8 Security Essentials for Growing Businesses on a Budget
Small and midsize businesses with big ambitions face a dilemma: how to protect their business against an intensifying threat landscape with only limited resources available for security. With growth as their top priority, they don’t have room for high-priced security professionals and solutions in their budget, and their small IT teams have their hands full with day-to-day operations. Their employees are focused on delivering products to market, not security training. Meanwhile, business strategies revolving around proliferating digital touchpoints and ecosystem relationships make their attack surface larger and harder to defend.
It may seem that smaller organizations are too small to be worth the time of cybercriminals, but the risks they face are all too real. They’re often seen as easy prey and quick wins for attacks from thefts of personally identifiable information (PII) and payment card data to fraud and customer impersonation. And the impact on these businesses can be devastating, from the direct financial cost of lost data, disrupted operations and recovery efforts to reputational damage. Customer perception and brand trust is critically important for establishing credibility; according to McKinsey, nearly 10 percent of companies have stopped doing business with a supplier after learning of a data breach. In fact, effective cybersecurity can be a strict prerequisite for business growth, as partnerships with larger companies bring new requirements to be met.
In this blog, we’ll talk about eight cost-effective security measures every SMB should take to protect their growing business and its customers.
1. Use secure methods for data transfer
Modern business runs on data—but the paths it takes are perennial targets for hackers. Application and network firewalls are a baseline requirement for any organization, but they’re only part of the picture. According to the Verizon 2023 Data Breach Investigations Report, business email compromise attacks now represent more than half of social engineering incidents.
With email systems so vulnerable to manipulation, growing businesses should turn to more secure channels for sensitive documents such as contracts. Instead of leaving it to employees to transfer information manually from application to application, systems and workflows should be integrated as much as possible to limit the movement of data and prevent leakage across systems and devices.
2. Keep your software up to date
For years, security experts have been warning about the known security vulnerabilities that are allowed to linger in business systems—and yet the problem continues. One recent report found that only 13 percent of these gaps were being remediated at all, with an average delay of 271 days from the time the vulnerability was first disclosed.
To keep cybercriminals from exploiting these security holes, it’s essential to apply any product updates, firmware updates and security patches as soon as they become available. When available, auto-update should be enabled. End-of-life or otherwise unsupported software for which patches are no longer provided represent an unacceptable risk and should be removed immediately.
3. Train your employees
According to Verizon DBIR, nearly three-quarters of all breaches include the human element, including user error, privilege misuse, use of stolen credentials or social engineering attacks like phishing. That makes employees both a common attack vector and vital participants in your security strategy.
Set clear expectations about the responsibility of every employee to do their part for security. Conduct cybersecurity training regularly, and incorporate it into onboarding for new employees, including safe browsing, phishing awareness, password hygiene and how to identify signs of a possible attack, as well as detailing the risks posed by shadow IT and non-secure consumer tools. Assign a trusted employee in a management role to oversee your security procedures and how well they’re being followed.
4. Tighten up access
While some attacks rely on malware or brute force methods to breach systems, it’s more common for hackers to simply “walk in the front door.” Verizon reports that 86 percent of basic web application attacks involve the use of stolen credentials. With so many different logins to keep track of, users often re-use the same password across many or all of the systems they use and refresh their passwords rarely if ever. In an organization with shift-based workers and shared workstations, a single account breach can easily spread across multiple users.
A password manager can make it easy for users to generate a unique and frequently refreshed strong password for each account while only needing to remember a single master password. The implementation of single sign-on across all of a user’s business applications can provide a similarly convenient yet effective security experience. Multi-factor authentication (MFA), such as a verification text sent to a second device, is critically important, making it possible to keep even a valid password from allowing unauthorized access. As with outdated software, it’s also crucial to delete user accounts that are no longer being used or belonged to departed employees.
For more effective centralized security, consider adding organizational access control to systems such as e-signature solutions that might currently be deployed on an ad hoc basis as individual accounts. Access control solutions such as a cloud access security broker (CASB) can help reduce the risks posed by remote work and employee-owned devices.
5. Stop fraud
Even in the age of AI-generated malware and Internet of Things (IoT) hijacking, many cybercrimes are as simple as someone pretending to be someone else. In fact, the digital age has made impersonation easier than ever, as businesses struggle to verify the identity of a customer miles away while ensuring a smooth and painless experience. But identity fraud can put legitimate customer accounts at risk, make contracts unenforceable and pave the way for stolen data, services and money.
The latest generation of identity verification tools provide a variety of ways to make sure people are who they say they are, from basic measures for routine interactions to higher levels of verification and trust for more sensitive matters. By integrating these solutions into your customer and employee experience, you can make identity verification quick, accurate and convenient. Managing agreements centrally across your business can help you ensure full visibility, simplify auditing and prevent human error such as lost documents or stalled workflows.
6. Build security into user devices
As employees use more devices in more places—especially in SMBs without IT-provisioned user hardware—they can expose data to risk in more ways. To prevent leaks and breaches, data should be encrypted end-to-end both in transit and on the endpoint. Antivirus and malware scanning and blocking should be deployed on endpoints to prevent these exploits from compromising locally stored data or entering the corporate network. If you do provide users with endpoints, choosing devices with built-in security capabilities such as remote recovery and self-healing can offer an added layer of protection. Set these capabilities to run automatically in the background when your computer starts up and disable your employees’ ability to turn them off.
7. Watch for trouble
No defense is perfect. When gaps or incidents do occur, early detection can help you limit the damage. Software and APIs should be scanned monthly for bugs and malware. Monitoring and alert systems for ransomware and distributed denial of service (DDoS) attacks offer real-time visibility into potential attacks in progress. Data loss prevention (DLP) tools can detect potential violations of security policies by employees or attempted breaches by hackers in real time so you can move quickly to limit risk.
The industry standard NIST cybersecurity framework offers detailed guidance to identify and address the highest priority risks to your business, while the MITRE ATT&CK framework details the tactics and techniques currently being used by hackers. Complemented with subscriptions to cybersecurity newsletters, NIST and MITRE ATT&CK can keep you fully informed about how to secure your environment, recognize potential threats and respond effectively to protect your growing business.
8. Plan for the worst
When even giants like MGM and Alibaba can be breached, it’s clear that any business can be a victim of cyberattack. In fact, many security experts recommend a mindset of assuming you’ll be breached and planning accordingly.
To this end, take the time to develop a comprehensive incident response plan, including who’ll lead your technical recovery, what measures you’ll take to limit the damage and who’ll communicate with customers and other key stakeholders. Data should be backed up frequently, and backups should be tested to ensure that you’ll be able to get back to business quickly. Scenario planning and tabletop exercises will help your response team gain familiarity with these procedures so they can work effectively when real trouble arises. Finally, cyberinsurance is now just as essential as general liability insurance, commercial property insurance, worker’s compensation insurance and any other kind of business coverage.
Cybersecurity doesn’t have to be a luxury reserved to the enterprise. There are ample resources available to help businesses of any size defend themselves more effectively, including guidance from the National Cybersecurity Society (NCSS), the U.S. Federal Trade Commission (FTC), the National Cybersecurity Alliance (NCSA) and the STOP. THINK. CONNECT. campaign led by the Anti-Phishing Working Group (APWG) and the NCSA. By taking these realistic and cost-effective measures, businesses of any size can take meaningful steps to lower the risk of an attack, protect their organization and its customers and safeguard their future prospects.
DocuSign maintains a strong commitment to protecting our customers through comprehensive network security, information security, and compliance with US, EU and global security standards. To learn more about the measures we take, visit the DocuSign Trust Center.