Your business is not immune to attack

Cyberattacks usually make headlines when they impact large businesses or government, just because of the sheer scale of such breaches. Rarely do you hear about the small business that went under because opportunistic hackers breached their data, but it does happen; and too often, these businesses do not have the technical or financial resources to fight back.

Many entrepreneurs start or run their businesses using shared public Wi-Fi connections, without considering either that hackers might target their activities or that a cyber breach could seriously harm their business. Entrepreneurs may believe they are safe from cyberattacks because they outsource their website hosting to a managed service provider; use cloud-based business applications like QuickBooks Online or Method CRM; use an Apple MacBook or Linux desktop; or do not use a business server or networking equipment. Although many of these strategies can help mitigate the risk of an online attack, they don’t completely remove it.

Five common types of cyberattacks targeting small business

Startups and small businesses are particularly vulnerable to attack because they’re not always as savvy as larger businesses about security. Protect your investment in your business by avoiding these five common types of cyberattacks:

1. Malware attacks occur when a user unknowingly downloads a virus (also known as a worm, spyware, etc) by clicking on a link or opening an attachment in an email or SMS. These emails may seem to come from someone they know through a spoofed email address or phone number. Malware can spread from one user to their contacts, and may then in turn be shared amongst multiple users. Such attacks may destroy or steal information, which could be fatal to a new or small business.
2. Ransomware attacks spread through email or are contracted through unfamiliar or infected websites, leading to infected devices. Infected devices become locked and hackers often demand large payments, usually payable through cryptocurrency or credit card, to unlock them again.
3. Website redirects, SQL injections and other breaches, including redirect attacks, may divert or harm your visitors; having a third-party hosting provider manage your website doesn’t necessarily make your site immune. Redirects usually occur when protections like firewalls and intrusion prevention systems are not in place. A redirect attack may involve a small piece of malicious code placed on your website; this code may sends users to another page which says their system is infected; perpetrators generally demand payment before reversing the redirect.
4. Distributed Denial of Service (DDoS) attacks occur when a hacker takes control of a large number of computers from unwitting owners. The hacker forces these computers to visit a specific server IP address, website or application repeatedly to overwhelm the app or web service with traffic, ultimately crashing the site.
5. Data loss from insiders is the most common cyber security breach. These most often occur when an employee leaves a business, but can also happen if employees leave devices unattended, don’t use Virtual Private Network (VPN) apps when using public internet and Wi-Fi hotspots, set weak passwords or use unauthorized apps or websites. All these things can make devices—and therefore company data—vulnerable to hackers, thieves and viruses.

How to protect your business

Security breaches and attacks can be costly, time-consuming and destructive to startups and small businesses. The good news is, every entrepreneur and business owner can take immediate steps to reduce the risks of data breaches and attacks. Consider these steps to create a more secure business that protects both you and your customers:

Multi-factor authentication. Use business applications which require multi-factor authentication, such as passwords and device-based authentication like SMS codes.

Security policies around use and payments. Create, follow and enforce security policies, such as terms of use for Internet, company devices and applications. Once you create the policies, take time to educate employees and contractors on security standards; regular reminders and testing are good ideas, as well.

Policies may include keeping private information locked away; not storing store credit information online or any other accessible location; limiting or banning the use of USB drives and using secure payment processing devices, like Square or Moneris swipe machines and pin-pads, instead.

Vulnerability scanning and penetration testing. Business owners can purchase vulnerability scanning services for the perimeter of their network. These services provide and support antivirus, encryption and strong passwords which protect endpoint devices and Wi-Fi routers.

Anti-virus support and firewalls. Enforce the use of Anti-Virus, Anti-Malware, Firewall and VPN apps on all corporate devices, but especially on portable ones like smartphones, tablets and laptops. Do your research on whether or not to allow employees to bring their own device to use with company data.

Engage your providers. Ensure the managed technology services providers you use for web hosting, e-commerce, email hosting and online accounting use and offer SSL certificates and high levels of security. Contracting with service providers certified against standards like SOC 1, SOC 2, PCI and ISO 27017 is a safe practice.

Physical monitoring. Implement physical security monitoring to protect your property, your information and your employees. Engage with respected service providers that can ensure your business is adequately protected and monitored 24/7 by an expert security team.

Get informed. Read and share the Government of Canada’s Get Cyber Safe guide for small business.

Educate yourself and your employees, as well as adopt tools and policies to protect your investment against cyberattacks and data breaches—from day one. This way, you can work on building your business for a long time to come.