As economies and supply chains become ever more connected, businesses of all sizes are becoming even more vulnerable to cyber-attacks. It’s tempting to think only large businesses and governmental organisations attract hackers. Cyber security is just as big an issue for small businesses, however, especially since, unlike large companies that often employ full-time cyber defence teams, they struggle to give security the right time and resource.
So if you are a small business owner, what should you look out for? Here’s some guidance on cyber security for small businesses…
Fake emails, known as phishing
Hackers will send you an email that looks like it’s from a legitimate organisation. It will direct you to a professional-looking (but fake) website. Log in, and hackers will grab your credentials and use them to access your bank account, cloud store, or other sensitive information. With these details they can exploit your information to commit fraud and other crimes. If the email is unexpected, looks too good to be true, or just doesn’t look right, call the organisation in question to verify it. Don’t use any of the contact details on the suspicious email and only talk to sources you know and trust.
Once the hackers have your credentials, there’s no stopping them. Passwords and logins stolen from one website will be repeatedly applied by hackers to other websites until they get in, and soon your online security will resemble a chocolate tea-pot. That is why it’s so important to use different passwords for your different sites and portals.
Watch out for workplace hacking
Fake work emails are dangerous because they are difficult to identify. Hackers compromise an email account and intercept a legitimate email from a legitimate business requesting payment for legitimate goods or services. The hackers then alter the bank account number, redirecting the funds into their own pockets. According to the Small Business Cyber Risk Report conducted by insurance firm Hiscox, 47 per cent of small businesses in the US, UK and Europe had suffered at least one cyber attack in the last 12 months.
A similar scam is ‘spear phishing/whaling’. The hacker impersonates an executive’s email account and sends an email with payment instructions to anyone who looks after your company’s finances. The business then pays into a fraudulent bank account. If you’re ever in doubt about an email from the boss, pick up the phone and ask or, even better, talk to him or her face to face.
So, how can you thwart the cyber-crook?
Always use strong passwords
Your passwords should be a mixture of upper and lower-case letters, special characters and symbols, and should be at least 10 characters long. Avoid using personal information such as your name, date of birth, family names and even pet names, as these can be found out via social media. Remember to use a different password for each site you register with. Password manager software such as LastPass can help you manage your multiple logins and make it easy to maintain good password practices.
Deploy two-factor or multi-factor authentication
Two-factor or multi-factor authentication adds an extra layer of security to your accounts. The factors could include a password and a unique code generated by an app on your device or sent to you by text message. By using multi-factor authentication you’re making it harder for a hacker to break in, in just the same way you may have two locks on your front door.
If an email or other electronic communication looks even slightly suspicious, don’t open it. Don’t open any attachments, and don’t click on any links or buttons. Get in touch with the sender to clarify its legitimacy, but even then, remain suspicious. Criminals will be expecting your call and can be extremely skillful at persuading you that you’re talking to a genuine organisation. Only talk to trusted, official sources that you’ve independently dealt with. Remember, banks and other reputable websites will never, ever, ask you for your login credentials. At Xero, we regularly update our security noticeboard and/or communications channels to warn of phishing and scams that could be exploiting the brand.
It’s easy to ignore software and app updates, but you shouldn’t. These updates aren’t just about adding new features, they’re also about fixing vulnerabilities that hackers can exploit to access your information. Up-to-date operating systems and apps ward off many viruses. Make sure that when an update for an app or your OS pops up on any of your devices, you install it immediately. You can also set your system preferences to install updates automatically. Check the permissions and settings on your apps too, to ensure they don’t have access to other features you’re not comfortable with, such as location sharing.
Think before you click
It’s easy to whip out your phone and share what you’re doing and thinking with the world on social media. But beware -- social media could be the hacker’s window into your life. Guard the information you share about yourself, your company and clients, and think carefully about the information online portals ask you for too, including password recovery questions. And make sure you’ve got privacy settings on your social media account so personal information about yourself can’t get out.
Sensitive information deduced from social media can be aggregated to create a picture of you which criminals will use to steal your identity. Keep your privacy settings high on social media, but keep in mind that high settings by themselves are not a defence. Social media is, by design, a viral platform and information you share with a trusted friend can be easily or unwittingly shared with an ever-increasing audience. Needless to say, if you don’t know someone, don’t add them as a friend, even if they know several of your friends.
With good practices such as these, you can help keep the hackers at bay.