7 Of The Worst Small Business Cybersecurity Mistakes
By Stephen M.W
It’s hard to grasp the gravity of small business cybersecurity mistakes without appreciating how critical information technology is for the modern enterprise. In fact, so integral is IT in everyday work that it’s easy to take it for granted until a mission-critical system malfunctions or a network goes down and is unavailable for just an hour or two.
Small businesses, in particular, have found that technology has given them the leverage to compete against far bigger rivals. But while IT has undeniably been good for business, it has also introduced new risks and threats. Business systems and data are constantly in danger from hackers, malware, rogue employees, system failure, and natural disasters. This means that a robust IT security program is necessary to ensure these risks are adequately mitigated.
Large corporations often have a deep appreciation of why they need IT security — and they have the deep pockets to make it so. Small companies don’t always take cybersecurity as seriously as they should. Here’s a look at some of the worst small business cybersecurity mistakes.
1. Thinking they are too small to be a target
We often assume that hackers are primarily interested in infiltrating large organizations as the payoff is enormous. And it makes sense. A rational person would invest their time and energy in the thing that will give them the highest return. It doesn’t necessarily work that way when it comes to IT security though.
Large corporations have an army of IT security experts at their disposal backed by deep pockets. They can invest in sophisticated security systems. Since penetrating such systems is difficult and time-consuming, many hackers opt to shift their focus to small and medium-sized businesses (SMBs) instead because they expect to run into much less resistance.
In any case, even small businesses today handle substantial volumes of confidential information including payment and bank data for thousands of customers. Therefore, companies no matter how small should see themselves as a legitimate IT security target and take appropriate, reasonable measures to protect their systems and data accordingly.
2. Sharing passwords
One of the most significant advantages small businesses have over large corporations is the minimal bureaucracy. You can make decisions quickly and with much greater flexibility to accommodate customer needs. Many small companies enjoy deep camaraderie between employees. There’s an almost family-like relationship where staff members consider themselves close friends in and outside work.
The problem with such harmony is that it can slowly introduce laxity and presumption in everyday risk management and especially around IT security controls. Many small business employees don’t see the big deal in sharing their password with a colleague. Yet, shared passwords can make accountability near impossible as it’s never really clear who was truly responsible for a certain system action.
3. Falling behind on security patches
New IT vulnerabilities are discovered every day. Often, these vulnerabilities are posted on publicly viewable hacking and cybersecurity websites. That means the knowledge is out there for anyone skilled enough and interested in exploiting it. Software developers regularly release patches for their applications that are meant to plug these loopholes.
Best practice is for system administrators to apply these patches as developers release them. Many small businesses, however, accumulate a backlog of updates, often on the grounds that their staff is stretched or that they cannot afford to hire IT staff to apply patches on time. It’s one of the most potentially catastrophic small business cybersecurity mistakes. It leaves systems vulnerable to malware infection or hacker infiltration.
Small businesses should instead seek to automate their patching routines so that minimal to no human intervention is needed.
4. Using public WiFi
Small companies don’t have the established reputation or the recognizable brand name of large corporations. So they often must bend over backward to meet customer demands. That means being able to work at almost any time and from anywhere. Small businesses will also offer telecommuting as a perk instead of the much larger remuneration their staff would otherwise receive if they worked for a large organization. Employees will therefore regularly use public WiFi to connect to their corporate email, business applications, and file servers.
Yet, public WiFi isn’t safe. An attacker could deploy packet sniffing or a man-in-the-middle technique to intercept sensitive data including passwords. They could also create a deceptive hotspot in the vicinity bearing the same name and requiring the same login credentials as the true public WiFi. To mitigate this, employees must never connect to the company network via public WiFi unless they do so through a VPN (virtual private network).
5. Poor governance of portable devices
To cut costs, enable mobility, and increase flexibility, many small businesses have an above-average use of smartphones, tablets, laptops, USB drives, and external hard disks. Today, these devices pack substantial processing and storage capacity that often rivals that of the average desktop computer. Whereas these portable computing devices are convenient, they are also more prone to theft or loss.
Small businesses often do not have specific policies and procedures that govern the management and security of portable devices. If these gadgets fall into the wrong hands, they could expose huge quantities of confidential information to unauthorized or malicious persons.
All portable devices should have encryption software installed. That ensures their content remains unreadable even if the device were to fall into the hands of hackers.
6. Using free cloud-based services
Bootstrapped startups have to take advantage of free software and cloud-based applications to keep their expenditure low. Using free Internet email such as Gmail or Yahoo Mail may be somewhat understandable in a startup’s early days (though web and email hosting services are incredibly affordable nowadays).
However, these free services do not provide the degree of protection required to keep your most confidential data safe. In certain cases, they may not be adequate in ensuring compliance with relevant data protection laws such as SOX and HIPAA.
Worse still, both Gmail and Yahoo Mail have billions of accounts. That means the likelihood of personalized urgent customer service if you run into a problem you can’t resolve on your own is slim. You have much greater discretion, flexibility, and security when your applications and data are hosted on a paid SaaS.
7. Illegal software
Illegal software is a common trap for startups and small businesses. To minimize their expenditure, some small enterprises are willing to illegally procure the software they need. At other times, business owners fall into this trap out of ignorance, for example through an inability to distinguish between licensing models such as open source, licensed, and one-time purchase.
Leading developers such as Microsoft, Oracle, and Adobe have become more aggressive in chasing down and prosecuting persons and organizations using their software without permission. Of course, the illegality is just part of the problem. Illegal software is also more prone to malware infection. Some websites that illegally distribute copies of proprietary software embed malware into the installation files. Whoever planted it can later use this backdoor to gain access to your network, applications, and data.
Small business cybersecurity mistakes can be costly
Small businesses may not have the human, technical, and financial resources to keep track of the latest security threats, security tips, and technology news. They are therefore prone to making IT security mistakes. Nevertheless, the cost of failing to comply with IT security best practices is far greater than any short-term savings they may enjoy for their oversight. A breach could even put you out of business.
No matter the size of your business, you have sensitive information that hackers would love to get their hands on. By steering clear of these common small business cybersecurity mistakes, you can strengthen your cyber defenses, lower your odds of getting hacked, and ultimately safeguard your data assets.