My business is too small for Cyber Security, right?

Matthew Weir
10 min read

Sorry for the bad news, but... no, you're not too small. Not convinced? Stay tuned, I'm going to cover how this dangerous false perception is leaving small businesses all over the world defenseless against cyber criminals. Nearly every day I have to explain to a business owner that the size of their business doesn't matter, then work through the realization with them that not only do they need to be concerned about cyber security, but that they desperately need to do something about it (and fast).

It's frustrating because if you didn't think you needed cyber security, then you also haven't set aside any kind of budget for it. I wish I had better news here for you, but it does in fact take more money to protect your business. Worse yet, your alternative is possibly no longer having a business when, not if, you're compromised and completely unprepared. Businesses close due to cyber attacks every single day. If you look through that very realistic lens, the price isn't so bad, but we'll get to that.

Quick terminology review

Bad Actor: In the cyber security world, the most common term to refer to a nefarious individual or organization out there trying to "hack" you is "bad actor". Imagine the generic guy in a black hoodie surrounded by graphics from the Matrix film with 3 keyboards and 15 screens. Close enough.

Vulnerability vs Exploit: A vulnerability is an unintentional weakness in hardware (network equipment, computers, servers) or software (the applications you use for things like email, office work, etc.) that a bad actor could potentially use to gain access. Just because there is a known weakness doesn't mean anyone has figured out how to use that weakness to gain access. If someone has figured out how to use that weakness to successfully gain unauthorized access, it's now considered an exploitable vulnerability, or exploit for short.

Tl;dr: vulnerability means potential, and exploit means documented, known ability to gain unauthorized access.

Unrelated ADHD moment: just for fun, check out https://hackertyper.com/ if you want to look like a real life hacker to your friends/coworkers and get a laugh. You're welcome.

Let's take it from the top: "I'm too small, hackers don't care about us"

This is unfortunately completely disconnected from reality, because the bad actors out there have no idea how big you are when they're trying to hack you. Not because they can't look you up, but because they don't really care how big you are. Size often has very little to do with how much money access to your systems may be worth.

One of the most common small business cybersecurity misconceptions is the idea that attackers only target large organizations. When asked why they don't have any cybersecurity measures in place, 59% said they were too small to be a target.
- Verizon Business (source here)

You could be a 5 person company that manages 100 million dollars, or a company of 100 people that manages 10 million dollars. So the first lie is that the "size" of your business determines whether or not you're worth it.

The main reason, however, is that almost all bad actors, for at least the first several stages, are using automated tools that scan the entire internet for specific applications or services that they know to be vulnerable or exploitable in some way. Once their automated scans find matches in your business for the applications or services they're looking for, scripts or programs kick off a set of automated attacks built for that specific application or service. At this point, a real person hasn't been involved at all, so there has definitely been no consideration of your business size.

Another common method is blasting out email campaigns trying to get you to fall for a fake login screen for your email, download an infected file, or similar (there are a lot of variations, we can't cover them all here). Again, this is automated from purchased lists of email addresses. Volume is the game here, casting a big net to see what they catch. They have no idea how big or small you are.

I do want to be clear that targeting specific people or businesses is a method bad actors use, but it does not represent the majority of attacks by a long shot.

Bad actors often hide, they don't want you to know they are watching

In the past, you knew when something malicious happened to your computer because you'd get a popup or a background change with something to the effect of "You've been hacked, send us money!". This is becoming less and less common because it can be so profitable to stay hidden.

Bad actors have figured out that if they can stay quiet inside your systems and just watch (sometimes a week, sometimes months), they can figure out how your business works.

For example, they may want to understand who on your team authorizes wire transfers, how wire transfers from your internal team or clients are requested, and your typical process for how you verify it's the right person you're sending that wire to. This would give them what they need to change the destination of a wire, or request a new wire without suspicion.

When they finally feel like they have valuable enough information, or they feel that you are "on to them" (as in, you suspect bad actors are in your systems and so you may kick them out soon), they will make themselves known.

Maybe they just configured all of your email accounts to forward them a copy of every email you send or receive, so they no longer need access to your email, and then made a rule to automatically delete the record that those emails were ever sent to them...
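The "forward a copy, then erase the trace" setup above is something you can check for in any mailbox platform that lets you export inbox rules. The script below is an added example (not from this post or any vendor): it audits a constructed, simplified rule export and flags external forwarding, delete rules sitting next to an external forward, and near-blank rule names. The field names and the "yourbusiness.com" domain are assumptions for the example.

```python
"""Flag mailbox rules matching the hide-and-forward pattern described above."""
import json

# Domains the business owns; any other domain counts as external. Assumed value.
INTERNAL_DOMAINS = {"yourbusiness.com"}

# Constructed sample: shaped like a simplified export of inbox rules, one dict
# per rule. Field names are assumptions for this example, not a vendor schema.
SAMPLE_RULES_JSON = """
[
 {"mailbox": "ceo@yourbusiness.com", "name": "Keep a copy", "enabled": true,
  "forward_to": ["archive@yourbusiness.com"], "delete_message": false},
 {"mailbox": "cfo@yourbusiness.com", "name": ".", "enabled": true,
  "forward_to": ["collector@mail-drop.example"], "delete_message": false},
 {"mailbox": "cfo@yourbusiness.com", "name": "Cleanup", "enabled": true,
  "forward_to": [], "delete_message": true},
 {"mailbox": "ops@yourbusiness.com", "name": "Newsletters", "enabled": true,
  "forward_to": [], "delete_message": false, "move_to_folder": "Newsletters"}
]
"""

def is_external(address):
    """True when the address is not at one of the business's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rules(rules):
    """Return (mailbox, rule name, reason) tuples for rules a human should review."""
    findings = []
    externally_forwarding = set()
    for r in rules:
        if not r.get("enabled", True):
            continue
        ext = [a for a in r.get("forward_to", []) if is_external(a)]
        if ext:
            externally_forwarding.add(r["mailbox"])
            findings.append((r["mailbox"], r["name"], "forwards to external " + ", ".join(ext)))
        # Near-blank names are a common way to make a rule easy to overlook.
        if len(r["name"].strip()) <= 1:
            findings.append((r["mailbox"], r["name"], "near-blank rule name"))
    # A delete rule in a mailbox that also forwards externally is the exact
    # "forward a copy, then erase the trace" combination the article describes.
    for r in rules:
        if r.get("delete_message") and r["mailbox"] in externally_forwarding:
            findings.append((r["mailbox"], r["name"], "delete rule alongside external forward"))
    return findings

def audit_json(text):
    return audit_rules(json.loads(text))
```

Inbox rules are only one place forwarding can be set; mailbox-level forwarding settings (configured by the admin or the user outside of rules) need to be reviewed separately.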

Just some examples, but no matter what kind of business you are, you have a lot of sensitive data going through your internal communications and general systems.

If a bad actor was able to be inside all or most of your systems for months and you didn't know they were there, not only is that scary, it has some horrific implications for your business and your clients.

So, how do we know if a bad actor is in our systems already?

Now we're getting to the "why you need cyber security" discussion. The answer is that you have no idea whether bad actors are in your systems, and you can't really know unless you're an absolute expert in IT and cyber security, you have an IT and/or cyber security team of some kind, or you have at minimum the right set of tools to tell you what's going on and fill the gaps in your knowledge.

The tough part is that these days you not only need to look at your computers for bad actors, but also at your email, your file storage, your network, your applications... they could be anywhere, so you need a strategy for what matters most, what you need to protect, and how you're going to protect it.

Sound overwhelming?

To be fully transparent, it kind of is. On my side it's not overwhelming because I don't know how to help you, but because I know the amount of time and money it can take, the sacrifices that will have to be made because you truly can't solve everything, and I know this entire discussion is a bit uncomfortable. In a lot of ways, cyber security is like insurance. I've never seen anyone excited to go buy insurance... you just... need to, and it's the same thing here.

You can't solve everything, but a lot of cyber security "experts" will tell you, or at least imply that you can

Security is a journey, not a destination. You take steps to mitigate your biggest risks, and you accept the smaller ones. There's never a point where you're "safe from everything!", and truthfully sometimes you accept bigger risks than you want to because the cost is too great to protect yourself the way that you want to (or should). Money is a real constraint.

Luckily, even when eliminating the risk isn't in your budget, a great guide will walk you through ways to reduce that risk until you get there.

Hopefully it's becoming clear that the person guiding you on where money needs to be spent to address those risks, and where it doesn't, has a difficult role that requires a great deal of experience and trust.

So which risks do you accept, and which ones do you have to mitigate?

My goal with this blog, though, is to bring you as much value as I possibly can, so I'm going to outline the bare minimum cyber security things you should be doing as a business regardless of your industry. What I can't do is promise these are the perfect answers for your specific business and industry, and I can't make blind recommendations on which risks to accept. There's nuance all over the place, but I can promise you that if you implement what's on my list, you're in a significantly better position than most and have gone from "nothing" to "reasonably secure".

If this feels like a lot to take on yourself, this is exactly what I do every day: I'm an experienced, trusted guide who can walk you through this. If you think it may make sense for me to be that guide for your business, reach out and we can see if my services are a good fit >> Talk to me one on one

What do we protect?

The first question we have to ask before we put tools and time all over the place is "what are we protecting?" To do this correctly, you should spend extensive time thinking through and reviewing every application and system you use for your business, and document where all of your company data lives. Those are the things that need to be protected.

Since I'm trying to keep this as generic and widely applicable as possible, we're going to assume a fairly standard business case:

  • Email
  • Files
  • Computers
  • Phones
  • Line of Business Applications

To get the most bang for the buck, we're going to focus on what I know nearly always represents the biggest risks: email, files, security awareness training, and computers. The rest do matter, but this is a baseline minimum list we're working on. We can go more in depth later; let's start with the basics.

Base minimum cyber security requirements for all businesses... yes, even your small business

All businesses should at a minimum have the tools in the list below. I am not including the extensive list of "whys" on this list for right now, but if that would be valuable to you please let me know by dropping a comment and I may put together a downloadable one-pager with this list + the why.

I will include my recommended tool solutions as sub bullet points, with some information at the end on the best ways to obtain them.

Here we go:

  • Business email through Microsoft 365 or Google Workspace. This should be configured so you have a work email address that looks something like "yourname@yourbusiness.com" and not "yourname@gmail.com".
    • Microsoft 365 Business Premium
    • Google Workspace Plus
  • Something monitoring and protecting the email platform above. Preferably, you also have a SOC reviewing suspicious activity observed in your email, files, and login attempts on this platform.
    • Field Effect
    • Huntress
    • Blackpoint Cyber
  • All of your company files should be in the same system as your email.
    • Microsoft OneDrive + SharePoint
    • Google Drive
  • Your email should be monitored and protected against phishing, malware, and general spam.
    • Rotate
    • Avanan
    • Proofpoint
  • You need security awareness training for you and your team.
    • Rotate
    • KnowBe4
    • Huntress
  • Your emails, files, calendars, and everything else should be backed up. This applies to Microsoft 365 and Google Workspace too: contrary to popular opinion, they are not backed up for you... you need to have that separately!
    • DropSuite
  • Every computer that accesses your business email, business files, or business applications needs to be protected by endpoint protection, preferably something called an "EDR". Even more preferably, you also have a SOC reviewing the suspicious activity that this endpoint protection finds.
    • Field Effect
    • Huntress
  • You should have a password manager with unique passwords for everything: no reused passwords for anything.
    • Proton Pass
    • Bitwarden
  • You should never be using shared accounts; every employee should have their own username and password for every system.
  • Everything you log in to should have 2FA configured. A password alone is no longer even close to good enough. DO NOT skip this one!
    • Microsoft Authenticator
    • Google Authenticator
    • Proton Authenticator
  • Your computers should be configured to update automatically, both the operating system (Windows, macOS) and applications (Google Chrome, Adobe Reader, etc.).
    • NinjaOne RMM
  • If you work in finance or medical, you should also have a SIEM, and a SOC team reviewing it.
    • Field Effect
    • Huntress
  • There's a discussion to be had here around using a VPN or similar technology of some kind (SASE, ZTNA). Since this is a minimum list, I'm going to say that even a basic consumer VPN is a great bet to get started, though moving to the more business grade solutions would be best. That gets pricey and complex quickly, so we're not going to officially worry about it here, and instead give a nod to a consumer VPN service which requires zero setup and zero maintenance. It's 100% done for you and adds great protection in public wifi scenarios.
    • Proton VPN

Putting all of that in place

That list truly is the MINIMUM you need to have in place, so don't find a way to convince yourself you don't need it. You do. If you skip it, your business is left with absolutely insufficient or non-existent protection, and when, not if, a bad actor gets in, it may be the end of your business.

I know that's a lot to swallow, but I'd rather be honest and save your business from an avoidable mistake than sugar coat it so this feels like a better or easier read.

  • If you have an internal IT team, work through that list with them and make them prove to you that you have all of it in place. I really mean PROVE it. "Yeah, we've got that" is not proof, so get more information, be specific, find out.
  • If you have an MSP, work through this list with them. Same as above, get PROOF.
  • If you don't have internal IT or an MSP, or you're just so small that it doesn't make sense to have a team, or you already have internal IT but want to level up your protection strategy, reach out and I can help get you the tools you need and the strategy to get there. I love working with internal IT teams and MSPs.

Wrap up

If you enjoyed this and/or it brought you value in any way, please consider subscribing on this page. If you really enjoyed it, please consider a paid subscription. It's basically buying me a coffee a month (you can choose the monthly option) and makes me feel less like I'm screaming my thoughts into the void. When I post a blog in the future it will be sent right to your email, no spam. Thanks for reading!
