Published April 27, 2021
Do you leave the doors of your business unlocked when you close for the evening? Of course not. But what about your digital doors?
Rapid digitization during the pandemic has been a good thing for small businesses looking to diversify and add more sustainable revenue channels—but it also comes with potential risks. Thankfully, there are simple, powerful strategies that businesses can use to achieve peace of mind in the digital era.
Since the digital side of your business runs 24/7, applying simple cybersecurity strategies to your small business’s online activity is the digital equivalent to locking up shop. Cybercriminals are opportunistic, so as long as you don’t “leave the door open” for them, you’ve vastly reduced any risks from the get-go.
Whether you’re a growing retailer delving into e-commerce for the first time, a small restaurant ramping up online delivery, or something else entirely, the internet can potentially open doors for wrongdoers looking to capitalize on vulnerable small businesses. Don’t be alarmed. Digital transformation makes cybersecurity for small businesses a priority, and there are fool-proof ways to make sure your business stays safe.
Cybersecurity can be an intimidating topic for the uninitiated, but getting the basics down is imperative, whether you’re “just using email and maintaining a website” or something more complex like cloud computing. The first steps are understanding the common threats and the negative impacts they can have, then working to prevent them.
The most common types of cyberattacks play on openings to find a way into unwitting businesses. The “in” in this case means access to an internal network—think of it as trespassing on a physical business property but online. And unfortunately, small businesses can lack expertise or awareness of what’s at stake and how they can be compromised.
The first, known as “phishing,” has been around as long as email has and is more prevalent now than ever before. This scam doesn’t involve sophisticated hacking; instead, it relies on old-fashioned trickery to get a user to perform a specific action—usually something as innocuous as clicking a link. Phishing scams typically present themselves in the form of emails, with the actions taken granting the perpetrator confidential information that will give them access to private systems.
An example of an (obvious) phishing email attempt.
Be on the lookout for these typical phishing email characteristics:
The next common type of cyberattack comes in the form of malware—“malicious software” intended to cause data breaches and expose system weaknesses. Malware infections are commonly referred to as “viruses,” but this isn’t exactly correct in that “virus” only applies to the most severe autonomous malware infections. This makes viruses particularly difficult to clean up—but thankfully, more common malware is easier to detect and remove using over-the-counter cybersecurity software.
A business is at risk when files containing malware are downloaded, unbeknownst to the user, that then disrupt internal systems. Extensive malware infections have been widely publicized in the past few decades, with the most recent and notorious being “CovidLock,” which installs itself through files that promise to provide useful information related to the pandemic.
An attempt to play on COVID fears to initiate the download of malware.
Commonly known types of malware are:
The final common type of cyberattack is one that’s a sad reality for upstanding businesses—an insider attack. As the name suggests, it involves someone on the inside causing exposure to sensitive information and data.
Insider attacks affect cybersecurity for small businesses and large corporations alike—Tesla, for example, fell victim to an attack in 2018 where an insider caused, as CEO Elon Musk put it, “quite extensive and damaging sabotage ... direct code changes to the Tesla Manufacturing Operating System ... and exporting large amounts of highly sensitive Tesla data to unknown third parties.”
Insider attacks are best prevented through employee training initiatives and airtight security protocols. More on this later.
We’ve listed some of the most well-known cyber threats, but it’s still worth doing your own research on advanced persistent threats, password attacks, man-in-the-middle attacks, and more to give you more confidence in securing your small business.
There is a lot at stake when it comes to cybersecurity for small businesses. So, understanding the consequences of cyberattacks is just as important as being knowledgeable about the threats themselves.
No small business deserves to have their hard work sabotaged—you want to make sure security is in check, so you can focus on growth. Rest assured, taking action against cyber threats will allow you to avoid these potential negative effects:
There are a few absolute necessities to get you started on securing your small business from cyber threats.
Secure your networks.
Wi-Fi is everywhere nowadays, and it’s the first place to look when ensuring your business is cyber secure: “Network security strategies are all about preventing unauthorized use and misuse of your computer network—in other words, the devices and data controlled by your network administrator.”
Make sure to use strong passwords to keep your networks private, and use separate networks for important business activities and other uses (IoT, public access, etc.). In 2017, hackers managed to funnel 10 gigabytes of sensitive data out of an American casino by accessing a network-connected smart fish tank control device. This is a cautionary tale for keeping a lock on private networks and being aware of any devices that could be compromised.
Back up your data constantly.
Data backups are fundamental to cybersecurity for small businesses. Not only will they safeguard your business from malicious demands from ransomware, but you will also be protected in the case of force majeure or events like data corruption or physical damage.
Keeping multiple backups is ideal. Cloud storage is seamless and convenient but still liable to be breached by cybercriminals. Make sure you’re regularly backing up important data physically—on a separate, offline hard drive—to be 100 percent certain you have that information on hand if something goes wrong.
Keep everything up to date.
Software patches prioritize security improvements, as developers recognize that cyber threats are continuously evolving. Just as biological viruses can mutate and cause problematic infections among human beings, outdated software won’t have the “immunities” needed to protect from new malicious software or hackers.
Keeping all software up to date is important not only to protect from cyber threats but also to avoid service interruptions and bugs and to keep your business running smoothly.
Properly training your employees on cyber threats and how to prevent them is one of the most important steps you can take to protect your small business. Cybercriminals look to exploit openings, and more often than not, those vulnerabilities come from human mistakes—accounting for an astonishing 95 percent of cyber breaches, according to a study by IBM.
Human errors as they relate to cybersecurity typically stem from a lack of awareness, proper training or a distracting work environment. According to Micke Ahola with usecure, there are two types of human error that contribute to cyber breaches:
Now that you’ve built up a good foundation of cybersecurity knowledge, it’s time to share that knowledge with your team and minimize threats to your small business.
Developing and maintaining a security-first company culture is the greatest defense against cyberattacks. The best way to begin fostering a security-first culture is by teaching employees the same cybersecurity basics you learned: how to recognize the most common types of cyberattacks, what’s at risk for the business, and what the absolute essentials are.
Once everyone is on the same page with the basics, try elevating cybersecurity efforts through:
Putting too much pressure on your employees to maintain cybersecurity can lead to anxiousness. As Martin Jones writes for Cox BLUE, “many people look at the news of a massive data breach and conclude that it’s all the fault of some hapless employee who clicked on the wrong thing.” Nobody wants to be in a position to receive the blame for a cyber breach, and the added pressure can actually increase the likelihood of human error.
Instead, your business should focus on laying the groundwork and continuously supporting staff on cybersecurity best practices. Once habits are formed, the extrinsic pressure won’t be so significant.
Strong passwords are the cornerstone of cybersecurity. There are running jokes of businesses and decision makers using “password” or “123456” to secure important accounts. Jokes aside, the sad thing is that these examples still actually happen today. Businesses need to go the extra mile and make sure their entire teams are exercising password best practices.
Simple passwords are completely outdated, and it takes more than a slightly crafty misspelling to throw off hackers looking to bypass the logins of vulnerable businesses. Remember that ill-fated time a CNN “technology analyst” suggested using “pa$$word”?
Ensuring that employees understand how vital it is to use strong passwords goes a long way toward keeping your business protected. It doesn’t have to be difficult, either. Make sure that employees:
Here’s a visualization of (roughly) how long it would take a skilled hacker to “brute-force” passwords of different complexities:
The time it takes hackers to bypass passwords increases exponentially the more complex the password is.
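To put numbers on the brute-force estimate, and to show why “pa$$word” fails despite looking complex, here is a short password check added as an illustration (it is not part of the original article). The guessing rate, the 100-year threshold, the four-entry common-password list and the sample strong password are all assumptions made for the example.

```python
GUESSES_PER_SECOND = 1e10            # assumed offline guessing rate; real rates depend on the hash
CENTURY = 100 * 365.25 * 24 * 3600   # assumed "long enough" threshold, in seconds
COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed stand-in for a real list
# Undo the usual character swaps before the dictionary lookup.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})


def charset_size(pw):
    """Size of the alphabet an attacker must cover for the character classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols, including space
    return size


def brute_force_seconds(pw):
    """Worst-case time to try every string of this length over that alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def is_dictionary_variant(pw):
    """True if the password is a common one, directly or after undoing swaps."""
    low = pw.lower()
    return low in COMMON or low.translate(LEET) in COMMON


def assess(pw):
    # Dictionary guesses are tried long before exhaustive search, so check them first.
    if is_dictionary_variant(pw):
        return "weak: dictionary variant"
    if brute_force_seconds(pw) < CENTURY:
        return "weak: brute-forceable"
    return "ok"


if __name__ == "__main__":
    # Constructed sample passwords; the first three are the ones the article mentions.
    for pw in ["123456", "password", "pa$$word", "T7#qLm9!vRz2$Xpe"]:
        print(f"{pw!r:22} {brute_force_seconds(pw):10.3g} s  {assess(pw)}")
```

Each extra character multiplies the search time by the alphabet size, which is the exponential growth described above; the dictionary check is what catches a misspelling that pure length-and-symbol counting would rate as acceptable.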
One of the best tools in your small business’s cybersecurity arsenal is the use of a password manager. These programs store complex, computer-generated passwords for all separate business accounts in a virtual “vault” and can be used company-wide. Check out 1Password or Bitwarden for paid and free password management options, respectively.
The final step in defending your small business against cyber threats is to use the right technology stack and strategy. When cybercriminals are faced with resistance, they’ll typically move on to an easier target, so a little can go a long way when it comes to cybersecurity software.
This is fundamental. Modern antivirus software is designed to do the heavy lifting in detecting and removing cyber threats. Antivirus software isn’t just single-use protection; it’s “a package of evolving defense mechanisms designed to protect your computer against the constant barrage of known, unknown, and ever-shifting malicious threats devised by hackers, trolls, and cybercriminals,” according to Stewart Wolpin with U.S. News.
Antivirus software is capable of scanning thousands of files in seconds, then removing any threats it finds. As developers of antivirus software and hackers constantly try to one-up each other, you shouldn’t expect it to protect against every new threat, though, and it’s best used in coordination with proper training and a security-first culture.
To best protect your small business, use antivirus software from a well-known brand that’s optimized for businesses. Also, look for advanced security features—VPN, password management and file backup, to name a few—and regular updates to address evolving cyber threats.
Firewalls monitor traffic in and out of a private network and decide to either allow it or block it based on pre-defined security rules. Obtaining access to a private network is exactly how most cyberattacks take place, so the value of a firewall is self-evident.
Firewalls aren’t only for preventing nefarious access from outside a network, but they can also control internal traffic. An article by Forcepoint used a house as an excellent analogy for how firewalls protect private networks:
“Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house ([IP] address)—then it’s further filtered so that people within the house are only allowed to access certain rooms (destination ports) ... The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).”
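The house analogy translates directly into a rule table evaluated top to bottom. The sketch below is an added example, not taken from the article or from any firewall product; the addresses, ports and rule order are constructed. It also flags a common configuration mistake: a block rule placed after a broader allow rule never takes effect.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set following the analogy; every address and port is an assumption.
# Each rule: (action, trusted source network, destination ports or None for any port).
RULES = [
    ("allow", ip_network("192.168.10.5/32"), None),        # the "owner": any room
    ("allow", ip_network("192.168.10.0/24"), {443, 993}),  # staff: two rooms only
    ("block", ip_network("192.168.10.77/32"), {443}),      # smart device, added too late
    ("allow", ip_network("192.168.20.0/24"), {443}),       # guests: one room
]


def decide(src, dst_port, rules=RULES):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    addr = ip_address(src)
    for action, net, ports in rules:
        if addr in net and (ports is None or dst_port in ports):
            return action
    return "block"  # default deny


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    _, e_net, e_ports = earlier
    _, l_net, l_ports = later
    ports_ok = e_ports is None or (l_ports is not None and l_ports <= e_ports)
    return l_net.subnet_of(e_net) and ports_ok


def shadowed(rules=RULES):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(covers(rules[j], rule) for j in range(i))]


if __name__ == "__main__":
    # Constructed sample traffic: (source address, destination port).
    for src, port in [("192.168.10.5", 22), ("192.168.10.23", 22),
                      ("192.168.20.8", 443), ("203.0.113.9", 443),
                      ("192.168.10.77", 443)]:
        print(f"{src:15} -> port {port:<4} {decide(src, port)}")
    print("shadowed rule indexes:", shadowed())
```

The last sample packet is allowed even though a block rule names that device, because the staff rule above it matches first; moving the block rule ahead of the staff rule, or placing the device on its own network segment, closes that gap.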
There’s a lot for small business owners to learn, sure, but rest assured that educating yourself and your team and using the right tools goes a long way toward eliminating threats before they become dangerous. If you’re implementing a cybersecurity strategy for the first time, also keep in mind that it’s an ongoing process. Cybercriminals are always looking for new ways to cause trouble, so business owners have to remain vigilant.
While monitoring and protecting your business’s network and computers using antivirus and firewall technology are great foundations for a full-scale cybersecurity strategy, remember that continuous learning and training in tandem with software are key to creating the best defense. Stay safe!