Running a business requires a lot of determination and sometimes a leap of faith. Every day brings a new challenge, and many times it can feel like the stress and uncertainty are too much. That’s when you remind yourself why you took the leap—the satisfaction of realizing your own vision—and you keep going.
With that kind of commitment, your business can almost feel like a second home. And just like you protect your physical home with an up-to-date security system and sturdy locks, it’s critical to modernize cybersecurity for your business. Forty-three percent of all cyberattacks now target small businesses, and sadly, 60 percent of those businesses will permanently close their doors within six months of the attack.1 Those are staggering statistics, and they’re why we chose to include Microsoft Defender for Business with every subscription to Microsoft 365 Business Premium—because every business deserves access to enterprise-grade comprehensive security.
It’s always our ambition to make technology an equalizer, to enable a small business to compete with a larger business with the power of technology and close that gap.
—Brad Smith, Vice Chair and President at Microsoft
As part of Cybersecurity Awareness Month, Microsoft President Brad Smith joined the Administrator of the United States Small Business Administration (SBA), Isabella Casillas Guzman, at the inaugural Small Business Cyber Summit in October 2022 for an intimate fireside chat. The two discussed how small and medium-sized businesses (SMBs) can strengthen their cybersecurity capabilities on a limited budget. With that goal in mind, I’d like to extend an invitation for a free security evaluation consultation to learn where your business might be able to increase protection. In addition, this blog presents five simple actions that can help any business protect against cyberattacks—starting today.
1. Monitor everything around the clock
During his talk with Administrator Guzman, Brad Smith highlighted how moving to cloud-based security gives your business an edge in terms of making protection one less thing to worry about. “If everybody’s just trying to run their software on their own hardware in their own four walls, it means you have to do everything to maintain that hardware,” Brad Smith explained. “Whereas if you move to the cloud, that becomes our problem.”
The Microsoft Cloud currently tracks and analyzes 43 trillionthreat signals daily.2 That includes 35 ransomware families, and more than 250 unique nation-states, cybercriminals, and other threat actors. That enormous breadth and depth of protection are built into Microsoft 365 Business Premium. It delivers enterprise-grade protection against viruses, spam, unsafe attachments, suspicious links, and phishing attacks. You’ll also get constant protection against ransomware and malware attacks across your devices, along with antivirus and endpoint detection and response capabilities built in. That way, you can focus on making your business a success rather than chasing down cyberthreats.
2. Update the locks
Break-ins in the neighborhood often give us the push we need to replace any worn-out locks or add a security light (or two). Similarly, protecting your business from cyberattacks starts with one simple step—updating your existing systems. Microsoft and other technology companies release updates on Patch Tuesday (the second Tuesday of each month, beginning at 10:00 AM PT), or whenever vulnerabilities are detected. “These [updates] are available free of charge,” Brad Smith emphasized. “But make sure your computers are configured so that they’re downloaded. That’s one of the most important things that people can do to protect themselves.”
Also, make sure your business maintains an up-to-date IT inventory. With the move to remote and hybrid work, the phenomenon of bring-your-own-device (also referred to as “BYOD”) is now common. Using more devices, especially from home networks, creates a larger attack surface with more endpoints and potential vulnerabilities. As part of Microsoft 365 Business Premium, Defender for Business has threat and vulnerability management built-in, allowing you to secure multiple devices with a single tool.
Businesses can further protect themselves with regular data backups. Ransomware attacks increased by 300 percent in 2021.3 The phenomenon of ransomware as a service (RaaS) shows that bad actors are now confident enough to take their operations retail, much like a legitimate business.4 But ransomware attacks against your business data can be thwarted by regularly creating backup copies of your important files. Automating your backups according to a set schedule can help your business maximize limited resources while avoiding potential human errors.
3. Hide your keys well
Most of us keep a spare house key hidden under a rock or potted plant, but everyone knows better than to put the key under the mat. It’s the same way with passwords: if it’s easy, someone will find it. “It shouldn’t be ABC123,” as Administrator Guzman summed it up. But a recent survey found that among the most common passwords still in use, “password” and “Qwerty” are at the top of the list.5 In every cybercriminal’s toolkit today is a kind of brute force attack known as password spray.6 Simply put, an attacker acquires a list of accounts and runs through a long list of common passwords attempting to get a match. Since most businesses have a naming standard for employees (for example, [email protected]), adversaries can often get halfway in your door just by using the information found on your website.
Popular internet browsers such as Microsoft Edge come with a built-in password generator that will create—and remember—a secure password for you. Or your business may choose to eliminate passwords entirely with a solution like Windows Hello or FIDO2 security keys that let users sign in using biometrics or a physical key or device. Short of going passwordless, multifactor authentication, also known as two-factor authentication, is your best bet to generate secure access for your business. Multifactor authentication requires users to verify their identity through an additional factor, such as a one-time password (OTP) sent over email or text message. Other verification factors include answering personal security questions or using face or voice recognition.
4. Don’t open the door to just anyone
There’s a reason for the popularity of video doorbells—it’s simply unwise to open the front door without knowing who’s on the other side. For the same reason, every business should stay up-to-date on the latest phishing scams and social engineering scams that bad actors use to seek entry into your business. In 2022, the most common causes of cyberattacks are still malware (22 percent) and phishing (20 percent).7 Threat actors have figured out that people are the weak link—85 percent of breaches now involve a human element—and are ramping up the frequency and sophistication of their attacks.8 However, most phishing emails still rely on recognizable “hooks” that we can all learn to spot, such as:
- Request for user credentials or payment Information. Never click the link. Instead, type the business’ URL into your browser and go to your account directly.
- An unfamiliar tone or greeting. Phishing emails are often created offshore, so look for irregular syntax or tone that’s too formal, too familiar, or an odd mix of both.
- Grammar and spelling errors. Legitimate businesses take time to proofread their emails before sending them.
- Inconsistent email address or a “lookalike” domain name. A phishing email address or domain will usually be slightly off (for example, microsotf.com instead of microsoft.com).
- Threats or a sense of urgency. Scammers often try to scare you into clicking the link with headlines like: “Update your account information now or lose access!” If in doubt, type the URL in your browser and go to the site directly.
- Unrequested attachments. If you weren’t expecting an email from this sender, don’t click the attachment. Instead, open a new email (don’t respond) and inquire if the email and attachment are genuine.
When you receive a phishing email (we all do), remember to report it. In Microsoft Outlook for business, just select the suspicious message and choose Report from the top ribbon, then select Phishing. This will remove the message from your inbox and help us block more suspicious emails. Both Defender for Business and Microsoft Defender for Office 365 Plan 1 provide protection against advanced phishing, malware, spam, and business email compromise.9 Both come with built-in policies to get you up and running quickly, including simplified wizard-based onboarding for your Windows devices, servers, and apps.10
5. Stay informed about how to prevent break-ins
Local police and neighborhood watch groups often work together to educate residents about break-ins and how they can better protect their homes. No matter the size of your business, there are cybersecurity resources available to you as well.11 The SBA offers best practices for preventing cyberattacks,12 including a cybersecurity planning tool13 and ongoing virtual and in-person cybersecurity events14 for your area. Even if your only employee is yourself, cybersecurity training shouldn’t be looked upon as a one-and-done task. Threat actors are constantly learning and updating their skills, and so should we.
Microsoft virtual security training for SMBs and the Microsoft Small Business Resource Center help SMBs arm themselves with the knowledge to prevent phishing attacks, safeguard remote devices, and protect against identity theft. Our SMB security trainings also present strategies for how to stay safe when working on-site and from home, including how to collaborate with colleagues more securely. As Brad Smith put it during his talk with Administrator Guzman, “At the end of the day, [cybersecurity] becomes a little bit like a seatbelt: we know it saves lives, but you do have to put it on.”
Microsoft is here for you
The underlying theme of Brad Smith’s talk for SMBs can be summed up in a few words—Microsoft has your back. Small businesses represent more than 99 percent of the United States economy, so we’re all in this together.15 Be sure to take advantage of Microsoft’s free security consultation, which includes actionable, data-driven insights into the security vulnerabilities in your environment.
To learn more about cost-effective, easy-to-use security solutions, visit Security for your small or medium-sized business and find out how a Microsoft 365 Business Premium subscription can provide comprehensive security that’s optimized for SMBs (up to 300 users), or get Microsoft Defender for Business as a standalone device security solution. Both solutions integrate with Microsoft 365 Lighthouse; that way, Microsoft Cloud Solution Provider (CSP) partners can easily view security incidents across tenants in a unified portal. Whatever your budget and wherever your vision leads, we’re here to help you move forward—fearlessly.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Why small businesses are vulnerable to cyberattacks, Linda Comerford, May 25, 2022.
2Cyber Signals: Defend against the new ransomware landscape, Microsoft. August 22, 2022.
3DHS secretary warns ransomware attacks on the rise, targets include small businesses, Luke Barr. May 6, 2021.
4Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft. May 9, 2022.
5These are the 20 most common passwords leaked on the dark web—make sure none of them are yours, Tom Huddleston Jr. February 27, 2022.
6Protecting your organization against password spray attacks, Microsoft. April 23, 2020.
750 Phishing Stats You Should Know In 2022, Caitlin Jones. September 7, 2022.
8Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Chuck Brooks. June 3, 2022.
9Microsoft launches Defender for Business to help protect small and medium businesses, Microsoft. May 2, 2022.
10Server security made simple for small businesses, Jon Maunder. November 8, 2022.
11Shields Up guidance for all organizations, CISA.
12Strengthen your cybersecurity, SBA.
14Find cybersecurity events, SBA.
15How Small Businesses Drive The American Economy, Martin Rowinski. March 25, 2022.