Running an online business can sometimes feel like having a permanent target on your back. When you think about the vastness of the Internet (and now the Internet of Things) and the ever evolving threat environment, the security of your website is certainly one thing that can keep you up at night.
Identity thieves, scammers and hackers are usually opportunistic. They don’t always target the businesses where they could get the biggest payoff (such as a bank). They instead look at small poorly protected websites where it won’t take them much time or effort to get what they want. As the owner of a small or medium sized online business, the risks can feel overwhelming.
Fortunately, there are measures you can take to keep your site safe and secure.
The biggest mistake a small or medium sized online business can make is not to see itself as a target of a cyberattack. Complacency dramatically increases the risk of succumbing to cybercriminals. Hackers are familiar with this mindset among small corporations and that’s why they spend a substantial amount of their time scanning random websites.
No business is too small to be attacked. Even if there’s no direct financial benefit from hacking your site, the information the hacker gathers about you, your business and customers can give them the ammunition they need to launch a more substantial attack later or elsewhere.
The first step to preventing a cyberattack is understanding that there’s a person or malware out there that wants to break into your site. It’s on this premise that you’ll take all other steps needed to keep your online business secure.
The older the technology you are using, the more vulnerable you are to an attack. Systems that have been around for a while are already well known to hackers. Their vulnerabilities are public knowledge and it’s easy for someone to simply search the Internet to get an extensive list of all security issues associated with a specific release.
Make a point of updating your software as soon as is realistically possible. Updates and new releases are not only meant to improve functionality but they also seek to close any security gaps identified since the last update. Most systems will allow you enable automatic updates which is a great way to ensure that no patches inadvertently fall through the cracks.
Always backup your data. Data is the lifeblood of the modern enterprise and especially the online business. Losing data can cripple your operations and decimate your reputation. Certain types of malware such as ransomware will seek to do nothing else other than corrupt your data or otherwise render it inaccessible.
Having a backup ensures that your business won’t be hamstrung if something or someone destroys your production system. Backups work best when they are automated. Prioritize backups based on the sensitivity of data. Highly confidential data should be backed up at least daily but preferable in real time, while lower priority data can be backed up weekly.
No entrepreneur or manager would intentionally endanger their organization by knowingly hiring a shady character. However, most crime is opportunistic (or at least starts off as opportunistic). An otherwise honest and well-meaning employee who’s facing deep personal financial problems is more likely to exploit a glaring gap in the system that allows them to steal money (or in this case, steal data and sell to an interested third party).
So as much as you strive to hire the best talent, you have to keep an eye on your staff and pick up wayward behavior before it’s too late. For that reason, you should apply the least privilege principle when granting access rights to each worker. That means giving the employee access to only as much information as they need to do their job.
Someone working in marketing doesn’t need access to the payroll system. Similarly, a person in customer support doesn’t require access to the business’ financial statements (unless it’s a public company). Use Active Directory management software to monitor suspicious activity.
Some breaches are not intentional. A phishing email or other social engineering technique could see a staff member unknowingly disclosing sensitive information to an unauthorized third party. Preventing unintentional breaches depends on making sure your technical controls are robust but more importantly, training staff on security issues they have to be aware of.
Emphasize the need for strong passwords, why they shouldn’t use personal email for business communication or why they shouldn’t download or open email attachments from unfamiliar senders.
Just two decades ago, all that the average office worker needed was a landline and a desktop computer to do their job. Security wise, this was a much easier environment to manage when compared to the more complex setup of offices today. The modern workplace not only has desktops but also laptops, smartphones, tablets and USB drives.
The mobility of this new class of devices introduces security problems that were hitherto largely unheard of. Worse still, these portable and mobile devices are gradually gaining on desktops in terms of their storage capacity. The loss of a laptop or smartphone that contains company information can deal a major blow to your data security.
To prevent this from happening, develop a robust policy that emphasizes the separation of personal devices from work devices. This is especially important for small online businesses where the line between business and personal equipment can be blurred.
Note that malware is most likely to infect a device from websites the individual visits in their private time compared to the sites they use during working hours. Using the same device for personal and business browsing therefore leaves your network and website vulnerable to infection or attack.
All devices used for business must be password protected. Make the most of remote data-wipe apps and full disk encryption that renders the data on the device useless in the event that it falls in the wrong hands.
The proliferation of online businesses is deeply intertwined with the rise of the remote worker. The fact that you can access and run your online business from almost anywhere you are is evidence that your business will have some degree of telecommuting.
Remote work is also a low cost way for small businesses to boost employee morale (which is important because they often cannot outbid larger and more established players when competing for the most talented people).
But telecommuting can be problematic especially in the context of security. Remote workers often rely on their personal devices and not business-issued ones. Also, they may connect to the company’s network using free public WiFi. If they work in a public place, someone behind them may be able to read sensitive company information or decipher their passwords by watching their keyboard actions.
To minimize these risks, online businesses should make sure any employee who signs into the network remotely has a strong firewall installed. They should use a virtual private network (VPN) app that will encrypt data traffic thus preventing eavesdropping when using public WiFi. Their desktops, laptops and smartphones must have a reputable antivirus installed and be patched with the latest system updates.
Even with these controls, warn all remote employees to avoid performing financial transactions or submitting sensitive information when on public WiFi. To guard against eavesdropping, telecommuting employees should work from a controlled location such as their home and not public high traffic venues such as restaurants, railway stations and airports.
Google, Amazon, Facebook and Salesforce.com have been profoundly successful internet-based businesses and have annual profits in the billions of dollars. In the world of online business, only a miniscule minority can ever hope to reach such scale. The overwhelming majority of web-based businesses are small and cash-strapped. Every expense requires careful thought to confirm that it’s worth it and won’t needlessly curtail cash flows.
In this regard, cloud services have been a godsend for small online enterprises. Setting up the technology infrastructure onsite that’s needed to run an internet business can be prohibitively expensive. Cloud services allow you to pay for exactly what you need. This is important not just in terms of scalable capacity but also the reduced cost of maintaining security.
You no longer need to permanently or temporarily hire highly skilled staff to install and run complex security systems. Leading cloud service providers like Amazon Web Services and Microsoft Azure naturally attract the best security talent in the world. As a cloud service user, the high cost of hiring these experts is passed to you but is negligible because you share it with millions of other subscribers.
Of course, moving your systems to the cloud isn’t a license for complacency. Protecting your data and systems still remains your responsibility first.
In 2017, Yahoo admitted that a data breach had compromised the information of 3 billion users of the service — the largest ever data breach. It was a stunning announcement that sparked worries of just who and what is safe on the worldwide web. A look at a list of the biggest data breaches in history shows that established names still struggle with keeping customer data safe.
The lesson for smaller online businesses is that despite your best efforts, you could still experience a data breach. While the breach itself is a regrettable event, what you do after it happens is crucial. Speed is of the essence. How fast you act can determine how well you can contain any damage.
Quarantine any equipment you suspect has been infected then clean it before it can be reintroduced to the network. Notify law enforcement, relevant regulators, business partners, vendors, employees and customers. Contract a cybercrime forensic investigator to help you get to the bottom of the problem.
When a security incident happens, it’s tempting to want to cover it up and hope no one notices. However, this can do far greater damage to your reputation and makes it harder for you to regain the confidence of all stakeholders.
These tips are vital but certainly not exhaustive. Perform an IT risk assessment on your business at least once a year. This will help you identify any emerging gaps so you can make the necessary changes to your security controls.
Before you go, subscribe to get latest technology articles right in your mailbox!.