Whether you are a Fortune 500 company, a local bakery, or self-employed and working from a home office, you share a common business goal: to maintain your operation and productivity. You also share a new challenge that ALL companies face: cybersecurity.
Traditionally, large companies and corporations have been popular targets and face threats that range from corporate espionage/sabotage to attacks by other nation states. However, small businesses are not immune and, for some hackers, are actually the more desired target. The unfortunate truth is that many small businesses are “easy marks.” Large companies and corporations are spending a lot of money to protect themselves. Small businesses typically do not have sufficient, or any, security budgets and spend little to nothing to defend against security threats. Hackers know this and many have turned their attention to these easier targets. Relying on the “fly below the radar” strategy to provide a security blanket for a small business is no longer valid.
For hackers testing their abilities, it is much safer and lower risk for them to practice on a small business that most likely has minimal defenses and technical ability. This may be a one-time thing from this attacker. Your website is unavailable for a while, you fix it, then forget about it, right? What are the chances this happens again? The problem is that there is a good chance your website will get labeled as an “easy mark” in the hacker community. A week or two later, you get attacked again, then again, then again.
Consider how this potential disruption affects your business. If your site is down, how can potential customers find your business, contact you, or learn about your products and services? Even worse is when you sell from your website. How much in sales do you lose for every hour or day your site is unavailable? This is the simplest case.
There are worse motivations for hackers to target small businesses. Site defacement or alteration can range from someone just trying to be funny, to obscene or agenda-driven modifications. One of the more extreme scenarios I have seen was a small business that continued to be hacked and had its site defaced with potentially terrorist-related rhetoric. What would your customers think if they go to your webpage and are presented with obscene or agenda-driven content? You could offend and even lose current or potential customers.
Another thing hackers can do with small business websites is use them as decoys or hop-off points for other attacks. In this scenario, once an attacker compromises your website, they don’t do anything visible to your website, but instead use it as a jump point to mask their attacks on other targets. Depending on the attack and the damage they do from your site, you could be forced to aid in a criminal investigation or could even be held liable for some or all of the damage. This may seem crazy, but if it can be proven that you blatantly did not put in any effort to prevent the attack from happening, you may be held liable.
These days, many small businesses use their websites to store data like client or leads lists or maybe even personal information about customers, employees, and/or vendors. How big of an impact would it be to your small business if this information was stolen? The answers will vary from business to business, but if your site stores credit card data, you’re in big trouble. Of course, if your site does store credit card data you already know about this and are implementing your legal obligations for protection and assurance (if not, let us know; we can help).
So after talking about what could happen, let’s discuss what you can do to protect your business. First off you should run through the guidance I have provided in the past: Web Security 101: Making Your Website Safe(r) and 4 Ways to Protect Your Customers on Your Ecommerce Site. The first describes general guidance that everyone with a website and/or web presence SHOULD do. Some of these general concepts even apply to social media, which has risk factors, too. The second blog is more targeted to businesses that use their websites for ecommerce and is very closely related to preventing some of the more extreme and hazardous threats I described above.
The FCC also stresses the importance of cybersecurity awareness for small businesses. They provide tips and guidance for small businesses to follow to help protect themselves against ever-growing cybersecurity threats. They even provide the Small Biz Cyber Planner 2.0 tool to help businesses develop their company cyber and information assurance plans and policies. This is a great tool that lets you select individual topics based on your company’s specific internet and security needs. Now, the tool does not fix all your security issues or even tell you exactly how to fix them. What it does do is give you high-level guidance and a plan specific to your company that you can then research yourself, or that security experts (like us) can guide you in implementing.
There is no such thing as perfect security. Given the time, resources and motivation, there is not a tech system in the world that can’t be hacked or exploited in some way. The key to implementing defensive security protection is to reduce your threat risk by minimizing your attack potential. I am not trying to scare anyone. I just want you to be aware of the risks, threats and resources out there to help. It may seem overwhelming at first, but we here at aJuxt can help guide you through the ins and outs of protecting your business in a cost-effective way.
Written by Seth Hellbusch — Site Security Specialist