You secure your house when you leave home, your car when you go shopping and if you have a bricks and mortar shop you do the same, setting the alarm and locking up behind you when you leave. The steps you can take to secure a physical item are reasonably obvious, but what about the security of the digital side of your business?
Since 2015, cyber crime has cost UK businesses around £87 billion*, with up to 25% of UK companies falling victim to some form of cyber crime in 2019. It's not just big business that is being targeted either, with the number of SMEs being targeted almost doubling in the last year.
Setting up as an online business is seen by many as an easy way of expanding an existing business or getting a new business venture off the ground at pace without needing the capital to invest in a physical store. While the advantages are obvious, the risks may not jump to mind so easily as many seek to capitalise quickly.
But what are the risks of failing to secure your business's digital footprint properly, and how can you mitigate them? We've taken a look at the common areas to help you stay safe.
Risks of ignoring your digital security
Possibly the biggest reason why small business owners fail to secure their digital business properly is that they simply don't understand the risks of failing to do so. What may be a hidden risk to some can have catastrophic impacts and this doesn't just apply to the company either, but also the employees and customers.
There are countless examples in news reports about business owners who have fallen foul of hackers in various different ways, including having ad accounts compromised, with criminals spending tens of thousands of pounds of victims' cash on fake and scam adverts.
Over and above the real-world impact on individuals, there are also the financial risks associated with a digital break-in. These include not only payment being demanded by attackers but also the potential for fines to be handed out by the Information Commissioner's Office (ICO). While each case is judged on its individual circumstances, it's worth bearing in mind that the ICO has the authority to hand out fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Of course beyond fines from the ICO, there's also the risk that those affected could also bring legal action.
So what digital security do you need to consider?
From databases to websites and everything in between, if it's online then you need to think about how to prevent unauthorised people gaining access. Here's a quick list of some things you may, or may not, have considered:
- Social media platforms
- Business emails
- Website content management system (CMS)
- Website databases
- POS systems
- Wi-Fi network
- IT equipment
- Third party services such as Google Ads, Analytics
Of course there are any number of online services, portals, apps and systems which businesses can use and we can't list them all here (well we could but the list would be really long), so it's simpler just to remember that if a system is accessible online then you need to consider how to protect it.
Start with the security basics
Large digital platforms (like Facebook and Google) have become a target for cyber crime over the years, and these companies know they need to protect their audiences to stay in business. As a result, they have developed a range of ways to help individuals secure accounts on their platforms by providing built-in security measures which are simple to activate. We've included a list of the common ones below:
- Two-step login (password and SMS)
- Authenticator app (confirm logins via phone app)
- Physical security key
- Code generator built in to the app
- Backup codes
As a starting point it's worth checking with all your service providers what built-in security features they offer and enabling them if you haven't already. Yes, it might be a hassle, but it's better than your social media and other platforms being hacked and customers receiving a load of spam content, or worse, having their data stolen.
Update and secure login details
Another basic element which will improve security across the whole of your business's digital footprint is your login details: make sure your usernames and passwords aren't obvious or easy to guess, and don't share them with anyone. There are loads of great articles about how to create strong passwords, but some general rules are:
- make it longer than 14 characters
- use a mix of upper and lower case letters, numbers and symbols
- avoid obvious substitutions like "T" and "7"
- avoid using personal details
- avoid chains of numbers like "123" or "qwerty"
Using a series of unexpected words works well, as they can be easy to remember and form long passwords; for example, you could choose four things that remind you of your birth town or favourite place. Don't use the same password for every different service.
You should also check if any of your accounts have had their details leaked in a previous data breach, as these are more common than you might think. Security firm Avast has a "hack checker" which can tell you if your details have been leaked: just pop your email address in and they'll tell you for free whether your details have been compromised and for which platform, so you can secure those accounts.
Separate user accounts
Your business may use third-party services, and many of these platforms will require you, or your staff, to log in to use the service. Make sure you create separate user accounts for each staff member: not only does it make your account more secure, but it also makes any errors identifiable, as you'll be able to see which user has been using a system. Some service providers may charge for additional user accounts, and of course there's the admin side, but you need to weigh this against the security of that platform.
Don't forget to remove or update any default user accounts too. This doesn't just apply to digital platforms either, but to physical devices such as Wi-Fi routers, printers, or any other tech that you use.
There are loads of different business services that use software, from the CMS that powers your website to the various third-party apps which help make different functions work, such as payments. All of this software will, over time, become outdated as newer versions or updates are made available.
Newer versions of software bring a number of benefits such as new features and functionality, but more importantly they will also contain security updates, helping to prevent cyber criminals from taking advantage of known loopholes.
It's a good idea to review your software every quarter to ensure it's all updated to the latest version. Some platforms make it easier than others, and the best way to update software will depend on the platform you're using; if in doubt, ask the people who made it and your website developer.
Make a copy
No matter how often this is said people still fail to back up their content regularly. From files to phones, making a backup of your data will save you a huge headache should you be the victim of a hack, website failure or other scenario which leaves you with missing data.
There are loads of ways to take copies too, some of which can even be automated so it happens without you thinking about it. Online content is a great example of this: hosting providers such as DigitalOcean allow you to schedule the backup of your complete website so that you can re-create everything in just a few moments should something break.
Frequency is important here too. If you run a small-scale blog you may not need to back everything up so often, as you may have copies of your content offline; if you run a business taking online orders, on the other hand, you may want to set up daily backups so that you retain order details and other information which is shared with you frequently.
Consider using a password manager
Password management software can take the headache out of remembering strong passwords. It works by storing your login details for all your accounts in an encrypted format and is itself secured by a single username and password, so you only have to remember one set of details. There are loads of different options on the market, including some which integrate with your web browser and input account details for you as you reach a login page.
This solution is great if you're a sole trader, but may be less ideal if you're running a small team.
Getting the simple things done quickly is a brilliant starting point, however there are some more advanced considerations which you should also look to address. Some of these may need the support of a developer to resolve, but that doesn't make them any less important than the things you can do yourself.
Website admin area
You should have already made sure that your website content management system (CMS) has strong passwords, but there's more than strong passwords to keeping your website safe.
Many websites are built on a content management system, WordPress being a common example. However, because so many websites are built on these platforms, it can be easy to locate the login screen for the admin area. For an attacker this can mean getting straight down to trying to break into your website.
Many CMSs allow you to change the location of login pages from the default, meaning another hurdle for attackers in that they have to find your login screen first.
If your website uses forms, they can present an opportunity for hackers to gain access to your data without you knowing, using a technique called "injection attacks". This is where an attacker "injects" malicious code into a website through unsecured website forms. While there are steps you can take to see if this is an issue for your website, chances are you'll need a developer to help you resolve it.
As a starting point you can run a basic test for this kind of attack yourself by entering "' or 1=1;--" in a website form. If the form passes the value straight into a database query, this input closes the quoted value and adds a condition that is always true, so the query always returns a positive result; if your website is not safe, you will see unexpected results when submitting the form you test. It's worth checking that the form works normally before you do this test too, so you know what a "normal" result should look like.
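To show what that probe actually does to a form handler, here is an added example (not code from the original article) that builds a small lookup in SQLite two ways: the unsafe one pastes the form value into the SQL text, the fixed one passes it as a bound parameter. The table, sample rows and function names are constructed for the demonstration.

```python
"""Added example: the ' or 1=1;-- probe against a vulnerable and a fixed lookup.
Uses an in-memory SQLite table with constructed sample rows."""
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
    (3, "carol@example.com"),
]

# The probe string quoted in the article.
PROBE = "' or 1=1;--"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return con


def lookup_vulnerable(con, email):
    """Unsafe: the form value is spliced straight into the SQL text, so the
    probe closes the quote, appends 'or 1=1' and comments out the rest,
    matching every row in the table."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, email):
    """Fixed: the form value is passed as a bound parameter, so the database
    compares it as data and the probe matches nothing."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup  :", lookup_safe(db, "alice@example.com"))
    print("vulnerable form:", lookup_vulnerable(db, PROBE))  # every row leaks
    print("fixed form     :", lookup_safe(db, PROBE))        # no rows
```

The same fix applies to any database-backed form: a developer should replace string-built queries with parameterised ones rather than trying to filter out quote characters.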
Use an SSL certificate
SSL (Secure Sockets Layer) certificates are used to encrypt the information sent between your website's visitors and the computer (server) that it runs on. Using an SSL certificate can help to reduce the risk of third parties snooping on your website traffic to try and steal private information such as credit card details.
There are loads of SSL providers out there, however I'd recommend Cloudflare. Not only do they provide FREE SSL, but their platform also offers protection against a number of other threats and will even keep a copy of your website online should your actual website fail.
Digital security training is vital
Having the best tech to secure your digital presence is useless if your staff don't know how to use it; equally, tech can't stop every risk. Phishing remains one of the most common threats to businesses large and small, and educating your staff on how to spot the signs of a phishing email could be the difference between your business falling victim or staying safe.
Of course training is another cost, but you should see this as an investment in your business; after all, the right training could save you thousands in lost time, revenue and fines by preventing you falling victim in the first place.
Whatever you do though, make it engaging. Your team are far more likely to listen and learn if the content they are given catches their interest.