For small businesses, cyberattacks may sound like something not to think about. Because cybercriminals only pursue big, lucrative goals, right? Why should they target a small business?
The unfortunate truth is that small businesses can be very tempting targets for malicious hackers and cybercriminals because they hold the same types of data as large businesses, such as B. personal information, credit card details, passwords and more.
But the nature of small businesses means that information may be less securely held than within a large organization, particularly where there is no dedicated information security staff.
Small businesses can also be tempting for hackers looking to gain access to a larger organization in a supply chain attack – by compromising a small business that might be a supplier to a larger organization, the attacker could leverage that access to infiltrate the network of a larger business partner.
No matter what type of cyberattack a small business falls victim to, whether it’s phishing, ransomware, malware, or any other malicious activity that allows attackers to access and manipulate data, the results can be potentially devastating. In some cases, the cost of becoming a victim of a cyberattack has even forced organizations to shut down permanently.
Fortunately, it is possible to protect your business and employees online. Here are some basic cybersecurity pitfalls to avoid.
1. Don’t use weak passwords to secure online accounts
Cyber criminals don’t need to be particularly skilled to break into business email accounts and other applications. In many cases, they can gain access because the account holder uses a weak or easily guessed password.
The shift to cloud-based office applications and teleworking has also provided cybercriminals with additional avenues of attack.
It can be difficult to remember many different passwords, which can result in users using simple passwords across multiple accounts. This makes accounts and businesses vulnerable to cyberattacks, especially when cybercriminals can use brute force attacks to quickly iterate through a list of common or simple passwords.
You should also never base your passwords on easily discoverable information, such as B. your favorite sports team or the name of your pet, as notices on your public social media profiles could give away this information.
The National Cyber Security Center (NCSC) suggests using a password made up of three random words, a tactic that should make passwords harder to guess.
A different password should be used to secure each account – a password manager can help users by eliminating the need to remember each password.
2. Don’t ignore multi-factor authentication
It cannot be ruled out that even a strong password can fall into the wrong hands. Cyber criminals can use tricks like phishing attacks to steal user credentials.
Multi-factor authentication (MFA) provides an additional barrier to account compromise by requiring the user to respond to an alert – often via a purpose-built MFA application – to confirm that it really is them , trying to log in to the account.
This extra layer means that even if a cybercriminal has the correct password, they cannot use the account without the account owner authorizing access. If a user receives an unexpected alert that they attempted to log into their account, they should report it to their IT or security team and reset their password immediately to prevent cybercriminals from continuing attempts to misuse a stolen password.
Although calls to use multi-factor authentication — also known as two-factor authentication (2FA) — are among the most widely floated pieces of cybersecurity advice, many companies are still not adopting the technique — and it’s something that’s growing must change.
3. Don’t put off installing security patches and updates
One of the most common techniques cybercriminals use to infiltrate and move within networks is by exploiting cybersecurity vulnerabilities in applications and software. When these vulnerabilities become known, operating system manufacturers usually release a security update to fix them.
The security patch fixes the bug, thus protecting the system from cyber criminals trying to exploit it – but only if the update is applied.
Unfortunately, many organizations are slow to roll out security patches and updates, leaving their networks and systems vulnerable to hackers. Sometimes these vulnerabilities go unpatched for years, leaving the company – and potentially its customers – at risk from cyber incidents that could easily have been prevented.
Therefore, one of the most important things a small business can do to improve cybersecurity is establish a strategy for applying critical security updates as soon as possible.
This approach can be achieved by setting up the network to automatically apply software updates, or they can be handled on a case-by-case basis. However, it’s important to realize that critical security updates – often detailed by cybersecurity agencies like CISA – should be applied as soon as possible.
4. Don’t forget antivirus software or firewalls
Antivirus software is designed to help protect computers — and people — from cyberthreats like malware and ransomware, but these tools can’t help anyone unless they’re installed or running. To improve cybersecurity, small businesses should install antivirus software on all computers and laptops on the network.
Today, antivirus software is often bundled for free with major operating systems, but there is also an option to install a product from a dedicated antivirus software vendor.
However, you cannot just ignore antivirus software once you have installed it. As with other software, it is important to prevent antivirus tools from becoming obsolete due to evolving cyber threats, so you need to install updates and patches as needed.
Installing spam filters and firewalls can also help employees stay protected from cyberattacks – and as with antivirus programs, it’s important that these tools are enabled and kept up to date to be effective.
5. Don’t leave employees without cybersecurity training
Even if your small business only has a handful of employees, it’s important to provide cybersecurity awareness tools and training because all it takes for malicious hackers to gain access to the network is one person accidentally making a mistake .
For example, they could accidentally click a link in a phishing email and install malware on the network, or they could be the victim of a business email compromise scam and transfer a large sum of money to someone posing as a business partner—or even you Boss.
Therefore, providing employees with training and advice on how to spot phishing emails, suspicious links, and other potential attack vectors is vital to help protect data, money, staff, and customers. It’s also important that employees know who to report potentially suspicious activity to so that suspected cybersecurity incidents can be prevented.
6. Don’t ignore backups
Even if you only have a handful of computers on your network, you should back up your data regularly to make your systems more resilient to cyberattacks.
This strategy means that in the event of an incident that encrypts, wipes, or otherwise shuts down the network, there’s a current copy of all your data that can be recovered – and that means a relatively quick return to normal.
The backups should be updated regularly so that the data stored in them is as current as possible, and the backups should be stored offline to prevent attackers who get into the network from accessing and deleting them.
7. Don’t leave your network unattended
Setting up the network with controls to prevent cyberattacks is useful, but small businesses shouldn’t install tools and then just ignore them and hope for the best. Someone in your organization should be responsible for monitoring network activity for potentially malicious behavior.
This approach starts with knowing what computers and other Internet-connected devices actually make up your network—because you can’t defend anything you don’t know about. Then you need to make sure those devices are protected with the right updates.
Identifying Internet-connected devices on the network may sound like a simple task, but it can quickly become complicated. These devices don’t just include computers: there are also IoT devices, vending machines, security cameras, and potentially much more. All of these devices could potentially be exploited and misused by cyber criminals if not properly managed.
Therefore, it’s crucial to take the time to examine your network and fully understand what’s on it. It’s also important to know what regular behavior on the network is, and what might be considered suspicious or irregular. For example, if your small business is suddenly seeing logins from across the world, it could be a sign that something is wrong and needs to be investigated.
8. Don’t face a cybersecurity incident without a plan
Even if you have a solid cybersecurity strategy in place, there is still a chance for cyber criminals to break into the network and use your access for nefarious purposes, be it installing ransomware, conducting spying, stealing credit card information, or focusing on countless other malicious attacks.
In the event that one of these events occurs, it helps to have a plan that can be implemented—and that should be accessible even if the network goes offline.
Having a plan – how the company will respond to a cyber attack, how it might proceed, and which cyber security agencies and investigators should be contacted – will help your company deal with a stressful situation with an air of strategy and calm.
If you’re looking for more advice, the NSA and FBI have a list of 10 cybersecurity mistakes that let hackers into your systems.