10 Security Mistakes that Every Small Business Must Avoid

Every time a data breach hits a big organization, as we have seen with Equifax, it makes the news [1]. These incidents push companies to take data security seriously, invest resources in it, and keep their defenses up to date. If large organizations remain at risk even after that much effort, imagine how easy it is for attackers to bypass the security controls of a small- or medium-sized firm. Many small organizations give little importance to cybersecurity or information security and often end up closing their businesses because they were unable to avoid, contain, or handle an attack.

“60% of small companies go out of business within six months of falling victim to a data breach or cyberattack.” (Cybersecurity Ventures)

Perhaps the most surprising part of such breaches is that the majority of them can be avoided. Some businesses do fall victim to carefully planned cyberattacks, but most of the time these incidents are crimes of opportunity. It is through a few simple mistakes that small business owners fall into the trap and invite trouble. Here are 10 security mistakes that every small business must avoid:

1. Absence of a security policy

When you have a small team, you deal with each member personally and trust them to do their jobs as well as they know how. Relying on that personal interaction, you may never consider defining a formal security policy for your organization. However, the loss of a single smartphone or laptop can result in a major security breach and may put your clients’ information at risk. It is advisable to have a security policy that defines the do’s and don’ts for the company’s IT infrastructure.

2. Lack of staff awareness training

Whether you have a small group of people working in your organization or a big team, every member should be aware of the security policy, of how cybersecurity breaches happen, and of the risks that come with negligence. Without basic cybersecurity education, your employees may not recognize new malware arriving through online sources. Investing time and resources in staff training might save you from a major breach.

3. Avoiding backups

In the wake of so many ransomware attacks, it is sheer negligence not to back up your data. When ransomware hits you, you may not be able to pay the demanded ransom, and you will not be able to retrieve your data either. Data should be backed up in both places, online and offline.
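A backup only counts if it can actually be restored, so a small verification routine is worth more than a copy that is never checked. The following added example (not code from the original post) hashes a source file and checks that each backup location holds an identical, recent copy. The file names and the temporary directories are constructed for illustration; in practice the two locations would be something like a cloud bucket and a detached drive.

```python
"""Verify that a file has an intact, recent copy in two independent backup locations.

Added example, not part of the original post. All paths are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backups(source: Path, copies: Dict[str, Path], max_age_seconds: int = 86400) -> Dict:
    """For each named copy, report whether it exists, matches the source hash, and is fresh.

    A copy that is present but does not match is the dangerous case: it looks like a
    backup but would restore corrupted data.
    """
    expected = sha256_of(source)
    now = time.time()
    report: Dict = {}
    for name, copy in copies.items():
        if not copy.exists():
            report[name] = {"present": False, "intact": False, "fresh": False}
            continue
        intact = sha256_of(copy) == expected
        fresh = (now - copy.stat().st_mtime) <= max_age_seconds
        report[name] = {"present": True, "intact": intact, "fresh": fresh}
    all_ok = all(v["present"] and v["intact"] and v["fresh"] for v in report.values())
    report["all_ok"] = all_ok
    return report


def demo() -> Dict:
    """Constructed scenario: a good online copy and an offline copy that was silently corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "customers.csv"
        source.write_bytes(b"id,name\n1,Example Customer\n")

        online = root / "online" / "customers.csv"
        offline = root / "offline" / "customers.csv"
        online.parent.mkdir()
        offline.parent.mkdir()
        online.write_bytes(source.read_bytes())
        # One byte changed in the offline copy: a restore from it would be wrong.
        offline.write_bytes(source.read_bytes()[:-1] + b"X")

        return check_backups(source, {"online": online, "offline": offline})


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Run on a schedule, a failing `all_ok` is the signal to investigate before ransomware makes the backup the only copy you have.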

4. Unattended access to the infrastructure

Do you know who has access to your data? Do you remember the time you allowed a random client to access your system to download a document onto a pen drive? How many times have you left your laptop unattended and unlocked before going on a break? There are many everyday office situations in which you might have either willingly given an outsider access to your system or left it unattended around a fellow employee. Either way, your data are at risk. Take complete responsibility for the security of your infrastructure and lay out a security strategy.

5. Not securing the cloud

Small and medium businesses benefit from cloud computing because it lets them stay productive and be less concerned about their data. The problem arises when the cloud services they hire are not reliable or not competent to protect that data. For example, your employees might be storing data in the cloud drives that come with their email accounts. The data stored in these drives are not completely encrypted and are not compliant with federal mandates. You must ensure that data at rest and data in transit are both handled as a priority.

6. Not performing updates

Updates are usually ignored because they are “inconvenient,” but they are vital for the security of your business data. Ignoring updates for lack of time or for fear of losing functionality puts you at greater risk. Intruders constantly search for vulnerabilities in software or operating systems that they can use to execute a breach, while developers continuously work to close those holes, which is why they release patches and updates to secure your software. Your security policy should likewise be reviewed regularly and updated in light of the latest cyberattacks.

7. Underfunding data security

Data security is expensive, and when small- and medium-sized organizations draft a budget, funding for security is given last priority. Investing in security infrastructure should instead be the first step toward reducing the risk of the serious cyberattacks your business is prone to. To avoid falling into this trap, calculate your security expenses and then compare them with the loss your business may incur in the case of an incident.

8. Mishandling passwords

One in five employees shares their email password with co-workers [2]. When considering data security, it is important that passwords are not mishandled or shared, even with trusted co-workers. Refrain from using weak or default passwords as well. Password management should also be part of your security policy.
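A policy against weak or default passwords is only enforceable if something checks candidate passwords at the moment they are set. The following added example (not code from the original post) implements a minimal checker: minimum length, a block list of common and vendor-default passwords, a character-class requirement, and a rule against embedding the username. The `COMMON_DEFAULTS` list and the sample passwords are constructed for illustration; a real deployment would check against a much larger list of known-breached passwords.

```python
"""Check candidate passwords against a small written policy before accepting them.

Added example, not part of the original post. The block list below is a
constructed sample, not a complete list of default credentials.
"""
import re
from typing import List

# Constructed sample of vendor defaults and common choices (hypothetical list).
COMMON_DEFAULTS = {
    "password", "password1", "admin", "123456", "12345678",
    "qwerty", "letmein", "welcome", "changeme", "default",
}

MIN_LENGTH = 12
MIN_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol classes the password uses."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def assess_password(password: str, username: str = "") -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("common or vendor-default password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no policy rule is violated."""
    return not assess_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs, paired with the username they would belong to.
    samples = [("admin", "admin"), ("Password1", "jsmith"),
               ("jane.doe2024!!", "jane.doe"), ("Tr0ub4dor&3-Quartz!", "jsmith")]
    for pw, user in samples:
        verdict = assess_password(pw, user) or ["ok"]
        print(f"{user:10} {'*' * len(pw):22} {'; '.join(verdict)}")
```

Returning the list of violations rather than a bare yes/no lets the account-creation form tell the employee which rule was broken, which is what makes the policy stick.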

9. No termination procedure

Most small and medium business organizations do not follow a comprehensive procedure for staff termination. When employees are terminated, their email accounts continue to exist, and the same credentials still grant access to the data. There is every possibility that such employees may try to misuse the data or intrude into the systems for their own malicious ends.
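The gap described above closes only when offboarding is a repeatable procedure rather than a memory exercise. The following added example (not code from the original post) runs an offboarding pass over a constructed account inventory: accounts known only to the departing person are disabled, and shared credentials that person also knew are flagged for rotation. The `Account` type, the inventory, and the names in it are all assumptions made for illustration; a real version would read from the systems the company actually uses.

```python
"""Offboarding pass over an account inventory.

Added example, not part of the original post. The inventory is a constructed
sample; the Account type is a hypothetical stand-in for whatever directory or
password vault the business really uses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Account:
    system: str
    username: str
    holders: Set[str] = field(default_factory=set)  # people who know this credential
    active: bool = True
    needs_rotation: bool = False


def offboard(inventory: List[Account], departing: str) -> Dict[str, List[str]]:
    """Disable personal accounts of the departing person; flag shared ones for rotation.

    A shared credential cannot simply be disabled without cutting off the remaining
    holders, so it is kept active but marked for a password change and the departing
    person is removed from its holder list.
    """
    report: Dict[str, List[str]] = {"disabled": [], "rotate": []}
    for acct in inventory:
        if departing not in acct.holders:
            continue
        key = f"{acct.system}:{acct.username}"
        if acct.holders == {departing}:
            acct.active = False
            report["disabled"].append(key)
        else:
            acct.holders.discard(departing)
            acct.needs_rotation = True
            report["rotate"].append(key)
    report["disabled"].sort()
    report["rotate"].sort()
    return report


def build_sample_inventory() -> List[Account]:
    """Constructed inventory for a small firm (names and systems are made up)."""
    return [
        Account("email", "alex@example.test", {"alex"}),
        Account("crm", "alex", {"alex"}),
        Account("vpn", "alex", {"alex"}),
        Account("social-media", "company-page", {"alex", "sam"}),
        Account("router", "admin", {"alex", "sam", "pat"}),
        Account("email", "sam@example.test", {"sam"}),
    ]


def demo() -> Dict[str, List[str]]:
    """Offboard 'alex' from the sample inventory and return what was done."""
    inventory = build_sample_inventory()
    return offboard(inventory, "alex")


if __name__ == "__main__":
    for action, keys in demo().items():
        print(action, keys)
```

The report is the audit trail: keep it with the termination record so someone can later confirm that every credential the departing employee knew was either disabled or changed.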

10. Relying on consumer grade products

While it is convenient not to have to rely on the office for devices, it is important to first check whether the computer being used is secure. Due to a lack of sufficient funds, you may also be forced to rely on consumer-grade products, compromising security in a way that may later lead to major damage. Rather than waiting for an unforeseen incident, hire professionals who can handle network, system, and endpoint security.

Preparing for data security does not solely mean installing more technical infrastructure or antivirus software. It is about understanding security requirements and taking appropriate measures to combat attacks. Many times, a major loss can be prevented by avoiding simple mistakes such as the ones listed above and by implementing day-to-day security policies. Small and medium organizations are now looking for network defenders who can perform network security management. A network defender can defend the organization from external and internal intrusions and identify potential threats that penetrate the organization’s systems or network. EC-Council offers the Certified Network Defender (C|ND) program, which focuses on creating network professionals who are trained to protect, detect, and respond to threats on the network. For more information about the program, you can follow this link: https://www.eccouncil.org/programs/certified-network-defender-cnd/.


[1] https://www.infosecurity-magazine.com/news/equifax-has-spent-nearly-14bn-on-1/

[2] https://www.zdnet.com/article/one-in-five-employees-share-their-email-password-with-co-workers/