Small businesses face unprecedented pressures during the COVID-19 pandemic. There’s the need to potentially shift business models, lay off staff and move employees to remote working setups. Besides the health and human safety risks during the pandemic, there’s also an increased risk of cybersecurity issues.
Enterprise firms that experience security breaches from cybersecurity risks can often weather the storm, even if it happens during turbulent times. They have more robust IT departments that can prevent attacks from occurring, although the size of these companies also means more attack entry points. Big firms also have larger capital reserves, so they can withstand the branding hit that might come from an attack or ride out an interruption in business activities.
Smaller companies do not have that luxury. A PR fiasco early in a company’s lifecycle might prove fatal, as would an extended period without revenue. Add such an event to the stressors of the current economic climate, and it’s unlikely a small business would survive. A startup’s vulnerability to security risks means these businesses need to be prepared for the inevitable security breach.
StartupNation exclusive discounts and savings on Dell products and accessories: Learn more here
Here are three of the most persistent and damaging COVID-19 driven security threats for small business, along with some tips for mitigating the risks
As its name implies, hackers try out phishing schemes the same way an angler might throw a hook in a lake. They’re trying to get someone to bite.
In this case, the “bait” is an email from a hacker that’s designed to look like a bank email or one from the Social Security Administration. Lately, we’ve seen phishing attacks purporting to offer health screenings, scams claiming people’s electricity would be shut off during quarantine if they don’t pay, and fake COVID-19 testing kits on sale. Some messages are mimicking CDC communications or other official-looking organizations, and entrepreneurs should understand how to spot these emails.
There are often clues to identify these emails, such as the design will look amateurish, the language may sound unprofessional or the sender’s URL will be off by a letter.
Additionally, recipients should hover over any links in their emails (without clicking them) to see if the URLs or senders email address match the actual company/organization the email is referring to or representing. This is because the links in phishing emails have executable cookies, which will allow the hacker to get into the computer and network, giving them access to data and other valuable information. These groups can then steal personal and/or company information and even take over their websites and hold them for ransom, which will severely disrupt the company’s ability to function.
Employees should broaden their understanding about what types of emails they are likely to receive during and after the pandemic, and how to determine if they are fake or “phishing.”
For example, the CDC won’t contact people directly with a “cure” or other “breakthrough.” Deleting these types of emails as a matter of habit is the best way to reduce phishing.
Related: How Work Will Change Due to COVID-19
Malware attacks come through either email or websites and are designed to infect computers and networks. Sometimes these intrusions are “scareware,” which are designed to trick users into thinking they’re downloading legitimate software.
Caution your employees to never download unapproved software, such as PDF viewers from an unknown source, or other similar programs. The COVID-19 outbreak provides hackers with new entry points, such as hiding malware on live maps of the outbreak.
There are ways to mitigate malware attacks, including the use of firewalls and anti-malware solutions that must be set to automatic updates for maximum protection. Another way to manage malware is for staff to use a secure search engine that limits malware and stops users from reaching inappropriate and dangerous sites that serve as malware entry points.
You and your staff should look at URLs and use sites that have a padlock next to the URL, which shows that the information is encrypted. These URLs will start with “HTTPS” instead of “HTTP.” Employees should be especially careful if they research information about the pandemic and stick to established news and health organization sites.
Lastly, a good practice is to utilize stronger passwords or an encrypted password manager to reduce your risks.
BYOD, or “Bring Your Own Device,” is a workplace trend that does require consistent management. And with social distancing rules in place throughout the country, working from home is now the rule instead of the exception.
When employees use their phones or laptops for both work and business, they’re often engaging in riskier behaviors in terms of accessibility and cybersecurity. Employers should develop strong BYOD plans that determine a range of parameters, such as where BYOD data is stored and how much data access is allowed through personal devices.
Will employees use their personal laptops and save data to onsite servers or the cloud? Are these laptops already infected? Will phones be partitioned so that work-related apps are separated from personal apps?
Companies need to balance employee’s privacy with protecting the company. Make sure every phone and laptop are free from infections. Talk with staff about the need to restrict certain activities. What if the employee leaves the business? Is there a way to then remove his or her access to company data and processes?
An alternative to BYOD is to of course provide company phones and laptops to all staff. This may be difficult due to a limited budget, but it does provide your company with much broader control over content and activities.
A compromise is to allow BYOD but to have IT implement mobile device management software that enables automatic security updates, control over some settings and virus alerts.
As the owner of your startup, you should transparently discuss BYOD and any policies with your staff to be sure everyone’s on the same page regarding control, privacy and security. This openness should extend to all potential security threats, so employees can understand how their actions impact the fortunes of the company and their own jobs.
It can be difficult to avoid a security threat as a small business, especially during times of such economic and health-related turmoil. However, educating yourself and your employees on potential threats and how to avoid them can help to significantly improve your company’s ability to function during and after the health crisis.