One of the most common errors we see small to mid-sized businesses make is a lack of focus on the basics of IT security.
We get it. Security is a pain in the butt, especially when it comes to the DIY route. But consider this: Your offices have locks on the doors and most likely an alarm as well. You also probably have 24/7 monitoring so the police can arrive in a timely manner if someone tries to break in.
You need at least the equivalent of that level of security for your company’s IT systems. How do you go about achieving that? Here’s how:
1. Use commercial-grade firewalls in physical offices
Commercial-grade firewalls are physical appliances that sit between the internet and your company’s network. Obviously, this sort of device won’t work for a company that is entirely remote, but for actual offices, the protection they provide is absolutely critical.
Not all commercial-grade firewalls are created equal, however, so it’s important to go with one that is manufactured by a reputable IT security company like Cisco, SonicWall, WatchGuard, and others.
Also keep in mind that these firewalls have many features available that require an experienced professional to set up correctly. They are not “set-it-and-forget-it.” That’s why it’s recommended that small to mid-sized companies use an IT provider to configure, manage, and monitor firewalls in order to maximize the investment.
2. DNS filtering should occur on every device
DNS is the internet’s version of a phone book. (Remember those?) It maps every web domain to the IP address of the server it’s hosted on.
Unfortunately, many domains today are known for hosting malicious content or activity. By using DNS filtering software on every device, you’re provided with a level of protection against known bad websites.
DNS filtering can also be done on a network level for companies with physical offices, making it possible to automatically block specific websites or content that employees should stay away from while at work.
3. Implement endpoint detection and response software
Despite its rather bland name, endpoint detection and response software (or EDR) is the first line of defense against malicious actors looking to infect your company’s workstations.
It’s also the newest generation of antivirus software, going above and beyond products like Norton, Symantec, and Webroot. By monitoring for suspicious behavior on a device (often using machine learning) rather than only matching known malware signatures, EDR can quickly stop viruses and other malicious activity in their tracks.
4. Enable email spoofing and phishing protection
Phishing is when a bad actor sends an email to an individual in an attempt to steal credentials. Spoofing is when someone sends email from an address that looks like an individual’s (a forged or lookalike sender) in an attempt to gain access to another email account or website.
Robust email filtering prevents these types of emails, along with malicious links and attachments, from getting through. And for even greater security, third-party security tools or add-ons are available for Microsoft 365 and Google Workspace. Use them.
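To make the spoofing point concrete, here is a small added example (not code from the original post or any vendor product) of the kind of check a mail filter runs on the From: header: it flags lookalike domains (homoglyph swaps and one-character typos of the company domain) and display-name spoofing, where a staff member’s name appears on an unrelated domain. The trusted domain and staff name are constructed sample values.

```python
import email.utils

# Constructed sample data for this example (not from the post): the company's own
# mail domains and the display names an attacker would most like to imitate.
TRUSTED_DOMAINS = {"example.com"}
STAFF_NAMES = {"jane doe"}

# Character swaps that look alike in many fonts; folded out before comparing domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(label: str) -> str:
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header: str) -> str:
    """Return trusted, lookalike-domain, display-name-spoof, external or malformed."""
    display, address = email.utils.parseaddr(from_header)
    _, at_sign, domain = address.rpartition("@")
    domain = domain.lower()
    if not at_sign or not domain:
        return "malformed"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(domain) == fold_homoglyphs(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike-domain"
    # A familiar staff name on a free-mail or unrelated domain is classic display-name spoofing.
    if display.strip().lower() in STAFF_NAMES:
        return "display-name-spoof"
    return "external"
```

A real filter would combine this with SPF, DKIM and DMARC results; this check only covers the “looks like someone we know” part of the problem.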
5. Conduct regular security awareness training
To quote the old G.I. Joe cartoon, “Knowing is half the battle.” User education is always the first line of defense, especially as cyber criminals continually change their tactics.
A good security awareness training program combines awareness (tell them about the types of attacks), education (showing examples of the attacks), testing (running simulations on each employee to see how they respond to phishing emails), and reporting (figuring out who did what and if they learned from their mistake).
While there are a wide variety of packages available to assist with training, such as Bullphish and KnowBe4, any training program you use will only be effective if you do it frequently and consistently.
6. Implement centralized identity management
Centralized identity management uses a system like Microsoft’s Entra ID (formerly Azure AD) or Google Identity and Access Management (IAM) to create a database of users, passwords, and permissions in one place so they can be securely managed by an IT administrator.
It’s generally recommended that the system you use should be in line with your email provider of choice, while for companies with large on-premises server deployments, identity management is often integrated with Active Directory servers.
7. Single sign-on is your best friend
Single sign-on is a term used for software, generally cloud-based, that links access and security to an identity management provider like the aforementioned Microsoft Entra ID and Google IAM.
For most companies using multiple software packages, this alleviates having to maintain a separate user account and password database for each application. It also ensures that multifactor authentication (MFA) methods (see below) being used are up to current best practices rather than using out-of-date methods like text message.
8. Multifactor absolutely everything
MFA is possibly the most important feature you can turn on in your software and systems today.
MFA checks that a user attempting to log in is who they say they are by requiring, in addition to the password, a one-time code from an authenticator app, text message, or phone call.
Every single account your company has on every website should use MFA when possible. It not only protects your business, it makes changing passwords regularly far less important — although you should still update them as well.
9. Secure your Microsoft 365 or G Suite platforms correctly
Your email and productivity platforms are the heart of your business. They are where most of the work is done and most of your data is stored.
The thing is, these platforms are not inherently secure. They need to be constantly monitored for malicious activity and regularly modified to use new features and implement best practices.
This can be difficult for most businesses to do unless they have a full in-house IT security team. While it can still be done — and both Microsoft and Google have extensive documentation to help — for greater peace of mind, you’re probably better off using the last item on this list…
10. Partner with a managed IT and cybersecurity firm
Look, most businesses are really good at something — and it’s not internal IT management or cyber security.
For smaller businesses (fewer than 200 employees), you’re better off financially and security-wise if you outsource your IT to a provider with a strong track record.
Keep in mind, though, that any IT firm worth its fees will start with a comprehensive IT and security audit to ensure they know your landscape and threats and can help you build a comprehensive IT budget and roadmap.
This post was originally published on March 5, 2019. It was updated on February 22, 2024 to add additional details for relevance and accuracy.