How confident are you in cybersecurity for your business? Have you done everything that’s necessary to keep your business and all the data you work with safe from intentional attacks and unintentional leaks?
Most small business owners operate under the false assumption that they are not a target for attackers. That kind of thinking is exactly what makes them the perfect target for cyber attacks.
Believing you are too small a fish is what makes you such easy prey.
The newest Verizon Business Data Breach Investigations Report backs this up: as of 2020, 28% of all data breaches involved small businesses. Owners need to be more proactive about their security.
You may ask yourself, “How can I protect my business from cyber threats?”
In this guide, you’ll find all you need to set up proper cybersecurity for your business and learn how to avoid the most common types of attacks.
Phishing attacks are elaborate social engineering attacks. The aim of a phishing attack is to trick the user into freely giving away their credentials.
The attack vector is usually an email crafted to mimic an organisation you trust (your bank, for example). It will contain a link that leads to a malicious website, or an attachment that executes and steals all the data it can.
Phishing can be avoided by:
- Keeping all your devices updated so they run the latest security patches
- Using firewalls to block the majority of phishing emails
- Knowing how to detect a phishing attempt – emails will have a sense of urgency, often saying your account is locked, suspended, or that there was suspicious activity, and requesting sensitive information like your password or ID. Legitimate businesses will never ask for this kind of information.
- Avoiding websites that don’t have HTTPS since they lack security and all your interactions with them can be intercepted
- Not opening emails from senders you don’t know
- Checking the actual sender address by hovering over the sender’s display name
- Checking the actual address of any links in the email
- Checking the website address
- Using a full security suite that has phishing protection
- Installing a VPN that protects all online communication
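The checks in the list above (the real sender address, where a link really points, plain HTTP, urgency wording) can be applied mechanically to a raw message. The script below is an added example and is not code from the original post; the two sample emails are constructed, every domain in them is a placeholder, and the list of urgency phrases is an assumption drawn from the wording the article describes.

```python
"""Check a raw email for the phishing tells listed above.

Added example, not code from the original post. The sample messages are
constructed and every domain in them is a placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the article says phishing emails lean on (assumed list).
URGENCY_WORDS = ("suspended", "locked", "suspicious activity",
                 "verify your", "within 24 hours")
# Anchor text that looks like a web address (optional scheme and path).
DOMAIN_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

# Constructed sample messages (placeholder domains).
SUSPECT = b"""From: "Example Bank" <alerts@example-bank.com>
Reply-To: support@example-bank-login.net
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<p>We noticed suspicious activity. Please <a href="http://example-bank-login.net/verify">www.example-bank.com</a> within 24 hours.</p>
"""

GENUINE = b"""From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available at <a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def href_host(url):
    """Host a link really points to, lowercased, without a leading www."""
    return strip_www((urlparse(url).hostname or "").lower())


def shown_host(text):
    """Host the link text claims to be, or None if the text is not address-like."""
    match = DOMAIN_LIKE.match(text)
    return match.group(1).lower() if match else None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def phishing_findings(raw_message):
    """Return a list of human-readable red flags found in one raw email."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # A Reply-To on another domain sends replies somewhere other than the apparent sender.
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + " " + content).lower()
    for phrase in URGENCY_WORDS:
        if phrase in haystack:
            findings.append(f"urgency wording: '{phrase}'")

    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for href, visible in collector.links:
            if href.lower().startswith("http://"):
                findings.append(f"link without HTTPS: {href}")
            claimed = shown_host(visible)
            if claimed and claimed != href_host(href):
                findings.append(f"link text shows {claimed} but points to {href_host(href)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, phishing_findings(raw) or "no findings")
```

The constructed suspect message trips every check (mismatched Reply-To, three urgency phrases, a plain-HTTP link whose text shows one domain while it points to another), while the genuine one produces no findings. A clean result is not proof an email is safe; the point is that the manual checks the article lists are cheap to automate as a first filter.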
Data leaks are the most common form of gap in cybersecurity for your small business. They can be intentional or unintentional.
The latter would be, for example, an email sent to the wrong recipient. If any attachments containing sensitive data went to the wrong address, the information could have been seen by someone who should never have had access in the first place.
Intentional data leaks happen when someone from your company transfers classified or sensitive information to a recipient outside of the organisation.
You can avoid these by:
- Installing endpoint protection that gives you an overview of who used which of your company devices.
- Setting user permissions and giving access to information on an “as needed” basis only, to lower the risk of someone accidentally leaking data.
- Having permission controls on all outbound communication channels, so that if information is sent to the wrong recipient, they can’t see its contents.
- Setting BYOD (bring your own device) guidelines on the responsible use of personal devices brought to work.
- Using a monitoring service that can reveal unusual usage patterns, which helps uncover malicious scripts trying to access data through a compromised user account.
Small business cyber security is rarely ready for a ransomware attack. Such an attack renders you powerless and blocks you from accessing your systems unless you pay a ransom to the attackers, usually in cryptocurrency. Often you will have a time limit to comply, and if you don’t, all the data will be erased (or leaked).
You can lower risk by:
- Keeping a backup of all your data – even if you get locked out of your device, you’ll have everything safe in another location.
- Educating staff on phishing attacks and how to spot them.
- Keeping all systems up to date so that all known vulnerabilities are patched and can’t be exploited by attackers for access to your network.
And if you fall prey, DO NOT pay the ransom.
There is no guarantee whatsoever that you’ll get access, and if you pay, you are giving a clear signal to your attackers that you are willing to do as they ask of you, making you a promising target for future attacks. In terms of cybersecurity for your business, it’s much better to ignore the ransom.
“Hacking” is often used for any type of incident where a business is a victim of cybercrime, but hacking actually refers to the use of stolen credentials (like usernames and passwords) to get access to otherwise unavailable assets.
To protect your business from hacking, do the following:
- Use strong passwords and never write them down on paper or even in a notepad file on the desktop.
- Have multi-factor authentication so nobody can log in with a password alone.
- Use a VPN whenever you connect to public WiFi networks.
- Never log in on public computers, which might be infected with malware that can record your passwords.
- Ideally, avoid public WiFi altogether and use your own network (tether from a mobile phone, for example).
- Avoid mixing personal and business devices and do business on business devices only.
A data breach is classified as any instance where data or information was taken from your business without your knowledge or consent. Attackers are most commonly after sensitive information such as customer data, credit card numbers, or trade secrets.
Attack vectors include phishing, insider help, exploitation of security misconfigurations, and third-party vendors.
Improve cybersecurity for your business by:
- Implementing network monitoring software that alerts you to unusual data access
- Sharing data access on a “need to know” basis
- Revoking access to users as soon as it’s not required anymore
- Working with third-party vendors who have good cybersecurity policies and regulation compliance
- Hiring professionals to set up your security system if you are unsure how to do it yourself
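Both the data-leak section (a monitoring service that reveals unusual usage patterns) and the first point in the list above (software that alerts you to unusual data access) come down to comparing today's activity with a user's own history. The script below is an added example and is not code from the original post: the log format, the business-hours window and the thresholds are assumptions, and the log records are constructed so that the last day contains an unusual pattern for one user.

```python
"""Flag unusual file access in a constructed access log.

Added example, not code from the original post. The log format and the
thresholds are assumptions; the records are constructed so the last day
contains an unusual pattern.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed log: two quiet baseline days, then a day where "bob" pulls
# many files in the middle of the night.
LOG_LINES = [
    "2024-05-06T09:12:03 user=alice action=download file=customers.csv",
    "2024-05-06T14:20:41 user=alice action=download file=invoices-q1.xlsx",
    "2024-05-06T11:05:12 user=bob action=download file=price-list.pdf",
    "2024-05-07T10:02:55 user=alice action=download file=customers.csv",
    "2024-05-07T16:48:09 user=alice action=download file=contracts.docx",
    "2024-05-07T09:31:27 user=bob action=download file=price-list.pdf",
    "2024-05-08T09:40:18 user=alice action=download file=customers.csv",
    "2024-05-08T15:11:50 user=alice action=download file=invoices-q2.xlsx",
    "2024-05-08T02:05:31 user=bob action=download file=customers.csv",
    "2024-05-08T02:07:02 user=bob action=download file=contracts.docx",
    "2024-05-08T02:09:44 user=bob action=download file=invoices-q1.xlsx",
    "2024-05-08T02:12:19 user=bob action=download file=invoices-q2.xlsx",
    "2024-05-08T02:15:07 user=bob action=download file=payroll.xlsx",
    "2024-05-08T02:18:55 user=bob action=download file=trade-secrets.pdf",
]

BUSINESS_HOURS = (8, 19)   # assumed: 08:00 to 19:00 local time
VOLUME_RATIO = 3.0         # flag when a day's count exceeds 3x the user's average
MIN_COUNT = 5              # ...but only once it reaches at least this many


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'time'."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def unusual_access(lines):
    """Return alerts for the most recent day in the log, judged against earlier days."""
    records = [parse_line(line) for line in lines]
    per_day = defaultdict(Counter)           # date -> Counter(user -> downloads)
    for record in records:
        per_day[record["time"].date()][record["user"]] += 1

    days = sorted(per_day)
    latest, history = days[-1], days[:-1]
    alerts = []

    # Volume: compare each user's latest-day count with their own baseline,
    # never with other users, so a busy analyst does not mask a quiet account.
    for user, count in sorted(per_day[latest].items()):
        baseline = mean(per_day[day][user] for day in history) if history else 0.0
        if count >= MIN_COUNT and count > VOLUME_RATIO * max(baseline, 1.0):
            alerts.append(f"{user}: {count} downloads on {latest}, baseline {baseline:.1f}/day")

    # Timing: anyone pulling files outside business hours on the latest day.
    start, end = BUSINESS_HOURS
    night_owls = sorted({r["user"] for r in records
                         if r["time"].date() == latest
                         and not start <= r["time"].hour < end})
    for user in night_owls:
        alerts.append(f"{user}: downloads outside business hours on {latest}")
    return alerts


if __name__ == "__main__":
    for alert in unusual_access(LOG_LINES) or ["no alerts"]:
        print(alert)
```

On the constructed log, alice's two downloads a day are her normal pattern and raise nothing, while bob's six overnight downloads against a baseline of one trigger both the volume and the timing rule. A baseline of only two days is far too short for production use; the thresholds and the window are the parts you would tune for your own organisation.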
Secure internet banking
Getting access to your business banking accounts is the ultimate goal for most cyberattacks. It’s important to be up to date on the best practices for business cybersecurity, especially if you use online banking services and accept online payments.
While avoiding internet banking entirely seems like the best solution, it’s not feasible in this day and age.
You will improve cybersecurity for your business by:
- Not saving business credit card information in any browsers
- Not using personal computers and other devices to conduct business transactions
- Using internet banking only on business devices with all the required security installed (firewalls, VPN, antimalware software)
- Not clicking on any links that prompt you to confirm your identity with your bank credentials, or to send an ID – that’s a phishing attempt
- Keeping operating systems up to date
- Keeping the bank’s website bookmarked and avoiding any other way of navigating to it
Document your security processes
Have business cybersecurity policies in place. You need them, no matter how small you are. They outline what you and your staff must do in different cyber attack scenarios. Have all protocols well-documented and test them on a regular basis.
For remote work, have additional security solutions and processes to reduce the risk of a cyberattack. Make sure that:
- All employees install a VPN for secure remote access to the business’s internal network
- You know where all data is stored, which applications use it, and who has access to it and how
- You conduct regular vulnerability scans
- Your incident response plans include remote work scenarios, so everyone knows the protocol in case of a breach on a home network or a lost device
Have specific security processes for online payments
If you’re handling credit card data from your clients and accepting online payments, you are a prime target for attacks. To make sure transactions and all data are safe, you must:
- Be PCI DSS compliant – the Payment Card Industry has set standards for processing, storing, and transmitting payment data, which help stop fraud
- Have password protection and automatic locks after a period of inactivity on all devices handling payments and processing
- Avoid storing payment or credit card data from your customers longer than needed
- Encrypt all data so it’s unusable in case of a breach
- Report any suspicious activity immediately
Check password security
A weak password is the fastest way to fall victim to a cyber attack. Too simple a password can be cracked in mere seconds, so make sure that all passwords are long and complex enough. Current practice in organisations, particularly those dealing with lots of sensitive data, is passwords of 12 or even 17 characters.
Such passwords are much safer from so-called “brute force” attacks, where attackers try many different passwords until they eventually get one right.
Aside from the character count, a secure password must have upper- and lowercase letters, numbers, and special characters, ideally in no order that would make sense.
This makes it almost impossible to remember, but your business accounts will have maximum security.
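The reasoning above (length, character classes, and the number of guesses a brute-force attacker must make) can be turned into a checker. The script below is an added example and is not code from the original post; the 12-character minimum follows the article, while the guess rate of ten billion attempts per second is an assumed figure used only to turn the keyspace size into a time.

```python
"""Score a password the way the section above reasons about it.

Added example, not code from the original post. The 12-character minimum
follows the article; the guess rate is an assumed figure for illustration.
"""
import math
import string

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 12
SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(password):
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password):
    """log2 of the number of candidates a brute-force attacker must try in the
    worst case, knowing only the length and which character classes are in use."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / SECONDS_PER_YEAR


def meets_policy(password):
    """Long enough and uses all four classes, as the section recommends."""
    return len(password) >= MIN_LENGTH and len(classes_used(password)) == 4


def report(password):
    """Summarise the checks above for one password."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "bits": round(keyspace_bits(password), 1),
        "brute_force_years": brute_force_years(password),
        "meets_policy": meets_policy(password),
    }


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xYz"):
        print(candidate, report(candidate))
```

Every character added multiplies the keyspace by the alphabet size, which is why the article's 12 to 17 characters matters more than any single symbol. The estimate assumes the characters are chosen at random; a dictionary word with a digit on the end is far weaker than its length suggests, which is the reason for the article's advice that the order should make no sense.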
Use multi-factor authentication
If your password is somehow recorded and leaks (which can be done with a keylogger), you can still keep your account safe with two-factor authentication.
Aside from typing in your password, you will have to provide another way to authenticate yourself, usually by typing in a code that was sent to your phone (or alternatively email).
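The server side of the second step described above (issue a short code, deliver it over another channel, accept it once before it expires) looks like the class below. This is an added example and is not code from the original post or from any particular product; it assumes a separate SMS or email sender delivers the code, an application-level HMAC key, a five-minute lifetime and a five-attempt limit, all of which are choices made for the illustration.

```python
"""Issue and verify one-time login codes for a second authentication factor.

Added example, not code from the original post. Delivery of the code (SMS,
email) is assumed to happen elsewhere; the key, lifetime and attempt limit
are illustrative choices.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: five wrong guesses invalidate the code


class OneTimeCodes:
    """Keep only an HMAC of each pending code, never the code itself."""

    def __init__(self, secret_key, clock=time.time):
        self._key = secret_key        # application secret, kept out of the database
        self._clock = clock           # injectable so expiry can be tested
        self._pending = {}            # user -> [digest, expires_at, attempts_left]

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh six-digit code for the user and return it for delivery."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
        self._pending[user] = [self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS,
                               MAX_ATTEMPTS]
        return code                                   # hand to the SMS/email sender

    def verify(self, user, code):
        """True only for the current, unexpired code, and only once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] -= 1
        # Constant-time comparison of digests, so timing leaks nothing about the code.
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]   # single use: a replayed code must fail
            return True
        if entry[2] == 0:
            del self._pending[user]   # too many wrong guesses: the user must request a new code
        return False


if __name__ == "__main__":
    store = OneTimeCodes(b"constructed-demo-key")
    code = store.issue("alice")
    print("deliver to alice's phone:", code)
    print("first use:", store.verify("alice", code), "replay:", store.verify("alice", code))
```

The three properties worth checking in your own implementation are visible in the tests: a replayed code is rejected, a code is rejected once its lifetime has passed, and a bounded number of wrong guesses exhausts the code so that a six-digit space cannot simply be enumerated.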
Cybersecurity is a fast-paced area of business where things change on a daily basis. To keep cybersecurity for your business on a healthy level, make sure you follow the best practices outlined above, be diligent and informed about threats happening in your industry, and educate everyone in your organisation on staying safe while conducting business online.
Smiley Geeks is a trading name of TowerWatch Solutions Ltd