According to a recent report, small business victims were involved in 43 percent of data breaches over the course of a year.
Read for 9 min
It was March 2nd, 2016 and Melissa Marchand's day on Cape Cod started like any other. She drove to her job at Hyannis Whale Watcher Cruises in her medium-sized limousine, fetched a 1 percent milk latte at her local cafe, and sat down at her desk to check her email. Then Marchand got the call no website manager ever wanted to get: the website was down and nobody knew how to fix it.
After calling the web hosting provider, the news got worse: Whales.net had been hacked and, to their horror, all visitors were being redirected to porn sites. Google even tagged the company's search results and warned potential customers that the site may be hacked.
"It was a total nightmare – I had no idea that something like this could happen," Marchand said in an interview with entrepreneur, "I would say 75 to 80 percent of our bookings are made online. If our website is not available, we are simply dead in the water."
At the provider's suggestion, Marchand called SiteLock, a website security company, and gave its agents access to the website. SiteLock discovered that the hackers exploited a vulnerability in a WordPress plugin that gave them access to redirect visitors to racy websites.
At the end of the day, Marchand was sitting in her car in the parking lot of her gym, talking on the phone to a SiteLock representative to review the action plan. Finally she had the feeling that everything would be fine.
Whales.net was operational again within three days. However, it took another three weeks for Google to remove the blacklist warning from the company's search results.
The hack hit about a month before the whale watching season began in mid-April, and although it wasn't a high season, the company still missed pre-ordering tour groups from schools and camps. Marchand estimated that the attack had lost the company by 10 percent in March and April business.
A risk for small businesses everywhere
Small business owners were victims of 43 percent of data breaches between November 1, 2017, and October 31, 2018, according to a Verizon 2019 report. The report tracked security incidents across all industries, but the most vulnerable sectors this year were retail, lodging, and healthcare.
What is the problem at national level? When we take the sample of infected sites, SiteLock said they found it in 2018 – roughly 47,244 out of 6,056,969 checked – and applies that percentage to the country's estimated 30.2 million small business websites, minus the estimated 36 percent First, we can easily estimate the number of infected small business sites at around 150,757.
As a small business owner, you may not believe that someone is targeting your website, but that is exactly what it is – bad actors are unlikely to target your website, said Mark Risher, head of account security at Google.
"Sometimes we talk about the distinction between goals of choice and goals of chance," said Risher. "Random targets are when the attacker just tries something – he walks across the parking lot and sees if one of the car doors is unlocked. The goal of the choice is when they have tuned into the shiny, eye-catching car and they are breaking into want – and they will try the windows, the doors … the moon roof. I think there is a temptation for small businesses to assume: "Nobody would ever choose me. Therefore I will only skate anonymously. "The problem, however, is that they don't take into account the level of automation that attackers use."
Even the least-visited websites continue to experience an average of 62 attacks per day, according to the SiteLock study. "These cybercriminals are really doing business now," said Neill Feather, president of the company. "With the increasing ease of automating attacks, compromising 1,000 small websites is as lucrative as investing your time and trying to compromise a large one."
John Loveland, head of cyber security at Verizon and one of the authors of the data breach report, said he has seen a significant increase in attacks on small and medium businesses since the report was released 12 years ago. When malware, phishing, and other attacks were "more widespread and more accessible to less-skilled hackers," he said, "They see the opening open … to types of targets that could be valuable."
What do the hackers get from the deal? It's not just about potentially lucrative customer information and transaction histories. There is also the possibility to improve the reputation of your website. By hosting malware on a formerly trusted website, a hacker can increase the spread of an attack – and increase the consequences – by enhancing the search engine optimization (SEO) of the malware. You can infect site visitors who search the site organically or access it through links from newsletters, articles, or other companies, according to Risher.
Even if you outsource aspects of your business – such as time and cost reports, human resources, storing customer data or financial transactions – there is no guarantee that this information will be safe if your own website is compromised. According to an annual survey by the software company, Loveland has seen an increase in email phishing, designed specifically for collecting user credentials for web-based email accounts, online CRM tools and other platforms.
How to protect yourself and your customers
How can small business owners protect themselves and their customers? Because many cyber attacks can be attributed to automation, basic safeguards against phishing, malware, and more can help ensure that your website is not exposed to the slightest resistance.
Here are five ways to improve your small business's cyber security.
1. Use a password manager.
There is an exhaustive amount of password advice, but the most important thing is that Risher said: Don't use the same password on multiple websites. It's a difficult rule to stick to for convenience, especially since 86 percent of Internet users say they keep their passwords by storing them, but cyber security experts recommend password managers as an efficient and secure workaround. Free password manager options include LastPass, Myki, and LogMeOnce.
2. Set up email account recovery methods to protect yourself from phishing attacks.
Phishing attacks are a continuing cyber security problem for large and small businesses: 83 percent of those surveyed in Proofpoint's annual phishing survey said they had phishing attacks in 2018, up 76 percent from a year earlier. The key to email security is maintaining a culture that is more cyber-secure, including vigilant searches for potential phishing attacks, suspicious links, and fake senders.
If you're a Gmail user, recent business studies suggest that adding a recovery phone number to your account blocks up to 100 percent of cyberattacks by automated bots, 99 percent of the mass phishing attacks, and 66 percent of the targeted attacks can. This is helpful since your phone will either receive an SMS code or a confirmation message on the device in the event of an unknown or suspicious registration. Without a recovery phone number, Google will be facing weaker challenges like getting the location of the last login – and while this still prevents most automated attacks, phishing effectiveness drops to 10 percent.
3. Back up your data to protect it from ransomware.
Ransomware – a cyberattack in which a hacker keeps your computer access and / or ransom information – has triggered a "flood of cybercrime-related activities that target small and medium-sized businesses," Loveland said. In fact, according to the Verizon report, it is the second most common malware campaign in 2019, accounting for 24 percent of the security incidents. Hackers generally see this as a potentially low risk, high reward option. It is therefore important to take protective measures against such an attack – namely that your data is completely secured so that you are not exposed to the hacker. Tools like Google Drive and Dropbox as well as automatic security programs like Code42 (all cost a monthly fee) help here. You can also buy an external hard drive with plenty of storage space to back up everything yourself.
4. Use a dedicated DNS security tool to block suspicious websites.
Since computers can only communicate via numbers, the Domain Name System (DNS) is part of the Internet in that it acts as a "translator" between a domain name you have entered and a resulting IP address. DNS was not originally developed with the highest level of security in mind. Therefore, using a DNSSEC (DNS security extension) can help protect against suspicious websites and redirects caused by malware, phishing attacks, and more. The tools check the validity of a site several times during the domain search. Although ISPs generally offer some level of DNS security, experts believe that using a dedicated DNSSEC tool is more effective. Free options include OpenDNS and Quad9 DNS. "[It’s] An inexpensive, easy step that can prevent people from getting wrong IP addresses, ”said Loveland.
5. Consider signing up with a website security company.
Paying a monthly subscription to a website security company may not be ideal, but it could end up paying off due to a site hack in the form of a lost business. If you reduce your vulnerability to attack, you'll need to install security patches and updates for all of your online tools as soon as possible, which can be difficult for a small business owner's schedule.
"It's tempting for a small business owner to say," I'm pretty practical – I can do it myself, "Risher said." But the reality is that even if you're very technical, you may not be working around the clock and … take care of maintenance and monitoring around the clock. It is certainly a good investment if a large organization does it for you. "