Cybersecurity Best Practices for Small Businesses
Television and movies would have people believe that cybercriminals are only interested in uncovering national secrets or stealing the source code of massive corporations. Small businesses, however, are just as attractive to cybercriminals as their corporate counterparts, and often more so. Small businesses are targeted so ruthlessly because they are usually easier targets with less stringent cybersecurity measures. It’s very easy to put cybersecurity off, but a U.S. Securities and Exchange Commission study found that 60% of businesses that suffer a cybersecurity breach close within six months.
The world of cybersecurity and cyberthreats is constantly evolving. It is imperative that small business owners treat cybersecurity with the same seriousness they would physical security; not taking proper cybersecurity measures is almost the same as leaving your business’s front door unlocked at night. Knowing the potential threats and the best precautions is the essential first step to getting your business the security it deserves.
Types of Cyber Threats
Malware is a portmanteau of “malicious software” and covers any piece of software designed to do harm to your computer or network. There are several kinds of malware, each of which can infect your computer and damage your devices in a different way.
Types of Malware
Ransomware is an exceedingly devious type of malware that encrypts the files on your computer. Once your files are encrypted, you will have no access to your computer beyond the start-up screen. The cybercriminals behind the malware will then threaten a variety of consequences, from wiping your computer to leaking your sensitive information, unless you pay them a ransom, often in hard-to-trace cryptocurrencies.
Those who know The Aeneid should be distinctly familiar with this kind of malware. Named after the greatest deception in Greek mythology, a Trojan Horse is malware disguised as normal, unassuming software. Once a file acting as a Trojan Horse is downloaded onto your computer, there are several ways the would-be Greek warriors hidden inside can create havoc for your device. Some of the most common types of Trojan Horse malware are:
- Fake Antivirus Trojans: These Trojans convince unsuspecting web users that they are downloading antivirus software when the download is actually a Trojan Horse. Unfortunately, the most common kind of Antivirus Trojan disguises itself as a free version of a genuine antivirus program, making this malware especially “malicious.”
- Trojan IM: This type of Trojan spreads through instant messengers like WhatsApp and Skype. The most common mode of deployment for this Trojan is a spoofed, or altered, link that appears to lead to a real website. Once the user is on the webpage, cybercriminals can discreetly download their malware or may coax the user into clicking another download.
- Trojan Spies: This type of malware is intentionally stealthy. Once downloaded, these Trojans stay as invisible as possible in order to lift your key information, like user IDs and passwords, over time.
Emotet is an especially advanced type of Trojan Horse that has evolved into a whole new class of malware. The Department of Homeland Security said in 2018 that Emotet is “among the most costly and destructive malware.” Emotet usually arrives as “malspam,” that is, email attachments that distribute malware. Like Trojan Spies, Emotet then silently activates on your computer. What makes Emotet different is that modern variants of the malware are disturbingly able to change form and leave traces throughout your machine. Emotet will then silently monitor your web activity and keystrokes with the goal of collecting your banking information and as many logins as possible.
Cyber-Scams and Threats
While not malicious software itself, phishing is still one of the most prevalent ways for malware to reach computers. Phishing scams include all online tactics used to get a person to unintentionally open themselves up to a cyberattack. Two key types of phishing scams are:
- Webpages built to look like banking or email login pages: Once unsuspecting users type their login info into these fake pages, the cybercriminals log the info for later use.
- Instant messages or emails with suspicious links: Clicking an email or instant messaging attachment that carries malware is an example of a successful phishing scam. Depending on how complex the scam is, cybercriminals can use stolen login information to send malicious links from the accounts of your trusted family or friends.
DNS Poisoning
Also known as DNS Spoofing, this type of cyberattack hijacks websites and redirects would-be visitors to a place of the cybercriminal’s choosing. DNS (Domain Name System) is the system behind the actual “name” of a website, for example “Kapitus.com.” Behind that grouping of letters is an IP address, which is the mechanism that actually directs your computer between webpages. In the event of DNS Poisoning, the visible web address will appear the same, but the IP address used to direct your computer has been maliciously altered.
Prevention Best Practices
Virtual Private Networks & Network Security
Virtual Private Networks are quickly becoming an essential tool for general consumers as well as businesses. VPNs encrypt your network activity and present a variable IP address in place of your own, so that an outside party cannot read your traffic or work out your real IP address. Wi-Fi modems have become an increasingly juicy target for cyberattacks, as a successful probe into a modem allows the attacker to monitor all devices on the network, unless the devices’ traffic is encrypted by a VPN.
In the era of remote working, VPNs are no longer a choice, but a necessary step in any online work. VPNs connect to private servers in such a way that sensitive information, even when shared between devices, is protected from outside would-be cybercriminals.
Choosing Effective Antivirus Software
When choosing the right antivirus software, consider the following:
How many devices does your business use?
An increasing number of antivirus programs have a limit as to how many devices you can register to one serial key. If you want to protect mobile devices and tablets as well, those may also count toward your device limit.
Does the Program Offer Real-Time Protection?
Real-Time protection is the best way to stop threats like DNS Poisoning. In the event you click on a web address whose DNS record has been altered, or poisoned, antivirus programs with Real-Time protection will intercept your connection before malicious programs have the chance to infiltrate your computer. Real-Time protection is traditionally included in most paid antivirus software.
How Much Does the Program Cost?
While there are several free antivirus programs that offer sufficient protection, paid programs often have several useful features like Real-Time protection, file shredding, or even a built-in VPN. Most antivirus software worth its salt has an annual fee between $19.99 (Norton AntiVirus Plus) and $59.99 (Bitdefender Internet Security) for single-computer protection. If you intend to protect multiple devices, you can expect to pay anywhere between $79.99 (Webroot Internet Security with Antivirus Protection for 3 devices) and $129.99 (McAfee Total Protection for 10 devices). These prices are always subject to change, so be sure to do your research and get an accurate price quote for your needs.
Is Your Built-In Operating System Protection Enough?
No. It is not. While Windows Defender on Windows 10 is generally quite good at finding malware, it is not nearly as good at preventing it. Windows Defender has very few Real-Time protection features, and PCMag found that Windows Defender’s SmartScreen anti-scam filter blocked only 68% of phishing scams.
Poor cybersecurity is no longer an option for businesses large or small. It only takes one phishing scam to sink your entire online, or even offline, business, so programs that specialize in Real-Time protection should be used in addition to native software like Windows Defender.
Multifactor Authentication
Multifactor authentication is another essential tool in the business owner’s cybersecurity arsenal that takes relatively little effort and nets major results. Multifactor authentication means that in addition to entering login information, users must also confirm their identity on a second trusted device. This means that even if a device’s login information is lifted by cybercriminals, they won’t be able to access your private information unless they also have access to that second device.
Google, Microsoft Outlook, most online banking services, and now most software that requires a login offer multifactor authentication as an option. If individual employees have their own company devices, have them set their personal cell phone as the trusted secondary device. If you have a central terminal at your place of business, consider setting up a second email address just for multifactor authentication.
Regular Data Backups
A recent data backup is an afterthought until it isn’t. Any business that has suffered a ransomware attack or related data breach knows the value of external hard drive or cloud backups. Cloud backups have become the method of choice for consumers and businesses alike for their convenience, ease of use, and price.
Unlike physical backups, which regularly require manual updates to stored data, cloud services often work in the background and allow you to schedule backups. Depending on the amount of data you would like to store, cloud backup services can also be cost-effective. One of the most well-known cloud backup services, IDrive, allows users to back up up to 5 gigabytes for free, which could comfortably cover a near-endless number of Word documents. If your company is dealing with more complex files, paid plans from IDrive and competitors range from $79.50 to $99.50 annually. As always, prices are subject to change, so be sure to do your research on pricing before making your final decision.
Employee Training
Having a full suite of antivirus and cloud backup services is only helpful if the people using the software understand how to use it properly. Set aside time during onboarding, as well as regular check-ins with employees, to make sure everyone is maintaining best practices. One of the most common ways for cybercriminals to infiltrate a system is by phishing just one employee, convincing them to give out login information where they shouldn’t. Beyond training employees to use your software properly, be certain they know about DNS Poisoning attacks and the other crafty ways hackers convince unsuspecting victims to compromise a system.
Not a Problem Until it Is
Because many cybersecurity solutions come with an annual price tag, it’s natural to want to put the decision off. But every day your systems run without Real-Time protection, a VPN, or recent backups, your computer is the ripest target for cybercriminals. Likewise, no single cybersecurity solution is the perfect fit for every business. Look at your own business’s size and technological footprint as a guide to determine your own cybersecurity needs.