Cybersecurity Policies and Procedures for Small Businesses
Summary: this article underscores the necessity for SMBs to establish company-wide cybersecurity policies and procedures. Written policies let you identify weaknesses and prevent, detect and respond to cyber threats consistently, and they ensure that all of your employees are working from the same rules to protect your business data.
Cyberattacks on small businesses have become routine. Attackers are constantly scanning for new vulnerabilities and targets, and many SMB owners falsely believe that cybercriminals are not interested in them because of their size. On the contrary, attackers favor small businesses precisely because they often have weaker security controls and are easier to breach. Cybersecurity for any business is not a one-person operation. Even if your business is lucky enough to have an in-house IT professional to handle hardware, software, network and security issues, all of your employees must be guided by an established, detailed, mandatory set of cybersecurity policies and procedures. Everyone must be taught their role in protecting the company's network and the possible consequences if they do not all work as a team. If, after reading this blog, you are still uncertain about how to create thorough policies and procedures, we suggest enlisting the help of a professional small business IT security and support company.
It All Starts With A Company Password Policy
Passwords are one of the first layers of cyber defense and an essential component of any data security policy. The days of using easy-to-guess birthdays, anniversaries and pet names are long gone. Today, passwords must be long, unique to each account and not found in lists of previously breached passwords; current guidance (NIST SP 800-63B) treats length and uniqueness as far more important than forcing a mix of uppercase, lowercase, digits and symbols, which mostly produces predictable patterns like "Summer2024!". Establishing a comprehensive company password policy covering password creation, storage and use is required to maintain security. All current employees should be bound by data security policies and protocols, and all new employees must be taught how to comply. Company password policies should include the following:
- Mandatory Strong Password Requirements – Strong, unique passwords are the first line of defense against cyberattacks. Set a minimum length (12 characters or more is a reasonable floor), reject passwords that appear on common or breached-password lists, and reject passwords that contain the user's name or the company name. Everyone in your company must be 100% compliant with the safe creation and storage of passwords. Using a reputable password manager to generate and store long, random passwords is advisable.
- No Reuse of Passwords – Employees must never reuse a password across accounts or services, and must not recycle an old password when setting a new one. A password reused on a site that later suffers a breach lets attackers log in to your systems with no further effort (a technique known as credential stuffing).
- No Password Sharing – No one needs to know your password, including IT staff, managers and the trusted colleague who sits near you and wants to help. Legitimate support processes never require your password. Keep it to yourself and keep it safe.
- Change Passwords on Evidence of Compromise, Not on a Schedule – Forcing password changes every 60 or 90 days no longer counts as good practice: NIST SP 800-63B recommends against routine expiry because users respond with predictable variations (Password1, Password2, …). Instead, require an immediate change whenever a password may have been exposed, for example after a phishing incident or when it appears in a breach notification.
- Implementation of Multi-Factor Authentication (MFA) – MFA has become the standard in cybersecurity. MFA requires a second proof of identity after the password, so a stolen password alone is not enough to log in. Not all second factors are equal: hardware security keys (FIDO2) and authenticator apps are strong; codes sent by SMS or email are weaker because phone numbers and mailboxes can be taken over; security questions are only another "something you know" and should not be counted as a second factor. Enable MFA on email, remote access and any administrative account first. It is especially important to include MFA in the "Bring Your Own Device" security policy.
- Use of Password Managers to Generate and Save Passwords – Password managers have become the "go-to" tool for generating long, random passwords and storing them securely, so employees only have to remember one strong master password (which itself should be protected by MFA). Businesses should require all employees to use an approved password manager consistently.
- Encryption of Stored Passwords – Password managers encrypt the vault with a modern cipher such as AES-256 or XChaCha20, using a key derived from the master password with a slow key-derivation function such as PBKDF2 or Argon2. Obsolete ciphers such as DES have no place in a modern product, and any vendor still advertising them should be avoided. On the server side, your own systems should never store passwords in plaintext; they should store only a salted, slow hash.
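The password-policy items above (minimum length, breached-password blocklist, no reuse, and salted slow hashing for storage) can be enforced in code rather than left to good intentions. The following Python example is added here to illustrate them; it is not code from the original article or from any product it mentions. The blocklist is a small constructed sample, the 12-character minimum is an assumed policy value, and PBKDF2-HMAC-SHA256 from the standard library stands in for the Argon2 or bcrypt a production system would more likely use.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional

# Constructed sample blocklist for illustration only. A real deployment
# would load a large breached-password corpus instead of these entries.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "qwerty",
    "letmein", "welcome1", "summer2024", "admin123",
}

MIN_LENGTH = 12              # assumed policy minimum; longer is better
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 hash in a self-describing text format.

    A fresh random salt per password means two users with the same password
    get different hashes, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def check_new_password(password: str, username: str, previous_hashes: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    # Reuse check: the old passwords are not kept, only their hashes, so the
    # candidate is hashed under each old salt and compared.
    if any(verify_password(password, h) for h in previous_hashes):
        problems.append("reused")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would, using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("Password123", stored))
    print("weak choice:", check_new_password("password123", "alice", []))
    print("recycled old password:", check_new_password("correct horse battery staple", "alice", [stored]))
    print("manager-generated:", check_new_password(generate_password(), "alice", [stored]))
```

The reuse check works without ever storing old passwords in recoverable form: each candidate is re-hashed under the previous records' salts. Keep the iteration count as a parameter so it can be raised as hardware gets faster, and store it alongside the hash as shown, so old records still verify after the policy changes.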
Cybersecurity procedures map out how your employees and business partners should securely access company resources and internet platforms and share data over your network. These policies and procedures must apply to everyone, even those working remotely or using their own devices.
What Is A Bring Your Own Device Security Policy?
A Bring Your Own Device security policy applies to all employees who use their own smartphones, tablets and laptops to access work resources. It should state that company data remains company property even on a personal device, specify which apps are permitted for work use, require the device to be kept patched and protected with a screen lock and full-disk encryption, and reserve the company's right to wipe its data from the device when the employee leaves or the device is lost. Generally, employers supply additional IT support for remote employees, including their mobile and personal devices, and strict adherence to the rules is required. Access to the company network from personal devices should go through a VPN or an equivalent managed remote-access gateway, protected by MFA, rather than being exposed directly to the internet.
Permissions and Acceptable Use Policies (AUPs)
Access to your network, resources, data and internet platforms must depend on a user's role (the principle of least privilege). For example, a bookkeeper in a company's accounting department does not need access to proprietary designs in the company's graphics department. The most sensitive business data should be restricted to the people whose job actually requires it, which is a question of need-to-know rather than seniority: an executive who never handles payroll does not need payroll access, and administrative rights on systems should be separate from everyday user accounts. Permissions should be reviewed on a schedule and adjusted promptly when someone changes roles or leaves. Limiting permissions both reduces the damage an insider can do and limits how far an attacker can get with one compromised account.
Other components of robust cybersecurity policies and procedures include:
- Vendor Management – If your vendors have any access to your network, your cybersecurity policies and procedures must include detailed security requirements for them: named accounts rather than shared logins, MFA, access limited to the systems they actually support, and prompt removal when the engagement ends. Complete transparency from all parties that access your network is required to ensure their compliance and security as well as yours.
- Use of Removable Media – Your policies and procedures must also govern the use of removable media, such as USB flash drives and external hard drives. An infected drive can carry malware onto any machine it is plugged into, and from there across the network; a lost unencrypted drive is a data breach. Restrict removable media to approved, encrypted devices, and block it entirely where there is no business need.
Having a detailed data security policy is key. You might have state-of-the-art security technology in place, but a single employee who reuses a password or plugs in an unknown USB drive can bypass it, which is why people are so often the weakest link. Establishing comprehensive cybersecurity policies and procedures that tell your employees exactly how they must help protect the company's data is crucial to the security of your SMB. If you need help, enlist a small business IT support company that has network security experts on staff.