Cybersecurity for SMB: Fortifying Your Digital Perimeters
The Covid-19 pandemic thrust employees around the world into working from home. According to the 2021 American Community Survey by the US Census Bureau, the number of people working from home tripled from 5.7% to 17.9% between 2019 and 2021. Suddenly, people from all walks of life had access to company information and sensitive client data from the comfort of their own living rooms, and IT security teams had to evolve to keep up with the threat landscape. It is no coincidence, then, that cybersecurity became a huge issue in 2021, with ransomware attacks increasing by a staggering 150%. Cybersecurity threats are more frequent, sophisticated, and costly. Almost overnight, cybercriminals could access a wealth of personal data on home computer systems without cracking company servers.
Company automation and a tendency toward cloud-based servers have fueled cyberattacks. In some cases, cloud-based infrastructures manage entire supply chain services, systems, tools, and machinery, leaving companies vulnerable to cyberattacks. For businesses, the financial cost of a cyberattack could be devastating. In fact, financial damage resulting from data breaches cost companies USD $4.35 million in 2022, up from USD $4.24 million the previous year. More than half of surveyed IT decision makers have experienced a cyberattack in the last year alone, with an average of 6.7% of revenue lost due to data loss, IP loss, productivity loss, compliance, regulatory expenses, and other losses, including IT staff time.
Who is at risk of a cyberattack?
Cyberattacks that expose personal user data are especially damaging as they impact consumer trust. Theft of sensitive information is growing among businesses, healthcare providers, and government offices. In February 2023, California’s largest healthcare provider Sharp HealthCare informed 62,777 patients that their social security numbers, health insurance information, and medical records had been exposed. In the telecoms world, data service provider T-Mobile fell victim to a data breach for a second time in early 2023, with the information of 37 million customers accessed by hackers. Although the issue was discovered in January 2023, reports suggest that cybercriminals have had access to the company’s systems since November 2022.
It is not just large companies that are at risk of cyberattacks. As more information is stored on cloud systems, small and midsize businesses (SMBs) have also seen a jump in cybercrime. Business security is more important than ever, especially as SMBs often forgo adequate security measures due to budget restraints or denial that criminals would target their company information. In fact, only 14% of SMBs have implemented a cybersecurity plan. As data breaches can cost small businesses an average of USD $2.98 million, SMBs must increase their security systems and find ways to protect themselves against cybercrime.
What is a threat model?
Cyber threats are circumstances or events that negatively impact organizational operations, including function and reputation, assets, or individuals. These threats are carried out via unauthorized access to company information systems, and include the destruction or modification of sensitive information. Luckily, there are ways to reduce the risk of cyber threats.
Every business is different. SMB owners should evaluate their unique security and privacy risks and create a structured mitigation plan. Threat modeling is a strategic process that aims to identify company security requirements, pinpoint and quantify threats and vulnerabilities, and implement remediation efforts. Companies use threat modeling to become more aware of potential security threats and make plans to protect themselves.
During threat modeling analysis, company workers may adopt the perspective of malicious cybercriminals to assess the amount of damage they could cause. Company experts should analyze software networks, their unique business context, and user documentation for potential vulnerabilities. This in-depth but crucial process gives workers an insight into company systems and brings awareness to external threats. It also encourages workers to think outside the box and consider non-conventional ways company data could be compromised while acknowledging current security flaws.
Without threat modeling, employees would be oblivious to the cause of cyber threats within their company. Threat modeling is often conducted during system design stages, but it can also be implemented when systems are modified or updated. Although security threats are unique to each company, threat modeling usually consists of four vital stages:
Stage 1: Objectives
Here, company experts should consider the type of networks they have in place and which data they want to protect. At this stage, SMB owners may also consider their budget allocation for security measures.
Stage 2: Threats
Consider potential security threats from a hacker’s perspective. What information would cybercriminals want to find, and how would they access it? Company experts should identify design flaws and network vulnerabilities at this stage. Although companies should research typical security threats for their specific industry, hackers generally wish to get their hands on client data, company credentials, and financial information.
Stage 3: Mitigation
Once companies have identified potential data threats, they can work on eliminating them. In doing so, SMB owners should consider which security measures are currently in place and whether they need to change based on the findings from Stage 2.
Stage 4: Validation
The initial stages focus on identifying and mitigating potential threats. Once plans are in place, company experts should arrange regular inspections to ensure the measures are effective and regularly update their strategies.
How can users protect themselves?
Cybersecurity for small companies is more important than ever before. As the number of cyberattacks continues to grow, SMBs should consider implementing digital security measures. Here are some ways workers can protect themselves from cyberattacks both within the workplace and at home.
1. Enhance password security and utilize multi-factor authentication
Passwords are the most commonly used cybersecurity tools. Unfortunately, passwords are gold dust for hackers looking to access personal data such as online banking, email accounts, and medical information. As the average person has 150 online accounts, there is the possibility of so-called password fatigue. Forgetting and resetting passwords is often time-consuming and troublesome, meaning many people resort to using the same password for multiple accounts.
The consequences of a stolen password can be severe, especially for businesses. Victims of password theft may lose money, intellectual property, or even their hard-earned reputation. As cybercriminals now use increasingly sophisticated methods to steal passwords, companies should educate their staff on the importance of strong passwords.
Enabling hybrid work starts with secure access. Companies wishing to increase security may introduce multifactor authentication, going beyond the traditional method of a username and password. Multifactor authentication systems request a password and one other piece of information unique to the user, such as a PIN, a fingerprint, or facial recognition. For added security, Windows Hello for Business uses two-factor authentication consisting of biometric data that never gets saved to external servers. The latest advanced security from Windows 11 Pro has resulted in businesses reporting 2.8X fewer instances of identity theft. Biometric data is only stored on the device, meaning that hackers cannot steal it from a collection point like a server.
2. Implement security training and restrict data access for employees
Along with threat modeling, company employees should receive regular cybersecurity awareness training in security principles to avoid data breaches and remain compliant with security policies. Educating workers on the risks of cyberattacks will encourage them to set strong passwords and be mindful of how they share company data.
Furthermore, just because employees are part of the team does not mean they should have access to all areas of company networks. SMB bosses should consider which employees require access to certain information and limit access accordingly. Moreover, the authority to install software on company devices should be at the discretion of IT staff for network security protection.
3. Block physical attacks
Physical attacks involve theft or tampering to gain unauthorized access to networks or servers. Companies can reduce the risk of physical attacks by using secure locks and safes, increasing access controls, and securing ports and cables. In addition, staff should regularly monitor devices for obvious break-ins or tampering attempts.
Creating unique user accounts for each employee can reduce the impact of physical attacks on companies. Instead of a one-size-fits-all password system, controlling physical access to devices restricts the destruction caused by criminals.
4. Integrate software security measures
Most companies probably use some form of antivirus software, but what if a single computer system could offer complete security for the hybrid workplace? Windows 11 Pro with built-in Windows Defender provides advanced protection when opening files and websites from untrusted sources. The unique cloud-first design enables integration with Microsoft 365 and Microsoft Defender for Endpoint, delivers streamlined modern security management across diverse locations, and extends security to the cloud. As a staggering 99.6% of applications are compatible with Windows 11, users can conduct daily tasks knowing their cybersecurity is in safe hands.
5. Deploy the right devices
Choosing a secure, business-ready device is an essential step to running a successful business and empowering your teams to do their best work from anywhere. However, 80% of security decision-makers feel that software alone is not enough to protect them from cyberattacks. A computer’s operating system alone cannot shield it from sophisticated cybercriminals — it needs protection from chip to the cloud.
Microsoft’s hardware root-of-trust safeguards computer systems as the hardware turns on, loads firmware, and launches the operating system. Hardware root-of-trust runs performance checks on startup to detect malware targeting boot code. It also has a dedicated secure area away from the operating system and applications for storing precious cryptographic keys, data, and code. Hardware root-of-trust must meet two main security goals: the Trusted Platform Module (TPM) and Pluton.
Modern devices with Windows 11 Pro protect your business (and your budget) from the chip to the cloud, with tightly integrated hardware and software that help stop threats and prevent disruptive, expensive data breaches. Devices must fulfill specific security criteria to be regarded as a secured-core PC. Integrated Windows hardware delivers protection that utilizes existing hardware capabilities, such as Baseline Windows Security, a collection of Microsoft-recommended settings based on feedback from Microsoft security engineers. Baseline Windows Security leverages Trusted Platform Module 2.0 (TPM), offering a root of trust and hardware-based security functions. TPM chips are secure crypto-processors that assist in generating, storing, and limiting the use of cryptographic keys, which transform text into random characters only decipherable with a specific key. The TPM prevents malicious software from tampering with its security functions.
Pluton hardware security from Microsoft offers exclusive protection against hardware-based cyberattacks, including harmful rootkits and malware. Pluton is a secure crypto-processor with security at its core, protecting credentials, identities, personal data, and encryption keys. The advanced security processor is an integrated chip-to-cloud security technology that combines a secure subsystem with Microsoft-authored software. Pluton makes it difficult for hackers to remove information from a device even if malware is installed, offering an additional layer of protection.
Recent reports show that over 80% of companies have fallen victim to at least one firmware attack over the past two years. Acer Secured-Core PCs with Windows 11 Pro have higher security levels than standard devices and guard against sophisticated data breaches, providing additional security by isolating computer operating systems from firmware and hardware-level attacks. This makes them suitable for handling sensitive financial data, medical records, and other personally identifiable information. Critical data is protected at the core, so hackers cannot compromise the operating system even if they gain access to firmware or hardware.
6. Use encrypted emails for communication
Gaining access to company emails is every hacker’s dream. When emails are compromised, cybercriminals can send invoices or payment requests to unsuspecting clients and suppliers. They can also access confidential product information and financial data. The only way emails are secure is through encryption, which turns a message into scrambled ciphertext that only recipients with a private key can decipher. But often, standard encryption is not enough.
Microsoft Outlook supports two encryption options for maximum email security. The first, S/MIME encryption, requires senders and recipients to have a mail application such as Outlook that supports its function. The second, Microsoft 365 Message Encryption, requires senders to have a specific message encryption function. These security measures enable users to send encrypted emails to anyone, regardless of their email provider.
7. Establish secure connections
Password-protected Wi-Fi connections prevent unwanted users from accessing Wi-Fi networks and stealing personal information. Windows Wi-Fi conforms with industry-standardized authentication and encryption methods, ensuring internet safety even on public networks.
Windows 11 is equipped with a firewall for additional security. Microsoft Firewall prevents hackers or malicious software from creeping into computer systems through unsecured internet connections or networks.
Virtual Private Networks (VPN) encrypt an internet connection from one device to another, enhancing security and privacy online. Government organizations and businesses handling sensitive information use VPNs to protect against potential data interception. So-called business VPNs allow companies to connect their remote workers over a secure network where they can safely share company data and resources. In response to the amount of sensitive data distributed among coworkers daily, Windows 10 and 11 allow users to connect with VPNs via their PC, enabling a secure network wherever users choose to work.
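For the validation stage of threat modeling described earlier, the device-level measures in sections 5 and 7 (TPM 2.0, boot-code protection, Microsoft Firewall) can be checked on each PC with a short read-only script. This is an added example, not code from Acer or Microsoft; the function name Get-DevicePosture is hypothetical, Secure Boot is used here as the boot-protection check by assumption, and the script assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example: read-only posture check for the controls named in the article.
# Assumes an elevated session; Get-DevicePosture is a hypothetical name.
function Get-DevicePosture {
    $results = @()

    # TPM: must be present, ready for use, and implement spec version 2.0.
    try {
        $tpm  = Get-Tpm -ErrorAction Stop
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
        # SpecVersion is a comma-separated string; the first field is the major version.
        $major = if ($spec) { ($spec -split ',')[0].Trim() } else { '' }
        $ok = $tpm.TpmPresent -and $tpm.TpmReady -and ($major -eq '2.0')
        $results += [pscustomobject]@{ Check = 'TPM 2.0 present and ready'
                                       Pass  = [bool]$ok
                                       Detail = "SpecVersion=$spec" }
    } catch {
        $results += [pscustomobject]@{ Check = 'TPM 2.0 present and ready'
                                       Pass  = $false
                                       Detail = $_.Exception.Message }
    }

    # Secure Boot: the cmdlet throws on legacy BIOS or without elevation,
    # so a failure to query is reported as a failed check, not skipped.
    try {
        $sb = Confirm-SecureBootUEFI -ErrorAction Stop
        $results += [pscustomobject]@{ Check = 'Secure Boot enabled'
                                       Pass  = [bool]$sb
                                       Detail = "Enabled=$sb" }
    } catch {
        $results += [pscustomobject]@{ Check = 'Secure Boot enabled'
                                       Pass  = $false
                                       Detail = $_.Exception.Message }
    }

    # Firewall: every profile (Domain, Private, Public) should be on.
    foreach ($p in Get-NetFirewallProfile) {
        $results += [pscustomobject]@{ Check = "Firewall profile $($p.Name)"
                                       Pass  = ($p.Enabled -eq 'True')
                                       Detail = "Enabled=$($p.Enabled)" }
    }
    return $results
}

# Show the full table, then only the checks that need attention.
$posture = Get-DevicePosture
$posture | Format-Table -AutoSize
$posture | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Running it on a schedule and recording the failed rows per device gives the regular inspection that Stage 4 calls for.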
With more and more companies embracing a hybrid work system, cybersecurity has never been so prevalent. In a recent survey, only 50% of company employees believed their company had the right tools to support hybrid working. SMBs should analyze their current network security and identify areas for improvement while equipping employees with adequate computer systems to do their job.
Microsoft Secured-Core PCs such as Acer TravelMate P2, P4, and P6 are preloaded with Windows 11 and offer outstanding out-of-the-box security to protect against data breaches and hardware-based cyberattacks. The savvy laptops also include a fingerprint reader and IR webcam to support secure Windows Hello logins. With help from Microsoft, TravelMate P-Series users have peace of mind to take business wherever they go.
With so much personal information readily available, computer systems are a breeding ground for malware and malicious software. Data breaches and cyberattacks are not just financially detrimental to businesses — they destroy hard-earned reputations, too. With this in mind, Windows 11 Pro offers users cutting-edge security through Pluton and Microsoft Secured-Core, protecting sensitive data at the root. In addition, companies should hire IT experts to ensure their security measures are updated and secure and conduct threat modeling to consider network safety from a hacker’s perspective. Educating employees on the importance of cyber safety is also beneficial to avoid potential data leaks while working from home. With Windows devices from Acer, we are committed to taking on hackers one computer system at a time.
 Windows 11 Survey Report. Techaisle, December 2022.
 Windows 11 Survey Report. Techaisle, February 2022.
Jeni is a translator and writer based in Taiwan. She is passionate about business development and loves helping companies enter international markets. She is fluent in English, German, and Mandarin Chinese, and combines these with her industry experience to provide practical market entry solutions.