Over the past decade, the internet has become a scarier place to do business.
Cyberattacks continue to increase year-upon-year, putting small businesses at an elevated risk as cybercrimes evolve in complexity and breadth. This includes ransomware, the latest and possibly the most frightening cybercrime to come along in some time.
Colonial Pipeline and Fujifilm were just two of the recent companies targeted in ransomware attacks, which have grown more frequent and high-profile in the past year. The intelligence firm Group-IB estimates that ransomware attacks increased by over 150% in 2020, with the average demand doubling to $170,000 per business.
Ransomware is just one example of the evolving toolkit used by cybercriminals to take advantage of unsuspecting businesses. And it isn’t just huge conglomerates being targeted.
In a Ponemon Institute survey of small and medium-sized businesses, 66% reported experiencing a cyberattack in the past year, while 45% said their processes were ineffective at mitigating attacks. The data shows that there’s no discrimination when it comes to cybercrime.
Data breaches present another ever-present problem for small business websites. Just one security slipup can ruin the trust and goodwill built up with your users, potentially costing you future business.
Worse yet, once trust has been lost, it’s extremely difficult to gain back, especially among millennials.
Complete security is a laudable goal, but it’s difficult, if not impossible, to protect your business against every conceivable cyberthreat. As cybercrime increases in complexity, law enforcement is often caught playing catch-up with the evolving threat.
However, you can avoid the common security pitfalls that leave many small businesses vulnerable to attacks.
Here are five of the most common security mistakes made by small business websites.
1. Not Educating Your Team About Cybersecurity
Any employee of an organization is a potential target of cybercriminals, so it’s not enough for the website owner to understand cybersecurity. Every member of the team needs to understand the real risks involved with cybercrimes.
While about half of cybercrimes come in the form of an outside hack, many others rely on human error to gain access. According to a Verizon study, 22% of cyberattacks were attributed to human error, such as sending information to the wrong recipient or accidentally giving away passwords.
Furthermore, the Verizon study found that 94% of all malware attacks come from email, proving that cyberattackers prey on oblivious employees not up to speed on the latest cybercrime tactics.
To reduce the vulnerabilities caused by human error, it’s important to educate your team about cybercrime. However, cybercrime is such a broad and complex topic that it can be difficult to know where to start.
At the very least, the following topics should be discussed with your team:
Password Usage – Employees should be encouraged to use strong passwords and update them regularly. You can use password management tools like RoboForm or NordPass to prevent lost or forgotten passwords.
Website owners will also want to ensure that they’ve removed password access for any departed or departing employees.
Social Media Usage – Social media accounts for over half of all data breaches, with 1 in 5 organizations having been affected by malware through social media. In the past year alone, we witnessed data breaches occur at Facebook, Instagram, LinkedIn, Parler, and many more.
Website owners should develop a clear social media usage policy that requires passwords to be strong and unique. This is especially important in light of the increase in remote working, where employees may be using personal devices for work purposes.
Third-Party Tool Usage – Employees should also understand the risks of downloading third-party content. Make it clear that while third-party content is important and even necessary, employees need to evaluate if the content is trustworthy.
Website owners are best served by compiling these security policies into one place so it’s easy for employees to find.
2. Not Testing Your Security
You wouldn’t put a lock on your door then leave your home without testing it. The same principle applies to web security, which should be tested regularly to ensure that no elements are overlooked.
Testing methods should include:
- Password cracking
- Analyzing data flow
- Ensuring personal data is encrypted
- SQL injection and invalid input checks
- Cross-site scripting checks
There are a number of tools providing web security tests such as Acunetix and Netsparker, along with Zed Attack Proxy (ZAP) and Wapiti, which are both open-source and free.
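As a sketch of what the SQL injection, invalid input, and cross-site scripting checks in the list above assert, here is an added example (not from the original article) that runs them against a weak and a hardened version of the same code. The table, function names, and sample inputs are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, plan TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("ann@example.com", "pro"), ("bob@example.com", "free")])
    return db

def lookup_concat(db, email):
    # Weak form: the input becomes part of the SQL text.
    return db.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()

def lookup_bound(db, email):
    # Hardened form: the driver binds the value, so it is never parsed as SQL.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def render_raw(comment):
    return "<p>" + comment + "</p>"

def render_escaped(comment):
    # Output encoding for an HTML body context.
    return "<p>" + html.escape(comment) + "</p>"

def run_input_checks(lookup, render):
    """Return a list of findings; an empty list means all three checks passed."""
    db, findings = make_db(), []
    # SQL injection check: a quote-bearing value must not widen the result set.
    if lookup(db, "nobody@example.com' OR '1'='1"):
        findings.append("sql-injection: input changed the query logic")
    # Invalid input check: a legitimate apostrophe must not break the query.
    try:
        lookup(db, "o'brien@example.com")
    except sqlite3.Error:
        findings.append("invalid-input: apostrophe caused a SQL error")
    # Cross-site scripting check: markup in a comment must come back encoded.
    if "<script" in render("<script>alert(1)</script>").lower():
        findings.append("xss: markup reached the page unencoded")
    return findings
```

Calling `run_input_checks(lookup_concat, render_raw)` reports all three findings, while `run_input_checks(lookup_bound, render_escaped)` returns an empty list.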
3. Not Having a Data Breach Response Plan
It’s comforting to think that as long as you’re careful, your site will be safe from data breaches. But this optimism doesn’t reflect reality: 2020 saw over 1,000 data breaches affecting more than 155 million people in the United States.
With cyberattacks occurring more frequently, even businesses employing every security check in the book can see themselves become a target for cybercriminals. One slipup is all it takes.
For this reason, website owners are best served by getting ahead of the problem and preparing a clear set of instructions for responding to a potential data breach.
The Federal Trade Commission (FTC) outlines a series of actions to take in the case of a breach, which includes:
- Fixing vulnerabilities
- Taking all affected information offline
- Securing physical areas associated with the breach
- Changing all affected passwords
- Assembling a team of experts to investigate
- Consulting with legal counsel
- Interviewing people who discovered the breach
- Keeping all evidence for follow-up investigations
- Notifying all affected individuals, businesses, and organizations
The FTC website provides more in-depth tips on how to respond to a breach and supplies a sample template letter for contacting law enforcement.
Website owners should also be aware of any state and federal laws regarding notification protocols. The important thing to remember is that transparency is always the best route. Avoid digging a deeper hole for your business by trying to hide the breach.
4. Not Using HTTPS
In recent years, HyperText Transfer Protocol Secure (HTTPS) has become the standard as inexpensive (and FREE) solutions have become readily available.
Currently 95% of all sites run on HTTPS, with the number rising since Google implemented the protocol into their crawler metrics in 2018. Now sites lacking HTTPS get flagged as “insecure” by Google, dealing a blow to any sites still relying on outdated security protocols.
HTTPS serves as the guardian of information traveling from your server to a visitor’s browser. It blocks potential attacks by encrypting data, so attackers only see random characters in place of sensitive information.
HTTPS works in partnership with a Transport Layer Security (TLS) certificate, which actually encrypts the data. TLS certificates are issued and authenticated by vetted businesses known as Certificate Authorities (CA). (Note: TLS Certificates are still often called “SSL Certificates” – SSL and TLS are used interchangeably in conversation, but TLS is the modern technology being used.)
Making the move to HTTPS can be a complicated process if you plan to go it alone. You’ll first want to reach out to your hosting company to see if they offer an easy HTTPS option (or find a hosting company that does). For example, Kinsta and WPX Hosting both offer one-click FREE options for migrating to HTTPS that take less than a minute to complete.
If your provider doesn’t offer these options, we would recommend consulting a professional if you lack the technical expertise to pull off such a complex task. But if you want to push forward, you can visit Let’s Encrypt or SSL2Buy to obtain a TLS certificate.
This guide from Kinsta also provides step-by-step directions for a complete HTTP to HTTPS migration.
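Once a site has moved to HTTPS, a few leftovers commonly undo the benefit: a temporary redirect, a missing or short HSTS header, cookies without the Secure attribute, and subresources still loaded over http://. The following post-migration check is an added example, not code from the original article or from any hosting provider; the response dictionaries, the 180-day HSTS threshold, and the www.example.com host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; an assumed policy threshold, not from the article

def audit_https(http_resp, https_resp):
    """Each response is a dict with status (int), headers (list of pairs), body (str)."""
    findings = []
    # 1. The plain-HTTP URL should permanently redirect to an https:// location.
    loc = next((v for k, v in http_resp["headers"] if k.lower() == "location"), "")
    if http_resp["status"] not in (301, 308) or urlsplit(loc).scheme != "https":
        findings.append("http-not-permanently-redirected")
    hdrs = [(k.lower(), v) for k, v in https_resp["headers"]]
    # 2. HSTS tells returning browsers to skip plain HTTP entirely.
    hsts = next((v for k, v in hdrs if k == "strict-transport-security"), "")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("hsts-missing-or-short")
    # 3. Cookies without the Secure attribute are also sent over plain HTTP.
    for k, v in hdrs:
        if k == "set-cookie":
            attrs = [p.strip().lower() for p in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie-not-secure:" + v.split("=", 1)[0].strip())
    # 4. Subresources still loaded over http:// (mixed content); <a href> links are ignored.
    mixed = re.findall(
        r"""<(?:script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["'](http://[^"']+)""",
        https_resp["body"], re.I)
    findings += ["mixed-content:" + u for u in mixed]
    return findings

# Constructed responses for a half-finished migration (www.example.com is a placeholder).
HTTP_RESP = {"status": 302, "headers": [("Location", "https://www.example.com/")], "body": ""}
HTTPS_RESP = {
    "status": 200,
    "headers": [("Strict-Transport-Security", "max-age=300"),
                ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                ("Set-Cookie", "prefs=dark; Secure; Path=/")],
    "body": '<link rel="stylesheet" href="https://www.example.com/site.css">'
            '<img src="http://www.example.com/logo.png">'
            '<a href="http://partner.example/">Partner</a>',
}
```

For the constructed responses, `audit_https(HTTP_RESP, HTTPS_RESP)` returns one finding per leftover, in the order the checks run.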
5. Using Vulnerable Or Outdated Technologies
Over the past decade, a host of third-party technologies came along to help developers more easily create eye-catching, interactive sites.
These tools helped knock down the barriers to entry for web development and enabled small businesses to create the same types of cutting-edge sites as large corporations.
But as the internet democratized and evolved, so did hackers. Cyberattacks increased in frequency and complexity, often targeting these same third-party tools that can be helpful and necessary.
Your best defense against third-party attacks is to make sure all technologies are updated with the latest version. Also, you should ditch any outdated technologies that have ceased new updates.
Nothing else defines outdated and vulnerable technology quite like Adobe Flash, once considered the king of the internet.
Over the past two decades since its creation, Flash has been plagued with massive vulnerabilities. The National Vulnerability Database tallied 1,222 vulnerability reports for Flash Player since 2002, with the most recent occurring in 2020 and receiving the highest possible threat rating.
If you’re still using Flash, you should migrate immediately to HTML5, which has become the new standard. HTML5 performs many of the same tasks as Flash, while being more customizable and compatible with mobile devices.
If you have content made with Flash and want to convert to HTML5, you can use tools like Google Web Developer or Adobe Animate CC, which comes with the Adobe Creative Cloud suite.
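Before converting anything, it helps to know which pages still reference Flash. The inventory below is an added example, not part of the original article or of any Adobe or Google tool; it looks for the usual embedding patterns (`<object>`/`<embed>` with the Flash MIME type or a `.swf` target, a `movie` param, and a swfobject loader script), and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLASH_MIME = "application/x-shockwave-flash"

def is_swf(ref):
    # Compare the URL path only, so "intro.swf?v=3" still matches.
    return urlsplit(ref).path.lower().endswith(".swf")

class FlashFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag, reference)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        ref = None
        if tag in ("object", "embed"):
            target = a.get("data") or a.get("src") or ""
            if a.get("type", "").lower() == FLASH_MIME or is_swf(target):
                ref = target or a.get("type")
        elif tag == "param" and a.get("name", "").lower() == "movie" and is_swf(a.get("value", "")):
            ref = a["value"]
        elif tag == "script" and "swfobject" in a.get("src", "").lower():
            ref = a["src"]
        if ref:
            self.hits.append((self.getpos()[0], tag, ref))

def find_flash(pages):
    """pages maps a file path to its HTML; returns (path, line, tag, reference) rows."""
    rows = []
    for path in sorted(pages):
        finder = FlashFinder()
        finder.feed(pages[path])
        finder.close()
        rows += [(path, *hit) for hit in finder.hits]
    return rows

# Constructed sample pages (not from any real site).
SAMPLE_PAGES = {
    "index.html": '<h1>Welcome</h1>\n<video src="intro.mp4" controls></video>\n',
    "promo.html": '<object type="application/x-shockwave-flash" data="banner.swf?v=3">\n'
                  '<param name="movie" value="banner.swf?v=3">\n</object>\n'
                  '<embed src="/media/Game.SWF">\n',
}
```

`find_flash(SAMPLE_PAGES)` lists three references, all in promo.html, which gives a concrete worklist for the HTML5 conversion.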
In Security We Trust
As a website owner, maintaining user security is a never-ending task. If nothing else, cybercriminals have proven themselves creative at outsmarting the latest security efforts.
But keeping up to date on the latest security patches and being aware of the latest cybercrime trends helps keep you one step ahead. Not only does this keep your business out of jeopardy, but it also instills user confidence in your site.
Through your efforts alone, you show that you take user data seriously and will do what’s necessary to keep it safe. This trust eventually translates to more repeat visits and more sales.
If you’re ready to tighten your site’s security even further, consider getting a Trust Score from DigitalTrust. The Trust Score entitles you to a free trust report analyzing your current security measures and provides a detailed list of additional security measures to implement on your site.
In addition, the trust report analyzes your website for over 50 factors in the areas of safety, transparency, usability, and reputation, all important elements for gaining user trust. You also have the chance to earn a free Trustmark, providing you with third-party authentication of your site’s trustworthiness.