Many small business owners feel they’re not an attractive target for cybercriminals. Or that simply having anti-virus installed provides all the protection they need. Often they only see large companies being hacked in the news headlines so think it’s never small businesses in the firing line.
Unfortunately big company cyber-attacks are more interesting so are the ones reported with around 40% of cyber-attacks targeting small business you never hear about. So, the issue of cybersecurity affects companies of all sizes: small, medium and large.
And with data privacy laws, it’s the type of data you store, not just your business size which determines your legal compliance obligations to protect customer data. This means many small businesses are legally obligated to protect the data they handle and are exposed to govt fines up to $10M for major data breaches.
So we’ve provided the below web security checklist to help small businesses audit their current cybersecurity stance to see how they stack up.
Practice Regular Website Maintenance
If you have a website that stores or handles customer data then regular security patching and plugin updates are critical. Many small business owners run their websites on popular content management systems such as WordPress which are excellent and have good security – if they are properly maintained.
Most business owners pay someone to build their website then “set and forget” thinking regular maintenance isn’t required or important. But think of it like patching your Windows computer (or servicing your car). If you never service or maintain your equipment it will become exposed to cyber-attacks very quickly.
In addition, frequent patching and updates of your website will keep it running smoothly and efficiently which helps in other areas (eg; SEO, Google rankings, CX, etc)
Enable Multi Factor Authentication (MFA)
One of the most valuable cybersecurity tools you can implement is multi-factor authentication (MFA). Essentially, it’s a “2 step login” whereby you need a password and code sent to your phone (eg; SMS text message) to login. This adds a second layer of security to your logins and makes it much harder for hackers to defeat.
If your business stores data protected by privacy laws it’s high important all your logins (cloud services like Office365, etc) use multi factor authentication as an additional layer of protection. Most of the common cyber-attacks occur when passwords are stolen (or guessed) and there is no second layer of protection. Setting up this 2 step login is like adding additional locks to your front door.
Using MFA forms part of your mobile security checklist as you need good phone security if deciding to setup MFA and have these codes sent to your phone. It’s not much use if the extra layer of protection (the code) is intercepted by hackers who have your password in hand.
Tighten Your Network Firewall
You may already have a firewall but not understand much about them. Traditionally they’re hardware boxes sitting in your office controlling all the traffic going to and from the office server, eg; when staff login remotely from home.
More often nowadays, firewalls are software based and so less visible. And many wireless routers come with this security feature built-in. All firewalls allow you to set rules around what traffic can enter (and exit) your network so understand the options you have and tighten the rules where possible.
For preventing internet-based attacks, firewalls provide a great first line of defense. They can also prevent unwanted and malicious traffic from leaving your network too should they infiltrate the network other ways (eg; email viruses, software based malware, etc).
Buy Password Management Software
Good password management software should be at the top of any web security checklist. Most small businesses use a spreadsheet to store all their passwords, or even worse use the same or similar password for all their logins.
Password manager software like LastPass, 1Password or Bitwarden not only avoid these issues but also make super strong passwords easier to create. Here are some basic tips for creating strong passwords:
- Make it a combination of 2-3-odd words.
- Include a number, special characters, and symbols.
- Require both upper and lower cases.
- Do not use common and related names.
- Do not use pet names.
- Do not use birthdays or anniversaries.
- Do not use default passwords.
Eg; password123, jennydecember12, brownie1214
Your cybersecurity policies should include a rule for password management that your employees understand and adhere to at all times. In addition, it’s important all employees understand the hazards and increased risk of the business being hacked that comes with using weak passwords (or the same password repeatedly).
Avoid Phishing Emails & Dodgy Links
A tight firewall and modern business grade anti-virus software makes a great start however doesn’t always defend your business from phishing (fake) emails and malicious website links. This is where cyber-awareness training of your employees comes into play. Forewarned is forearm with your cybersecurity so employees must be savvy and aware of what they’re clicking on and the websites they visit.
Phishing is a well known cybercrime due to its easy implementation and usefulness. Hackers don’t need to find vulnerabilities in your systems or website – they simply email your employees something that looks legitimate and have them click on a link or attachment. This cyber-awareness training should be on your mobile security checklist too as many employees access their work email and files form their phones at all hours.
Run Regular Vulnerability Checks
Things change over time and so do your systems and the devices and people accessing them. Being proactive by running regular (ie; monthly) vulnerability checks means you’re alerted to any unauthorised changes to your network, and the people and devices accessing.
A network vulnerability scan can perform these checks. This scan is particularly useful in detecting missing software patches and updates, along with any network changes (eg; ports opened) or new devices connected to the network (eg; smart TV of employee working from home).
Control & Reduce Data Collection Methods
In the first instance, if you don’t collect the data you cannot lose it or have it stolen by hackers.
So step 1 is completing an audit of your data collection processes to determine which are really necessary – what data are you collecting that isn’t really needed. Step 2 is determining whether the data needs to be stored, or can simply be used one time and discarded. Step 3 is determining how long you need to keep data that is being stored (eg; only 7 years for tax purposes).
By controlling (and limiting) the data you gather, you will also limit your customers exposure in the event of a data breach. In addition, informing your customers how you collect and protect their data is a great way to build trust.
You may also want to restrict what information employees have access to, ie; limiting data access based on roles such as financial data only accessible by finance staff. Many companies only give their employees the data they need to do their job. This helps keep them from posing a danger to the business whether inadvertently or maliciously (eg; disgruntled ex-employee with access sensitive data, or leaving to work for a competitor).
Enable Data Encryption
Data encryption is often “out of sight, out of mind” yet provides excellent privacy protection against data theft. If an employee laptop is lost or stolen it’s of little consequence if the data on the hard drive is encrypted. Same with employee phones and tablets should they be lost or stolen.
Lost and stolen mobile devices (laptops, phones, tablets) are highly common in businesses and can be catastrophic should the data fall into the wrong hands, eg; hackers, competitors, etc.
Regardless of how strong your cybersecurity is, it cannot protect you from lost or stolen devices with no data encryption enabled. Encrypting your data should be on both your mobile and web security checklists as it’s simple and easy, and protects you where firewalls and anti-virus cannot.
These 8 checklist tips are not everything however they make a good start. Many businesses have only a few of these tips implemented so just added some of them will make a huge difference to your protection.
In addition, privacy laws now mandate that you protect customer data making it in your financial interests (ie; avoiding govt fines) to ensure your cybersecurity is up to standards.
Failing to protect customer data can also mean lost sales through reputation damage or having your systems hacked and taken offline. The costs to repair your business from a cyber-attack can also be substantial with the recovery process long and painful (especially without cyber insurance to cover these costs).