Cybersecurity is a massive deal for small businesses. Every 39 seconds, there’s a cyberattack somewhere, and small businesses are often prime targets. Why? Because hackers assume smaller companies won’t have top-notch security. But don’t worry—there’s plenty you can do to protect your business. Let’s dive into actionable tips to keep your business safe in 2025.

Introduction: The Cybersecurity Triad

Cybersecurity revolves around three main principles: Confidentiality, Integrity, and Availability. In simple terms, this means keeping data private, making sure it’s accurate, and ensuring it’s accessible only when needed. Nail these, and you’re on your way to a secure business.

Most Common Cybersecurity Threats.

Email Spoffing

What Are DMARC, DKIM, and SPF?

DMARC, DKIM, and SPF are email authentication protocols designed to protect your domain from email spoofing and phishing attacks. They ensure that only authorized servers can send emails on your behalf and that recipients can verify the legitimacy of the emails they receive. By implementing these protocols, businesses can secure their email communication, reduce the risk of fraud, and boost the deliverability of their messages.

How to Filter Corporate Emails: DMARC, DKIM, and SPF

One of the most effective ways to filter and secure corporate emails is by implementing DMARC, DKIM, and SPF. These email authentication protocols work together to protect your domain from being used in phishing or spoofing attacks.

• DMARC (Domain-based Message Authentication, Reporting, and Conformance): Ensures that emails are properly authenticated and gives you control over how to handle unauthorized emails (e.g., reject, quarantine, or allow). It provides reports that help you monitor and improve email security.
• DKIM (DomainKeys Identified Mail): Adds a digital signature to your email headers, verifying that the message hasn’t been tampered with during transit. This boosts your email’s legitimacy and prevents spoofing.
• SPF (Sender Policy Framework): Allows domain owners to specify which mail servers are authorized to send emails on their behalf. This stops spammers from sending fake emails using your domain.

Why You Should Have These Active

• Prevent Email Spoofing: Hackers won’t be able to send fraudulent emails using your company’s domain.
• Increase Deliverability: Authenticated emails are less likely to be marked as spam, ensuring your emails reach the intended recipients.
• Strengthen Brand Trust: Customers and partners will trust that emails from your domain are legitimate.

How to Check If You Have DMARC, DKIM, and SPF Configured

• Use tools like MXToolBox's Email Tools to verify your domain’s authentication setup.
• Simply enter your domain name, and the tool will analyze your DMARC, DKIM, and SPF records, showing whether they are active and correctly configured.

By enabling and regularly auditing these protocols, you can significantly enhance your business’s email security and protect your domain from being exploited.

Outdated Software

Old software is like an open door for hackers. Updates patch vulnerabilities, so skipping them can leave your systems exposed.

Outdated software is a significant security risk for small businesses. In November 2024, Microsoft's Patch Tuesday addressed 91 vulnerabilities, including four zero-day vulnerabilities—two of which were actively exploited.

Managing Patching for Your Business:

Automate Patch Management: Utilize automated tools to ensure timely updates across all systems, reducing the risk of human error.

Effective patch management is crucial for maintaining the security and functionality of your business's IT infrastructure.Several reputable companies offer comprehensive patch management solutions to help businesses automate and streamline this process.Here are three notable providers:

NinjaOne: NinjaOne offers a cloud-based patch management solution that automates the deployment of patches across Windows, macOS, and Linux systems.It supports over 135 different software packages, providing a centralized platform for managing updates and ensuring systems remain secure and up-to-date.

ManageEngine Patch Manager Plus: This tool provides automated patch management for Windows, macOS, and Linux operating systems, as well as over 850 third-party applications.It offers features like automatic patch deployment, compliance management, and detailed reporting to help businesses maintain robust security postures.

Heimdal Patch & Asset Management: Heimdal's solution focuses on automating the patching process for both Microsoft and third-party applications.It provides real-time visibility into software vulnerabilities and allows for seamless deployment of patches, helping businesses reduce the risk of exploitation.

Implementing a reliable patch management solution from providers like these can significantly enhance your organization's cybersecurity defenses by ensuring that all systems and applications are promptly updated with the latest security patches.

1. Prioritize Critical Updates: Focus on applying patches for vulnerabilities that are actively exploited or have high severity ratings.
2. Test Patches Before Deployment: Implement patches in a controlled environment to identify potential issues before a full rollout.
3. Maintain an Inventory of Assets: Keep an up-to-date list of all hardware and software to ensure no system is overlooked during updates.
4. Educate Employees: Train staff on the importance of updates and establish protocols for reporting issues related to patching.

By proactively managing software updates, small businesses can significantly reduce their exposure to cyber threats.

Weak or Reused Passwords

Using "123456" as your password? Bad idea. Hackers love weak or reused passwords—they’re an open invitation to breach your accounts.
Weak or reused passwords are a significant vulnerability for small businesses. According to NordPass's 2023 report, the top five most common passwords globally still are:

1. 123456

2. password

3. 123456789

4. guest

5. qwerty

These simple and predictable passwords can be cracked in less than a second, leaving your business exposed to cyber threats.

Strategies for Creating Strong Passwords:

Use a Password Manager: Password managers generate and store complex, unique passwords for each of your accounts, reducing the risk of password reuse and simplifying password management.

Creating strong, secure passwords doesn't have to be complicated. One simple yet effective strategy is the Three Random Words Method combined with special characters, numbers, and capitalization. Here's how you can create a robust password using this technique:

The Three Random Words Method

1. Choose Three Random Words:
   Select three unrelated words that are easy for you to remember but difficult for others to guess. For example:
   • Tree
   • Rocket
   • Cookie
2. Add Complexity:
   • Insert special characters (e.g., !, @, #) between the words: Tree@Rocket#Cookie.
   • Use numbers for additional security: Tr33@R0ck3t#C00kie.
   • Add capitalization for randomness: Tr33@r0Ck3T#c00kIe.
3. Make it Unique:
   Avoid using words or patterns related to your name, birthdate, or commonly known details.

Why This Works

• Length: Passwords with 12+ characters are significantly harder to crack.
• Unpredictability: Random words combined with numbers and symbols make it difficult for attackers using dictionary or brute-force attacks.
• Memorability: Three words are easier for humans to remember than a string of random characters but still strong enough to resist attacks.

By combining a logical approach like the three-word method with tools like password managers, you can create and maintain secure passwords without unnecessary complexity. Periodically changing passwords and avoiding the reuse of old ones can help protect against potential breaches.

Implementing these practices can significantly enhance your business's cybersecurity posture, safeguarding sensitive information and maintaining the trust of your clients..

Weak Data Disposal: How to Dispose of Data Securely

Improper data disposal can lead to unauthorized access, data breaches, and compliance violations. Here are three effective ways to ensure secure data disposal for your business:

1. Data Wiping

• What It Is: Completely erasing data from devices so it cannot be recovered.
• How to Do It:
  • Use specialized software like DBAN (Darik's Boot and Nuke) or Blancco to overwrite the storage device multiple times.
  • For individual files, tools like Eraser or Secure Delete can securely wipe them from your system.
• Why It’s Secure: Proper wiping ensures that deleted data is permanently unrecoverable, even with advanced recovery tools.

2. Physical Destruction

• What It Is: Physically destroying storage devices to render them unusable.
• How to Do It:
  • Shred hard drives, CDs, or USB drives using industrial shredders designed for electronics.
  • Drill holes through the storage platters of hard drives or use specialized degaussers to demagnetize and destroy data on the device.
• Why It’s Secure: Physical destruction leaves no chance for data recovery, making it ideal for high-sensitivity data.

3. Certified Disposal Services

• What It Is: Outsourcing data disposal to professional vendors who specialize in secure destruction.
• How to Do It:
  • Partner with a certified e-waste or data disposal company compliant with standards like ISO 27001 or NIST 800-88.
  • Request a Certificate of Destruction for accountability and proof of compliance.
• Why It’s Secure: These services follow strict protocols to securely dispose of devices and ensure compliance with data protection regulations.

By adopting these methods, your business can minimize the risk of data leaks and maintain compliance with regulations like GDPR or HIPAA.

Lack of Training

Employees can unintentionally be your weakest link. If they don’t know how to spot phishing emails or handle sensitive data, they’re putting your business at risk.

No Response Plan

Thinking “it won’t happen to us” isn’t enough. Every business needs a plan for when—not if—a cyber incident occurs.

Not having a response plan is like driving without a seatbelt—you hope nothing goes wrong, but when it does, the consequences can be catastrophic. A well-documented incident response plan is critical for minimizing the impact of cyberattacks. It should outline clear steps for identifying, containing, and recovering from incidents like ransomware, malware, or data breaches. Without a plan, businesses risk prolonged downtime, financial loss, and reputational damage. Regularly testing and updating the plan ensures your team is prepared to respond swiftly and effectively when an attack occurs. Don’t wait for disaster—prepare for it.

Cybersecurity Checklist

What Is Your Password Policy?

Are You Using Strong Passwords, Password Managers, and Biometrics?

Encourage strong passwords with uppercase, lowercase, numbers, and special characters. Use a password manager to keep things secure and convenient. Add biometrics like fingerprints for an extra layer of security.

Are You Enforcing MFA on All Applications?

Multi-Factor Authentication (MFA) ensures that even if a password is compromised, hackers can’t access your accounts without a second verification step.

Not Everyone Needs Admin Permissions

Have a Standard Account and an Admin Account for Users Who Need It

Limit admin rights. Employees should only have access to what they need to do their job. Create separate admin accounts for higher-level tasks.

Is Your Software Up to Date?

How Are You Managing Updates and Enforcing Them?

Automate updates where possible. Don’t let employees delay installing them.

Are You Installing Optional Updates?

Optional updates often include important security patches. Don’t ignore them.

Need to Update Firmware on All Devices, Not Just Computers

Routers, printers, and IoT devices also need firmware updates to stay secure.

What Antivirus Are You Using?

Is Free Antivirus as Good as Paid?

Free antivirus might cover the basics, but paid options provide better protection and advanced features like ransomware prevention.

Are You Using Email Filtering?

How Are You Filtering Emails to Your End Users?

Use spam filters and tools to block malicious emails before they reach inboxes.

Do You Have an Incident Response Plan?

Don’t Have the “It Will Be Grand” Mentality

Prepare for worst-case scenarios. Hope is not a strategy.

Backups: 3, 2, 1 Rule with Immutable Backup and Shadow Copies

Keep three copies of your data on two different media types, with one stored off-site. Use immutable backups to prevent tampering.

Create a Response Plan

• Ransomware: Decide in advance whether you’ll pay (hint: try not to).
• Malware: Isolate infected devices immediately.
• Recovery: Test your backups regularly to ensure you can restore data when needed.

Invest in Upgrades, Avoid Technical Debt

Outdated systems are a liability. Plan and budget for upgrades to avoid running end-of-life software exposed to the internet.

Training, Training, Training

What training are you providing to staff? Regularly educate employees on phishing, social engineering, and best practices for data security.

Networking

Avoid Using Public Wi-Fi

Public Wi-Fi can be a hacker’s playground. Use a VPN if you must connect.

Disable Bluetooth When Not in Use

Bluetooth connections can be exploited if left open. Turn it off when unnecessary.

Pen Testing

Are you testing your public-facing services? Tools like PenTest Tools can simulate attacks to find vulnerabilities.

Access Controls

Firewall Rules: Review, Update, and Maintain

Make sure your firewall policies are up-to-date and effective against modern threats.

Group Policies

Implement the least privilege principle. Regularly review and update group policies to ensure users only have access to what they need.

Cybersecurity Tips for Small Business

• Use MFA for all critical systems.
• Regularly back up data using the 3-2-1 rule.
• Train employees to recognize cyber threats.
• Update all software, including firmware on non-computer devices.
• Implement email filtering and strong password policies.
• Invest in regular penetration testing for public-facing systems.

FAQs About Cybersecurity for Small Business

Q: What’s the best way to manage passwords?
A: Use a password manager to generate and store complex, unique passwords securely.

Q: Should I use free antivirus software?
A: Free antivirus is better than nothing, but paid options provide stronger and more comprehensive protection.

Q: How often should I back up my data?
A: Follow the 3-2-1 rule and back up critical data at least daily.

FAQs About JimGogarty.com

Q: What topics does Jim Gogarty cover?
A: Jim Gogarty specializes in cybersecurity, technical support, and IT infrastructure for small and medium businesses.

Q: How can I stay updated on Jim’s cybersecurity tips?
A: Visit jimgogarty.com for blog updates or follow Jim on LinkedIn.

Cybersecurity doesn’t have to be overwhelming. By implementing these practical tips, you’ll safeguard your small business against the ever-evolving cyber threats of 2025. Remember, a little prevention goes a long way!