As a small business owner, security is probably not at the top of your to-do list. Even though we constantly see headlines about big breaches and corporations being targeted by sophisticated attacks, small businesses that suffer web-based attacks rarely make the news. This might lull you into a false sense of security. According to Inc., small businesses are the perfect target for the average hacker. Smaller companies are attractive because they are more likely to have weak security practices in place. So, if you think you’re too small a target to catch the attention of hackers, you might be mistaken. Since we don’t want you to pay the price, we came up with three fairly easy and affordable steps you can take towards upping your security game ASAP.
So, here are our top 3 web security tips for you, today’s small business owner:
1. Create and nurture a secure company culture.
This includes educating your employees and yourself about the various cyber-attacks that can happen and what you can do to prevent them from happening in your business. Get informed about attacks such as phishing, spear-phishing, Denial of Service (DoS) attacks, and Advanced Persistent Threats (APTs). Consider enabling two-factor authentication. And create and enforce a password policy for your employees.
This first step is very important and, luckily for you, not very costly. The first thing that might help you create a secure company culture is providing your workforce with security training. In your training sessions, you will want to get your employees familiar with the basics. Most importantly, you will want to raise awareness about their vulnerabilities and some of the most common attacks. You might even consider hiring a third-party service for this.
Phishing and Spear-Phishing
One of the most common and dangerous attacks is phishing. Phishing is an attack that usually uses e-mail as a weapon. The goal is to trick the receiver of the e-mail or message into believing that the message and the sender are authentic and trustworthy. Once that is done, the message will ask the victim to provide some sensitive information such as bank details, passwords, etc. Sometimes, the e-mail will even contain a malicious attachment that will download onto the computer and potentially extract this information. Phishing attacks are very common since they are fairly easy to execute and their success rate is high, so they are something to keep an eye out for. Spear-phishing is a more sophisticated method of phishing, where a specific person is targeted.
The best way to avoid phishing is to conduct phishing training and demonstrations. After the training, you can even run a simulated phishing attack internally to see how successful it was.
Two-factor authentication is a way to secure both your business and your customers. If you have a login feature on your website through which customers can access their accounts, it might be a good idea to enable two-factor authentication. Besides the use of a password, this practice will allow your users to use an additional authentication method, such as One Time Passwords (OTPs) generated by an authentication app, or a message to the user’s smartphone. Obviously, this will provide your users with an extra layer of security and lower the chances of someone malicious compromising your customers’ sensitive data.
Passwords are a big deal when it comes to security. If you have a login feature, like the one mentioned above, you should ask your users to use strong, unique passwords (for example: minimum of 12 characters including numbers and letters). However, that’s not the only thing. You can also advise your employees to use password managers such as LastPass, 1Password, etc.
2. Use automated vulnerability scanning
If you have a website, then you will need to make sure that it can’t be used to harm your business by malicious hackers. In short, you need to make sure that your website doesn’t host any vulnerabilities. To do that, you will need to test the security of your website. There are 3 different approaches to that: Vulnerability Scanning, Pen-testing, and Bug Bounties. You can learn more about them here!
Automated vulnerability scanning is the least costly and time-consuming web security testing solution (compared to penetration testing and bug bounties). And as a small business owner, it’s probably the solution you are looking for. Web vulnerability scanners quickly scan your website for a huge number of web vulnerabilities. Some of them will provide you with a report on the vulnerabilities found and how to fix them.
There are many free and paid vulnerability scanning solutions out there on the web. Different vulnerability scanners will have different features. I would recommend trying Probely, mainly because we truly tailor our service to small businesses (we have a paid and a free scanner too). I would also recommend starting a free trial on multiple vulnerability scanners, seeing which ones work best for you, and taking it from there. If you can afford a paid solution I highly recommend one, since the loss in case of an attack greatly outweighs the money you spend on a vulnerability scanner ($50-$60). Depending on your budget, a basic free scanner might be a good start.
3. Spend your money wisely
Budget is important, and it’s hard to balance. But ending up on the losing side of a security attack may be lethal for a small business, so it’s something to be avoided at all costs. Spending a bit more money just to be secure is not a big deal (it’s actually recommended), but just throwing money at the problem isn’t the way to go either.
Throwing money at security will, for sure, get you secure and will greatly decrease the chance of you getting hacked. However, it is often best to tailor your security policy to your budget, resources, company size, and how much you have at risk. If you store sensitive customer information then yes, spending a bit more money and hiring a third-party training service or combining multiple solutions (pentesting and vulnerability scanning, for example) may save your business. But if you don’t have much to lose in a cyber-attack, a low-budget solution might be the best for you, taking cost-effectiveness into account.
Extra Tip: Backups!
The previous tips have mainly focused on prevention, but backups are all about risk control and harm reduction. If your business relies on important information, emails or files, you will want to back that data up frequently. Think of it this way: whatever data is necessary for you to provide a service to your clients should be backed up. If this data suddenly disappears and you don’t have backups, your business disappears with it.
You can use different media to store your backups: external hard drives, flash drives, or cloud-based solutions.
There’s a rule about backups that has stood the test of time. The 3–2–1 rule:
- keep three (3) copies of your data,
- store two (2) backup copies on different storage media,
- with one (1) of them located offsite
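
A backup only counts if it can still be restored, so the 3–2–1 rule is worth checking against the actual files. The script below is an added example, not part of the original article: it hashes the original and each backup, ignores copies that are missing or no longer match, and reports which parts of the rule fail. The `Copy` record, the media labels and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Copy:
    path: Path     # where this backup copy lives
    medium: str    # label such as "flash-drive" or "cloud" (assumed labels)
    offsite: bool  # stored away from the business premises?


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_321(original: Path, backups: list[Copy]) -> list[str]:
    """Return the 3-2-1 violations; an empty list means the rule is met."""
    want = sha256(original)
    problems, good = [], []
    for b in backups:
        if not b.path.is_file():
            problems.append(f"missing: {b.path}")
        elif sha256(b.path) != want:
            problems.append(f"stale or corrupt: {b.path}")
        else:
            good.append(b)
    if 1 + len(good) < 3:  # the original counts as one of the three copies
        problems.append("fewer than 3 intact copies")
    if len({b.medium for b in good}) < 2:
        problems.append("backups are not on 2 different media")
    if not any(b.offsite for b in good):
        problems.append("no intact offsite copy")
    return problems


def demo() -> list[str]:
    """Constructed sample: one good local backup, one truncated offsite copy."""
    d = Path(tempfile.mkdtemp())
    (d / "orders.db").write_bytes(b"customer orders")
    (d / "usb.bak").write_bytes(b"customer orders")
    (d / "cloud.bak").write_bytes(b"customer ord")  # truncated upload
    return check_321(d / "orders.db", [
        Copy(d / "usb.bak", "flash-drive", False),
        Copy(d / "cloud.bak", "cloud", True),
    ])
```

In the constructed sample the truncated cloud copy is rejected, which leaves only two intact copies on one medium and none offsite, so every part of the rule is reported as failing.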