Part 1: How to prevent a cyber attack

In this Article:

• Preventing a cyber attack
• Passwords and multi-factor authentication
• Software updates and data back ups
• Securing networks and devices
• Cyber training and education
• Also in this series

Cyber crime is big business. According to the FBI’s Internet Crime Report 2023, the FBI received complaints of cyber crimes in 2023 that totaled $12.5 billion, and the agency estimates it receives complaints in only about 20% of cases. This includes crimes committed against individuals, as well as businesses of all sizes. Everyone should be concerned about cyber security, and small businesses are certainly not immune.

Since the big data breaches are the ones that make the news, small businesses may feel that the cyber criminals only have big companies in their sights, perhaps looking for the biggest possible payday. But the fact is that small businesses are vulnerable too and may be even easier targets than the big firms, simply because they may have fewer safeguards in place.

If you own a small business, here are three steps you can take to limit the impact of the increasing risk of cyber attacks and protect your businesses. You need to prevent an attack from happening in the first place, detect an intrusion quickly if one does occur, and mitigate the damage to your business and your reputation.

Preventing a cyber attack

The best-case scenario, of course, is to prevent a cyber attack from ever taking place. This can be challenging, since hackers always seem to be one step ahead. But there are steps you can take to minimize the likelihood that you will be the victim of a cyber attack.

Here are 10 best practices to help your small business keep data safe.

Back to top

1. Use strong passwords

Everyone knows you shouldn’t use ‘password’ or ‘123456’ for your password, but a lot of people still use the same password for multiple accounts. If you do this, a hacker who gets access to one of your accounts can easily access them all.

🛡️ Pro tip: Password managers can generate a random password when you first set up an account on a new site. It will be stored in the password manager so you don’t have to remember it, and it will be much harder to crack because it won’t be your dog’s name or your anniversary. PC Mag lists five favorites.  

2. Change your passwords frequently

If a password of yours is compromised you may not realize it right away, and once you do it may be too late. So get in front of it by changing your passwords every 90 days.

🛡️ Pro tip: There’s a reason why many sites won’t let you use a password you’ve used in the past – the object of the game is to avoid having a detectable pattern.

3. Use multi-factor authentication

It’s annoying to have to enter a six-digit code every time you want to access a frequently used account, but it’s even more annoying to have your data compromised by a hacker. Multi-factor authentication requires you to enter a password and then verify your identity by entering a code you receive on a different device. Use multi-factor authentication (MFA) wherever possible.

🛡️ Pro tip: If you want to add multi-factor authentication to an existing account, check the security settings on the account, and look for ‘multi-factor authentication’ or ‘two-factor authentication.’ The Cybersecurity and Infrastructure Security Agency (CISA) has more information on multifactor authentication.  

Back to top

4. Keep your software up to date

One of the most common ways a hacker can get entry into your system is through a vulnerability in your software. Once software providers learn of these vulnerabilities, they write code to repair, or ‘patch,’ them. But that doesn’t help you unless you install the patch, which is typically done via an upgrade. So whenever a program or operating system asks you if you want to update, the answer is ‘yes,’ and the sooner the better.

🛡️ Pro tip: Running patch management software on a regular basis will help ensure you don’t miss any updates. If you use an IT consultant to help with your system, they should be able to manage this for you. 

5. Back up your data regularly

Having up-to-date data backed up to a secure location will help you get back to business if your data is held for ransom or destroyed. Back up your data regularly – a daily automatic backup is best – to the cloud or to an external device that is stored away from your physical office space.

🛡️ Pro tip: For most businesses, backing up data to the cloud is going to be the easiest solution. There are a lot of options, so look for the one that best fits the size of your business and the configuration of your system, as well as your budget. Read about PC Mag’s best picks for cloud backup for business.  

Back to top

6. Make sure your Wi-Fi network is secure

Make sure your Wi-Fi network is encrypted with WPA2 (Wi-Fi Protected Access 2) or WPA3 and that your password is secure. WPA3 is more secure than WPA2 so if your network supports WPA3, use it.

🛡️ Pro tip: If you haven’t updated your router in a few years, it may still be using WPA2. Updating it to one that uses WPA3 is a good idea. Learn more about WPA3 and how to set it up from PC Mag.  

7. Control physical access to devices

Only authorized staff should have access to your company’s devices, and only to the ones they need.

🛡️ Pro tip: If you have employees using their own devices (known as BYOD or bring your own device), make sure you have a written acceptable use policy that includes documentation of required security measures and how you address data protection and privacy concerns. Have a policy for removing company data from any employee-owned device in the event an employee leaves the business.

Back to top

8. Educate yourself and your employees

Learn how to recognize a phishing email or smishing (text) message, and how to recognize and report a suspected cyber incident.

🛡️ Pro tip: Conduct phishing simulations by sending emails to your employees that look legitimate and ask the recipient to click a link or download a file. If you notice any clicks on this link, it will alert you that more training is needed.

9. Have a security plan in place and keep it updated

Develop a written plan for what to do in the event of a cyber attack, including whom to contact and what to do immediately. Revisit the plan at least yearly to be sure it’s current.

🛡️ Pro tip: A written plan that everyone has access to, with roles and responsibilities identified, will make your response to a cyber incident much more efficient. The Federal Communication Commission (FCC) has a great tool for creating a security response plan for your business, and CISA offers some helpful tips too.  

10. Monitor your system

Keep an eye out for unusual activity, using an intrusion detection system or security information and detection management system. These systems will monitor your network and detect any unusual activity.

🛡️ Pro tip: Intrusion detection systems can range in price from free to tens of thousands of dollars, but even the pricier ones are cheaper than a cyber attack. If you don’t have an IT person on staff, you may need to hire someone to set up your IDS, but once set up it will monitor your system continuously.

Back to top

💡✍ This sounds like a lot, but it’s worthwhile, as it protects what could be your company’s most valuable asset: your data. Prevention is critical, but unfortunately it’s not completely foolproof. To learn what to do if you are attacked, read Part 2: Detect an Attack Early.

📢 Also in this series:

• Small Business Guide to Cyber Security Part 2: Detect an Attack Early
• Small Business Guide to Cyber Security Part 3: Mitigate the Damage of an Attack

Back to top