The most pervasive security myth is the one that has business owners sticking their heads in the sand, ostrich-style. "It won't happen to me," small business owners say when they hear about targeted attacks, phishing scams, and sophisticated malware. "I'm too small for the criminals to bother with," they think, when they hear about data breaches, network intrusions, and website attacks.
If that were ever true, it's wishful thinking today. It's increasingly clear that cyber-criminals don't look at the size of a company when launching their attacks. Data is data, and even the smallest organisation has valuable data the criminals can steal and sell. The days of "I'm too small for them to find me" are long gone. In many cases, the small business may just be a stepping stone in a chain of attacks, with the criminals targeting the smaller and weaker networks as part of a comprehensive campaign against larger partners.
Both the volume and sophistication of attacks are growing, making it difficult for SMBs to keep up their defences. In honour of “National SMB Week” over in the US, the Certificate Authority Security Council has detailed a few simple steps SMBs can follow to secure their online presence. With these tips, business owners can make sure their site visitors can safely visit, search, enter personal information, and complete a transaction.
Passwords are essential
The first suggestion is to “create unbreakable passwords” for accounts related to your online presence, such as the domain registrar, hosting account, SSL provider, social media, and PayPal, among others, said Rick Andrews, technical director of Symantec, on behalf of CASC. While there is a lot of discussion about the need for better authentication schemes, passwords are still the main way to protect online accounts, which makes strong passwords essential.
Criminals can easily set up computers to cycle through combinations in a brute-force attack. If the password is weak, this process takes very little time. We recommend using a password manager to randomly generate strong passwords and to store them securely. If the service offers two-factor authentication, you should take advantage of that extra layer of protection.
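As an added illustration, not code from the article or from CASC, the following Python script generates a random password with the standard library and estimates the expected time of an exhaustive brute-force search against it. The guess rate and the rule that every character class must appear are assumptions chosen for the example.

```python
"""Added example (not from the article or CASC): generate a random password
with Python's `secrets` module and estimate how long an exhaustive search
would take, to show why random length beats clever guessing."""
import math
import secrets
import string

# Character classes the generated password must draw from. Requiring all
# four is an assumption for this example, not a CASC rule.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable symbols


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password containing every class in CLASSES."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the output uniform over qualifying strings.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: half the keyspace on average."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate for illustration only
    for label, length, alpha in (("8 lowercase letters", 8, 26),
                                 ("20 random printable", 20, len(ALPHABET))):
        secs = expected_crack_seconds(length, alpha, RATE)
        print(f"{label}: {entropy_bits(length, alpha):.1f} bits, "
              f"~{secs / 86400:.3g} days at {RATE:.0e} guesses/s")
    print("example password:", generate_password(20))
```

At the assumed rate, the 8-letter lowercase password falls in about ten seconds while the 20-character random one is far beyond any practical search, which is the gap a password manager closes for you.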
Scan your sites
Websites can be infected with malware, just like your PC. Regularly scan your site for vulnerabilities and malware. Attackers can take advantage of vulnerabilities to infect the site with malware or inject malicious code to redirect visitors somewhere else. Infected sites may load slowly, display unwanted advertisements, and infect user computers with malware. Look for a site scanner – something like StopTheHacker – that will monitor your site for problems and alert you when necessary.
Update and patch
Is your web server regularly being updated and patched? It's not just the server, though – your website also needs to be patched regularly. If you use a popular content management system (CMS) such as WordPress or an e-commerce platform such as Zen Cart, then you need to make sure you are updating the software regularly. Attackers frequently target WordPress plugins, so installing patches promptly is a must. Check with your hosting provider or site maintainer to find out whether all the software is being updated on a regular basis.
"Updates must be installed on your website, just like installing the latest Windows Updates on your PC," Andrews said.
Use SSL certificates
Consumers need to trust that you are a legitimate business, and SSL certificates help verify your identity. No site should attempt to collect personal information or conduct e-commerce without a trustworthy SSL certificate to assure users their information is safe.
Don't lose control
No matter who you hire to work on your site, the business should always retain control of the domain name, SSL certificate, and the website itself. It's all too common for business owners to hire someone to build their website, and when that person leaves, there goes the only person with access to the SSL certificate, domain name, and hosting account. It's harder to add people to an account or transfer ownership when the original account holder is no longer around. If building and maintaining the website is outsourced to a third party, make sure someone within the organisation is also on the accounts to retain control. If the employee leaving is the one who had access to the accounts, be sure to add a new person to each account beforehand. This way you’ll still be able to manage your certificate, domain name, and hosting account.