Cybercriminals consider small businesses a "target of choice," and a vast number of owners may be leaving their websites and companies unnecessarily vulnerable to attack, a new report suggests. Training employees on sound cybersecurity practices is an integral part of protecting a business, experts note.
In a recent survey of 250 website owners, cloud-based security firm SiteLock found that 59 percent are responsible for their own website upkeep but only 41 percent update website applications at least once a month. Experts consider software updates vital to protecting computer systems.
Among other survey findings: Of owners who had experienced a security incident, 24 percent reported that it damaged their business reputation while more than 35 percent reported that it endangered their bottom line.
"This may leave businesses with websites vulnerable to a variety of cyberattacks. It also begs the question, what other cybersecurity vulnerabilities are being left exposed? All too often, one of the weak links in the cybersecurity chain for corporations is employee awareness," said SiteLock product marketing specialist Jessica Ortega.
Even though Millennials represent one-third of small-business owners, that generation's digital nimbleness doesn't make their websites more secure, according to SiteLock.
Ortega and other experts offered suggestions for making employees more aware and companies more cybersecure:
- Make sure remote workers use a virtual private network, or VPN, rather than public Wi-Fi. "Many employees and contractors work from coffee shops and libraries as needed, to make use of their public Wi-Fi. However, public Wi-Fi can put internal company data at higher risk," Ortega said. A VPN connection ensures that communications are encrypted, preventing cybercriminals from intercepting them.
- Require strong passwords and good password habits. "A strong password is your first line of defense against attackers attempting to gain unauthorized access to your data," Ortega said. Passwords should be at least eight to 12 characters long, include letters and numbers, and should not contain commonly used words such as "admin" or your username, she said. She also recommended using a password manager to store randomly generated passwords, never reusing a password and choosing a unique password for each account to prevent hackers from using one password to breach more than one account.
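The password rules above (minimum length, letters and digits, no common words or the username, no reuse, and randomly generated passwords) can be enforced at account creation rather than left to memory. The following is an added illustration written for this article, not code from SiteLock or any product mentioned here; the list of common words and the sample passwords are constructed, and the reuse check uses a plain SHA-256 fingerprint of past passwords as a simplification of what a real system would store.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed list of words a password must not contain (the article names "admin").
COMMON_WORDS = ("admin", "password", "welcome", "letmein", "qwerty")

MIN_LENGTH = 8  # the lower bound given in the article ("at least eight to 12 characters")


def password_fingerprint(password):
    """Fingerprint used to remember past passwords without storing them in clear.

    Simplification for the example: a real deployment would use a salted, slow
    password hash (for instance PBKDF2 or scrypt) for this history.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password, username, previous_fingerprints=()):
    """Return a list of rule violations; an empty list means the password passes.

    previous_fingerprints: fingerprints of passwords this user has already used,
    so the "never reuse a password" rule can be enforced.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    fingerprint = password_fingerprint(password)
    # compare_digest avoids leaking timing information about the stored values
    if any(hmac.compare_digest(fingerprint, old) for old in previous_fingerprints):
        problems.append("reuses a previous password")
    return problems


def generate_password(length=16):
    """Produce a random password (as a password manager would) that satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, username=""):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs for a user named "alice".
    history = [password_fingerprint("Zq7!mX9pL2w")]
    for candidate in ("Admin1234", "alice2024x", "ab1", "Zq7!mX9pL2w"):
        print(candidate, "->", password_problems(candidate, "alice", history) or "ok")
    print("generated:", generate_password())
```

Running the block prints why each constructed sample is refused (common word, username, length, reuse) and then a freshly generated password that passes every rule; the same function can sit behind a signup or password-change form.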
- Urge caution before clicking. Most data breaches arise from social engineering and phishing malware attacks, Ortega noted. Phishing files disguised as shopping or banking apps, deployed to steal login or credit card credentials, represented 11 percent of malicious files cleaned from infected sites in the first quarter of 2018, according to SiteLock, which studied more than 10 million websites. "When entering your password for an account, always verify in your browser that the website you're visiting is indeed the site you intended to enter this information on," Ortega said, noting that experts also warn against clicking links in e-mails to authenticate any account. Instead, enter the URL for the company that holds your account directly into your browser, she advised. National Cyber Security Alliance Executive Director Russ Schrader similarly said workers should be trained to recognize spam and taught that opening links from unsafe sites can expose the whole company to a virus. Make sure e-mails can't be used for sending spam and consider blacklisting and whitelisting websites, Schrader said. "There are third-party providers who can help companies implement these security measures."
- Warn employees about the dangers of oversharing. SiteLock cautions against sharing too much information through social media, steering clear of surveys that ask for "seemingly innocuous" information, like a pet's name or a first concert, that cybercriminals can use to access accounts.
- Limit employee access to company data. "It starts with access—knowing who can have access to which of the company's data, e-mail, websites, et cetera," Schrader said. "When onboarding, HR should collect the profile of an employee, including what that person's job description is and what they will have access to. You need to ensure that your systems are safe and secure and that an employee who is not authorized to access the company's financial data can't take that data and send it elsewhere."
- Track all devices. HR needs to log each device that every employee has and be able to map each one to a person, Schrader said. "It should also be clear who in management can log in remotely to turn off any device they think is being misused."
- Limit personal use of work devices. Workers must know that a work device is meant for work and that they shouldn't store personal passwords or photos on the devices, as that information can be viewed by an employer or lost if the device goes missing, Schrader said.
- Encourage employees to quickly report their cybermistakes. "Thank an employee who admits she clicked a bad link or opened an attachment she shouldn't have. IT needs to know about these things as soon as possible," said employment attorney and HR consultant Kate Bischoff, SHRM-SCP, of tHRive Law & Consulting LLC. "If you punish her, no employee is going to come forward when they do the same thing. This allows the issue to grow and possibly affect the whole organization."
- Require two-factor authentication to log in to company systems.
- Train employees regularly. Training should be part of onboarding and should take place annually or semiannually, Schrader said. Guidelines should be readily accessible on the company's internal website, he said.
- Make cybersecurity part of offboarding. "If you're going to do a layoff or a planned termination, have the tech people lined up and ready to go immediately after termination should a disgruntled employee try to retaliate through a cyberbreach," Schrader advised.
- Use artificial intelligence-based security monitoring to find irregularities. "These systems can identify weaknesses, even down to unusual activity of a single employee," Bischoff said.
- Consider cyberinsurance. Small businesses should have it, but even if they don't, many policy applications have a checklist of what you need to do to secure data, Schrader said.
The National Cyber Security Alliance's CyberSecure My Business program includes resources to help small businesses better protect data.
Dinah Wisenberg Brin is a freelance writer in Philadelphia, covering workplace issues, entrepreneurship and small business, health care, logistics, and personal finance.