Cybersecurity is Economic Security

Safeguard the Future

The 2025 Massachusetts Cybersecurity Awareness Month theme, “Cybersecurity is Economic Security”, emphasizes the critical connection between strong cybersecurity practices and the economic health of Massachusetts businesses and communities.  
 
In today’s digital economy, cybersecurity is more than a technical safeguard—it’s a strategic economic imperative. Cyberattacks can destabilize industries, disrupt supply chains, and drain billions from economies. 
 
Protecting against these threats requires not just advanced technology, but a skilled and resilient workforce. Investing in cybersecurity education, training, and career pathways builds a talent pipeline that strengthens state security, supports innovation, and fuels economic growth. A secure digital environment—and the workforce behind it—is the foundation for long-term prosperity.  

Minimum Baseline of Cybersecurity for Small Business

Cyber incidents can disrupt operations, damage reputations, and lead to financial losses. By investing in cybersecurity best practices, small businesses can safeguard not only their data, but also their long-term economic stability.

The Minimum Baseline of Cybersecurity for Small Business was developed by the MassCyberCenter and the Cyber Resilient Massachusetts Working Group to provide practical, achievable steps connected to NIST controls that organizations can implement to reduce risk and empowers small businesses to protect their data, customers, and operations. By making cybersecurity more accessible, we’re helping build a safer digital ecosystem where businesses of all sizes can thrive.

 Best Practices for Cyber Defense

Whether you're managing operations from the office or working remotely, cybersecurity should be at the core of your daily practices. Small businesses and organizations are increasingly targeted by cyber threats, making it essential to protect sensitive data, customer information, and financial assets. Follow the best practices below to strengthen your defenses and keep your business secure. 

Multi-Factor Authentication (MFA) 
Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to a resource.  Factors include: a) something you know (e.g., password/personal identification number [PIN]); b) something you have (e.g., ATM card, cell phone, token); or c) something you are (e.g., biometrics).

  • Implement MFA for access to both personal and work accounts
  • Consider using a reputable authenticator application instead of an email or cellphone text-based authentication factor method
  • If you have MFA in place, review requests for verification carefully to avoid a hacker stealing your login session
    • Business owners should consider implementing number matching and adding login context to “push” notifications from authenticator applications
    • Examples of both are available here

Use strong Passwords or Passphrases
An 8-character password can be hacked in mere minutes.  Use these tips to make your password stronger and more secure, and never use the same password more than once.  

  • Create a strong Password or Passphrase
    • Something you can remember
    • CoffEE-awake-Tea-Y@!
  • Use a Password Manager
    • You can use biometrics to access it
    • You don’t need to memorize 15-20 character passwords
    • You don’t re-use passwords  

Software Patching
Technology companies update software and release patches to fix security issues on a regular basis. 

  • Keep mobile devices and personal computers up-to-date with the latest software and patches
  • If your computer prompts you to install a software update, don’t delay unnecessarily
  • Ask your company’s IT team about their patching policy and restart or update your computer as required

SLAM Phishing
Phishing is type of attack that tricks you into clicking in links, opening attachments, or logging into an account so that attackers can gain access and install malware on your devices or steal your credentials for financial gain.  Use the SLAM acronym (Sender, Links, Attachment, Message) to identify a phishing attempt. 

  • Sender – Check the true sender of an email
    • “Hover” your mouse over the sender’s name to reveal the true email of the sender  
    • Check email addresses carefully to look for misspellings or out of place characters
    • Look for the company name in the domain address  
  • Links – Do not go to a link unless it is legitimate
    • “Hover” your mouse over a link to reveal where the link will take you
    • Consider visiting the company website directly, instead of clicking the link
    • Do not provide login credentials to view a document or link from a third party (especially someone you don’t know)
  • Attachment – Recognize when an email attachment may not be legitimate
    • It is unlikely that a business would send an email attachment without prompting.
    • Don’t open an attachment from an unsolicited email
  • Message – Check the content of the message carefully, even if it is coming from someone you know
    • Call the person to ask if they sent it before clicking on links or opening attachments
    • Review the message—would the person you know say this or ask you to take action?  

Discovered a phishing email? 
Steps to take if you discover a phishing email: 

  • Mark the email as spam – there is usually a way to do that in your email application: find out how
  • Do not forward the email to anyone
  • Report the email to your IT department or MSP or internet provider so that they can:
    • Blacklist the sender’s domain address
    • Alert other employees  

USBs / “Flash Drives” 
Hackers try to take advantage of human curiosity or altruism to penetrate networks.  Examples of this include:

  • Dropping USBs / “flash drives” in parking lots
  • Sending USBs / “flash drives” in the mail

If you find or receive one:

  • Do not plug it in to your home or work devices, especially if you aren’t sure where it came from
  • Give it to your security or IT staff

Backup your Data
When you lose access to your data through a cyberattack or ransomware or for any reason, it’s important to have a plan. 

  • Identify your important data (contacts, financial information, pictures, etc.) and back it up
    • Consider a cloud-based vendor or use an offline, external hard drive
  • Create a plan for how to access that data in case of attack or emergency
  • Ask your work IT staff about your company’s backup plan: make sure you store data where it can be recovered if your company has a cyberattack 

WiFI
Public wireless networks are not secure, and data can be seen and stolen. 

  • Be vigilant when using public wireless networks
    • If you are in a restaurant, ask an employee about the correct wireless network name (also known as an SSID) –  (e.g. ‘MBTA-wifi’ vs ‘guest-wifi’)
    • Utilize a Virtual Private Network (VPN), which creates an encrypted tunnel between your device and internet locations
    • Minimize using personal logins and passwords over public networks