If it seems like you’re hearing more news about digital security breaches these days, you aren’t imagining things: In 2017, the number of cyberattacks worldwide more than doubled, according to a cybersecurity report issued by the Online Trust Alliance. Even more alarming? The 2018 Verizon Data Breach Investigations Report indicates that 58% of cybercrime victims are small businesses.
And small business owners might not fully understand what they’re up against. In a survey by the Better Business Bureau (BBB), the average participant scored a mere 60% on a quiz about cybersecurity threats. That’s understandable, given the complexity of the topic—and if you feel totally lost about how to protect your small business from digital security threats, you’re not alone.
That’s where we come in. To put together a basic cybersecurity guide for small business owners, we consulted with two digital security professionals: Tyler L. Jones, an independent cybersecurity consultant and digital forensics analyst for business and law enforcement, and Aaron S. Birnbaum, the founder and CEO of Seron Security, a firm that specializes in data protection and online safety. Here’s everything you need to know right now about how to protect your business from attacks online.
Why Digital Security Matters
Many business owners think that they’re too small for a hacker to bother with them, but Jones says that’s simply not true. “Even the smallest businesses are eventually going to be targeted for one form of cybercrime or another,” he says. “In 2018, it’s not really a matter of if, it’s a matter of when.”
Hackers are just as likely to target small enterprises as large ones, but many entrepreneurs still wonder why they should bother with cybersecurity. As Jones points out, making your customers’ sensitive information vulnerable to attack can actually “open you up to lawsuits and fines”—not to mention “affect the overall reputation of your brand.”
And Birnbaum adds, “You are often legally required to make best reasonable efforts to protect your data and your client’s data. If you are breached and data is exfiltrated, most states require you to notify the people who had their data compromised.”
In fact, companies that store personal information are subject to certain regulations, like the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and the Gramm-Leach-Bliley Act (GLBA). Failure to comply with regulations may leave a company open to penalties, legal action, and even federal audits—not to mention the blow to your reputation and to customer confidence when a breach occurs. Other federal laws and state laws may apply to your company’s data storage, depending on the industry, so be sure to do your research.
But even if your enterprise is under no legal obligation to shore up its digital defenses, consider the overall havoc that a cyberattack could wreak on your small business: The BBB suggests that only 35% of businesses could remain profitable for more than three months if they permanently lost access to essential data.
This is why digital security is essential for every small business owner. As Birnbaum says, “Cybersecurity is like water. Everyone ignores it until they actually need it.” If your business is in need of a cybersecurity plan, take the following steps to ensure that your business is well-protected.
Step 1: Execute a Basic Digital Security Plan
The best security solutions can be costly. Luckily, there are some effective options for small enterprises on a budget.
Install Anti-Malware Software
Malware is a broad term for any program created with malicious intent (which explains the prefix), so Jones and Birnbaum both insist that installing anti-malware software is the bare minimum requirement for any small business.
Your best course of action is to choose an overall security protection software suite, which will protect against malware like:
- Viruses: Just as in humans, computer viruses enter the host and can lie dormant until someone executes their programming. Then, a virus replicates itself until your system becomes “ill” or nonfunctional.
- Data and identity theft: This one is pretty self-explanatory. Not only does an unsecured network make your personal information vulnerable, but it also puts you at risk of business identity theft.
- Ransomware: This code takes control of your computer until you pay the infiltrators a fee. These bad actors are holding your system hostage until you cough up the money, which is similar to the ransom that kidnappers demand.
- Spyware: Spyware is software that sends information about your system to a third party without authorization, usually without your knowledge. An example would be a program that records all your keystrokes and reports them to a threat actor, who thereby gains access to your passwords and other sensitive information, like your bank accounts.
- Phishing sites: Phishing is when someone creates an email or a website that looks authentic, but is designed to capture your personal information. For example, you might receive an email that looks like it’s from your bank, which asks you to enter the username and password to your online account, but is actually from a hacker.
- Rootkits: A rootkit is a program that creates a hidden backdoor into your system, which allows a malicious actor continued access to your computer. Once again, the user is typically unaware of the existence of this program, so it is difficult to root out its existence—which explains the name.
As you can probably tell, installing anti-malware software is crucial. That’s especially true because many common security threats go undetected until they’ve done extensive (and potentially irreversible) damage to your data.
But these security suites are relatively inexpensive. As Birnbaum says, “For less than the cost of one latte per month, you can reduce your chances of being breached by nearly 90%.” That’s an excellent return on investment. In particular, Jones is a fan of products by Webroot, and Birnbaum likes Malwarebytes.
Secure Internet-Connected Devices
Jones and Birnbaum both warn of the dangers that devices like mobile phones and tablets bring to your business. If your employees use their personal devices for work, the threat grows, as you have little control over where that equipment has been and how often it has connected to unsecured networks. This makes the installation of anti-malware on mobile devices all the more crucial.
And it’s not just cell phones and tablets that are problematic; it’s all the connected devices you might not necessarily think about. According to Entrepreneur.com, “alarm systems, GPS, web cameras, HVAC or medical devices,” and other devices that “lack built-in security” are one of the three biggest cybersecurity threats that small businesses face today.
To address this issue, change the default password when you purchase any device that connects to the web, as threat actors often use the password created by the original seller to gain access to your network. This is especially important with the router for your wireless network. Change the default name of the network as well, or the SSID (Service Set Identifier), and don’t use any identifying characteristics in your new network name—like your last name or physical address.
Remember that virtual assistants like Amazon’s Alexa and Echo, as well as Google Home, connect to the web and can pose a threat, so consider whether they’re worth the risk. As Birnbaum reminds us, “Every internet device opens a hole in your network.”
Regularly Update All Your Software
You should be regularly updating every software program on every device you own—not just your anti-malware suite. That’s because, with each software update, developers include patches that are designed to plug newly discovered holes in the security of their product.
Although you can set each piece of software to update automatically, you can also choose a program that automates the process for you. Birnbaum likes Heimdal Security’s Thor, which is free.
Encrypt Your Data
Encryption means that no one else can access the information you’ve stored on your computer or your device—should it get lost or stolen, for instance—without at least a password. Some programs will destroy your data when someone attempts to hack your system or upon your remote command. You can choose to encrypt only sensitive files, or an entire hard drive.
Take a look at VeraCrypt, a free encryption tool. Or, for a straightforward alternative (VeraCrypt can be a bit complicated to use), consider one of these commercial solutions. However you choose to do it, encrypting your data is a simple step that can pay off in the long run.
Back Up Your Data
Both cybersecurity experts (or any other expert you consult) are adamant about data backups, and that makes sense. If you’re the victim of a cybersecurity attack and your data is compromised, you can get back up and running fairly quickly if you have solid backups.
Jones recommends that you back up your entire system at least once a week—more often if your data changes rapidly—and that you keep your backups in three different locations. At least one of these locations should be offsite, in case the attack renders your headquarters nonfunctional. And Birnbaum suggests that you use three different modalities for your backups, so if one or more is corrupted, you have options for data recovery.
The first possibility is to save your work to the Cloud, which simply means that you transfer your company’s sensitive information to servers operated by another company via the internet, where your files are safely stored and you can access them as needed. Google Drive is a free Cloud provider, as is Dropbox.
Cloud computing is not without its own security flaws, but the benefits generally outweigh the risks. The Cloud not only provides free or low-cost storage, but also allows for easy file sharing and document collaboration among coworkers. Should your business become heavily Cloud-based, Jones advises that you add a Cloud security suite to your arsenal. Cisco and FireEye have some excellent offerings, but such an investment is necessary only for businesses that are rapidly expanding.
Your other options for data storage and backups can be as simple as an external hard drive, a USB thumb drive, or a DVD. Don’t forget to encrypt your backups, so your data is not accessible should your backup fall into the wrong hands.
Install a Firewall
A firewall is a piece of software or hardware that blocks connections from unauthorized and possibly malicious sources. Some products, like certain modems, come with a firewall built in. Recent versions of both the Mac and Windows operating systems have a basic, built-in firewall that requires you to approve all incoming connections to your computer.
But Birnbaum suggests that you add a further layer of protection, too. Comodo offers a free version of its firewall for Windows users. And if you’ve followed each step outlined here, you already have a comprehensive anti-malware suite installed, so it’s unlikely that you’ll need Comodo’s premium version. Murus offers a comparable no-cost product for Mac users.
Step 2: Engage in Digital Security Awareness Training
Cybersecurity training for employees focuses on how to prevent data breaches, especially through phishing. As the BBB points out, “Only one employee needs to click on a bad link in an email or open an infected attachment for an attack to get in the door of a business.” If you teach your employees how to recognize an online scheme, then they won’t be duped—and put your business’s data at risk.
Security consultants, like Birnbaum and Jones, typically conduct digital security awareness training. But if such services aren’t within your budget, look for free or low-cost offerings in your area by quasi-governmental organizations like the National Cyber Security Alliance or your state’s chapter of the national InfraGard. Both of these initiatives are partnerships between national law enforcement agencies and the private sector that seek to make the web safer.
4 Need-to-Know Lessons From a Cybersecurity Awareness Training Program
Your digital security awareness training will be comprehensive, but here are a few important lessons that you can put into practice today.
1. How to Determine If an Email Is Legit
Although there’s no surefire way to determine if an email is legitimate, there are a few red flags that might signal you’re being phished.
If an email asks you to click on a link, don’t trust that the link actually leads to the website it claims to represent. Instead, hover your mouse over the link. This should bring up a small window—either right next to the link or in the bottom corner of your screen—that shows the web address where that link will take you.
If an email is from your bank, for example, hover over any links to be sure they truly connect to your bank. Look for misspellings of your bank’s name in the URL of the link, and check the suffix. For instance, if you bank with Wells Fargo, a link should connect to https://www.WellsFargo.com, but a hacker might use an address like WellsFargo.net or WelsFargo.com.
To be on the safe side, Birnbaum suggests that you double check the proper URL for any website you’d like to visit, and type it into the browser yourself—rather than trust that a link is authentic. He also cautions against clicking links that don’t lead to a secure web connection, which is denoted by an “s” after the http in a web address.
Jones advises that you look for spelling or grammatical errors in an email, as such mistakes are glaring signs that the communication may be fake. “Most major brands have huge communication teams,” he says, “so they’re not going to make really obvious mistakes in their emails.”
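As an added example (not from the article or its experts), here is a small Python script that performs the link checks above automatically on a constructed sample email: it requires https, compares each link’s host with the bank’s real domain, flags lookalike spellings or a swapped suffix, and catches link text that shows one address while the link points to another. The bank domain and the sample email are assumptions for illustration.

```python
# Added example: automate the manual "hover over the link" checks from the article.
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

EXPECTED_DOMAIN = "wellsfargo.com"  # the bank's real domain (assumed for this example)

# Matches <a href="...">text</a>; good enough for simple HTML email bodies.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def registered_domain(host):
    # Simplification: treat the last two labels as the registered domain.
    # Fine for .com/.net; suffixes like .co.uk would need a public-suffix list.
    return ".".join(host.split(".")[-2:])

def check_link(href, expected=EXPECTED_DOMAIN):
    """Return the red flags for one link destination (empty list = none found)."""
    flags = []
    parsed = urlparse(href)
    if parsed.scheme != "https":           # the "s" after http that Birnbaum mentions
        flags.append("not https")
    rd = registered_domain(host_of(href))
    if rd != expected:
        exp_name, exp_suffix = expected.split(".", 1)
        name, _, suffix = rd.partition(".")
        if name == exp_name:               # WellsFargo.net instead of WellsFargo.com
            flags.append(f"wrong suffix: .{suffix} instead of .{exp_suffix}")
        elif SequenceMatcher(None, name, exp_name).ratio() >= 0.8:
            flags.append(f"lookalike domain: {rd}")   # WelsFargo.com
        else:
            flags.append(f"unrelated domain: {rd}")
    return flags

def scan_email(html, expected=EXPECTED_DOMAIN):
    """Return {href: [flags]} for every link in an email body."""
    results = {}
    for href, text in LINK_RE.findall(html):
        flags = check_link(href, expected)
        shown = text.strip()
        # Link text that looks like a URL but points elsewhere is the classic trick.
        if shown.lower().startswith("http") and host_of(shown) != host_of(href):
            flags.append(f"displayed text says {host_of(shown)}")
        results[href] = flags
    return results

# Constructed sample email body: one genuine link and two phishing-style links.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="https://www.wellsfargo.com/login">Sign in</a>
<a href="http://www.welsfargo.com/login">https://www.wellsfargo.com</a>
<a href="https://wellsfargo.net/verify">Verify now</a>
"""

if __name__ == "__main__":
    for link, flags in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", flags or "looks consistent")
```

A check like this only catches the patterns the article describes (wrong suffix, misspelled name, missing https, mismatched link text); a convincing link can still be malicious, so the advice to type the known address yourself still stands.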
2. Implement Password Policies
Passwords are a huge vulnerability for enterprises of any size.
Birnbaum’s rule of thumb is that any password should have at least 15 characters that combine upper and lowercase letters, numbers, and special characters. To check the security of your passwords, try a website like The Password Meter.
Jones suggests that you select not just a password but a whole phrase, perhaps a full sentence or paragraph complete with punctuation—if your software allows. Create a different password for every website you visit, every piece of software you use, and every device you own.
Many of us simply can’t remember that many passwords, and here’s where a password manager comes in handy. A password manager is a piece of software that allows you to create one password (make it a good one!), and the program generates and stores complex passwords to use everywhere else. Birnbaum likes SAASPASS, which is free for up to 10 users.
3. Outsmart Social Engineers
Social engineering is when a malicious actor manipulates you into giving them sensitive information, often by impersonating someone else. For example, an individual might call you and pretend to represent your internet service provider. They’ll tell you there is an issue with your account, and ask for your wireless password. Don’t be fooled!
“Don’t give out any sensitive information over the phone,” warns Jones. “If you feel that a threat actor is pumping you for information, he or she probably is.” Hang up immediately, and place a direct call to the organization that allegedly needed this information. They’ll know whether one of their representatives attempted to get in touch.
Some aggressors are gutsy enough to attempt these schemes in person. Jones says, “One attack vector is on the ground: Social engineer your way past a security guard, find an open workstation, drop your USB into it, and have it autoexecute the malware you brought with you.” Keep all workspaces and products physically secure. Don’t forget about your trash, which should either be locked up or properly shredded.
4. Secure Your Remote Connections
Our experts would rather that you never connect to public wireless networks, as they’re not at all secure. But if you absolutely need to use public WiFi, invest in a virtual private network (VPN). These programs create a protected channel through which to connect to the outside world.
Birnbaum suggests free or low-cost options like OpenVPN’s Private Tunnel, NordVPN, CyberGhost, Trust.Zone, or Proton VPN. VPNs are a small expense that could save you thousands of financial and logistical headaches in the future.
Step 3: Bring in the Digital Security Professionals
All this information can be a bit overwhelming, and it’s a lot for a small business owner to implement on their own. If you haven’t already brought in a consultant for digital security awareness training, consider hiring a professional to conduct a threat assessment for your business, and to help plug the security holes unique to your business and industry.
Jones also argues that many businesses wait far too long to develop an internal IT department, or to hire full-time cybersecurity staff. If you hire a dedicated cybersecurity professional early on, you can operate and grow your business safe in the knowledge that your data is secure.
But if you don’t have the funds to hire a professional when you’re first starting out, it’s okay to stick with the basics for now. As Birnbaum points out, “If people take minimum precautions, they can radically improve their chances of avoiding a breach.”
Don’t wait any longer. Follow the steps we’ve outlined here, and you’re well on your way to keeping your business safer—both on- and offline.
- InternetSociety.org. “Online Trust Alliance (OTA)”
- Verizon.com. “2020 Data Breach Investigations Report”
- BBB.org. “2017 State of Cybersecurity Among Small Businesses in North America”
- Entrepreneur.com. “3 Biggest Cybersecurity Threats Facing Small Businesses Right Now”