It takes years to build up your reputation, but one small cyber-attack can bring it crashing down in a few minutes. The most common type of attack is ransomware.
Ransomware attacks and user data breaches are the most common threats facing any small business connected to the Internet. They belong to the class of indiscriminate attacks, where your network is one target among millions of others because you just might have something generically valuable. These include:
- Credit card numbers that can be sold on the black market.
- Banking information that can unlock your business’s deposits or be used in a social engineering attack.
- Business-critical infrastructure and data that can be held hostage.
- Computing resources that can be harnessed for building a botnet or mining cryptocurrency.
When you complete a threat assessment for your business, look closely at the possible motivations for more specifically targeted attacks. These may include:
- Stealing your specific business secrets in order to gain a competitive advantage.
- Affecting availability in order to spread doubt among customers.
- Infiltrating or subverting communications channels to damage your reputation.
- Revenge, as by aggrieved current or former employees.
Key areas to secure
Login management should rank near the top of any security checklist, especially now that so many websites and merchants store customers’ card details for easy use on their next visit. These ‘credentialed transactions’ now cover all aspects of day-to-day business, especially in the e-commerce world.
This has brought systems like Two-Factor Authentication (2FA) into play, with many businesses now offering it as part of their login process. 2FA comes in different forms, such as U2F (Universal 2nd Factor), TOTP (Time-based One-Time Password), and OneTouch (SMS), but they all essentially give customers an extra sign-in step on top of their normal username and password.
If your business holds payment card details or other sensitive information, you may want to enable a form of 2FA. Providers now offer simpler ways to set it up, and we are likely to see more emphasis on it in the future. It’s worth checking whether your e-commerce system and payment merchants support it already; it may be as simple as ticking a box to enable!
If you handle more than a couple of dozen in-house users, or offer services to a larger public, without already having at least one full-time IT person on staff, you will need to start looking around. A qualified professional can help you implement security policies and ACLs, manage nameservers and SSL certificates, and meet regulatory requirements.
If you are a small team or solopreneur that just wants to stay safe without sacrificing the convenience of having your tablets, phones, and laptops constantly logged in to certain apps, social media accounts, and vendors’ websites, then you’re in luck. The latest breed of password managers from providers like Dashlane, 1Password, and LastPass take a real stab at this problem and are simple to use.
Choose a hosting solution that fits your needs and your budget, but also look at what it offers in terms of security-related features. All hosts apply operating-system security patches to their servers promptly, which takes a big burden off your back. Beyond that, see whether they offer easy-to-understand options for:
- Virus Protection
- DDoS Protection
- Spam Filtering
- SSL Certificates
Domain Name System (DNS)
You also don’t want to risk attacks coming through your DNS, which is essentially the Internet’s phonebook: the system that actually connects people to the websites they are looking for. But it can also be a minefield of security risks, including Denial of Service (DoS) attacks and cache poisoning, where visitors are sent to a fraudulent version of your website.
The company through which you register your domain should implement the DNSSEC extensions, which make it harder for an attacker to divert your incoming traffic. All good domain providers should offer DNS with security features. If you think your website is particularly at risk, it may also be worth investing in a more state-of-the-art DNS service to really amp up your security.
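A practitioner's way to confirm that DNSSEC is actually in place for a domain is to query it through a validating resolver with `dig +dnssec` and look at two things: whether the answer carries RRSIG records (the zone is signed) and whether the resolver set the `ad` (authenticated data) flag (the signatures validated). The following added example (not from the article or from any provider it names) parses that dig output; the three sample outputs are constructed here to show the signed, unsigned and validation-failure cases, and the `live_check` helper, which shells out to `dig` and needs network access, is an assumption about how you would run it for real.

```python
import re
import shutil
import subprocess

# Constructed sample: signed zone queried through a validating resolver.
SAMPLE_SIGNED = """\
; <<>> DiG 9.18.1 <<>> +dnssec example.com A @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.10
example.com.   3600  IN  RRSIG  A 13 2 3600 20300101000000 20250101000000 12345 example.com. <signature-base64-placeholder>
"""

# Constructed sample: unsigned zone (no RRSIG, no ad flag).
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.   300   IN  A      192.0.2.20
"""

# Constructed sample: a validating resolver refusing a bogus (badly signed) zone.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def _section(dig_output: str, name: str) -> list:
    """Return the record lines of one dig section, e.g. 'ANSWER'."""
    lines, inside = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            inside = line == f";; {name} SECTION:"
            continue
        if inside and line.strip() and not line.startswith(";"):
            lines.append(line)
    return lines


def dnssec_status(dig_output: str) -> dict:
    """Classify dig +dnssec output as unsigned / signed-not-validated / signed-and-validated / failed."""
    status_m = re.search(r"status: (\w+)", dig_output)
    status = status_m.group(1) if status_m else "UNKNOWN"
    flags_m = re.search(r";; flags: ([^;]*);", dig_output)
    flags = flags_m.group(1).split() if flags_m else []
    rrtypes = {ln.split()[3] for ln in _section(dig_output, "ANSWER") if len(ln.split()) > 3}
    signed = "RRSIG" in rrtypes
    validated = "ad" in flags
    if status == "SERVFAIL":
        verdict = "SERVFAIL: a validating resolver rejected the zone (broken chain of trust) or is unreachable"
    elif signed and validated:
        verdict = "signed and validated by the resolver"
    elif signed:
        verdict = "signed, but this resolver did not validate it (no ad flag); use a validating resolver"
    else:
        verdict = "unsigned: no RRSIG in the answer, DNSSEC is not enabled for this name"
    return {"status": status, "flags": flags, "signed": signed, "validated": validated, "verdict": verdict}


def live_check(domain: str, resolver: str = "1.1.1.1") -> dict:
    """Assumed real-world use: run dig (must be installed, needs network) and classify its output."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    result = subprocess.run(["dig", "+dnssec", domain, "A", "@" + resolver],
                            capture_output=True, text=True, timeout=15)
    return dnssec_status(result.stdout)


if __name__ == "__main__":
    for label, sample in [("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED), ("bogus", SAMPLE_SERVFAIL)]:
        print(f"{label:9s} -> {dnssec_status(sample)['verdict']}")
```

Run the check against a validating public resolver (1.1.1.1, 8.8.8.8 and 9.9.9.9 all validate); if your own office resolver never sets `ad` even for known-signed names, it is not validating, and clients behind it get none of DNSSEC's protection against poisoned answers.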
Public Wi-Fi & VPNs
As a small business owner, you may often work remotely, or have remote employees and contractors who need to work on the go. This can mean using public Wi-Fi, which can easily be hacked. It’s possible you have already logged in to a fake public Wi-Fi network (with a name similar to the legitimate one) once or twice. So let’s talk VPNs.
VPN stands for Virtual Private Network. It connects your computer to a private network over an encrypted connection that masks your IP address, so you can securely share data and surf the web while protecting your identity online. Using a VPN can be an inexpensive and secure way to access the Internet from anywhere: your home office, a cafe, the airport, etc. It provides secure communication between you and your employees, customers, and banks.
Private emails and presentations you send remain out of the hands of hackers and eavesdroppers. A VPN helps ensure your data, and that of your customers, remains private.
Connecting via a VPN protects your data as it travels from your laptop, tablet or cellphone. The data is encrypted inside a ‘VPN tunnel’, so your ISP can no longer eavesdrop on your browsing history or data either: it cannot see your activity online, because that traffic is routed through the VPN’s servers.
Anyone trying to snoop on a hacked Wi-Fi network will only see that you are connecting through a VPN, and cannot read your data. Any data they do capture will look like gibberish.
We recommend Nord VPN.
Backups & Data Recovery
Backups are essential to rebuilding your network if the worst should happen. All manner of important customer or financial data can be lost, such as mailing lists and other vital information. If a virus has attacked you, and you can’t restore everything cleanly, your website or database could be out of action for days. The effect on a small business could be catastrophic.
Just one hack, malware attack, or even an instance of simple data corruption can leave you vulnerable. So it’s vital that you keep backup copies of important information, and back data up regularly — failover servers sometimes fail too! Ask yourself, can I be back up and running in less than a day? Or in less than an hour?
If you’d really just rather be getting on with growing your business, rather than looking over your shoulder for the next attack, there are professional backup services you can use. Cost will obviously be a big factor here. But also be sure to check providers for backup speed, overall reputation, customer service, and make sure the service can integrate easily into your current hosting or website systems.
Some hosting providers even include automatic backups with their services, so if anything goes wrong your website simply goes back in time to the point before the breach happened. Many also offer maintenance plans, so your site is proactively updated and scanned for viruses and malware.
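The point the backup section makes, that a backup you have never restored is only a hope ("failover servers sometimes fail too"), is worth turning into a routine. The following added example (written for this page, not code from the article, Namecheap or any hosting provider) backs up a directory into a timestamped archive with a checksum, then verifies it by recomputing the checksum, test-restoring into a scratch directory and comparing every file against the original, and finally rotates old copies. The destination directory, labels and the small fake site used by `run_demo` are all constructed for the demonstration; point `make_backup` at a real site directory and an off-network destination (a mounted backup volume or a sync folder) to use it.

```python
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (archives can be larger than RAM)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest_dir: Path, label: str = "site") -> Path:
    """Write <label>-<UTC timestamp>.tar.gz into dest_dir plus a .sha256 sidecar; returns the archive."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive: Path, original: Path = None) -> bool:
    """Checksum must match the sidecar, the archive must restore cleanly into a scratch
    directory and, when the original is still available, every file must match byte for byte."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != sha256_of(archive):
        return False
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal (Python 3.12+)
                except TypeError:
                    tar.extractall(scratch)  # older interpreters without extraction filters
        except (tarfile.TarError, OSError):
            return False
        if original is None:
            return True
        restored = Path(scratch) / original.name
        for src in original.rglob("*"):
            if src.is_file():
                dst = restored / src.relative_to(original)
                if not dst.is_file() or sha256_of(src) != sha256_of(dst):
                    return False
    return True


def prune_old_backups(dest_dir: Path, label: str = "site", keep: int = 7) -> list:
    """Delete all but the newest `keep` archives and their sidecars; returns the removed paths."""
    archives = sorted(dest_dir.glob(f"{label}-*.tar.gz"))  # timestamped names sort chronologically
    removed = []
    for old in (archives[:-keep] if keep > 0 else archives):
        Path(f"{old}.sha256").unlink(missing_ok=True)
        old.unlink()
        removed.append(old)
    return removed


def run_demo() -> dict:
    """Constructed end-to-end check on a fake site: back up, verify, rotate, detect a damaged copy."""
    work = Path(tempfile.mkdtemp())
    try:
        site = work / "site"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'constructed sample site'; ?>\n")
        (site / "wp-content" / "db-dump.sql").write_bytes(b"-- constructed sample dump\n" * 50)
        vault = work / "backups"  # stands in for the off-network destination
        first = make_backup(site, vault)
        results = {"fresh_restore_ok": verify_backup(first, site)}
        make_backup(site, vault)
        latest = make_backup(site, vault)
        results["pruned"] = len(prune_old_backups(vault, keep=2))
        results["oldest_removed"] = not first.exists()
        with open(latest, "ab") as fh:  # simulate bit rot or truncation on the backup media
            fh.write(b"\x00corrupted")
        results["corrupt_detected"] = not verify_backup(latest, site)
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Schedule `make_backup` plus `verify_backup` together (a nightly cron job, for instance) and alert when verification fails rather than when it succeeds; the failure you want to hear about is the one that happens before you need the restore.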
In extreme cases, and where it applies to your business, there is a public-relations aspect to the response. This is not an IT function, which means the damage non-technical staff can do by themselves is at its greatest here.
Prepare as much of this response as possible in advance. Work out a communication plan that feeds relevant information gleaned during forensics and recovery to the appropriate parties, including mandatory regulatory disclosures and voluntary reports to the relevant authorities, where applicable.
The worst-case scenario of all is customers leaving immediately due to bad communication and ensuing distrust, especially for small businesses operating in fickle environments. So you need to do all you can to limit this damage.
When customer data is wiped out, or account data is compromised, how do you break that news? What is the proper balance to strike between common courtesy and legal self-protection? The ideal is documented procedures covering the most important imaginable cases, verified by lawyers.
Final Sanity Check
That may all seem quite overwhelming, so here’s a checklist of the main things you can do to ensure your basic IT hygiene is complete:
- Change default passwords to secure passwords that are not reused.
- Enable email encryption.
- Educate yourself and your staff on common dangers.
- Keep your website and applications up to date with regular patching.
- Run only what’s necessary: disable unused services and accounts.
- Ensure home and office Wi-Fi is running WPA2 encryption.
- Close any network ports that are not required.
- Keep a regular set of backups stored off your network.
- Ensure you can still communicate if your servers are unavailable.
Thank you to Namecheap for helping with the information for this article.