Cybersecurity Challenges For (Remote) Leaders: Strategies to Protect Your Small Business
It feels like every week I come across another article about a large organization falling victim to a cyberattack.
While those headlines grab a great deal of attention, what often goes unnoticed is how small businesses are just as vulnerable. They may not make the news, but small businesses are getting hit hard, too.
The reality is threat actors don't just target large enterprises anymore. In fact, small businesses might be more at risk today, says Spencer Hogan, Business Development Manager for Afidence. Afidence is a family-owned IT consultancy that augments enterprises with emotionally intelligent and technically versatile consultants in cybersecurity, cloud infrastructure, and software.
“Larger organizations typically have security roadmaps, tools, and professionals in place, while small businesses often invest little to no resources in security,” explains Spencer. With the recognition that cybersecurity is critical for remote and hybrid teams today, I interviewed Spencer to learn more about what small businesses can do to protect themselves. Keep reading to see some of the top takeaways from our conversation with Spencer.
Start With Acknowledging Your Risk
One place to start in this ongoing process is becoming more aware of your risk. Unfortunately, small businesses today often underestimate their risk of a cyberattack.
Spencer explained that affordable tools are available, such as security applications from Microsoft and Google. Many small businesses are already paying for these tools and just need to make better use of them.
Spencer’s strategy: the key is to think of security as a spectrum rather than a black-and-white concept. “Ask yourself, ‘How secure are we?’ and ‘What systems in our organization are most critical to safeguard?’ It's impossible to be 100% secure, but it is possible to reduce risk. As a small business leader, you must decide how much risk you're comfortable with,” he says.
For cyber threat actors, it's a numbers game. It may take little to no time to break into a company's accounting system if they aren't leveraging any tools to safeguard their assets.
Evaluate Your Critical Assets
Next, you’ll want to determine which assets in your organization are most critical to protect. “For example—one of the worst systems a threat actor can access is your accounting software and P&L. That gives them visibility to exactly how much money they can demand from you as well as block pay to employees or vendors. Build a cybersecurity plan around protecting critical assets such as that,” explains Spencer.
Given the risks and challenges that (remote) leaders face, Spencer explains that some initial practices can help teams stay more secure. Here are 5 that Spencer shares to help your team get started on this journey:
1. Build a Security Roadmap: The best way to secure your remote workforce is to have a firm conduct a security audit (which is different from a Penetration Test) and provide recommendations for short-term and long-term changes, explains Spencer. “Remember, security is a spectrum. As your organization grows and you have more resources to invest in security, you can reduce more risk.”
2. Educate Your Workforce: One of the biggest misconceptions about cybersecurity is that cyber-attacks are caused by insufficient technology. “This is not true. In fact, 90-95% of cyber attacks are caused by human error. People make mistakes all the time, and all it takes is clicking a link in a bad email or accidentally posting proprietary information into ChatGPT to expose your company to significant risk,” explains Spencer. Aim to create a culture where you seek to equip and educate your workforce on an ongoing basis.
3. Stop Phishing Emails: Phishing emails are the most common way attackers break into companies, so make sure you’re taking steps to combat this issue. “There are various types of phishing emails, and there are affordable applications you can deploy in your organization to educate employees about phishing,” says Spencer. Again, this shows it comes down to team members being equipped to recognize these risks. For more information and up-to-date news related to this, you can visit cisa.gov.
4. Implement MFA: The closest thing we have to a “silver bullet” in cybersecurity is MFA (multi-factor authentication), says Spencer. In a remote workforce, all employees should be required to complete MFA to sign in—and that’s at minimum now. “You want to also implement policies that require employees to reset their passwords on email and other critical applications regularly. I recommend doing this at least once a quarter, but some experts suggest doing it monthly, which might not be feasible for everyone,” adds Spencer.
5. Cultivate a Security Culture: Last, but certainly not least, it comes down to short-term and long-term steps to create a culture that can uphold security. One of the biggest errors people make is not reporting security mistakes, explains Spencer. This may speak to human nature, but ideally, you take the time to foster a culture where team members feel safe enough to be vulnerable and speak up if they suspect something may be an issue. Strive to create a culture that doesn’t shame your employees for making mistakes and instead promotes a place where team members are encouraged to learn more about all the risks that are present today. “Encourage [team members] and provide a clear point of contact for them to report any potential security issues. The quicker your employees report issues, the less at risk your organization is to bad actors,” says Spencer.
More About Spencer Hogan
Spencer Hogan is the Business Development Manager for Afidence, a family-owned IT consultancy that augments enterprises with emotionally intelligent and technically versatile consultants in cybersecurity, cloud infrastructure, and software. Spencer is also a dedicated husband to wife Meredith and a proud father to his son, Wesley. As an avid fan of the Cleveland Cavaliers and the Cincinnati Bengals, Spencer brings the same passion and enthusiasm to his professional life.
Learn More About Afidence
One of the things Afidence does is help small businesses with these steps, and many more beyond those mentioned in this blog post. “We understand that it can be challenging to convince business leaders to invest in security, and we can help with that,” says Spencer. No matter the size of your small business, there are simple, cost-efficient tools you might already be paying for that you can roll out to reduce cyber risk at your organization. Learn more today at afidence.com.