We live in a time when major data breaches make news headlines on an almost daily basis.
We know that Yahoo, for example, agreed to a $50 million settlement in relation to a 2013 breach that impacted about 50 million users.
This works out to a measly $1 per user, but the lawsuits against the disgraced internet giant keep piling up. The more scandalous Marriott data breach, which was reported in late 2018, has already attracted estimates of $600 million in losses.
Even your small business is at risk online, but you can use the right cybersecurity precautions to safeguard your assets. Use these essential cybersecurity practices to get started and make your business safer now.
Small business security risks
Airbus and Equifax have also made recent headlines related to cyber attacks and data breaches, but what about small businesses? According to research conducted by the United States Cyber Security Alliance, an alliance between public private companies whose board members include executives from ADP, Comcast, Microsoft, and Google; small business owners have a lot more to lose when it comes to cyber attacks.
The CSA estimates that 60 percent of small business owners will have to call it quits less than a year after being hit with a cyber attack, and chances are that no headlines will be published about them.
The reality is, no business is safe from modern cyber risks and smaller companies really do have a lot more to lose for the following reasons:
Smaller targets are more enticing to certain cybercrime outfits because they are more likely to have inadequate protection.
Unfortunately, law enforcement agencies and prosecutors do not pay much attention to cyber attacks perpetrated against small businesses, even when they feature identity theft.
Pursuant to the above, smaller companies are more vulnerable to fines imposed by regulators should there be compliance issues arising from a data breach.
With all this in mind, information security should be a priority for small business owners who use the internet, especially if they handle customer data, at some point. One example would be ecommerce stores. Information security is complex, but paying attention to the basics can go a long way to make your small business safer.
Here are five essential recommendations:
1. Consulting IT security professionals
A combination of American optimism and early business success can result in overconfidence, and this can be detrimental to information security. A fashion boutique owner who easily gets into ecommerce through a platform such as Shopify may pay too much attention to other business matters, while ignoring potential cyber security risks.
Information security at the small business level is not as easy as launching an ecommerce website using a theme, installing plugins, and learning your way around a content management system (CMS). To this end, you should strongly consider a security audit from an IT security firm, especially if you’re the entire IT department.
For enterprise businesses, third party audits can be expensive – but not for small businesses. You can protect your website from attack using plugins like Wordfence, and monitor your audit log files using something like an activity log plugin. Tools such as these are “on guard” 24/7, monitoring your site and alerting you of anything that looks suspicious. Using tools is not quite the same as hiring a team of security analysts, but it’s a “good enough” solution for most small business owners.
2. Create a security plan and stick to it
A security audit invariably includes an evaluation of existing plans, or the formulation of a new one. Operating a small business without the benefit of a security plan is risky. At the very minimum, the company should identify what information is sensitive, where it is stored, how it should be protected, and what measures should be followed to secure it.
The plan should become company policy, which means that all employees are expected to follow it. Depending on the size of your company and its operations, you may also have to design training sessions to ensure that all staff members are on the same page.
3. Prevent data loss with a backup strategy
The intensity of ransomware attacks – hacks designed to block access to a computer system until a sum of money is paid, like holding a computer to ransom – has not subsided in 2019. In January, one of these attacks resulted in the delay of print editions of major newspapers such as the Baltimore Sun, Los Angeles Times and Chicago Tribune. Things could have been worse for the Tribune publishing empire: the company operates a solid data backup system that enabled it to recover without having to worry about making ransom payments.
Keep in mind that a data backup strategy is only as good as its recovery component, which means that you should test the integrity of the data replication and recovery processes from time to time.
4. Pay attention to endpoint security
What is endpoint security? Every time a client or customer remotely connects to a business network, it creates another path through which the network could be attacked.
Your website content sits in a data center, so it effectively becomes an “endpoint” just like the desktops, laptops, tablets, and smartphones you use to access your content management system (CMS). Any attacks that happen against the data center could compromise your website.
A CMS, such as WordPress, makes it easier to manage a website. With traditional web design and administration, you need to know a bit of coding – HTML and a bit of PHP – to make web pages look nice. With a CMS, anyone can change the website, add content, and upload pictures, all with the click of a button. Despite its popularity, WordPress has a long list of CMS vulnerabilities and more are discovered each month.
Therefore, you should prioritize secure hosting before looking into any other solutions. Your host is the foundation upon which all else rests. If it’s not secure, then it doesn’t matter what CMS nor plugins you use. Before downloading security plugins or hiring someone to audit your site, it’s important that you choose a hosting company that makes security a top priority.
When evaluating hosting services, take a good look at the default CMS of your hosting company. Platforms like Drupal are known for having great security teams, but Joomla less so. Don’t be shy about paying extra for additional endpoint security if your website directories contain sensitive information.
5. Insurance protection against cybercrime
The online platforms you use to operate and promote your company also serve as launching pads for hackers to ply their wicked trade. It’s virtually impossible to implement security strategies that are 100 percent foolproof.
Since there’s always a risk associated with online business operations, it makes sense for you to think about cyber insurance coverage. The idea is to transfer risk, and cover as much of the expenses arising from cybercrime as possible.
If you would not think of putting a vehicle to work on behalf of your company without a commercial auto insurance, the same line of thinking should be extended to your online operations.
Cyber insurance policies should be evaluated based on how business is conducted within your company. For example, an inbound call center is more vulnerable to social engineering attacks, which means you should prepare your staff adequately. Social engineering attacks are those that target the people who use or manage a system – the “gatekeepers” – rather than attacking the system directly.
Protect your small business against online threats
Small business owners should guard against complacency when it comes to security, lest they become part of the 60 percent who suffer a data breach that shuts down operations permanently.
The good news is that implementing good cybersecurity practices is not a Herculean task. You just have to decide to do it. Now would be a good time.