Proton

A cybersecurity guide for small businesses

The Internet allows businesses of any size to work and reach markets around the world. Unfortunately, this potential for increased productivity and profitability is tempered by the security risks that the Internet presents. The fact is that cybersecurity must be a part of any business plan going forward. This is meant to be a quick guide to help small businesses begin to secure their data, although some of these steps may require the assistance of a team of trained IT professionals.

Cybersecurity and data privacy are important for everyone

Data leaks(nieuw venster) have become more and more common, and not just tech companies have been affected. Plenty of more traditional companies, such as Mariott, have suffered massive leaks. Not only do these leaks erode consumer confidence, but they are beginning to incur financial penalties and regulations under the GDPR(nieuw venster). While certain exceptions are made for small businesses in the GDPR, putting good cybersecurity and data protection practices in place will reduce your exposure.

As profit-seeking entities and organizations with a responsibility to society, small businesses must work to protect the data their customers have entrusted them with.

Learn more: GDPR checklist(nieuw venster)

Understanding your threat model

A threat model(nieuw venster) is a method of evaluating security and privacy risks in order to mitigate them strategically. Different kinds of organizations will have different kinds of threats and vulnerabilities(nieuw venster). You can use it to determine your business’s own cybersecurity priorities. Start by answering the following questions:

  • What kind of data do you process in your business?
  • How is that data handled and protected?
  • Who has access to that data and under what circumstances?

Answering these three questions will help you know exactly what data you have, where you keep them, and who has access rights to them. Drawing a diagram to visualize these relationships can be very helpful as well. For instance, perhaps you have data securely stored on a local, encrypted server, but then you realize that as the data travels over your business’s network that it is not encrypted, or that too many people have unnecessary access. Creating a threat model will help you identify where the data are vulnerable to hacks and leaks.

Now that you know the data you need to safeguard and where the potential weak points are, you can start to put processes in place to protect it.  

Protect your network from cyber attacks

Your network is where your business’s data lives. It must be secured if you are going to protect your customers’ data, even if it requires technical assistance from professionals. To get started, you must identify all the devices and connections on your network, set boundaries between your company’s systems and outside systems, and create controls that ensure that any unauthorized access to your network can be stopped or contained.

Another vital part of protecting your network is maintaining the software of connected devices. You can help prevent attackers from installing malware on your company’s devices by keeping your apps and operating systems up to date. Software updates often include security patches for recently discovered vulnerabilities. You should also use anti-virus software.

Passwords and authentication

Passwords are the first line of defense on your all your company accounts. Make sure that everyone in your company uses strong, unique passwords to secure their accounts and devices. A password manager can help your employees generate and store passwords so that they don’t have to write them down.

The second line of defense is two-factor authentication(nieuw venster) (2FA). This is a way to secure accounts with a second piece of information, usually something you have with you on your person, like a code created on an authenticator app or fob.

Tell your employees to avoid using public computers to access their company accounts because keyloggers can record and steal the login information and compromise their account. If your employees absolutely must use a public computer, tell them to be sure they log out of their account afterwards.

Many services (such as Proton Mail and Proton VPN) allow you to see when and from what IP address an account has been accessed and log out of other sessions remotely(nieuw venster).

Create a mobile device action plan

Mobile devices present significant security challenges as they can hold confidential information or access your corporate network and also be easily stolen or lost. Your cybersecurity plan should anticipate these eventualities. So it’s essential to have your employees use strong passwords to protect their devices and make sure they encrypt their data. There are apps(nieuw venster) that allow you to wipe, locate, and potentially identify the thief if a device is stolen. Also be sure to set up a procedure for reporting lost or stolen equipment.

Practice email security

Email(nieuw venster) has become the primary way of handling a business’s communications, from internal management to customer support. It is also one of the easiest ways for hackers to get into your company’s database. It is crucial you train your employees to be alert for phishing attacks(nieuw venster), in which the attacker tries to trick you into clicking on a link, downloading an attachment, or giving up sensitive information (such as entering your username and password into a spoofed webpage).

Learn more: Email security practices your team should be following right now(nieuw venster)

Use encryption as much as possible

Encryption is the process of converting readable information into an unreadable string of characters. Without encryption, anyone monitoring the Internet could see all the data being transmitted, from credit cards to chat messages. The vast majority of online services use some form of encryption to protect the data traveling to and from their servers. You should encrypt any data that your company considers sensitive.

However, only a few tech companies encrypt your information in such a way that even the company cannot decrypt it. This kind of encryption is called end-to-end encryption(nieuw venster) (E2EE). Often, there is an E2EE alternative to less private services. For example, Proton Mail is a private alternative to Gmail(nieuw venster) — and is HIPAA compliant(nieuw venster). Instead of Google Drive, which can access your files, your company could use Proton Drive(nieuw venster). For notes, Standard Notes(nieuw venster) is one E2EE option. These services prevent anyone but the owner (and in Proton Mail’s case, the receiver of the email) from decrypting the file and accessing the data.

For instant messaging, there are a number of options — though the most popular services are still unsecured. Neither Skype for Business(nieuw venster) nor Slack(nieuw venster) offer E2EE protection for its users. For better chat security and privacy, we recommend using Wire or Signal.

Train your employees and manage access

None of these steps will have any effect unless the employees of your company correctly implement them. Establishing clear, useful guidelines that also detail penalties for violating the company policy is crucial for any cybersecurity plan. All employees should be well versed in standard phishing attacks, strong password best practices, encrypted services, and whom they should contact if they encounter a problem.

To minimize risk, no one employee should have access to all your company’s data systems. They should only have access to the specific data they need to perform their jobs, and administrative privileges, like installing new software, should only be given to trusted, key personnel.

Developing these systems and training your staff on them will be time-intensive, but your employees are your first and last line of defense against data leaks. Now that the GDPR has been implemented, businesses have had to be more forthcoming about data breaches, and the reports have shown human error to be the cause of more data leaks than malicious attacks.

We hope this guide helps you to establish a cybersecurity plan for your business. For businesses interested in a more thorough resource, the Federal Communications Commission has issued a Cyber Security Planning Guide(nieuw venster) which will cover much of the same ground in greater detail. 

At Proton Mail, we believe that security and privacy are everyone’s responsibility. By following these guidelines and by using security-focused services, you can significantly improve your cybersecurity.  

Best Regards,
The Proton Mail Team

You can get a free secure email(nieuw venster) account from Proton Mail.

We also provide a free VPN service(nieuw venster) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(nieuw venster). Thank you for your support.

Gerelateerde artikelen

how to write a professional email
en
Easy steps and examples for writing a professional email. See how Proton Mail can make your emails stand out.
Email etiquette: What it is and why it matters |
en
Find out what email etiquette is with key rules and examples, why it is important, and how Proton Mail can help.
A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
en
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
en
  • Voor bedrijven
  • Productupdates
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
en
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
en
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.