For small businesses, cyberattacks might sound like something they don't need to think about. Because cyber criminals only go after big, lucrative targets, right? Why would they target a small business?
The unfortunate truth is that small businesses can make very tempting targets for malicious hackers and cyber criminals because they hold the same kinds of data that large businesses have, such as personal information, credit card details, passwords, and more.
But the nature of a small business means that this information is often held less securely than it would be within a large organisation, particularly if there isn't a specialist information security employee on staff.
Small businesses can also prove tempting to hackers looking to gain access to a bigger company as part of a supply chain attack – by compromising a small business that might be a supplier to a larger organisation, the attacker could use that access to help infiltrate the network of a larger business partner.
No matter what kind of cyberattack a small business falls victim to, whether that's phishing, ransomware, malware or any other kind of malicious activity where attackers can access and tamper with data, the results can potentially be devastating. In some cases, the cost of falling victim to a cyberattack has even forced organisations to close permanently.
Fortunately, it's possible to help keep your business and employees secure online. Here are some basic cybersecurity pitfalls that you should try to avoid.
1. Don't use weak passwords to secure online accounts
Cyber criminals don't need to be super-skilled to break into business email accounts and other applications. In many cases, they're able to get in because the account owner is using a weak or easy-to-guess password.
The shift towards cloud-based office applications and remote working has also provided cyber criminals with additional opportunities for attacks.
Remembering many different passwords can be difficult, which can lead to people using simple passwords across multiple accounts. This leaves accounts and businesses vulnerable, because attackers rarely have to guess: automated brute-force or password-spraying attacks run a list of commonly used passwords against every account, and credential-stuffing attacks reuse a password leaked from one website against every other account where the same password was chosen.
You should also never base your passwords around easy-to-discover information, such as your favourite sports team or your pet's name, because clues on your public social media profiles could give this information away.
The National Cyber Security Centre (NCSC) suggests using a password made up of three random words, a tactic that produces passwords that are long and hard to guess but still easy to remember.
A different password should be used to secure each account – a password manager can help users by removing the need to remember every password.
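The checks above can be automated at the point where a password is chosen. The following is an added example, not code from the original article or from the NCSC: it rejects passwords that appear in a common-password list even after the usual "P@ssw0rd1"-style disguises are undone, rejects passwords built from personal details the user supplies, and generates an NCSC-style three-random-words passphrase with a cryptographically secure random source. The blocklist and word list are small constructed samples; a real deployment would use a breached-password corpus and a full word list.

```python
import re
import secrets
from typing import Sequence

# Constructed sample blocklist. In practice this is a large list of leaked or
# commonly chosen passwords, not a dozen entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "football", "monkey", "abc123",
}

# Constructed sample word list; use a published list (e.g. EFF's) in practice.
SAMPLE_WORDS = ["coffee", "marble", "tractor", "lantern", "pebble", "violet",
                "kettle", "harbour", "meadow", "saddle", "quartz", "badger"]

# Letter-for-symbol swaps that password-cracking rules undo automatically,
# so "P@ssw0rd1" is still just "password" to an attacker.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def check_password(password: str, personal_terms: Sequence[str] = ()) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means acceptable.

    personal_terms are things an attacker could learn from public profiles:
    a pet's name, a favourite team, a partner's name, the business name.
    """
    reasons = []
    if len(password) < 8:  # NIST SP 800-63B minimum for user-chosen passwords
        reasons.append("shorter than 8 characters")
    if normalise(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in password.lower():
            reasons.append(f"contains easily discovered personal information ({term!r})")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("contains a character repeated three or more times")
    return reasons


def three_random_words(wordlist: Sequence[str], separator: str = "-") -> str:
    """NCSC-style passphrase: three words picked with secrets (CSPRNG), not random."""
    return separator.join(secrets.choice(wordlist) for _ in range(3))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Rovers2019", "coffee-marble-tractor"):
        print(candidate, "->", check_password(candidate, ["Rovers", "Biscuit"]) or "ok")
    print("suggested:", three_random_words(SAMPLE_WORDS))
```

The normalisation step is the part people usually miss: a blocklist only helps if the comparison sees through the capital letter, the trailing digit and the symbol swaps that cracking tools strip off in their first pass.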
2. Don't ignore multi-factor authentication
It's not impossible that even a strong password can end up in the wrong hands. Cyber criminals can use tricks, such as phishing attacks, to steal login details from users.
Multi-factor authentication (MFA) provides an additional barrier to account compromise by requiring a second proof of identity alongside the password: typically a one-time code from an authenticator app, a push notification that the user approves in that app, or a hardware security key.
That extra layer means that, even if a cyber criminal has the correct password, they can't use the account unless they also control the second factor. Two caveats are worth knowing. A push prompt can be sent over and over until a tired user approves it, so staff should never approve a prompt they didn't trigger themselves. And a one-time code can be phished along with the password on a fake login page, so where a service supports it, a hardware key or passkey (FIDO2), which only works for the genuine site, is the strongest option. If a user gets an unexpected prompt or code, they should report it to their IT or security team and reset their password immediately, because it means the password is already in someone else's hands.
Despite calls for the use of multi-factor authentication – often referred to as two-factor authentication (2FA) – being among the most commonly issued pieces of cybersecurity advice, many businesses still aren't using it, and that's something that needs to change.
3. Don't put off applying security patches and updates
One of the most common techniques cyber criminals use to breach and move around networks is taking advantage of security vulnerabilities in applications and software. When these vulnerabilities are disclosed, the vendor of the affected software, whether that's an operating system, a browser, an office suite or a network appliance, will usually release a security update to fix them.
The security patch will fix the flaw, thus protecting the system from cyber criminals attempting to exploit it – but only if the update is applied.
Unfortunately, many businesses are slow to roll out security patches and updates, leaving their networks and systems vulnerable to hackers. Sometimes, these vulnerabilities can be left unpatched for years, putting the business – and potentially their customers – at risk from cyber incidents that could easily have been prevented.
Therefore, one of the key things a small business can do to improve cybersecurity is to set out a strategy for applying critical security updates as quickly as possible.
This can be achieved by configuring devices so that software updates are applied automatically, or updates can be dealt with on a case-by-case basis. Whichever approach you choose, critical security updates, and above all fixes for flaws that are already being exploited (CISA publishes a running list of these in its Known Exploited Vulnerabilities catalogue), should be applied as soon as possible.
4. Don't forget about antivirus software or firewalls
Antivirus software is there to help protect computers – and people – from cyber threats including malware and ransomware, but these tools can't help anyone if they're not installed or active. To improve cybersecurity, small businesses should install antivirus software across all computers and laptops on the network.
Nowadays, antivirus software is often bundled for free within popular operating systems, but there's also the option of installing a product from a dedicated antivirus software vendor.
However, you can't just ignore antivirus software after installing it. As with other software, it's important to prevent antivirus tools from becoming obsolete against evolving cyber threats, so you'll need to install updates and patches as required.
Installing spam filters and firewalls can also help employees stay protected against cyberattacks – and like antivirus, it's important to have these tools turned on and kept updated in order for them to be effective.
5. Don't leave employees without cybersecurity training
Even if your small business only has a handful of employees, it's important to provide tools and training around cybersecurity awareness, because all it can take to provide malicious hackers with a way into the network is one person inadvertently making an error.
For example, they could mistakenly click on a link in a phishing email and install malware on the network, or they could fall victim to a business email compromise scam and transfer a large sum of money to someone claiming to be a business partner – or even their boss.
Therefore, providing education and advice to employees on how to recognise phishing emails, suspicious links and other potential methods of attack is vital for helping to keep data, money, personnel and customers secure. It's also important that employees know who they should report suspicious activity to, and that reporting a mistake is welcomed rather than punished, so that a suspected incident can be investigated and contained before it spreads.
6. Don't ignore backups
Even if there's only a handful of computers on your network, one of the key things you should be doing to make systems more resilient to cyberattacks is producing regular backups of your data.
This strategy means that in the event of an incident encrypting, wiping or otherwise bringing the network down, there will be a recent copy of all of your data that can be restored – and that means a relatively quick return to normal.
The backups should be updated regularly, so that the data stored within them is as recent as possible, and at least one copy should be kept offline or otherwise disconnected from the network, so attackers who get in cannot encrypt or wipe it along with the live data. Restoring from a backup should also be tested periodically: a backup that has never been restored is an assumption, not a plan.
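The "test the restore" step is the one most often skipped, so here is an added example, not code from the original article, of how to make it routine: create an archive together with a manifest of file hashes, then test-restore it into a scratch directory and compare every file against the manifest. The sample files are constructed for the example, the archive layout and manifest name are assumptions, and the extraction uses Python's `data` filter where available so that a tampered archive cannot write outside the restore directory.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")   # assumed naming convention


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` (tar.gz) and write a manifest {relative path: sha256}
    next to it, so a later restore can be checked file by file."""
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path) -> tuple[bool, list[str]]:
    """Test-restore into a scratch directory and compare with the manifest.
    Returns (ok, problems). Run this on a schedule, not only after an incident."""
    manifest = json.loads(manifest_path(archive).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # 'data' filter (Python 3.12, backported to older patch releases)
                # refuses absolute paths, '..' traversal and device files.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"archive could not be extracted: {exc}")
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch after restore: {rel}")
    return (not problems), problems


def demo() -> tuple[bool, bool]:
    """Constructed run: back up a small folder, test the restore, then damage the
    archive (as a bad disk or an interrupted copy would) and show the test fails."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "files"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-05-01,120.00\n")
        (src / "customers.txt").write_text("Example Ltd, 01632 960000\n")
        archive = work / "backup.tar.gz"
        create_backup(src, archive)
        healthy, _ = verify_restore(archive)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])   # truncated copy
        damaged, _ = verify_restore(archive)
        return healthy, damaged


if __name__ == "__main__":
    print("healthy restore ok:", demo()[0], "| damaged restore ok:", demo()[1])
```

Keep the manifest with the offline copy, not only on the server that was backed up: if ransomware reaches the server it can alter both the live data and any manifest sitting beside it.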
7. Don't leave your network unmonitored
Setting up the network with controls to help prevent cyberattacks is useful, but small businesses shouldn't install tools and then just ignore them and hope for the best. Someone in your business should have responsibility for monitoring activity on the network for potential harmful behaviour.
This approach starts with knowing what computers and other internet-connected devices actually make up your network – because you can't defend what you don't know about. Then, you'll need to ensure these devices are protected with the right updates.
Identifying internet-connected devices on the network might sound like a simple task, but it can get complicated quickly. These devices don't just include computers: there are also IoT devices, point-of-sale machines, security cameras, printers, and potentially much more. All of these could be exploited and abused by cyber criminals if they are not managed correctly.
Therefore, taking the time to audit your network and fully understand what's on it is vital. It's also important to know what constitutes normal behaviour on the network and what would count as suspicious or irregular. If your small business is suddenly seeing logins from the other side of the world, or the same account logging in from two distant places within an hour, then that could be a sign that something is wrong and needs investigating.
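The "logins from the other side of the world" check can be run over ordinary authentication logs. Here is an added example, not code from the original article, that flags two things per account: a first successful login from a country the user has never logged in from before, and "impossible travel", two successful logins whose distance divided by the time between them exceeds airliner speed. The log format, the IP-to-location table (documentation address ranges only, standing in for a GeoIP database) and the speed threshold are all constructed for the example.

```python
import math
import re
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup: ip -> (country, city, lat, lon).
GEO = {
    "203.0.113.10": ("GB", "London", 51.5074, -0.1278),
    "192.0.2.5":    ("GB", "Manchester", 53.4808, -2.2426),
    "198.51.100.7": ("AU", "Sydney", -33.8688, 151.2093),
}

MAX_SPEED_KMH = 900.0      # faster than a commercial flight: physically impossible
MIN_DISTANCE_KM = 50.0     # ignore small hops; GeoIP city resolution is coarse

# Constructed log format: one successful or failed login per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice ip=203.0.113.10 result=success
2024-05-01T09:30:00Z user=alice ip=198.51.100.7 result=success
2024-05-01T08:00:00Z user=bob ip=192.0.2.5 result=success
2024-05-01T11:00:00Z user=bob ip=203.0.113.10 result=success
2024-05-01T11:05:00Z user=bob ip=203.0.113.10 result=failure
""".splitlines()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]}


def detect(lines, known_countries):
    """Return (user, alert type, detail) tuples for successful logins that look wrong.

    known_countries: {user: set of country codes seen before this log window};
    it is updated in place as new countries are seen, so each is reported once.
    """
    alerts, last = [], {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        loc = GEO.get(ev["ip"])
        if loc is None:
            alerts.append((ev["user"], "login from IP with no location data", ev["ip"]))
            continue
        country, city, lat, lon = loc
        seen = known_countries.setdefault(ev["user"], set())
        if country not in seen:
            alerts.append((ev["user"], "first login from new country", country))
            seen.add(country)
        prev = last.get(ev["user"])
        if prev is not None:
            hours = max((ev["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 60)
            dist = haversine_km(prev["lat"], prev["lon"], lat, lon)
            if dist > MIN_DISTANCE_KM and dist / hours > MAX_SPEED_KMH:
                alerts.append((ev["user"], "impossible travel",
                               f"{prev['city']} -> {city} in {hours:.1f}h"))
        last[ev["user"]] = {"ts": ev["ts"], "lat": lat, "lon": lon, "city": city}
    return alerts


def run_sample():
    """Both users have only ever logged in from GB before this window."""
    return detect(SAMPLE_LOG, {"alice": {"GB"}, "bob": {"GB"}})


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"ALERT {user}: {kind} ({detail})")
```

On the sample, bob's Manchester-to-London trip over three hours is well within the speed limit and his failed attempt is ignored, while alice's London login followed thirty minutes later by one from Sydney raises both a new-country alert and an impossible-travel alert. In practice VPNs and mobile carriers cause some false positives, so treat these as prompts to check with the user, not as proof of compromise.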
8. Don't end up facing a cybersecurity incident without a plan
Even if you have a solid cybersecurity strategy, there's still a chance that cyber criminals could breach the network and use their access for nefarious means, whether that's installing ransomware, conducting espionage, stealing credit card information or focusing on countless other malicious attacks.
If that happens, it's helpful to have a plan ready to put into action, and the plan should be accessible even if the network ends up offline, for example as a printed copy or on a device that isn't joined to the network.
Having a plan in place – around how the business will respond to a cyberattack, how it could continue operating and which cybersecurity agencies and investigators should be contacted – will help your business to deal with a stressful situation with some semblance of strategy and calm.
If you are looking for more advice, the NSA and FBI have a list of 10 cybersecurity errors that let hackers into your systems.