be a good fit. The free tier gives you you two WorkSpace bundles for two months, for up to 40 hours per month. Outside of that, prices vary greatly depending on location, starting at around $21 per month for 80GB root volume and 10GB user volume.
- Citrix Workspace: Citrix is another provider of HVDs, touting its service as DaaS. For actual pricing, you’ll have to contact the company, but the average cost for a standard plan is $14 per month per user.
Network access control
Another helpful solution, especially when dealing with remote workers or employees on a Bring Your Own Device (BYOD) program is to utilize Network Access Control (NAC) software. This allows you to control exactly who can access what. You can even determine when and where employees can gain access to certain data or applications. Here are two free options:
- PacketFence: This free and open source software is Linux-based but has been adapted to work with Windows systems. The developers behind this software prioritize ease of installation and use, so it’s accessible to anyone. Features include registration, vulnerability scans, detection of abnormal activities, isolation of devices with issues, and more.
- OpenNAC: Another free and open source option is OpenNAC. Although it’s not as easy to set up as PacketFence, it does work with more clients, including Windows, Mac, Linux and mobile devices.
Data loss prevention
No matter what size, pretty much every business is subject to the risks involved with human error or malicious intent. Thankfully, there are extra measures you can put in place to avoid employees accidentally or intentionally leaking sensitive data.
Data Loss Prevention (DLP) software allows you to apply rules to certain data such that employees can’t share it. For example, you could prevent anyone from sending an email that includes a specific keyword or block certain files from being shared.
- Endpoint Protector: This company offers several free tools for home users and small businesses, including a DLP tool. The full suite of tools is free for up to five computers and five mobile devices, so for any more, you’ll have to go to a paid plan. These start at €1 per computer per month for cloud-based DMP or €24 per computer (including one year of updates and support) for on-premise DLP, although the latter also includes MDM.
- CDome: This software from Comodo isn’t free but it does come with a free trial. It enables you to track and control sensitive data as it moves across your network, and options include cloud-based DLP or on-premise DLP. For pricing past the 30-day free trial, you’ll have to request a quote.
Common cybersecurity issues for businesses
While human error is a concern in many respects, cybersecurity often involves protecting against cyberattacks carried out by malicious parties. As such, it’s good to be aware of some of the main types of attacks that could affect your company. Here are some examples of the threats that are out there:
- DDoS attacks: A Denial of Service (DDoS) attack involves the flooding of systems (or servers or networks) with traffic. As a result, resources and bandwidth are exhausted such that the system can no longer deal with legitimate requests. A Distributed Denial of Service (DDoS) attack is one that involves multiple devices that have been compromised.
- Phishing attacks: These involve cybercriminals trying to find out information via various forms of communication, including email, message systems, or phone calls. Phishing uses social engineering to trick people into divulging private information. Spear phishing (targeted phishing) attacks, including whaling (where very senior employees are targeted), are of particular concern for businesses.
- Ransomware: This is a type of malware that holds systems or files hostage until a ransom is paid, often in the form of cryptocurrency.
- Man-in-the-Middle (MitM) attacks: In an MitM attack, the attacker will eavesdrop on traffic with the aim to steal data or to change or filter it in some way.
- Tech support scams: An employee could be duped into handing over remote control of their device or company information to someone posing as a computer technician. These types of schemes are often initiated over the phone.
- Physical theft or hack: Criminals might try to steal or gain unauthorized access to computers, hard drives, disks, USB sticks, or other devices containing sensitive information.
These attacks can often be avoided, or at least their damage can be limited, using a combination of cybersecurity savvy and some of the tools mentioned above.
Other ways to improve cybersecurity
So far, we’ve discussed lots of helpful software, but even the best tools can’t protect you against the human element of cyberattacks. Thwarting attacks often comes down to plain old common sense, which coincidentally is completely free. Many of the above attacks involve an element of social engineering, the best defense against which is having your wits about you.
Here are some tips to keep in mind and to share with colleagues or employees:
- Always use strong passwords and don’t share them among users.
- Keep software up to date. Updates patch known security holes.
- Be aware of social engineering tactics where people phish for information via phone or email.
- Don’t open emails or attachments from people you don’t know.
- For phone calls, verify a caller’s information by asking for a name and a callback number.
- Verify requests that involve money transfers, especially those that are urgent.
- Avoid clicking popups or ads, especially on unreputable webpages.
- Don’t leave devices open where someone might have access to them and use physical locks if needed.
- Don’t allow storage of business files and folders on employees’ personal devices.
Compiling a security framework for your business
The list of tools and best practices can become overwhelming. However, they can all fit neatly into a security framework that’s tailored to your business. The framework can incorporate everything we’ve discussed here as well as individual policies specific to your business’ unique operations.
Of course, it’s difficult to know where to start. Thankfully, various organizations offer resources designed to help small businesses. One great tool is is the FCC Cyberplanner, which lets you input information about your business and will deliver a plan a customized cybersecurity plan.
If you want to go deeper into security framework planning, here are a couple resources to get you started:
- National Institute of Standards and Technology (NIST) Framework for Improving Cybersecurity [PDF]: While this framework is 55 pages long, you can find handy summaries such as the one produced by Cipher.
- Center for Internet Security (CIS) Controls V7: This framework is probably more suitable for small businesses; while it’s less comprehensive, it prioritizes controls such that you’re likely to see immediate results. Developed by the SANS Institute, CIS controls are broken down by category (basic, foundational, and organizational), so you can start with the basic controls and decide if you need to go further.
One crucial aspect of any framework is employee training. While there are paid services available, there are some great free resources too:
- Free ESET Cybersecurity Awareness Training: Released in 2018, this interactive online course is designed to teach cybersecurity best practices.
- CyberSecure My Business™: This Stay Safe Online initiative, powered by the National Cyber Security Alliance (NCSA), helps small and medium-sized businesses with online security through webinars.
If you have room in the budget, there are a number of companies that offer testing of your company’s existing security systems and provide on-site training for employees. For example, KnowBe4 specializes in staff training to help prevent cyberattacks and larger companies such as Digital Defense and InfoSec Institute offer cybersecurity testing and training packages.
Image credit: Internet Security by Pete Linforth licensed under CC BY 2.0