Guide to Online Security for Small Business
Updated: May 15, 2019
Your small business isn't safe from attacks or from hackers, so you should do everything you can to put a proper level of protection in place, right from the beginning.
A small business means that you're either just starting it, or you're in the process of growing it. Either way, you need to have all the online security aspects in place so that you won't face problems later.
Later it will be harder and more complicated to resolve them.
It is true that we only hear about big companies when it comes to data breaches or hacker attacks, but this is only because of their size. Big companies are well known, and they are worth news headlines. Smaller businesses face the exact opposite treatment: they are not well known, hence they are not quite worth the media's attention.
Online security represents the whole set of actions taken to protect yourself online: antivirus, responsible behavior regarding suspicious links, using a VPN when using a public WiFi and so on.
According to Wikipedia, Cyber security "is the protection of computer systems from theft or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide."
So I do believe that, in a way, cyber security is one part of the set of online security actions. You have to protect your computer (or computers) from various cyber attacks, and you do this by installing various software or even just by being responsible about which websites you're visiting.
The unfortunate aspect is that small businesses are often the ones targeted by hackers. Why? Because they are more vulnerable than others. Thinking that, because you have a small business, no hacker will be interested in doing you harm is wrong and irresponsible.
Hackers know this, so why should you put your whole business at risk? Not to mention that, let's say, you make a great impact over the course of one year; the whole business thrives and becomes bigger. Would you want to take stronger security measures only then? I tell you, it will be harder. And by the time you finish, some hacker might already be trying to compromise your security.
It is best to start with strong security actions right from the start of your business. You'll be able to put in place some rules among your employees, rules that you'll be able to modify in case you see they don't work as you expect. The plus side of this is that you'll be able to quickly learn what works and what doesn't, because you have few colleagues.
If you start creating security rules when your business is bigger, it will be much more difficult to measure, apply and modify them. Think of this: 5 people vs 100 people. Just think about the work you'd have to do with 100 colleagues who've already been in your company for some years, and who got used to other rules.
A breach is a rupture, a gap, a break. It means that something that should have been flawless now offers an "opportunity" for various malicious "things". The term "breach" can be used in almost every aspect of our lives: dermatological, friendship, construction etc.
Of course, we are now referring to the breach that can happen in the IT department.
Data breaches can be either intentional or unintentional. The intentional breaches are caused by an employee who releases secure and private data/information. To someone who can't be trusted, of course.
The unintentional data breaches can be caused by two factors:
- Hackers, but only because of a weak password.
Hackers will try to get access to pieces of private information because they will be able to ask for money in exchange for the private data. As soon as they identify a business that "has potential", they will try to do everything in order to create a breach. Some of the methods they use will be described later.
There are situations when hackers create bots; they send these bots to multiple businesses, and their job becomes easier. The bots don't get tired, so they can constantly search for the weak password that's needed for a breach.
Even though most of the following situations are related to data breaches and data theft, it's best to treat them separately, as they can have somewhat different purposes.
I've mentioned phishing in some other article, where I made an analogy between fishing and... phishing.
Even though phishing starts with the hacker's idea of trying to get some private data out of a business, it ultimately comes down to the employee's ability to discern between a false email and a real one.
Most phishing methods use some way of communicating with the receiver. The receiver gets either an email or a text message. It is confusing for the receiver because emails and text messages are quite personal. Not to mention that the emails and the text messages are quite convincing; they try to be as similar to the original as they can be. Let me explain.
Let's say you are used to receiving text messages from your bank; they inform you about your account, your purchases and so on. But one day you receive something that seems to be from your bank, but it looks a bit odd: the link it sends you to looks a bit different from those you normally receive, and even the sender has a different number.
There are people who will click on the link in the message, getting to a page that's extremely similar to the bank's website. At this point, they may think everything is OK. Unfortunately, it's not. The replica website now starts to collect data, and if the receiver begins to input private data (bank accounts, passwords etc.), they are compromised.
This situation can be tricky for a small business, because the employee might do this at work, where he browses on the company's network. Hackers might get to other private data, not just the personal data.
DDoS is actually an acronym for Distributed Denial of Service. I talked about this in the article where I was mentioning games.
A small business might not have a particularly powerful server, but DDoS attacks can happen to anyone who doesn't have proper protection.
Nonetheless, these attacks are targeted at servers: the attacker overloads the server with requests. The server doesn't have the capacity to handle so many requests, so it shuts down.
For a small business, this can be a difficult situation. Let's say they are focusing on selling products online. Such an attack will shut down their website, meaning that they will lose money. Not to mention that the whole network might be affected, and if there's a small building with a few offices, it means that everybody has to stop working. Until they figure out what can be done, and how they can repair the damage, they will lose precious time, and money.
Malware is just the general term for malicious software; under its umbrella you can find lots of different programs whose sole purpose is to cause damage. For the full details regarding each type of malware, head over to our article:
Getting infected with malware is quite easy, because it can happen through multiple methods: emails, ads, links sent through Skype, software, USB drives etc.
Let's take this case: if an employee receives a link from a friend through Skype (I am mentioning this platform because it's the one where I've actually seen this case), and clicks it thinking "What did this friend send me?", he will immediately be infected with a type of malware. Now he will send links to his friends, without knowing, and the spread of the malware increases. Links can also be sent on other platforms, such as LinkedIn.
The idea is that this malware can infect your computer, get access to your account and your personal data, and infect others in your contact list.
Let's not forget about the fact that we live in the Bitcoin era. So there's a new purpose for account/computer infections: to use that computer for mining. As a result, your computer, and even your server, will become slow and hard to use. Not a fun situation for a small business that relies on every piece of resource it has.
You can get this "Bitcoin virus", as it's sometimes called, not only through malware but also through a server attack (hackers have bots that specialize in finding weaknesses in website code, weaknesses that help them run this mining software).
Ransomware is a type of malware, of course. But it is one of the biggest threats, because it does a lot of damage. Not only does it block your network, your computer, and hence your whole business, it also asks for money in exchange for the release.
For a small business, this can be quite hard to cope with, as the ransom is quite expensive. The sad part is that you won't have the certainty that you'll get all of your assets back. Hackers might leave with the money, as well as what you've created.
This ransomware is spread through emails or through infected websites. Once you click on the link in the email or you visit the infected website, if you don't have proper protection, the malicious software is installed on your computer.
I've come across this type of attack; nowadays I think that bots are usually set up to do it. They try to get access to a website or to an account by constantly trying passwords. Of course, it's quite easy to notice this kind of attack, but you have to be vigilant. Don't rely on the fact that your password is strong: from your point of view it might be, but that bot can be really "smart".
For this you can and should enable some kind of two-factor authentication wherever it's possible. On the front end you can also use a CAPTCHA to make sure there's no bot trying to get access to your website.
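Noticing the attack described above means watching your login logs for repeated failures from one source. The following script is an added example, not code from the original article; it assumes a simple constructed log format (`FAILED`/`SUCCESS login user=... src=...`) and flags any source address with five or more failed logins inside a one-minute sliding window, listing the usernames it tried.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one line per login attempt.
SAMPLE_LOG = """\
2019-05-15 10:00:01 FAILED login user=admin src=203.0.113.7
2019-05-15 10:00:02 FAILED login user=admin src=203.0.113.7
2019-05-15 10:00:02 FAILED login user=admin src=203.0.113.7
2019-05-15 10:00:03 FAILED login user=root src=203.0.113.7
2019-05-15 10:00:04 FAILED login user=editor src=203.0.113.7
2019-05-15 10:00:05 FAILED login user=admin src=203.0.113.7
2019-05-15 10:01:10 FAILED login user=maria src=198.51.100.20
2019-05-15 10:01:40 SUCCESS login user=maria src=198.51.100.20
2019-05-15 11:30:00 FAILED login user=admin src=203.0.113.7
"""

# Assumed log format; adapt the regex to whatever your server actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("src")


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag every source with >= `threshold` failed logins inside any sliding
    window of length `window`. Returns {src: set of usernames it tried}."""
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> usernames seen in its failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "FAILED":
            continue  # successful logins don't count toward the threshold
        q = recent[src]
        q.append(ts)
        users_tried[src].add(user)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = users_tried[src]
    return flagged


if __name__ == "__main__":
    for src, users in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} usernames tried ({', '.join(sorted(users))})")
```

A source that cycles through several usernames in seconds is the bot pattern the text describes; a single user who fails once and then succeeds is not flagged.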
Never let an employee leave your company on bad terms. That single employee might know a lot of passwords, and he can immediately do your business harm.
It will be harder to detect him, as it will not set off an alarm like the one above (somebody trying various versions of a password). His profile can be checked immediately, of course, but he can steal private information before you even notice.
What you can do is immediately change all the passwords and revoke the former employee's access.
As I said above, the best thing that you can do is to start with proper security measures right from the beginning. I'm sure you don't want to lose everything that you've built just because of some hacker.
Since you, as a CEO, might not have programming skills, you'd have to hire a person or two who will help you. You can also hire a company that specializes in this. Either way, I would suggest you follow some easy online course about online security and all that it implies. This way, you'll be able to better understand the risks and how you can cope with them.
There are quite a few free courses on Udemy about networking and security. Of course, you can also buy paid ones, because they are super cheap.
Now here are some things that you should be aware of while thinking of the security of your small business.
Not a single version of any software is 100% secure; there might be vulnerabilities that the developers don't know about. Hackers can identify them, and so you, as an end user, will be targeted. That's why it's best to keep your software up to date: even if hackers find a way to crack the previous version, you'll be safe, because you're on the next one.
I said "software" as it refers to a whole range: your website's platform, your anti-virus software, your communication tools - every single tool that you're using in order to keep your business up and running.
This doesn't refer only to the software that your employees are using. It also refers to what type of software you're offering to your clients (in case you are selling such things). It's a matter of constant verification and updates, in order to keep away the sneaky hands of a hacker.
Take the example of fire drills: people are taught what to do in a fire, how to act and where to shelter. It also reveals situations when a specific place is not as good a shelter as it was thought to be.
The idea is that it's easier to actually act than to just think. It's easier because it reveals a lot more possible situations than what you're imagining. Run a drill among your employees, and let them know what they should do in case of a hacker attack.
Maybe most of them haven't had the chance to see how a cyber attack works, and what happens if there's a data breach or a network malware infection. Showing them examples is the easiest and safest way to make sure they'll remember what they have to do.
The new GDPR regulation, which applies in the European Union but also reaches other countries, states that in case of a data breach you, as a company, have to inform your clients immediately. People should know that their data has been exposed and, of course, that you're doing everything you can to solve this.
Even without this regulation, informing your clients is the ethical way. Think of it like this: you have a small business, with a bunch of clients; if they find out from somewhere else that you've been hiding the data breach, they will instantly leave your business. They will not buy from you anymore, and they will inform others that you're a liar. Which is an extremely bad situation.
It's best to let them know before anyone else does (they might notice unauthorized card transactions themselves). You can also create a specific policy where you state exactly what happens in case of a data breach.
This way, your customers will know right from the beginning how you will cope with this kind of situation, and what they should expect.
It is important to understand that most security risks and issues that can arise in a small business, or any online business for that matter, are caused by ill-prepared personnel. Indeed, there are instances where the actual technology fails: your server host goes down, or a software vulnerability is exposed in some widely used program. However, these are isolated instances, since most popular open source or paid software is thoroughly tested by an entire community.
Furthermore, dedicated hosted solutions backed by powerhouses such as Amazon and Google have entire teams of security specialists who spend most of their working time on providing a safe and secure platform for your business.
If you don't have this kind of hosting, then your IT team should spend some time assessing all the risks that can exist, testing them, and then fixing them immediately. It's better if you are the one finding the risks than if a hacker does it before you. Testing your business's security is one of the best ways of finding potential weaknesses.
Think about it this way: you have insurance for your phone, for your house, even for the headquarters of your business. Why not choose insurance that can help you in case of a data breach? It's a safety net that can seem useless until something bad happens; then it becomes a life saver.
Not only will the insurance save you, as a business, but it will also protect your customers. If they know that you put in the effort and invested a bit more in their own good as well, they will definitely be impressed. Which ultimately translates into more sales, happy customers, and more customers.
You might think that all browsers are the same regarding their security level. You'd be a bit wrong, because each browser is different. Some browsers are a bit safer (and some considerably safer) than the classic ones.
Epic browser is one of the safest browsers, and it also has something super interesting. It's safe because all the history is erased the minute you close the window, and it uses an encrypted proxy, which basically makes your data invisible to third parties.
It's interesting because it has a feature that helps you see exactly who's tracking your online activity; yes, most websites have these trackers that spy on your activity.
Nonetheless, there are other safe browsers that you can consider. For this, I invite you to read our article about the most secure browsers:
Even though its name refers to only one kind of malware, this type of software has evolved and now protects your computer from pretty much everything. Some of them even have a VPN built in.
For those cases when one of your employees doesn't know better or doesn't pay attention and clicks on a suspicious link, this is the solution. It is a safety net in case of irresponsible behavior. This is why an antivirus is still useful.
Not to mention that some of them have extra features: they instantly scan each email (if you use Outlook), they protect you from ransomware and they warn you in case something wrong is happening.
Whether you'll create your own VPN, or you'll get a subscription for a VPN service, you'll get the same benefits. The most important of all is that you'll be safe online. Before we move any further, here's how VPNs work - you might know it already, you might not.
Now that you've understood the mechanism of a VPN, let's go further and see some of its benefits. First of all, your IP is effectively changed, and your data is encrypted; this means that no one is able to trace you or to see your online activity.
With this in mind, DDoS attacks will be close to zero; whoever targets you actually targets the fake/virtual IP, so no request will get to you. This means that your server can't be blocked.
Moreover, VPNs were created, in fact, for small, remote teams. Even if you don't have employees that work from their home, maybe you'll sometimes need to connect to your server from your home (or from another country, because you're traveling). The safest way to do this is through a system that accesses the local network from anywhere. The data that's exchanged in this process can't be seen by others, and can't be stolen.
Let's not forget about the smartphone apps. I advise you to buy a VPN subscription, because the free ones might come with a cost (DNS leaks, log keeping and so on). Most VPN services also offer smartphone apps, which come in handy for you and for your employees. Whenever they have to connect to an unknown network, an unsecured one or a public one, they'll be safe, because they will use the VPN app. It works exactly like the desktop version does.
With all this in mind, you should realize that your team is the main vulnerability when it comes to potential attacks. In general terms, there are two main branches of your business that can be exposed to attacks, each of them having a different set of rules they'll need to abide by.
The IT team
Even in a small business, you'll probably have a couple of tech guys that will handle your server maintenance or your website updates.
Generally speaking, these employees are well trained when it comes to technology and the possible threats that could occur in such a system.
However, the software security world is in constant change, and a wide variety of new attacks and available solutions pop up every year. You should take all the necessary precautions to make sure you have a well-trained IT team that is up to date with all the accepted norms of the online security scene.
Furthermore, all new software added in the system should be scanned and analyzed in order to avoid possible vulnerabilities added either maliciously or simply by mistake.
Finally, external security audits can be employed for a relatively small cost. These audits will give you access to security professionals that can review your entire system and come up with a package of proposed solutions to improve your overall security.
The customer facing team
In most small businesses you'll have customer-facing personnel. From administrative duties to order fulfillment or customer service, in the internet/technology era most of your employees will work in front of a monitor.
While they don't have access to the inner workings of your server or software, they are also less likely to be trained in anything related to software security. Because of this lack of knowledge, they will be the target of most attacks.
Train them to always be cautious with links and attachments sent via email, since this is a very common way of attacking potential victims.
Also, make sure they are always using secured connections when interacting with customers or handling sensitive information such as customer private data or credit card information.
Finally, enforce a system where any new software added to their workstations has to be screened and approved by your IT team.
For more information regarding VPNs, online security, malware and more, head over to our blog and explore all the articles.