5 Common Cybersecurity Mistakes Startups Make
By William Chalk, February 23, 2019
For an entrepreneur, the topic of cybersecurity can seem overwhelmingly complex. When tied up with sales, day-to-day operations and countless priorities, some even consider it irrelevant. The truth is, a basic understanding of information security is vital for anyone starting a business in 2019, especially for those looking to build an online presence.
Most prospective entrepreneurs will have seen the figures by now: Nearly half of small businesses in the U.S. suffered a cyberattack in the past year. Of these, 44 percent experienced two, three or four attacks consecutively. Hackers are becoming bolder and threats are getting bigger – and new companies are the most vulnerable.
Without advanced systems and solid policies to rely on, startups are less likely to have the strategies in place to detect attacks early, ward them off and reduce the damage if the worst should happen. What’s more, they’re less likely to be capable of withstanding the financial and reputational impact of a breach.
Client trust, financial integrity, employee integrity, even the longevity of your business – all of these things hinge on the security decisions you make and the strategies you choose to implement early on. Small organizations must make digital security a leading priority and invest in the resources, technology and education necessary to ensure their protection.
Any new, prospective or growing business can take steps to counter the most pressing threats. These steps are not overly complex or costly and will save you significantly in the long-run. Here, we’ll cover various tactics hackers use when going after unsuspecting businesses, and the most common mistakes new business owners make in countering them.
How are startups and small businesses targeted?
The majority of incidents targeting startups aim to steal, destroy or ransom sensitive data. Phishing is the most common entry point, and it typically arrives through email, SMS or phone calls. These messages exist for one purpose: to harvest credentials and other information, or to get malware onto a machine.
Reputational attacks are also common; these seek to harm your brand value through the spread of misinformation on social media, websites and blog posts. Often, attackers will employ fake customers, vendors and comments to legitimize their false complaints.
Certain attack vectors are easier to neutralize than others. Social engineering, for example, is reported to account for over half of all intrusions, and because it relies on human error rather than a technical flaw, it is much harder to combat. As a general rule, this includes any attack on a business orchestrated through social media, search engine results, email, voice and SMS phishing, or “link-bait.”
This tactic comes in many guises, and attackers usually begin with reconnaissance, mining details about the company and its employees, often from publicly available sources. That context helps them craft convincing phishing attempts, or gives them just enough to persuade a representative to reveal passwords, account details and more.
What common mistakes do entrepreneurs make?
When a business is in its infancy, owners often underestimate the value of their information. Small organizations tend not to consider themselves as viable targets for hackers and other malicious actors. This couldn’t be further from the truth – if you’re trading at all, you’re a target. Cybercriminals want your personal data, your financial accounts and access to your network of contacts.
If you intend for your business to have any digital presence whatsoever (whether it’s a website, email address or cloud account) you’re at risk. Most attacks are now executed by automated malicious software and scripts, which seek out vulnerable machines and networks regardless of the size and nature of the organization they belong to. With limited cybersecurity experience and a lack of dedicated IT staff, smaller networks are inevitably at higher risk. Ultimately, the smaller you perceive the threat to be, the easier the target you are.
- Relying solely on endpoint security
You may have heard the term “layered security.” This is the recommended approach to building out your defense strategy. Unfortunately, many organizations don’t take this approach seriously, and choose instead to focus on protecting their devices with endpoint security only.
As the name suggests, layered security creates multiple levels of protection against attackers, so that no single control has to be perfect. Your organization’s machines and networks are secured, and the other paths an attacker could use to deliver a payload (email, web, removable media, stolen credentials) each have their own control in front of them. If one layer fails, the next still stands between the attacker and your data.
Effective endpoint security will stop malware in the majority of automated cases, but attackers can still exploit human error to get their payloads delivered. Implementing a layered strategy to combat this could be as simple as introducing an email security product to work alongside your endpoint solution. It filters most malicious emails before they reach their intended recipient, so fewer decisions are left to the person reading the inbox.
- Ignoring the people problem
The security of a new business is only as strong as the people working for it, even if there’s only one of you. We’ve covered social engineering, but there are a number of other ways human error can let you down, as well.
Access control is an important issue here. As a startup, you might be unnecessarily handing out critical infrastructure access – to the freelancer you hired to build your website, the writer you paid to produce promotional content, or even your clients.
Most modern administration tools allow you to set user roles with differing levels of access, allowing you to control who has permissions for what on your system. Grant each person the lowest role that lets them do their job, and no more. If you’re planning to work with others, ensure they use strong passwords and that you revoke the access of third parties as soon as your working relationship has ended.
Similarly, if you plan to hire a team on a permanent or contractual basis, it’s typical to utilize shared networks and data suites that pool users and their data in one place. This ensures everyone (including those working remotely) can collaborate, communicate and share information. Whether you’re sharing data with employees or clients, these collective permissions increase the chances of sensitive data falling into the wrong hands. It’s sensible to routinely review these permissions that determine who has access to what.
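The periodic permission review the paragraph recommends can be reduced to a few mechanical checks: does every account belong to someone still on the roster, has that person’s engagement ended, does the granted privilege exceed what their role calls for, and has the account been used recently? The following is an added example written for this article, not a tool the article names; the roster, the grants, the role names and the 90-day inactivity threshold are all constructed assumptions.

```python
"""Added example: a minimal access review over a constructed roster and grant list.

Illustrative code written for this article, not a tool the article describes.
The people, grants, role names and 90-day threshold below are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed privilege ordering; a person's role caps the privilege they may hold.
LEVEL = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}


@dataclass
class Person:
    user: str
    role: str                        # what the person was hired as
    is_third_party: bool
    engagement_end: Optional[date]   # None for permanent staff


@dataclass
class Grant:
    user: str
    system: str
    privilege: str                   # viewer / editor / admin / owner
    last_login: Optional[date]       # None if the account has never been used


def review_access(people: List[Person], grants: List[Grant], today: date,
                  inactive_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, system, reason) findings that warrant revocation or review."""
    roster = {p.user: p for p in people}
    findings = []
    for g in grants:
        person = roster.get(g.user)
        if person is None:
            # An account nobody on the roster owns is the classic leftover grant.
            findings.append((g.user, g.system, "no matching person on roster"))
            continue
        if person.engagement_end is not None and person.engagement_end < today:
            findings.append((g.user, g.system,
                             "engagement ended %s" % person.engagement_end.isoformat()))
            continue
        if LEVEL[g.privilege] > LEVEL[person.role]:
            findings.append((g.user, g.system,
                             "privilege %s exceeds role %s" % (g.privilege, person.role)))
        if g.last_login is None or (today - g.last_login).days > inactive_days:
            findings.append((g.user, g.system,
                             "unused for more than %d days" % inactive_days))
    return findings


# Constructed sample data (not real people or systems).
TODAY = date(2019, 2, 23)
PEOPLE = [
    Person("alice", "owner", False, None),
    Person("dave", "editor", True, date(2018, 12, 31)),   # contract already over
    Person("erin", "viewer", True, date(2019, 6, 30)),    # current contractor
]
GRANTS = [
    Grant("alice", "cms", "admin", date(2019, 2, 20)),     # fine: owner may be admin
    Grant("dave", "cms", "editor", date(2019, 1, 5)),      # should have been revoked
    Grant("erin", "cms", "admin", date(2019, 2, 1)),       # more than the role needs
    Grant("bob", "billing", "admin", date(2019, 2, 22)),   # nobody on the roster
    Grant("alice", "billing", "viewer", date(2018, 10, 1)),  # not used in 145 days
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the review over the constructed data; returns four findings."""
    return review_access(PEOPLE, GRANTS, TODAY)


if __name__ == "__main__":
    for user, system, reason in run_sample():
        print("%-6s %-8s %s" % (user, system, reason))
```

Run monthly against an export from whatever administration tool you use, and treat every finding as something to revoke or justify in writing. Feeding the script real data means writing the export step for your own tool; the review logic itself does not change.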
As cybercrime becomes more rampant and attackers grow more sophisticated in their attempts to compromise information, education becomes key. Whoever manages your systems, whether that is you or a network admin, must train end users and stay current on proper procedures and on the vulnerabilities attackers are exploiting. While this does require additional time and potentially a financial commitment, it’s a worthwhile investment.
Consider implementing written policies that govern how you and any future employees can use your IT resources. For those looking to bolster their awareness, there are plenty of resources available offering guidance for startup companies. The SBA’s Office of Entrepreneurship Education has a free course on cybersecurity, and there are plenty of private companies offering training.
- Failing to fully invest in security
Most new businesses will be understandably averse to added expenses. Many are reluctant to face the prospect of investment in cybersecurity and regret this choice further down the line. Security doesn’t have to be expensive – there is a range of cost-effective anti-malware and security software that will offer protection for a reasonable price.
Consider implementing a Security-as-a-Service (SECaaS) solution. Rather than making heavy upfront investments on software, this will integrate a service provider’s security offering into your infrastructure on a subscription basis, providing a much more cost-effective solution than startups can typically provide themselves. The earlier you invest, the safer you’ll be. Remember: prevention is much cheaper than damage control.
- Device management
As a new business without a lot of equipment to secure, most organizations start by installing their protective software individually on each device. While this may work in the beginning, it becomes a problem as you add more equipment and continue to protect it on a case-by-case basis. Attackers now have access to a wide range of tools, some of which can evade the protective software on a particular operating system or machine. If they compromise just one device and nothing separates it from the rest, the whole network is theirs to exploit.
To combat this, your approach must be integrated from the very beginning, protecting the whole network rather than specific devices. To achieve this, it’s worth considering investment in a “unified threat-management platform,” otherwise known as a UTM. This replaces the standard router that most consumers use to manage their networks. The UTM combines a firewall, content filtering and antivirus protection into one piece of equipment with one set of controls. Compared to many alternatives, it is simple to sustain, quick to set up and cost-effective. Bear in mind that a UTM protects traffic passing through your office network; laptops on home Wi-Fi and the cloud services your team logs into from anywhere still need their own controls.
It’s equally important to be careful if you use your personal devices for business purposes. This means any sensitive data can walk out of the door with you or your business partners and will more than likely be stored in third-party applications. Depending on the volume and sensitivity of the data in question, this can raise issues in terms of accountability and data ownership.
It’s vital to create and implement a clear policy that lays out which devices (personal or otherwise) are permitted onto your network. It’s also sensible to use some simple security measures like two-factor authentication and virtual private network (VPN) software. Two-factor authentication means a stolen or guessed password is not enough on its own to get into an account, and a VPN encrypts your traffic between the device and your network regardless of how trustworthy the coffee-shop or home connection you’re using happens to be.
Regular backups are another easy way to prepare for certain forms of malware. Modern ransomware can permanently lock the files on shared networks and on any backup drive that is left connected, so make sure to store your copies offline and in a secure location, and test every so often that you can actually restore from them. A backup you have never restored is a hope, not a plan.
We never know what new cybersecurity challenges await us each year. The kinds of threats facing each industry are diverse and constantly evolving, as is the technology that must be secured.
It should not take a horror story to inspire you to invest the time, money and training to protect your new business. Strong cybersecurity is not only beneficial for you, but attractive in the eyes of investors, prospective partners and clients.
Use common sense and implement the basics: a unique password for every account, firewalls, two-factor authentication and encryption for both data storage and transmission. Learn what kind of cybersecurity you’ll need and how it should be implemented across your business. From here, form an action plan. Remember: small, early investments will go a long way in safeguarding the longevity of your venture.