Small businesses and self-employed people are big targets for hackers, and the financial implications can be crippling. Gone are the days of thinking “It’ll never happen to us”. A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report.
But where do you begin? Many small businesses feel that being as secure as a big business is impossible. Corporations have large budgets, chief security officers and entire teams dedicated to cybersecurity. This perception stems from the impression that hacks are vastly complicated, and rely on a tireless horde of highly skilled attackers. Most hacks aren’t like that. The majority depend on poor passwords and a lack of awareness of what a hacker actually needs to compromise systems – a simple phishing email or a leaked password and they’re in. It’s that simple.
Educating yourself and your staff is the only solution. Hackers always look for soft targets, so start with these basics.
Get a strong password
A total of 80% of hacking-related breaches use stolen and/or weak or guessable passwords. Getting a strong password is the bare minimum. What’s more, it’s easier than you think. A lot of people don’t know that you can use spaces in your passwords; for example, “horse mug table” is a much better password than “horse1234”. Test how long your current password would take to crack here: https://howsecureismypassword.net/
Make your password unique
Having a single strong password doesn’t count for much if that password is then leaked. We’ve seen massive, trusted companies like LinkedIn and Yahoo leak millions of passwords over the last few years, which opens the door to wide-ranging cyber attacks. Password managers like LastPass and 1Password help you generate and keep track of unique, strong passwords.
Know what to look out for with phishing
Hackers are constantly sending “phishing” emails, trying to get you to click through to their website so that they can install malware or trick you into handing over your password. Understanding what a hacker is trying to do, and what to look out for, is key. Poor syntax, incorrect spelling, and email addresses or links that include a lot of full stops are all key warning signs.
Understand the information you’re already giving away
Phishing attacks rely on the amount of information we share about ourselves online. Famously, the hackers behind the celebrity iCloud leak in 2014 used information they’d gained from public posts to guess the answers to users’ secret questions. If your secret question is “The city I was born in” and you post that information on Facebook, then hackers have an easy way into your account.
Pay attention to web page URLs
When you see HTTP (rather than HTTPS) at the start of a web page URL, your communication with that page is not encrypted, so anyone able to intercept the traffic could read it. HTTP is a warning sign to look out for if you ever think you might have stumbled onto a phishing or otherwise suspect website. If you’re ever entering sensitive information like credit card numbers or personal details, make sure the website’s URL starts with HTTPS. That way you’re more secure.
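The two cues above (plain HTTP, and links or email addresses with a lot of full stops) turned into a small checker, as an added example that is not from the original article; the label threshold and the sample links are constructed assumptions, not real sites.

```python
from typing import List
from urllib.parse import urlsplit

# Assumption: a host with more than this many dot-separated labels
# (e.g. secure.login.bank.example.co.uk.phish.test) is "a lot of full stops".
MAX_HOST_LABELS = 4


def _label_count(host: str) -> int:
    """Count dot-separated labels, ignoring a trailing dot and empty parts."""
    return len([p for p in host.strip(".").split(".") if p])


def inspect_link(url: str) -> List[str]:
    """Return warning flags for a link: 'plain-http' when the page is not
    encrypted, 'many-dots' when the hostname has too many labels."""
    url = url.strip()
    # Links pasted without a scheme ("example.test/login") would otherwise
    # parse as a bare path, so give urlsplit a network-location to work with.
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = parts.hostname or ""          # lower-cased, port stripped
    if not host:
        return ["unparseable"]
    flags = []
    if parts.scheme.lower() == "http":
        flags.append("plain-http")
    elif not parts.scheme:
        flags.append("no-scheme")
    if _label_count(host) > MAX_HOST_LABELS:
        flags.append("many-dots")
    return flags


def inspect_email(address: str) -> List[str]:
    """Return warning flags for a sender address using the same dot rule."""
    address = address.strip()
    if address.count("@") != 1:
        return ["malformed"]
    _local, domain = address.split("@")
    flags = []
    if _label_count(domain) > MAX_HOST_LABELS:
        flags.append("many-dots")
    return flags


if __name__ == "__main__":
    # Constructed samples: one clean, one plain-HTTP, one long lookalike host.
    for sample in ("https://www.example.com/", "http://example.test/login",
                   "https://secure.login.bank.example.co.uk.phish.test/"):
        print(sample, "->", inspect_link(sample) or ["ok"])
```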
Update your software
Software is updated for a reason. Usually companies like Microsoft or Apple will discover a vulnerability that might let hackers in, fix it, then offer an update. Always take them up on it. We saw with the WannaCry attack earlier this year what happens when organizations don’t install patches and security updates. Unpatched vulnerabilities leave gaps in your systems that hackers use to install malware and ransomware, or simply to gain control of your systems.
Encrypt your data
Should a breach happen, you want to make sure that whatever information hackers get their hands on is, at the very least, difficult for them to understand. Encrypting your hard drives and databases with a modern algorithm like AES-256 is a key defensive tool to protect your data in the event of a breach. It’s quick and easy to do.
Knowledge is the key to cybersecurity, but it’s also important to think about the underlying structure of your business and the way it handles data more broadly. Organization-wide controls and data-protection policies help define sound technological defenses, and ensure you know how to respond in the event of a breach. Just remember that industry standards like ISO 27001 certification and SOC 2 are beneficial, but only when combined with education and good end-user behavior.