editione1.0.0Updated October 31, 2022
🚀 As explained by Erica
confusion Not sure if you’re a small business or a startup? Check out our guide in the introduction.
The speed of adoption of technology that helps us sell more things (from point-of-sale systems to websites) has always been faster than the adoption of technology that protects our systems, data, and selves. The gap makes sense. There are a lot of small businesses—the local brick-and-mortar shops, the online shops run out of houses or small offices, the side hustles run on established e-commerce websites like Etsy. And when you think about security, you recall the bad news about that big corporate or global enterprise that got hacked. You don’t often think about those small businesses getting hit.
In reality, the small businesses do get hacked—they are just often not big enough for journalists to cover. “Local insurance agencies get hit with ransomware and go out of business” isn’t a headline that draws readers quite the same as seeing a recognizable brand like CNA Financial.
Trust us, security breaches happen to small businesses. It often hits quite unexpectedly. Shouting, tears, and frantic phone calls do not fix the situation. As a small business owner, you are also unlikely to make the problem go away with some highly paid consultants or incident support teams. At the end of the ordeal, a lot of these businesses may quietly shut their doors and go under.
I’m not saying this to scare you, but because the biggest fallacy we tend to hear and see from small businesses at SafeStack is “I am too small to be noticed.” But as discussed earlier, the security threats to small businesses are often not targeting your business directly, but as a result of automatic scripts run to target the technology you use, or arise from data breaches resulting in loss of passwords that are reused for multiple accounts. These attackers are trying to make quick and easy money. In 2022, Verizon found 100% of the breaches they investigated for very small businesses were financially motivated.
Think about it: why would attackers go after large companies with funding, resources, and security measures already in place, when they could instead go after small businesses—simply by tricking a few people to pay into the wrong bank account, or by harvesting data that can be sold at a large scale? The US Cybersecurity and Infrastructure Agency (CISA) noticed in 2021 that 70% of the attacks were against companies with fewer than 500 employees.
Let’s look at how protecting business data affects your security strategy.
The previous part on individual security talks about protecting access to your personal email, other accounts, and devices. As a small business, you protect not just your own data, but the hold the data of others—your customers, clients, employees, and partners.
When you yourself sign up to a new service or website, you agree to a long, waffle-y terms of services that uses legal jargon to explain a simple agreement: by signing up, you are giving your data in exchange for a service. You are trusting the creator to be ethical with that data.
Well, the same applies here in reverse. If you are providing a service or a product to someone, they are trusting you to protect the data that they share with you. If your website banner said, “Give us your credit card data at your own risk,” I can’t imagine you would have many sales. There is an inherent trust relationship you are creating when you collect data from others.
If you lose this data, you break that trust. Not every country right now requires you to fess up when this happens, but these updated privacy laws will come soon. The General Data Protection Regulation (GDPR) in the European Union requires you to notify those impacted within 72 hours, and is likely to set precedent globally. The California Consumer Privacy Act of 2018 allows consumers to sue companies that have a breach. In New Zealand, the Privacy Act requires organizations to disclose breaches that might cause serious harm. Even without these laws and regulations, sometimes people can put two and two together to find out it was you and then publicly expose you online and on social media.
It only takes a few public incidents before the negative reviews, videos, and posts start to affect your profits and resilience.
In your small business, you operate with the support of others. Sometimes the tasks that you delegate to others carry security risk, and others might not have the same security mindset or risk-focused thinking as you. Now that your business is more than just you, it is time to start bringing your team into the fold and having a conversation about security. They need to be encouraged and enabled to make risk and security calls themselves to avoid making a mistake later.
You will need to give others, either your employees or a third party, access to the systems you have to run your website, application, or store. A large number of security incidents happen by taking advantage of human nature. Social engineering attacks are a fast-growing risk in almost all organizations. In a 2022 study by Verizon, 82% of the incidents investigated included a human element.
Before we get into the doing, we want to share two pieces of advice to frame your mindset for this part:
Give your team the tools they need.
Be willing to change your operating model, if necessary, to truly be secure.
Think about the last time you hit a roadblock, and how you bypassed it. Maybe a customer sent a file and you didn’t have software that could open it, so you found a random one online. Or maybe you needed to share a file that was too big to send via email, so you created a Dropbox account and shared it that way.
You are resilient! While we will not let one roadblock stop us, we will always find the “path of least resistance” to get what we need. But there are problems in these situations, such as when we download software without reviewing to see if it is safe, or create a free account online to share data that could be sensitive.
This theme will rear its head multiple times in this book—and it starts even when you are a small business (and becomes quite the beast of a problem once you hit your growth stage). The best solution to this is to provide the tools that your team needs to do their job safely. We recommend investing in tooling early on to enable your team. For example, rather than letting your team set up and create individual, personal Dropbox accounts that you can’t see, you could pay a few dollars a month to be able to manage users on a business account and keep visibility and control over how it is used.
One way to consider if your employees need tools is to really think about their workflow—is working without those tools unrealistic? You might find your employees telling customers to send documents and files to their personal emails or accounts if there are unclear expectations and a lack of tools at their disposal. So before quickly saying they don’t need yet another tool, consider the expectations you set on your staff and the demands placed on them in their work.
Sometimes tools come with a cost. The cost can be a literal cost (as in a paid tool), but there is also the cost in time and attention for finding, setting up, and securing these tools. Consider this risk trade-off. Without the right tools, you have an unknown amount of risk and won’t know for sure where your business data might be. With tools, you have a known amount of risk because you know where that data is, and the risk depends on how well those tools are secured. Digital and online tools, after all, are an ideal target for attackers.
For the most part, the next steps you take after reading this book will involve making more well-rounded decisions about technology and configuring settings on tools that make your business safer. But you might also decide to entirely change how you do something within your business.
For example, your process for handling supplier invoices might currently be quite simple: a supplier sends you an invoice via email, and you pay it through an online banking system. Easy-peasy. After reading through this part of the book though, you might be surprised to hear about how often invoice fraud occurs, and how attackers get away with it. It stinks.
On the upside, there are some micro-changes you can make to how you pay suppliers to prevent these types of incidents. It could be as simple as a phone call to your supplier to ensure an invoice is authentic before paying into any new bank accounts. While you’re at it, you can use this as a bit of a relationship-strengthening exercise to talk about what is going on in their world, how their business is going, maybe ask how their families are doing. Relationships are big for small businesses, and this micro change has a huge security payoff; remember, trust is everything.
Not all changes will be as small. Sometimes it might be a big change to how you operate—perhaps giving your employees access to tools, accounts, or emails. This change has some overhead: setting up their access, configuring the settings securely, and keeping an eye out for any mistakes or mishaps. Alternatively, instead of going through that overhead, you might opt to change the operating model the other way, and make yourself more available for using those tools, accounts, and emails, rather than giving access to employees. It is a balancing act that you need to consider, while also questioning whether you are creating a roadblock for others that they might bypass. These are questions we can’t answer for you, but we can help you decide what security is needed depending on which path you take.
Attackers love small businesses, especially ones with no technology budget, no security budget, and loose business processes. Your work email, website, and various Software-as-a-Service (SaaS) accounts are ripe with data, and are where your customers interact with you financially.
Most attacks that a small business gets caught in are those where an attacker uses the same technique against businesses using a specific tool or technology, and is playing a game of numbers in hopes that a good percentage of their attempts are successful.
For example, a popular target for attackers is Magento, a platform used by small businesses for running e-commerce websites. Attackers create automatic programs that scan for websites with unpatched Magento platforms and break their way in. Once inside, they add credit card skimming software to silently send copies of credit card data back to the attacker. This way the website owner is unlikely to catch on to the attack, and the attacker’s program can sit there collecting data forever. Back in September 2020, there were over 2,000 website hacks alone over one weekend after Magento announced an older version of their platform as “end of life.” This target is so popular that the attackers and their software even have their own name, Magecart.
In this part of the book, we focus on the “secondhand Windows laptop” type of security for your small business: steps that will be cheap (but usually free) and simple to do. They will be strategic in the sense you will be able to quickly think through the risks and make a call to secure something (or just live with the risk, which is a valid response when done intentionally).
If you read through Part I of this book, you will have made your own personal, individual security to-do list.* This part focuses on key areas that most small businesses tend to relate to: email, websites, tools, and the third parties you work with. The context of how your business and employees operate, along with the company size and growth, will drive the need or decision on certain security controls.
🚀 As explained by Erica
We already learned a lot about how valuable our email is, and the power we have to be able to secure it ourselves. Personal email security might just apply to a single inbox. As a small business, employees may need email addresses, and email security applies to the total number of inboxes that represent your business and are in your business’s domain.