The cyber security landscape for small businesses, and the tips and tools that can help

If you’re an IT leader for a small business, you’re operating in a rapidly changing business landscape – the world has undergone seismic changes in recent years. More employees than ever before are working from home or multiple other locations, and they’re using a whole range of different devices, both company-owned and personal.

Also, if you thought smaller businesses are less likely to be targeted – unfortunately, the opposite is true. Cyber attacks on smaller businesses are in fact increasing, with today’s primary security threats now coming from extortion or disruption from ransomware. Data from the UK Government’s Office for National Statistics (ONS) shows 65% of medium-sized businesses have experienced at least one cyber attack in the past 12 months – which is a higher rate than for enterprise-sized organisations. The ONS also found that year-on-year, fewer micro and small businesses have vitally important measures in place, such as up-to-date malware protection and network firewalls, perhaps due to resource pressures.

While these challenges are acute and very real, with the right partners and support you can still manage and mitigate cyber risks effectively.

What’s more, being able to make flexible work – well, work – is worth the effort, because it unlocks so many positive new opportunities for business growth, staff wellbeing and productivity.

“Running a small business is challenging at the best of times; this is compounded further by having to navigate both the opportunities and risks posed by flexible, remote work. The onus is on business owners to stay aware of the cyber risks small businesses are facing, choose the right person to lead IT, and then give them the support and investment needed to defend the organisation.

“IT security has become too important to let it fall through the cracks.

“In my experience it’s also vital that SMB IT leaders can own the security agenda internally and are empowered to equip the business with the right tools and systems to mitigate the threats posed by malicious actors.”

Rajeeb Dey MBE, Founder & CEO of workplace learning marketplace Learnerbly

Being the right technology partner for small businesses

The top priorities for SMB IT leaders are improving the experience of remote work; helping employees stay productive and connected; and ensuring the security of their data and devices in a distributed work environment. As well, of course, as keeping a close eye on costs in the face of ongoing uncertainty and inflation.

That’s a lot to manage!

In response to these challenges, we are continuously working to ensure that, as well as being best-in-class, Microsoft tools and solutions also connect seamlessly together to create an integrated platform. One that is consolidated and plugs any gaps that might present a security exposure, which can be a challenge when using a lot of separate point solutions.

This approach helps us offer a service that’s simple yet powerful, and easy to manage – but still reduces costs for SMB IT leaders. In fact, we were thrilled to hear, just a few months ago, that our commitment to SMBs was recognised when Microsoft was named as a Leader in IDC’s MarketScape reports for Modern Endpoint Security, for small and midsize businesses (SMB).

As part of our commitment to ‘security for all’, we have renewed our pledge to keep bringing enterprise-grade security to SMBs. One of the best examples of this, is the recent launch of Microsoft Defender for Business, which is now included in Microsoft 365 Business Premium and also coming soon as a cost-effective standalone option for those who don’t have that subscription yet.

Defender for Business has been designed to help businesses with up to 300 employees, raise their game from traditional antivirus to next-generation endpoint protection, detection, and response (EDR), as well as threat and vulnerability management from a single dashboard.

It also offers simplified configuration and management with intelligent automated investigation and response, to help protect your endpoints, without you having to deal with repeated, low priority security alerts.

By bringing together all these security capabilities in one cost-effective, easy to use, package, there’s no longer any need for separate web and network protection, threat, and vulnerability management solutions.

So, you can see how Defender for Business, either as part of Microsoft 365 Business Premium or as a standalone, can help make getting the job done a lot easier for IT leaders, by simultaneously increasing security and simplifying your workload. As well as making other small business owners your biggest fans! Because by lowering IT costs, you’re helping them invest in, and improve, other business processes too.

On that front, here are a few additional security tips and recommendations of what tools and features to use, that can help make life a lot easier.

Key practices, tools and features for SMB users

1. Turn on multi-factor authentication (MFA)

For businesses of all sizes, passwords are the weakest link in the security chain and, without any additional verification, can become a single point of failure. If you only do one thing to help protect your organisation, it should be to turn on multi-factor authentication (MFA) – which can prevent 99.9% of identity attacks.

The Microsoft Authenticator is free to download from the Apple and Android app stores and supports everything from biometrics, push notifications and one-time passcodes for any Azure AD-connected app. There are also ways you can minimise the disruption of transitioning to MFA by setting up access policies so that users are only prompted to use it when necessary, with conditional access.

2. Assess your security posture with Microsoft Secure Score

Microsoft Secure Score is an excellent and very practical tool for measuring your organisation’s own security posture and seeing what actions you can take immediately to improve it.

You will find it at https://security.microsoft.com/securescore in the Microsoft 365 Defender Portal. The higher the score, the better – and to help you find the information you need more quickly, improvement actions are categorised across Identity, Devices and Apps.

The overview page shows you how your points are split between these groups and what points are available, as well as recommended priority improvement actions that can be taken to improve your score. To make it easier to track and manage your progress, you can even assign statuses, such as ‘to address’, ‘planned’, ‘risk accepted’ or ‘resolved’ – to each action, as well as adding any notes.

3. Safeguard users’ identity against malware and fishing

• There are some key features in Microsoft 365 Business Premium that can be particularly effective for protecting your users against phishing and ransomware. The Safe Links feature does what it says on the tin and checks website URLs and links to Office files in real time, warning users if the destination would be malicious and can block them from going there.
• The Safe Attachments feature scans every single attachment coming in via email, so when a Safe Attachments policy is in place, email attachments are opened and tested in a virtual sandbox environment. If determined to be malicious, the attachment will not open, with this protection also applying to attachments share via SharePoint Online, OneDrive or Teams.
• Anti-phishing is a feature which uses machine learning to analyse past email patterns and relationships to find anomalies that indicate spoofing has occurred, helping to combat the latest methods, where attackers often impersonate a person or a brand.

4. Secure and manage the devices that access your company’s data

With employees working across multiple locations, using both personal and company owned devices, you want a way to manage and secure these devices and the work data on them as easily as possible. Microsoft Intune makes it straightforward to manage and safeguard Windows, Mac, iOS and Android devices, plus, the Autopilot feature makes it just as easy to quickly provision and deploy new devices to employees remotely.

Generally, you can take the mobile application management (MAM), approach, where you have control over just the applications that are used for business purposes, which means users can still use their personal devices to access company IT resources.

Or you can use mobile device management (MDM), which is typically applied to company owned devices, and means users must ‘enroll’ their devices, and in doing so get certificates which allows to communicate with Intune.

MAM tends to be more common for SMB users, as they tend to be in more of a BYOD environment

5. Educate staff on steps they can need to take themselves when working remotely

It’s also important to remember (and remind people) that security is everyone’s responsibility, it’s not all on your shoulders!

Microsoft can also help with training your users about how they can take control of their own security – by managing their environment.

This includes everything from being mindful of what network they’re connecting when out and about, to fixing their router security at home. And even thinking twice before they throw any equipment or printed documents away or plug their device into a charge point (also a data point) that’s connected to who-knows-what.

So, we hope you found these pointers useful. If you’d like to find out more about the ways in which Defender for Business might be able to help you, and learn how technology can help you improve communications, productivity, and security in a remote and flexible work environment – please visit https://aka.ms/SecureSMB for more guidance.

Related:

Securing your business in the hybrid workplace — Ensure your business is prepared for the increasing threat of cyber crime.