Written by Lee Stauss, Vice President of Cyber Risk Engineering at Sompo.
Virtually every small and medium-sized business (SMB) needs a minimum level of cybersecurity controls to operate and succeed. Maintaining fundamental cyber hygiene not only helps protect your business, but it’s also a precondition for securing cybersecurity insurance.
A strong cyber hygiene program requires vigilance, consistent employee training, and adherence to key security practices. At the very least, your business should establish the following six safeguards:
- Use multi-factor authentication (MFA) everywhere: Whenever an employee or external party, such as a vendor, accesses hardware, software, or services connected to your business, they should be required to log in with at least two forms of authentication. In practice, this means every login requires a username, password, and another “factor” such as a fingerprint scan, hardware security key, or code provided by text or an authenticator app. It’s especially important to establish MFA for email, cloud platforms, and VPNs. MFA is the most effective safeguard against credential attacks. In addition, every business should implement a password management solution to enable employees to generate, store, and use unique passwords.
- Use Multi-Factor Authentication (MFA): Multi-Factor Authentication (MFA) requires users to log in with at least two forms of identification, such as a password plus a fingerprint scan, hardware security key, or a code from an authenticator app. This adds a strong layer of security beyond just a username and password. To effectively reduce the risks of lateral movement and initial access by attackers, MFA should be focused on critical points like all privileged accounts, command line tools often used by attackers, and remote access tools such as VPNs and remote desktop connections. By enforcing MFA on these high-risk access points, organizations can greatly reduce the chances of unauthorized access and limit attackers’ ability to move within the network.
- Close unused open ports: Ports are the numbered network endpoints through which applications such as email and web services send and receive traffic. Open ports are necessary for legitimate network activity, but each one is also a potential entry point for cyberattacks. You can reduce your network’s exposure by regularly scanning for open ports and closing every one that is not needed.
- Encrypt sensitive data: Encryption renders data unreadable to unauthorized parties, and therefore effectively useless to cybercriminals. While attackers may still access and exfiltrate data, if the data is encrypted (and the encryption keys are not compromised along with it), they won’t be able to sell or expose your company’s information and communications. Encryption is especially essential for financial, legal, and healthcare organizations that hold highly regulated data.
- Back up your data: Every organization should develop a layered approach to data and system backups that includes frequent, secure, and offsite backups. Test backups regularly to ensure that operations can be quickly restored if an attack compromises both your systems and data. Rapid recovery is especially important for businesses that can incur substantial losses with every hour of downtime – such as manufacturers and logistics companies. Insurance carriers require that backups exist, are segmented, and are tested frequently.
- Limit record counts whenever possible: Many types of businesses, such as retailers and healthcare providers, collect vast amounts of data, including personally identifiable information (PII). Unfortunately, as organizations add more records, they become bigger targets for cybercriminals. While every organization must retain certain records for operational and legal reasons, you can also reduce cyber risks by purging all unneeded records.
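The port-audit step above is easy to turn into a repeatable check. As an added example (not from the original article or from Sompo), the Python script below parses constructed sample output in the format of the Linux `ss -tulnp` command, compares each listening socket against an allowlist of ports the business actually needs, and reports everything else, distinguishing loopback-only listeners (reachable only from the host itself) from externally reachable ones that should be closed or firewalled first. The sample output, the process names and the default allowlist are assumptions for illustration, not data from any real host.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tulnp` on Linux (assumption: not a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=950,fd=21))
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1410,fd=11))
tcp   LISTEN 0      5      0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1555,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=1602,fd=8))
"""

# Ports the business has decided it needs (assumption for illustration): SSH and HTTPS.
DEFAULT_ALLOWLIST = {("tcp", 22), ("tcp", 443)}

# Addresses that only accept connections from the local host itself.
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    address: str   # local bind address, e.g. "0.0.0.0" or "127.0.0.1"
    port: int
    process: str   # process name reported by ss, or "unknown"


def parse_ss_output(text):
    """Turn `ss -tulnp` style output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, state, local = parts[0], parts[1], parts[4]
        # TCP sockets waiting for connections show LISTEN; bound UDP sockets show UNCONN.
        if state not in ("LISTEN", "UNCONN"):
            continue
        address, port = local.rsplit(":", 1)
        match = re.search(r'\("([^"]+)"', line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(proto, address, int(port), process))
    return listeners


def audit_listeners(text, allowlist=DEFAULT_ALLOWLIST):
    """Return every listening socket not on the allowlist, with its exposure classified."""
    findings = []
    for listener in parse_ss_output(text):
        if (listener.proto, listener.port) in allowlist:
            continue
        if listener.address in LOOPBACK_ADDRESSES:
            exposure = "loopback-only"
        else:
            exposure = "externally reachable"
        findings.append({
            "proto": listener.proto,
            "port": listener.port,
            "process": listener.process,
            "exposure": exposure,
        })
    return findings


def externally_reachable(findings):
    """Subset of findings that deserve attention first: close the service or firewall the port."""
    return [f for f in findings if f["exposure"] == "externally reachable"]


if __name__ == "__main__":
    results = audit_listeners(SAMPLE_SS_OUTPUT)
    for f in results:
        print(f"{f['proto']}/{f['port']:<5} {f['process']:<8} {f['exposure']}")
    print(f"{len(externally_reachable(results))} externally reachable port(s) need action")
```

On a real host you would feed the script the live output of `ss -tulnp` instead of the constructed sample, and keep the allowlist under change control so that a new listener shows up as a finding rather than silently becoming "normal".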
Cyber hygiene can also be enhanced by clear, consistent communications and strong commitments throughout your organization. Your company should communicate regularly with employees, vendors, and suppliers about cybersecurity practices.
In addition, precisely documenting your cybersecurity practices in insurance applications and renewals can improve your company’s position in the underwriting process. Whenever possible, include comments about your cybersecurity practices on an application or renewal, rather than just checking a box.
Maintaining sufficient cyber coverage should also be considered a cornerstone of cyber risk management. Together, cyber hygiene and cybersecurity coverage provide your best defense in preventing and recovering from cyberattacks.
Many insurers also closely partner with their clients to strengthen cybersecurity. At Sompo, we help connect insureds with trusted cybersecurity vendors for cybersecurity strategy, monitoring, employee training, response planning, and recovery. With the right guidance and strategy, every business can take cost-effective steps to strengthen their cyber defenses.
Look out for our next cyber risk article, where we’ll take a deeper dive into the ways that insurers can serve as key partners in supporting your cyber resilience.
About Sompo
We are Sompo, a global provider of commercial and consumer property, casualty, and specialty insurance and reinsurance. Building on the 135 years of innovation of our parent company, Sompo Holdings, Inc., Sompo employs approximately 9,500 people around the world who use their in-depth knowledge and expertise to help simplify and resolve your complex challenges. Because when you choose Sompo, you choose The Ease of Expertise.™
"Sompo" refers to the brand under which Sompo International Holdings Ltd., a Bermuda-based holding company, together with its consolidated subsidiaries, operates its global property and casualty (re)insurance businesses. Sompo International Holdings Ltd. is an indirect wholly-owned subsidiary of Sompo Holdings, Inc., one of the leading property and casualty groups in the world. Shares of Sompo Holdings, Inc. are listed on the Tokyo Stock Exchange.