For small businesses, cyberattacks might sound like something they do not need to think about, because cyber criminals only go after big, lucrative targets, right? Why would they bother with a small business? The unfortunate truth is that small businesses can make very tempting targets for malicious hackers and cyber criminals, because they hold the same kinds of data that large businesses hold, such as personal information, credit card details, passwords and more. But the nature of small businesses means that this information could be held less securely than it is within larger organisations, especially if there is no specialist information security employee on staff. Small businesses can also prove tempting to hackers looking to gain access to a bigger company as part of a supply chain attack – by compromising a small business that supplies a larger organisation, the attacker could use that access to help infiltrate the network of the larger business partner.
No matter what kind of cyberattack a small business falls victim to, whether phishing, ransomware, malware or any other kind of malicious activity where attackers can access and tamper with data, the results can potentially be devastating. In some cases, the cost of falling victim to a cyberattack has even forced organisations to close permanently. Fortunately, it is possible to help keep your business and employees secure online. Here are some basic cybersecurity pitfalls that you should try to avoid.
1. Do Not Use Weak Passwords to Secure Online Accounts
Cyber criminals do not need to be highly skilled to break into business email accounts and other applications. In many cases, they get in because the account owner is using a weak or easy-to-guess password. The shift towards cloud-based office applications and remote working has also given cyber criminals additional opportunities for attack. Remembering many different passwords is difficult, which leads people to reuse simple passwords across multiple accounts. This leaves accounts and businesses vulnerable to cyberattacks, particularly because cyber criminals can use brute-force attacks to quickly run through a list of commonly used or simple passwords.
You should also never base your passwords on easy-to-discover information, such as your favourite sports team or your pet’s name, because clues on your public social media profiles could give this information away. A different password should be used to secure each account – a password manager can help users by removing the need to remember every password.
2. Do Not Ignore Multi-Factor Authentication
It cannot be ruled out that even a strong password will end up in the wrong hands. Cyber criminals can use tricks, such as phishing attacks, to steal login details from users. Multi-factor authentication (MFA) provides an additional barrier to account compromise by requiring the user to respond to an alert, often via a dedicated MFA application, to confirm that it really is them attempting to log in to the account.
That extra layer means that even if a cyber criminal has the correct password, they cannot use the account without the account owner approving access. If a user gets an unexpected alert saying that someone has attempted to log in to their account, that is a sign their password may already be in someone else’s hands: they should report it to their IT or security team and reset their password immediately, so cyber criminals cannot continue to abuse the stolen password. Despite calls to use multi-factor authentication – also known as two-factor authentication (2FA) – being among the most commonly issued pieces of cybersecurity advice, many businesses are still not using the technique. This is something that needs to change.
3. Do Not Put Off Applying Security Patches and Updates
One of the most common techniques cyber criminals use to breach and move around networks is taking advantage of security vulnerabilities in applications and software. When these vulnerabilities are disclosed, the vendor of the affected operating system or application will usually release a security update to fix them. The security patch fixes the flaw, thus protecting the system from cyber criminals attempting to exploit it – but only if the update is applied. Unfortunately, many businesses are slow to roll out security patches and updates, leaving their networks and systems vulnerable to hackers.
Sometimes these vulnerabilities are left unpatched for years, putting the business and potentially its customers at risk from cyber incidents that could easily have been prevented. One of the key things a small business can do to improve cybersecurity is to set out a strategy for applying critical security updates as quickly as possible. This can be achieved by setting up the network so that software updates are applied automatically, or updates can be dealt with on a case-by-case basis. What is vital to recognise, however, is that critical security updates – often highlighted by cybersecurity agencies like CISA – should be applied as soon as possible.
4. Do Not Forget About Antivirus Software or Firewalls
Antivirus software is there to help protect computers and people from cyber threats including malware and ransomware, but these tools cannot help anyone if they are not installed or not active. To improve cybersecurity, small businesses should install antivirus software on every computer and laptop on the network. These days, antivirus software is often bundled for free with popular operating systems, but there is also the option of installing a product from a dedicated antivirus vendor. However, you cannot simply ignore antivirus software after installing it. As with other software, antivirus tools become obsolete against evolving cyber threats unless they are kept current, so you will need to install updates and patches as required. Installing spam filters and firewalls can also help employees stay protected against cyberattacks. As with antivirus, these tools must be turned on and kept updated to be effective.
5. Do Not Leave Employees Without Cybersecurity Training
Even if your small business only has a handful of employees, it is important to provide tools and training around cybersecurity awareness, because all it can take to give malicious hackers a way into the network is one person inadvertently making an error. For example, an employee could mistakenly click on a link in a phishing email and install malware on the network, or they could fall victim to a business email compromise scam and transfer a large sum of money to someone claiming to be a business partner or even their boss. Therefore, educating employees on how to recognise phishing emails, suspicious links and other potential methods of attack is vital for keeping data, money, personnel and customers secure. It is also important that employees know who they should report suspicious activity to, so that suspected cybersecurity incidents can be investigated and contained early.
6. Do Not Ignore Backups
Even if there are only a handful of computers on your network, one of the key things you should be doing to make systems more resilient to cyberattacks is producing regular backups of your data. This means that if an incident encrypts, wipes or otherwise brings the network down, there will be a recent copy of all of your data that can be restored, allowing a relatively quick return to normal. The backups should be updated regularly so that the data stored within them is as recent as possible, and they should be stored offline, so that any attackers who get into the network cannot reach and wipe them.
7. Do Not Leave Your Network Unmonitored
Setting up the network with controls to help prevent cyberattacks is useful, but small businesses should not install tools, ignore them and hope for the best. Someone in your business should have responsibility for monitoring activity on the network for potentially harmful behaviour. This starts with knowing which computers and other internet-connected devices make up your network, because you cannot defend what you do not know about. Then, you will need to ensure these devices are protected with the right updates.
Identifying the internet-connected devices on the network might sound like a simple task, but it can get complicated quickly. These devices do not just include computers; there are also IoT devices, point-of-sale machines, security cameras and potentially much more. All of these devices could be exploited and abused by cyber criminals if they are not managed correctly, so taking the time to audit your network and fully understand what is on it is vital. It is also important to know what constitutes normal behaviour on the network and what would count as suspicious or irregular. If your small business suddenly sees logins from the other side of the world, for example, that could be a sign that something is wrong and needs investigating.
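As an added illustration of the kind of check described above (example code, not from the article or any product): a small Python script that learns which countries each user normally signs in from during a baseline period, then flags successful logins from an unfamiliar country or from two different countries within a few hours. The log format, the user names and every log entry are constructed for this example.

```python
# Added example (not from the article): flag sign-ins from a country a user has
# never used before, and "impossible travel" between two countries in a short
# window. Log format and all entries are constructed for illustration.
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>\S+)$")

# Constructed sample log: alice normally signs in from GB, bob from US.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice country=GB result=success
2024-05-01T08:40:09Z user=bob country=US result=success
2024-05-02T09:14:27Z user=alice country=GB result=success
2024-05-03T07:58:03Z user=alice country=GB result=success
2024-05-03T08:21:55Z user=alice country=RU result=success
2024-05-03T11:30:12Z user=bob country=US result=failure
"""

def parse(log_text):
    """Turn matching log lines into dicts sorted by time; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_logins(log_text, baseline_days=2, travel_window=timedelta(hours=4)):
    """Learn each user's usual countries from the first baseline_days, then alert on
    successful logins from an unseen country or within travel_window of a login
    from a different country. Returns a list of (user, timestamp, reason)."""
    events = parse(log_text)
    alerts, seen, last = [], {}, {}
    for e in events:
        if e["result"] != "success":
            continue                               # failed attempts do not establish location
        u, c, t = e["user"], e["country"], e["ts"]
        if t < events[0]["ts"] + timedelta(days=baseline_days):
            seen.setdefault(u, set()).add(c)       # baseline period: learn, do not alert
        else:
            if c not in seen.get(u, set()):
                alerts.append((u, t, f"login from new country {c}"))
            prev = last.get(u)
            if prev and prev[1] != c and t - prev[0] <= travel_window:
                alerts.append((u, t, f"impossible travel {prev[1]}->{c}"))
        last[u] = (t, c)
    return alerts
```

On the constructed log, alice's 3 May login from RU produces both alerts, because it is a country never seen in her baseline and it follows a GB login by under half an hour.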
8. Do Not End Up Facing a Cybersecurity Incident Without a Plan
Even if you have a solid cybersecurity strategy, there is still a chance that cyber criminals could breach the network and use their access for nefarious ends, whether that is installing ransomware, conducting espionage, stealing credit card information or carrying out countless other malicious attacks. If one of these events occurs, it helps to have a plan that can be put into action, and that plan should remain accessible even if the network ends up offline. Having a plan in place – covering how the business will respond to a cyberattack, how it could continue operating, and which cybersecurity agencies and investigators should be contacted – will help your business deal with a stressful situation with some semblance of strategy and calm.
Note: If you are looking for more advice, the NSA and FBI have a list of 10 cybersecurity errors that could let hackers into your systems.