Throughout the world, countless small business owners avoid investing in online security. This is to be expected given that 84% of them don’t think they’re at any risk. They often believe in security through obscurity: why bother implementing advanced safeguards if you’re flying under the radar? If you can let big brands take the heat, you can proceed with confidence.
Unfortunately for those owners, it isn’t true that small businesses are safe from attacks. In truth, many cyber attacks are aimed at small businesses: the percentage fluctuates, but 2019 figures found that 43% of attacked companies fell into the small business category. And with the average attack costing the victim hundreds of thousands of dollars, it isn’t a trivial threat.
Due to this, cybersecurity should be viewed as a high-priority investment at all levels of business. Here are five convenient tips for keeping a small business safe online:
Ensure that website software stays fully updated
No software system is perfect, and cybersecurity attackers put a lot of time into searching for vulnerabilities to exploit. The longer you go without updating your systems, the more likely it will be that attackers will know how to bypass their security blocks.
Updating your software on a regular basis (often using automatic updates) will protect you from most of these exploits. If you use a self-hosted system like WordPress, consider installing a plugin to force automatic updates where you wouldn’t otherwise be able to use them. And don’t worry about continuity: it’s very rare for an official software update to cause problems.
Train employees on common cybersecurity attacks
Phishing is the process of posing as a trusted person or brand in an effort to convince the recipient to do something. The goal may be to get them to send some files, provide system access, or even transfer some money. And while it often sounds easy to dismiss, it can be extremely convincing, particularly for professionals under pressure.
The average small business has several employees with high-level system access, and any of them could cause serious damage if they fell victim to a phishing attack. You need to make time to train your employees on how to spot phishing attacks so they can work safely. You should also be extremely clear about how you’ll communicate with them: there should never be any confusion about the legitimacy of the messages you send.
If you want more information, you can find various useful pieces about phishing at WhatIsMyIPAddress.com. And if you want your employees to have even more detail, consider outsourcing the training to a company with the resources to cover all the bases.
Shield key accounts with complex passwords and 2FA
If someone wants to interfere with your business online, the first thing they’ll do is look for password vulnerabilities. Using a weak password for a vital system (your CMS login, for instance) will make it possible for an attacker to crack it through a brute-force attack, giving them broad system access that you may not even notice until much later.
Worse still, when a password gets cracked, the attacker will try that password for all known associated accounts. If you’ve made the mistake of reusing your passwords, you may end up with most of your online accounts being compromised.
Bear in mind that you don’t need to remember many unique passwords yourself. A password manager will do most of the work for you, generating a secure password whenever you need one. The password manager login itself must be strong, so you’ll have to remember one top-strength password, but that isn’t too difficult overall.
And by using a convenient two-factor authentication (2FA) option, you can prevent attackers from exploiting password-recovery processes. Link your accounts to your phone number and social engineering will lose whatever’s left of its ability to threaten you.
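The generate-and-never-reuse advice above can be checked mechanically. The following is an added example (not code from the article or from WhatIsMyIPAddress.com) showing, in Python, what a password manager does for you: it generates passwords from the operating system's cryptographic random source, estimates how much brute-force work each one represents, and audits a vault for the two problems the text warns about, weak passwords and the same password reused across accounts. The vault contents, the 60-bit threshold and the account names are constructed for the demonstration.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Character pool a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a random password with the OS CSPRNG (the `secrets` module),
    the way a password manager does. Never use `random` for this."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound estimate of brute-force work: length * log2(pool size),
    where the pool is the union of character classes actually used.
    A dictionary word scores far higher here than it deserves, so treat
    this as a ceiling, not a guarantee."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault: dict[str, str], min_bits: float = 60.0) -> dict[str, list]:
    """Flag accounts whose password is weak (below `min_bits`) and groups of
    accounts that share one password. Reuse is what lets one cracked
    password compromise every associated account."""
    weak = sorted(acct for acct, pw in vault.items() if entropy_bits(pw) < min_bits)
    by_password: dict[str, list[str]] = defaultdict(list)
    for acct, pw in vault.items():
        by_password[pw].append(acct)
    reused = sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)
    return {"weak": weak, "reused": reused}


# Constructed sample vault: two accounts share a password, one uses a
# short lowercase-plus-digits password, one uses a manager-generated value.
SAMPLE_VAULT = {
    "cms": "Summer2019!",
    "email": "Summer2019!",
    "ftp": "hunter2",
    "bank": "q7$Vw2!pLx9#Rt4&Zm1Y",
}

if __name__ == "__main__":
    print("new password:", generate_password())
    print("audit:", audit_vault(SAMPLE_VAULT))
```

Running the audit on the sample vault reports `ftp` as weak and `cms`/`email` as a reuse group; the fix in each case is to replace the password with a generated one and let the manager remember it.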
Run penetration tests and follow the recommendations
No matter how secure you think your website is, you won’t know until you have it tested. Penetration testing tasks experts with attempting to gain access to your systems. They’ll do everything that real attackers would, only they’ll tell you about the weaknesses they find instead of exploiting them. Importantly, they’ll also tell you what to do about them.
After a round or two of penetration testing, you’ll have a good idea of your website’s strengths and weaknesses. Note that it doesn’t have to solely concern your website. You can also have the rest of your online operation probed (social profiles, software logins, etc.).
Schedule regular backups and occasional full backups
Suppose for a second that all your security efforts fail and your website is attacked. You’ll never have flawless security, so it’s a scenario you need to consider. What’s your plan for that situation? Your first goal should be to get your website back to normal, but that’s tough when you don’t know exactly what’s been done.
The smart move after an attack is to go back to an older version of the site, using a backup that was created before any changes were made. It’s resource-intensive to create full backups on a frequent basis, so aim to mix the occasional full backup (perhaps once per month) with smaller but more frequent backups.
This gives you options. If an attack doesn’t cause much damage, you can use one of the most recent backups. If necessary, you can go all the way back to your last complete backup.
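The "options" described above depend on knowing which archives go together: an incremental backup only restores correctly on top of the full backup it was built from. The following is an added example (not code from the article) that models the schedule in Python: a full backup on the first of each month and a daily incremental otherwise, with a `restore_chain` function that, given the date before which you want the site's state, selects the latest full backup before that date plus every incremental after it. The daily cadence, the archive names and the dates are constructed assumptions; a real job would pass the returned labels to whatever restore tool created the archives.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str   # "full" or "incremental"
    label: str  # archive name (constructed for this example)


def _as_date(d: date | str) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def backup_kind_for(day: date) -> str:
    """Assumed schedule: full backup on the 1st of the month, incremental every other day."""
    return "full" if day.day == 1 else "incremental"


def plan_backups(start: date | str, end: date | str) -> list[Backup]:
    """Build the backup set a daily job would have produced between two dates (inclusive)."""
    day, last = _as_date(start), _as_date(end)
    out: list[Backup] = []
    while day <= last:
        kind = backup_kind_for(day)
        out.append(Backup(day, kind, f"site-{kind}-{day.isoformat()}.tar.gz"))
        day += timedelta(days=1)
    return out


def restore_chain(backups: list[Backup], before: date | str) -> list[Backup]:
    """Return, in restore order, the archives needed to rebuild the site as it
    was on the last backup taken strictly before `before`: the most recent
    full backup before that date, then each incremental after it.
    Picking `before` as the day the attacker's changes began gives a clean site."""
    cutoff = _as_date(before)
    candidates = sorted((b for b in backups if b.taken < cutoff), key=lambda b: b.taken)
    fulls = [b for b in candidates if b.kind == "full"]
    if not fulls:
        raise LookupError("no full backup exists before the requested date")
    base = fulls[-1]
    return [base] + [b for b in candidates if b.kind == "incremental" and b.taken > base.taken]


if __name__ == "__main__":
    # Constructed scenario: backups ran daily through March and early April 2019;
    # the attacker's changes are believed to have started on 3 April.
    archives = plan_backups("2019-03-01", "2019-04-10")
    for b in restore_chain(archives, "2019-04-03"):
        print(b.label)
```

With the constructed scenario the chain is the 1 April full backup followed by the 2 April incremental; asking for a date before any full backup exists raises an error rather than silently restoring an incomplete set, which is the failure you want to discover in a drill, not during an incident.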
About Chris Parker, founder of WhatIsMyIPAddress.com:
Chris Parker is the Founder of WhatIsMyIPAddress.com and an authoritative voice on topics including privacy, security and online safety. With more than 20 years of experience in the field, Chris is an expert on internet security and has contributed his insights to several major industry publications. He is also the host of the Easy Prey podcast, which aims to help listeners learn how to avoid being an easy target for scammers and fraudsters online and in the real world.