Website Security for Small Business: Everything You Need to Know
Here's how to stop hackers and cybercriminals in their tracks.
There was a time when only large corporations and government agencies had to worry about hackers and cybercriminals. Not anymore. They now pose an ever-increasing threat to small businesses.
Depending on the source, statistics show that anywhere from nearly one-half to as many as two-thirds of all small business websites are targeted by cyberattacks. Why? Because they’re among the softest targets, making them easy pickings. That means it’s time to think about website security for small business.
“Every small business that has a website is a potential target,” said Justin Reed, a software engineer specializing in web design, maintenance and security and founder of Beachcliff Technologies. “So, no one can afford to overlook the importance of cybersecurity.”
Numerous cases illustrate that point, including one entrepreneur’s e-commerce business that was infiltrated, allowing hackers to not only render their website inaccessible, but to hijack the site and hold it for ransom.
In another incident, a small business’s online servers were stripped of its customers’ personal and financial data.
And in a high-profile breach discovered in December 2020, hackers believed to be Russian intelligence operatives inserted code into network management software made by the Texas development firm SolarWinds, allowing them to gain access to as many as 250 online networks — including those used by the U.S. government, multinational corporations and small businesses.
For small business owners, the stakes are higher than many realize. Not having a website security action plan and response strategy in place can cause more than headaches. It can cost you time, money, customers and even your livelihood itself.
Fortunately, there are many steps that business owners can take to reduce their risk of falling victim to ruthless hackers and Internet criminals.
Here, small business cybersecurity expert Reed shares strategies on website security for small business and other cybersecurity tips gleaned from more than 20 years of experience.
Website Security for Small Business Strategy #1: Know the Dangers
The F.B.I. says the amount of cybercrime in the U.S. has quadrupled since COVID-19 hit. But despite web attacks posing an ever-increasing threat, only a small percentage of small businesses are prepared to defend themselves against high-tech villains.
The reasons are simple: Most small businesses have a false sense of security, believing there’s little chance they’ll be targeted by hackers and online criminals. They mistakenly believe that cyberattacks only happen to others, so they either have few digital defenses in place or no small business website security plan at all.
Adding fuel to the fire, many website security breaches go undetected for weeks or even months. And by the time they are discovered, serious damage is done.
These facts underscore the need for increased awareness of web security among small businesses, especially given that most lack the time, financial resources and expertise to protect themselves.
Small businesses that lack adequate website security face potentially significant losses of revenue and customer trust, putting their very existence at risk.
You might ask: Why would anyone want to target my business? Here’s why:
• Your data. Small businesses have valuable and proprietary information and records that hackers can use to commit identity theft or sell for a tidy profit on the Dark Web black market.
• Your IT. Some cybercriminals only want access to small business computers to convert them into a virtual army of bots to artificially generate huge volumes of web traffic to disrupt other targets’ service.
• Your connections. In today’s interconnected world, your small business has direct and indirect digital links to some pretty big fish. Hackers could simply want to piggyback on you to reach a larger company, as they did to infiltrate Target through its smaller partners.
• Your money. The profit motive is perhaps the biggest reason criminals target small businesses, which are easier game compared with well-protected big companies.
Here are a few high-profile cases in point:
Volunteer Voyages, a humanitarian travel business run by a solopreneur in Oregon, had its debit card information stolen from its web server and fraudulent charges racked up to the tune of $14,000.
Green Ford Sales, a Kansas car dealership, lost $23,000 to hackers who forced their way into the company’s network and transferred money to fake employees they placed on the payroll.
PATCO Construction, a Maine-based homebuilder, had its email hacked and banking information snatched and used to steal $588,000 from its account.
Wright Hotels, a hospitality property developer in Seattle, fell prey to cybercriminals, who pulled off a savvy heist, posing as the CEO and having over $1 million wired to China from the company’s bank account.
In each of the above cases, the small businesses admitted they didn’t give much thought to cybersecurity…until they became victims. And their banks refused to reimburse them.
Think it can’t happen to you? Think again. As the above examples show, underestimating the risks can be costly.
Website Security for Small Business Strategy #2: Create a Cybersecurity Plan
A proactive small business cybersecurity plan is a vital tool for small businesses to protect their website, IT systems and sensitive information from security threats.
Creating a cybersecurity plan may sound complicated, but for starters all you really need is an easy-to-update shared document that provides insight into your small business website security and protective measures.
Once you have that set up, build a broad, holistic cybersecurity plan by filling that document with relevant information, taking a step-by-step approach to each of the following:
• Spell out who’s who. List every person who plays a part in your cybersecurity plan: your business owner or CEO, IT manager or outside web support provider. Include their names, roles and contact information as an immediately accessible resource, so the parties in question can be quickly contacted in the event of a website hack, data breach or other cybersecurity incident.
• Identify your potential targets. Protecting your website and IT infrastructure starts with knowing exactly what your security needs are. A good approach is to start with a complete list of all your digital assets: devices, servers, networks and data storage units. Afterwards, conduct a review of all your stored data, making note of where it’s housed (website hosting or email server, remote cloud or CRM). Pay particular attention to sensitive information like credit and debit card numbers, bank account details or customer and vendor information.
• Document your existing security. This section of your cybersecurity plan spells out the protection measures you already have in place. Here, it’s important to be as comprehensive as possible, leaving no stone unturned. Be sure to make note of everything from firewalls, anti-malware software and V.P.N. (virtual private networks) to cloud monitoring apps and data backups.
• Show how you’ll detect security threats. An important aspect of strong cyberdefense is a good offense. That means having a solid threat detection system in place to alert you to brute-force hacks, phishing attempts, denial-of-service attacks (DDoS), compromised login credentials and other dangers.
• Put systems and processes in place. While external threats like hackers are obvious, a significant percentage of cybersecurity breaches are caused by employees, who either accidentally or intentionally create vulnerabilities. Minimize damage from your team members by creating well-thought-out internal controls and best practices that keep your website, IT assets and information safe.
• Establish strict security response guidelines. Although prevention is crucial, no security measures are foolproof. Even with vigilance and strong security mechanisms, there’s no way you can completely eliminate the risk of hacking, data breaches or malicious software. So, you need to establish firm guidelines for how to handle cybersecurity events. The process can be as simple as contacting your IT services provider for emergency response, or as complex as having data security teams and legal representation on call to provide assistance. The best approach is to create a strategy that takes into account the severity of the security incident and responds appropriately to it.
Remember to make sure that your cybersecurity plan shows any and all past actions. Never edit out or overwrite information; instead, archive all changes so they can be referenced later on if the need arises.
Website Security for Small Business Strategy #3: Understand Common Threats
To deal with ongoing and constantly-evolving challenges, small business owners need a solid understanding of the current cybersecurity threats, which include:
• Spam. Anything but harmless, not only does spam annoy visitors (potential customers), it can also cause real harm. Comment spam is fueled by bots that pepper the comments section of your website with links in an attempt to either build backlinks or plant phishing links with malware. An added downside: if Google’s crawlers detect malicious URLs on your site, the search engine can penalize you, harming your SEO ranking.
• Brute-force hacks. These assaults involve using trial-and-error with as many username and password combinations as possible to guess login credentials or encryption keys, or to find hidden web pages.
• Denial-of-service attacks (DDoS). Disrupting the normal operation of a server or network by flooding it with web traffic, causing outages that can last for hours or days.
• Phishing. Usually taking the form of fake emails that appear to come from legitimate senders (banks, etc.) that contain deceptive URLs or email attachments containing a virus. Phishing attacks are used to infect your system and damage, disable or even take over your website and servers.
• Ransomware. Used to lock down computers and encrypt data, ransomware (trojan software) is one of the most common threats you’ll face. Once a business’s data is under a hacker’s control, digital assets are held hostage until a ransom is paid.
• Malvertising. Short for “malware advertising,” bogus ads disguised as the real thing to lure users into clicking and infecting their network with malware.
• Clickjacking. A twist on malvertising, this method hides hyperlinks to compromised webpages in legit website links, fooling users into revealing their personal and financial information, which is stolen and used for fraud.
• Drive-by-downloads. Often triggered by visits to compromised websites or malicious pop-up windows, this technique tricks users into downloading malware.
• Man-in-the-middle attacks. Fairly common in free public Wi-Fi hot spots, communications are secretly intercepted to steal login credentials or other account details — often by setting up phony Wi-Fi connections with names similar to nearby businesses.
• Other sneaky tricks. Hackers look for vulnerabilities that they can exploit in popular CMS platforms such as WordPress, software tools like Java and widely used file formats, including PDF (Acrobat Reader), HTML (Hypertext Markup Language) and CSVs (comma-separated values) to infect networks with malware.
Website Security for Small Business Strategy #4: Protect Yourself
To be prepared for cybersecurity threats, here are some things that should be included in any comprehensive approach to website security for small business:
• Start with a secured website. Whether or not you directly sell anything, make sure your website has an SSL (Secure Sockets Layer) certificate. These digital certificates use encryption technology to secure communications between a web server and a client browser or a mail server and a mail client — ensuring all information (from card numbers to contact form data) is protected. HTTPS (Hypertext Transfer Protocol Secure) as a URL prefix indicates that your website is secure.
• Cover the basics. Make daily backups and duplicate data and files for retrieval in the unfortunate event that your IT system is compromised or infected with ransomware. Install and regularly update anti-malware, anti-virus, firewall and encryption tools to ensure you’ll be able to scan for and defend against threats, attacks and break-ins by information thieves.
• Keep your software updated. Believe it or not, most websites (whether a simple blog or full-blown e-commerce site) are inadvertently made vulnerable by not keeping software up to date. Outdated versions of WordPress, plugins and themes are easy targets for hackers and cybercriminals who use malicious robots to sniff out and take advantage of weaknesses.
• Use good password management and security practices. Weak, easy-to-guess passwords for admin login interfaces, FTP file transfers and control panel access are common reasons many websites are compromised. Use strong, unique passwords and multi-factor authentication (which requires multiple checks and approvals) to make brute-force hacks next to impossible.
• Provide employees with proper training and support. Many data breaches and ransomware attacks can be traced back to unsuspecting employees. With this in mind, team members should be required to undergo regular cybersecurity training. These sessions can offer a refresher on company user best practices, all while teaching employees how to detect and report suspicious behavior, emails, phone calls and websites. Provide team members with this training at least every 3 months to guard against the latest threats and changing trends.
• Regularly update your cybersecurity plan. Web and other IT threats evolve constantly, with digital crooks and troublemakers working day and night to find ways to tap into your digital infrastructure. That means your plan has to be regularly updated to change with the latest hacking techniques and other emerging security threats.
• Make cybersecurity audits and website maintenance routine. Even the most well-conceived website and IT security plans can have gaps, which is why your small business should conduct regular vulnerability risk assessments and cybersecurity audits to detect new vulnerabilities. It’s also a good idea to have a contingency plan with specific instructions on how to quickly isolate and remove potentially exposed data if there’s a security breach.
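As an added illustration of the threat detection called for in Strategy #2 and the brute-force hacks described in Strategies #3 and #4 (example code written for this article, not part of the original or of Beachcliff Technologies’ tooling): a small Python script that reads web server access logs and flags any IP address with five or more failed WordPress login attempts inside a five-minute window. It assumes the default WordPress behaviour, where a bad password re-renders the form with HTTP 200 and a successful login redirects with HTTP 302; the log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.22 - - [10/Mar/2021:09:58:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2021:09:58:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2021:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "curl/7.64"
192.0.2.55 - - [10/Mar/2021:12:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "curl/7.64"
203.0.113.7 - - [10/Mar/2021:14:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def is_failed_login(ev):
    # Assumption (default WordPress): a wrong password re-renders the login form with
    # HTTP 200, while a successful login answers with a 302 redirect.
    return (ev["method"] == "POST" and ev["path"].split("?")[0] == "/wp-login.php"
            and ev["status"] == 200)

def find_brute_force(lines, threshold=5, window_seconds=300):
    """Return {ip: failed-login count} for every IP that reaches `threshold` failed
    logins within a sliding window; log lines are assumed to be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = len(q)
    return flagged
```

Tune the threshold and window to your own traffic; a flagged address is a candidate for rate limiting or blocking at the firewall, and a prompt to check that the targeted account has a strong password and multi-factor authentication enabled.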
7 Bonus Expert Tips for Small Business Cybersecurity
Since there’s more to consider than your website, here are other ways to help you safeguard your business:
• Make a habit of monitoring and scanning anything connected to your computer or IT network (printers, smart speakers, routers, networked devices, control system components).
• Educate employees about the dangers of visiting unprotected websites, clicking links in unsolicited emails and downloading attachments in questionable communications.
• Conduct real-world cybersecurity drills and exercises based on common scenarios to test your readiness to deal with cyberattacks, digital crime and scams.
• Limit employee access to only the files, folders and applications they require to perform their specific work-related duties.
• Ask your IT specialist about AI-driven analytical tools capable of learning the usual patterns of behavior in networks, user accounts and apps, then auto-detecting and isolating suspicious activities before they cause any problems.
• Insist that your employees establish user permissions and access levels to protect any sensitive data. And encourage all team members to always use best practices for IT security — saving documents to the cloud, using a V.P.N. to remotely log in, prohibiting the use of removable media (like USB drives) and instructing staff to report any suspicious activity they discover.
• Consider purchasing cybersecurity insurance. With website security incidents and data breaches now an all-too-common reality, cyberinsurance can protect you from financial loss resulting from a catastrophic online attack that could put you out of business. These specialized policies are offered by dozens of insurance carriers, including household names like Progressive, Nationwide and Chubb. The problem with getting the coverage you need is determining how to quantify intangible losses from cyberattacks, such as a decline in sales or damage to your business’s reputation and brand.
Final Thoughts on Website Security for Small Business
With hackers and cybercriminals targeting a typical website or network dozens or even hundreds of times a day, small business website security can no longer be treated as an afterthought or unnecessary annoyance.
You don’t have to have a Fortune 500 budget or sophisticated security operation to protect your digital assets. But you do have to make a real effort with careful planning and concrete steps to be prepared for the possibility of disaster.
The question is, given all the uncertainty in today’s world and stepped-up cyberattacks on small businesses of every kind, can you afford not to?
ABOUT THE AUTHOR
Shannon Roxborough is a freelance business and financial writer, journalist and content marketer, who during a more than 30-year career has had his writing, commentary and research featured in dozens of leading publications and websites, including Yahoo Finance, Barron’s and The New York Times. Previously, he was a Money magazine correspondent, a columnist at The Record newspaper and a senior contributor with Business Financial Publishing, a number two-ranked media company on the Inc. 5000 List of fastest-growing small businesses.
This article was originally published at Beachcliff Technologies and has been republished with permission.