Stay Safe: Your Small-Business Cybersecurity Guide

Is Your Business Protected From Online Threats?

It might be comfortable to imagine that hackers overlook small businesses, but in reality, small companies are a hacker’s bread and butter. Although larger companies hold bigger caches of data, they also invest more in cybersecurity. Meanwhile, small businesses are often unaware of their own vulnerabilities, which makes them a prime target for online predators. 

In this cybersecurity planning guide, you’ll learn more about the kinds of threats you face, pitfalls to avoid, and appropriate measures to take to keep your company’s and clients’ information safe.

Cybersecurity By the Numbers

Potential Threats

How to Stay Safe

Find Out More

Cybersecurity By the Numbers

*A password-guessing program can test up to 1000 passwords per second against a login page; against a stolen database of password hashes, offline cracking runs many orders of magnitude faster. 

*40 percent of companies surveyed in Ponemon Institute’s report on cybersecurity in small and medium-sized businesses discovered that an attack they experienced was due to a password being hacked.

*Cyber attacks on SMBs have increased from 61 percent of respondents in 2017 to 67 percent of respondents in 2018. The occurrence of data breaches involving customer and employee information over 12 months also increased from 54 percent of respondents to 58 percent of respondents.

In the aftermath of these incidents, the respondents’ companies spent an average of $1.43 million on the damage or theft of IT assets, a 33 percent increase from $1.03 million in 2017. 

*Mobile devices are the most vulnerable endpoints or entry points to networks and enterprise systems, according to 55 percent of respondents. Almost half (49 percent) of respondents say the use of mobile devices to access business-critical applications and IT infrastructure affects their companies’ security posture.

*More companies have experienced ransomware attacks (61 percent of respondents vs. 52 percent of respondents in 2017) and 70 percent of respondents in these companies report that the ransom was paid. The average payment in these cases was $1,466.

*Passwords are often compromised or stolen because employees use weak passwords. Forty percent of respondents say their companies experienced an attack involving the compromise of employees’ passwords; the average cost of each attack was $383,365.

*Phishing/social engineering continues to be the number one attack SMBs experience (52 percent of respondents).

Potential Threats

It used to be that malicious code only entered your system if you visited disreputable sites, but as users have become more cautious, hackers have gotten more creative. They now employ a range of tactics to gain entry to otherwise secure networks: 

Social Engineering via Social Networks

Social engineering on social networks involves tailored attacks on specific targets, often senior executives. The hacker sets up a fake social media account posing as someone the executive knows, or as a recruiter or business contact. Once the executive accepts the connection, the hacker posts links or sends messages that lead to a phishing site, or uses the new relationship to ask for sensitive information directly. Treat unexpected connection requests with suspicion, even from familiar names, and verify them through another channel.

Phishing

With phishing, hackers get users to hand over their information without realizing it. A message, usually an email, lures the user to a malicious website disguised as a reputable organization, such as your bank or a government agency, which then asks for login credentials, card numbers or other sensitive data. Increasingly the lure arrives as a text message or phone call rather than an email.

Because phishing emails are cheap to create and pay off handsomely, they are among the most common attacks that businesses face. The problem has become so serious that 76% of businesses reported being a victim of a phishing attack in 2018.

Malware

Malware is a broad term for any malicious software a hacker installs or tricks a user into running. It typically gets onto a device through an unpatched program, a security weakness or an unwary user, then steals data, spies on activity or hands the hacker control. Below we’ll get into more detail about the types of malware that exist and the ways they are delivered through websites, email attachments and devices.

Ransomware

Ransomware is a type of malware that gives the hacker a more overt way to cash in. Once it runs on your device, it encrypts your files (and, on a business network, often every shared drive and backup it can reach) and demands payment for the key to unlock them. The only reliable defense is to keep current backups stored where the malware cannot reach them and to test that you can actually restore from them; paying the ransom funds the next attack and does not guarantee you get your data back. 

Trojans

Like phishing, a trojan is a broad term that covers a variety of tactics. While phishing aims at getting a user to click on a malicious link, a trojan horse tricks the user into running a malicious program disguised as something harmless, hence the name: a fake invoice attachment, a "cracked" copy of paid software, or a bogus update. Once run, it can install a backdoor to your system so the hacker has access whenever they want, or quietly harvest saved passwords and banking details.

SQL Injections

Structured Query Language (SQL) injection targets the database behind a website. When text from a web form or URL is pasted directly into a database query instead of being passed to the database as data, a hacker can type SQL of their own into that field and the database will run it. A successful injection can let the hacker bypass the login page, read every user’s login information and personal data, modify or delete records, and in some configurations gain administrative control of the database server.
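To make the mechanism concrete, here is an added example (not code from the original guide) using Python’s built-in sqlite3 module and a constructed users table. The first login function builds its query by pasting user input into the SQL string; the second binds the same input as a parameter, so the database never parses it as SQL. Passwords are stored in plain text here only to keep the demonstration short; a real application stores salted password hashes.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table standing in for a real login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, so whatever the user types becomes SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the input is bound as data and cannot change the query's shape."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    """Runs both login functions against two classic injection payloads; returns the rows found."""
    conn = setup_db()
    # Payload 1: close the quoted username, then comment out the password check with "--".
    bypass_user = "alice'--"
    # Payload 2: make the WHERE clause always true, which returns the first row (here, the admin).
    always_true = "' OR 1=1--"
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "vulnerable_or_true": login_vulnerable(conn, always_true, "wrong"),
        "safe_bypass": login_safe(conn, bypass_user, "wrong"),
        "safe_or_true": login_safe(conn, always_true, "wrong"),
        "safe_real_login": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:20} -> {row}")
```

Run it and the vulnerable function logs the attacker in as alice without knowing her password, while the parameterised version returns nothing for both payloads and still works for a genuine login. Every mainstream database library offers the same placeholder mechanism; the fix is to use it everywhere, not to try to filter "dangerous" characters.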

Clickjacking

Clickjacking is one of the sneakier ways a hacker gets users to act on a site they never meant to interact with. The hacker builds their own page and loads a legitimate site (your bank, or your own web app) inside an invisible frame positioned over a harmless-looking button. 

When the user clicks what appears to be a "Play" or "Claim prize" button, the click actually lands on the hidden button underneath, such as "Confirm transfer" or "Change email", and the action runs with the victim’s existing logged-in session. The hacker’s page cannot read what is inside the frame, but it does not need to. Websites defend against this by telling browsers not to let other sites frame them (the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive); if you run your own web app, ask your developer or host to confirm these are set.

Public Wifi

Offering free Wifi encourages traffic, extended stays, and more purchases, but all of that can go away if you don’t take appropriate security measures. 

When you open up a network to the public, you open it not just to customers, but to potential hackers. Be sure the network is separate—with a different password—from the one you use to process payment and store proprietary information. Doing so will add a layer of protection between the most sensitive information and the potential hacker. 

Even if your business doesn’t offer public Wifi, it can still be threatened by remote workers using unsecured connections. On a compromised or untrusted network, an attacker can read unencrypted traffic, redirect users to fake login pages, and probe any laptop on the network for unpatched services; malware picked up there comes back into the office when the laptop reconnects. That’s not to say that you shouldn’t let people work remotely, just require a VPN for remote connections so traffic is encrypted, and make sure remote devices get the same patching and antivirus as those in the office. 

USB Keys

We’ve got cloud computing now so you might not think that malware transferred via USB devices is much of a threat, but you’d be surprised. USB drives are easy to use, easy to lose, and can carry malware; a drive "found" in the parking lot is a well-known way to get an employee to plug an attacker’s device into the company network. If USBs are necessary to your business, educate employees never to plug in a drive of unknown origin, disable automatic execution of programs from removable media, and invest in encrypted devices so a lost drive does not mean lost data, as less tech-savvy people might not be as vigilant when working from home.

DDoS

How much traffic can your network handle? That’s something you’ll find out quickly if your company is hit with a distributed denial-of-service (DDoS) attack. A DDoS is not malware itself, but it is usually launched with it: hackers infect a large number of internet-connected devices with malware to build a botnet, then direct all of those devices to flood the target site with traffic until it slows to a crawl, runs up bandwidth and hosting bills, or goes offline entirely. 

Start Safe, Stay Safe—You Can’t Undo a Hack

Passwords

Cracking a password is no longer a matter of knowing things about the person and making an educated guess. Nowadays, hackers obtain passwords by running programs that try every word in a dictionary along with the usual variations (appended numbers and symbols, "@" for "a", a capital first letter), and by replaying passwords leaked from other sites’ breaches, since many people reuse them. 

To give you some perspective on how effective this is, malware can try 1000 passwords per second against a login form, according to Ohio State University’s cybersecurity resource. If a hacker has a specific person in mind, they can tailor the word list to that person’s interests. And if the hacker has already stolen a database of password hashes, the guessing happens offline on their own hardware at a rate many orders of magnitude higher, so short or predictable passwords fall within minutes. 

To reduce the risk of your password being sussed out by a hacker, make it long and avoid single dictionary words. One approach: take your favorite movie quote or song lyric, use the first letter of each word, and add a number and a symbol. Better still, use a password manager to generate and store a unique random password for every account, so a breach at one site cannot be replayed against the others. No password is hack-proof, but length and uniqueness put it out of reach of dictionary and reuse attacks.

Despite employee security trainings, we know a handful of employees will still use Password123 for all of their work accounts. That’s where multi-factor authentication becomes your best friend.

Rather than relying on a password alone, multi-factor authentication (MFA) requires a second proof of identity: typically a six-digit code from an authenticator app or hardware token that changes every 30 seconds, or a push notification to a registered phone. Because the code changes with each login and the attacker does not hold the device, a stolen password on its own no longer gets them in. MFA is not foolproof (attackers can phish one-time codes or pester users with push prompts until someone approves one), so pair it with employee training, and prefer app-based or hardware tokens over codes sent by SMS. 

Employee Training

Unfortunately, many precautionary measures are made moot by human error. A study of cybersecurity in small and medium businesses found that over 50 percent of participants had a breach caused by a negligent employee or contractor in the last two years. To combat this vulnerability, educate employees. Hold regular training meetings with your team, run occasional simulated phishing emails so people get practice spotting them, secure data with a cybersecurity service, and share articles like this regularly with your employees so they know exactly what tactics are being used to scam them. 

Web Hosting

Some businesses can get by hosting their own website, but it can be dangerous if your in-house web security specialist is underqualified. For most companies, it’s more convenient and economical to enlist a third-party web host. A quality web host should help you with network monitoring, access restrictions, and malware detection. 

Data Access Restrictions

Labs that work with dangerous chemicals install failsafe doors to partition off a contaminated area when a leak is detected. This allows the labs to contain a threat and isolate the compromised portion so the chemical doesn’t infiltrate the rest of the building. 

Data access restrictions do the same thing for a company’s information. Grant access according to what each role actually needs to do its job (the principle of least privilege): every employee gets the general systems they use daily, and only the people who work with payroll, customer records or payment data get access to those, with a separate account or an approval step for administrative tasks. Like the lab doors, these boundaries mean that if one account or system is compromised, the attacker is contained there rather than walking straight into everything else. Review access regularly and remove it when someone changes roles or leaves.

Antivirus & Firewalls

There are a myriad of tools a small business owner can incorporate into their cyber risk management, and antivirus software and firewalls are the two most basic. They do different jobs. Antivirus (endpoint protection) software scans files and programs on a device and blocks or quarantines those that match known malware or behave maliciously. A firewall filters network traffic, letting through only the connections you have approved in and out of your network or device, so an attacker cannot reach services you never meant to expose. Use both, keep them updated, and turn on the firewall built into your operating system and router. 

Encryption

Encryption scrambles your data into a form that can only be read with the right key. Encrypt data at rest (full-disk encryption on laptops and phones, so a lost device does not become a data breach) and data in transit (HTTPS on your website and a VPN for remote connections, so traffic on a public network cannot be read). The key is usually unlocked by a password or hardware token, so strong passwords and multi-factor authentication still matter, but encryption protects the data even if a device is lost or the network itself is compromised.

Cybersecurity Best Practices

At the end of a list of potential threats you might feel that effective cybersecurity is a pipe dream; however, the likelihood of a security breach and its potential impact greatly decrease if you take the right precautions:

  • Hold regular trainings with your team to make sure they know about the most current cyber threats.
  • Train employees to check the URL before ever entering any information into a website, and to check it closely: often the only difference is a misspelled word or a swapped character in the domain name.
  • Keep backups that are stored offline or off-network, and test restoring from them, so you can recover your systems after a ransomware attack or a patch that goes wrong without paying a ransom.
  • Secure your critical infrastructure with multi-layered defenses built on least privilege: give every account, from support staff to executives, only the access its job requires. Executives are the most heavily targeted by phishing, so broad standing access for them is a liability, not a perk.
  • Social media sites are breeding grounds for phishing scams that can compromise entire networks at once. Consider restricting access to social media from devices on your business network, and train staff to treat unexpected links and connection requests with suspicion.
  • Explore different cybersecurity solutions. Consider hiring a security engineer and setting up intrusion detection.
  • Require multi-factor authentication for employees to log in to your databases, email and remote-access services.
  • Keep software up to date. Updates fix the security holes that malware and attackers exploit; an unpatched system is the easiest way in.
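The advice to "check the URL closely" is easy to give and hard to follow by eye, so here is an added example (not part of the original guide) of a small Python checker a business could run over links in incoming mail. The TRUSTED allow-list and the sample links are constructed for the demo. It goes a little beyond the "misspelled word" case in the text: it also catches character substitutions such as "paypa1", a real brand name buried inside an unrelated registered domain, and non-ASCII (internationalised) characters that imitate Latin letters.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo; a real deployment would load the
# company's own banks, suppliers and SaaS providers here.
TRUSTED = {"paypal.com", "microsoft.com", "frontier.com"}

# Common ASCII look-alike substitutions used in typosquatted domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def hostname(url: str) -> str:
    """Extract the host from a URL or bare domain, lowercased, with punycode (xn--) labels decoded."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep it as-is; it is flagged below anyway
    return host


def registered_domain(host: str) -> str:
    """Last two labels. Assumption for the demo: no multi-label suffixes such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def fold_lookalikes(text: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos such as paypol.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, reason) where verdict is trusted, suspicious, lookalike or unknown."""
    host = hostname(url)
    domain = registered_domain(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    if any(ord(c) > 127 for c in host):
        return ("suspicious", f"non-ASCII characters in host name {host!r}")
    name = domain.split(".")[0]
    folded_name = fold_lookalikes(name)
    folded_host = fold_lookalikes(host)
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if folded_name == brand:
            return ("lookalike", f"{domain} imitates {trusted} with substituted characters")
        if edit_distance(name, brand) <= 1:
            return ("lookalike", f"{domain} is one typo away from {trusted}")
        if brand in folded_host:
            return ("lookalike", f"{trusted} appears inside {host}, but the registered domain is {domain}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing mail.
    samples = [
        "https://www.paypal.com/signin", "https://paypa1.com", "https://paypol.com/login",
        "http://paypal.com.login-verify.net/", "https://micros0ft-support.com",
        "https://p\u0430ypal.com/login", "https://example.org",
    ]
    for link in samples:
        print(f"{link:40} {classify(link)}")
```

The "unknown" verdict is deliberate: a checker like this cannot prove a link is safe, only that it does not resemble a brand you care about. The third rule matters most in practice, because "paypal.com.login-verify.net" passes a quick glance even though the part that decides where the browser goes is the last two labels.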

Frontier Business Solution

Frontier is a leader in providing internet and phone solutions to budding businesses. Find out more about the services we offer here.
