Print

Top 20 Cyber Security Tips for Small Businesses

Small Business Web Safety Tips

Businesses cannot exist without digital connectivity: While few exist exclusively online, most have to access the Internet for information, communication, data storage, purchase, banking, networking, recruitment, telecommuting, marketing and news. But every time you open this digital window to the universe, you run the risk of undesirable outcomes.

Anonymity is at the heart of several online safety issues. Face-to-face and physical communication, however inefficient, tends to have redundancies in authentication. An imposter visiting a bank branch, and attempting to fraudulently withdraw money would run the risk of being recognized as an imposter, getting recorded on the security camera, or being asked to sign a document.

Online, a password is often the only barrier to break into another person’s account. While businesses have to ensure that their own logins, passwords, and PINs do not get compromised, they also have to be the guardians of their customer’s digital authentication as well. You can significantly lower the likelihood of adverse events by taking the following precautions.

1. Only allow “tough nut” passwords.
As the name suggests, tough nut passwords are difficult to crack. Insist your employees and users create a password using all of the following: special characters, lower and upper case letters, and digits. This type of a password is harder to crack using the most common password crackers.

2. Limit the number of attempts of all steps in authentication.
Let me share some insider news without naming names. Recently a hacker found a way to crack anybody’s password on a major social networking platform. The method was simple: first, he tried random passwords until the platform blocked access for too many attempts. Then he was asked to enter a PIN that was texted to a phone number as a supplementary authentication method. The problem was that this website did not place any limits on the number of times you could enter a PIN. So even with a 6-digit PIN, there were only a million unique possibilities. And a password cracking software could do that in about a minute! The lesson: Limit the number of attempts at all stages of your authentication process.

3. Consider multifactor authentication.
Passwords, even when chosen intelligently, are just one of the methods of authentication. There are many more ways in which you can authenticate your customer’s accounts. We are already seeing implementations of biometric authentication for digital payments. While that might be overkill for your specific situation, you could consider adding a preselected image that a customer has to recognize, or security questions, or something beyond merely a password.

4. Consider the pros and cons of password management software.
There’s software out there that will create tough passwords, and remember them for you. If that feels like an interesting solution to the password problem, keep in mind that this could be akin to putting all your eggs in one basket. I am reminded of the LastPass episode from June 2015 where millions of passwords were probably compromised as hackers gained access to this password management software. The tip here is that you need to think hard before handing over your passwords to an online password management service.

5. Consider on-screen keyboards for sensitive information.
One of the simplest ways for hackers to gain access to your information is by installing keylogging software that records your keystrokes. You cannot be sure whether a keylogger is installed, especially when you are using shared computers. An easy workaround is to use on-screen keyboards. When you type using an on-screen keyboard, keyloggers cannot track your keystrokes. Many banks offer on-screen keyboards as an input option; use them. And consider offering this as an option to your customers, too.

6. Be careful about backups.
We have heard the dictum: backup, backup, backup. It is considered irresponsible for you to not backup. But keep in mind that when you backup, your data is now available at a remote storage location too. If someone broke into that location, they would gain access to your data. I am not discouraging backups—far from it. What I am recommending is that you encrypt, and password-protect your files before backing them up. In case of sensitive data, do not merely rely on the encryption that backup software offers.

Read more: Virus Protection You Should Install Right Now 

7. Think about whether you need to store the customer’s CVV number.
Storing the customer’s credit card details, with the customer’s permission, is a good idea as it makes future checkouts faster. But it also increases the risk of a hacker pilfering that data, and making fraudulent debits on your customer’s credit cards. As a partial solution, you could consider storing all credit card information except the CVV number. The customer would have to go through the, presumably minor, effort of entering 3 digits. But the credit card information would be far more secure without the CVV number.

8. Encode, encrypt, and divide customer data.
Online transactions are built on customers’ trust. After all, they are often clicking away large sums of money into your account with the faith that you will live up to your end of the bargain. That trust is your most important asset. So when you are storing customer data online, encode it, encrypt it, and store different elements in different locations so that one security breach does not give away the whole database.

9. Business espionage is real.
If you are a small business, the prospect of being a victim of business espionage might seem unlikely. But there are many who could gain from your proprietary information. Think about a competitor misusing your customer list or about your plans becoming public prematurely. Even the smallest business can take a hit if someone successfully spies on their information. Interestingly, business espionage is often accomplished with the help of an insider. So come up with processes about who can access what information. Like distributing customer data, consider dividing up where you store your own information.

10. Wage war on malware.
Viruses, trojans, adware, spyware: Malware has reached pandemic proportions. While there is no such thing as foolproof malware protection, there’s a lot that the right software can do for you. If your computers are connected to the Internet, you need to set up malware protection now.

11. Physical locks have a place in the virtual world.
There are several situations where the traditional lock-and-key approach could still keep you secure in the digital world. For instance, a secure safe is the best location to keep an offline backup on a removable hard disk. Likewise, your personal laptop is best kept behind a physical lock while you are away.

12. Beware the always-connected world.
In the early 90’s when the earliest issues of Internet safety reared their head, one common advice used to be, “remember to log out after you use your computer.” Today, with most of us having our personal devices, we tend to be logged in all the time. Otherwise, how else would we get our mobile notifications for messages and emails? As a result, accessing your accounts has become as easy as accessing your device while you are looking the other way. Consider whether you need to remain logged in at all times and when to log customers out automatically after a period of inactivity.

13. “Forgot Password” can be your worst enemy.
Passwords can be easily regenerated on the fly by clicking the “forgot password” option. So even if you meticulously log out of all your critical accounts, you may not log out of the email address associated with those accounts. So someone could simply visit your online bank account, click “forgot password,” access the resultant email or text to create a new password. The way to protect yourself is to remain logged out of your email account, too. If that is infeasible, consider having a separate secret email account that you never leave logged in. If you do have a separate account, make sure to login frequently to check if any important notifications have come your way.

14. Anonymous browsing can be your friend.
All web browsers have a privacy mode that allows you to retain anonymity while browsing. If you surf anonymously, your activities are not logged into your browser’s history. This prevents others from knowing where you have been. Also, data that you might use to fill up forms online is not available to other forms as an autofill, thereby keeping that data private.

15. Pesky notifications could save the day.
A couple of month’s ago, just before midnight, my wife received a text notification that she had withdrawn money from an ATM. The only problem: We had been at home all evening, and the ATM card was in her purse. The reason the fraudulent withdrawal was made close to midnight was to facilitate a similar withdrawal minutes later when the date changed. This way, the thief could withdraw double the daily limit within minutes. Luckily, we paid heed to the notification, and immediately blocked her card—thereby preventing the follow-up theft. If you enable notifications for your important transactions, you might be able to stem a problem before it becomes bigger.

16. An OTP is an elegant second line of defense.
Many payment services—banks, credit cards, digital wallets—allow settings that need you to authenticate transactions by entering an OTP (one-time password) that is texted to your mobile device. This creates one more layer of protection in case your password gets compromised.

17. Be cautious with free software.
Many of us have tons of apps on our mobile phones, and we have not paid for any. Choose reliable and well-reviewed software. You may not know it, but the software might come with hidden trojans that can steal your data, passwords, and even identity.

18. Take referrals with a grain of salt.
As a business owner, I might choose to help out in a specific case because a good friend referred it to me. This is the concept of social proof. I am more inclined to work with someone when I know that there is a common social thread that acts as a kind of a guarantee of authenticity. But scam artists know that, and can be use it to their advantage. They know that many people accept social invites, such as a LinkedIn invite, indiscriminately. So they could connect with an influential person, say Mr. XYZ, and then reach out to XYZ’s networks and say, “Mr. XYZ referred me to you.”

19. Secure your router.
People often tend to be unconcerned about the security of their WiFi routers. But there is simple freeware available that can break into most WiFi routers. This means that not only could a hacker steal your bandwidth, their nefarious activity could be traced back to your IP address. So, make sure to follow your router’s and ISP’s instructions to secure your connection.

Read more: Your Small Business Got Hacked: How to Manage the Crisis

20. Use common sense.
When it comes to matters of safety, there’s no substitute for common sense. If something does not seem right, think before you act. We all know that we shouldn’t click on email attachments unless we are sure about their source. Also, use email services with a strong spam filter, so that you are less likely to be attacked by phishing artists in the first place.If you have network devices: routers, servers, web hosts, CDNs (content delivery network), or the like, make sure you install the right firewalls and other security software. When you engage with someone online, do not assume that you are indeed talking to that person. And the list goes on; limited only by the creativity of the one out to get you. But use your common sense and stay up-to-date on the latest precautions (two resources I recommend are the Stop.Think.Connect. program by the Department of Homeland Security and Cyber Crime resources by the FBI), and you may be able to avoid the most common threats.

Follow Ajeet Khurana on Twitter @AjeetK.

Ajeet Khurana
Ajeet Khurana
Ajeet Khurana wears many hats: author, angel investor, mentor, TEDx speaker, steering committee of the NASSCOM Start-Up Warehouse, Director of Founder Institute, Venture Partner with the seed initiative of a top Venture Capital firm, and former CEO of IIT Bombay’s business incubator, among others. Before all this, he was entrepreneurial twice in the field of education and web publishing. As a lecturer at the University of Texas at Austin, he taught e-commerce back in 1993, when the term "e-commerce" had not yet been coined. An undergrad in computer engineering from the University of Mumbai, and an MBA from the University of Texas, Ajeet is presently an active name in the startup ecosystem. From starting two ventures as a solopreneur, to helping a large number of startups with their go-to-market, he has never shied from getting his hands dirty. At the same time he has helped dozens of startups raise investment. He truly believes that small business owners are driving change in the world, and need to be facilitated as much as possible. Innumerable small businesses have gained from his attitude, vast professional networks, financial acumen and digital mindset.

See all posts by Ajeet Khurana
  • All views expressed on the published articles at https://www.mastercardbiz.com are those of each of the authors, and do not in any way represent the opinions of Mastercard International Incorporated or any of its affiliates (“Mastercard”). Mastercard is not responsible of the information contained in these articles.