Forget viruses – the No. 1 security threat you need to watch for as a small business owner is phishing. It requires no specialized tools, anyone with a persuasive pitch can run it, and it works against practically any organization. The appeal for attackers is clear, but what should the average business owner do to protect themselves against it?
What is phishing?
Put simply, phishing involves tricking a user into either submitting their credentials or installing malicious software, usually by impersonating someone the user trusts. A classic example is an urgent email that appears to come from your bank, alerting you to a breach of your account. You are told to follow a link and verify your credentials immediately or risk having your account frozen.
This kind of urgency trips up many people, and before they know it they are typing their password into a website controlled by an attacker. Often you won't notice that anything has happened at all, because the phishing page then redirects you to the real website of your bank (or whatever site you were supposed to visit). The tell is usually in the link itself: the sender's name and the visible text look right, but the address the link actually points to belongs to a domain the bank does not own, or the brand name appears as a subdomain of some unrelated domain.
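The checks described above can be automated at the mail gateway. The following is an added example, not code from the original article: it parses the links out of an HTML email body and flags the common disguises (visible text naming one domain while the href goes to another, a trusted brand name embedded as a subdomain of an unrelated host, user info before an "@" that hides the real host, and punycode host names). The trusted domain examplebank.com and the sample email are constructed for the example.

```python
"""Flag deceptive links in an HTML e-mail body (added example, standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains this hypothetical organisation treats as legitimate (assumed for the example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Link text that itself looks like a domain or URL, e.g. "www.examplebank.com/login".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I)

# Constructed sample message: one honest link and three deceptive ones.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<a href="https://www.examplebank.com/login">Log in</a>
<a href="https://www.examplebank.com.verify-account.test/login">https://www.examplebank.com/login</a>
<a href="https://examplebank.com@198.51.100.7/login">Verify now</a>
<a href="https://xn--exmplebank-7ib.com/login">examplebank.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (no public-suffix list; fine for .com/.test style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_link(text, href):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    # 1. https://examplebank.com@198.51.100.7/ : the browser ignores everything before '@'
    if parts.username is not None:
        reasons.append(f"user info before '@'; real host is {host!r}")
    # 2. Punycode host names can render as look-alikes of a known brand
    if "xn--" in host:
        reasons.append(f"internationalised (punycode) host {host!r}")
    # 3. Brand name used as a subdomain of an unrelated domain
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != trusted:
            reasons.append(f"trusted name {trusted!r} embedded in untrusted host {host!r}")
    # 4. Visible text names one domain but the href goes somewhere else
    m = DOMAIN_LIKE.match(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"link text shows {m.group(1)!r} but target is {host!r}")
    return reasons


def find_suspicious_links(html_body):
    """Return [(text, href, reasons)] for every link with at least one reason."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for text, href in collector.links:
        reasons = analyse_link(text, href)
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


if __name__ == "__main__":
    for text, href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

Run against the sample message, the first link passes and the other three are flagged with one or two reasons each. The registrable-domain helper is deliberately naive; a production filter would use a public-suffix list so that names like example.co.uk are grouped correctly.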
Here's what you need to do to protect your small business against phishing attacks.
1. Constantly train your employees on safe practices.
Even if you're aware of the dangers of phishing yourself, your employees are another story. Make sure everyone is on the same page and follows the security guidelines to the letter. Have consequences for those who ignore the rules and reward those who follow them, but never punish someone for reporting that they clicked a link or typed in a password: an employee who hides a mistake out of fear gives the attacker hours or days of unnoticed access, while one who reports it within minutes lets you reset the password and block the site before much damage is done.
In the end, the company's owner is not the most likely target of a phishing attack. It's usually a rank-and-file employee, someone less invested in the company than their colleagues but with just enough access (to email, to payment systems, to customer records) to cause a lot of damage.
2. Update your software.
Some phishing attacks don't need you to type anything at all: the attachment or the linked page exploits a flaw in outdated software on the victim's machine to install malware. Preventing this is as simple as keeping everything in your organization up to date, and not just the obvious things like Windows itself, your antivirus and your firewall. Install updates for absolutely everything you use, because every unpatched program is a potential way in.
Even something as innocent as a PDF reader or an image viewer becomes a weapon if it has the "right" kind of flaw in its code, and phishing attachments are crafted precisely to be opened by those programs. The next time you get a notification about a Java, browser or Office update, don't postpone it, and don't let your employees postpone it either. Where possible, turn on automatic updates so the decision isn't left to the user at all.
3. Enforce good password policies.
A common pattern after a successful phishing attack is that the attacker tries the captured credentials everywhere they can think of: your email, your bank, your cloud services. If your employees reuse the same password all over the place, one captured password opens far more than the account the attacker originally went after.
If a breach happens, you have to keep it as contained as possible. To that end, require a unique password for every account (a password manager makes this painless), enforce a sensible minimum length, and turn on multi-factor authentication wherever it is offered, especially for email and any administrative or financial account. MFA is the single most effective control here, because a phished password on its own no longer gets the attacker in. Bear in mind that codes sent by SMS or generated by an app can still be phished in real time by a fake page that relays them to the real login, so prefer hardware security keys or passkeys (FIDO2/WebAuthn) for your most sensitive accounts: they are bound to the genuine site's domain and simply won't work on an impostor. Forcing everyone to rotate passwords every 90 days is less useful than it sounds, since it mostly produces predictable variations of the old password; what matters is changing a password immediately when you suspect it has been captured.
4. Isolate critical components in your company's infrastructure.
On a related note, isolate the critical components of your infrastructure as much as possible, and give each person and each system only the access it actually needs. For example, if you're running a centralized backup solution, not everyone needs direct access to the backup server; put it on its own network segment and allow only the backup jobs through. Some systems can be kept completely off the general network, save for a few explicit connections to the central infrastructure. Not everyone needs access to the database that stores customer data either.
It will take some time to sort out your network in this way, and it might slow down some operations because they now require an extra step or two. But if an attacker gets a foothold through one phished employee, they will be limited to what that employee's account and network segment can reach, rather than having the run of the whole company.
5. Implement a centralized network protection solution.
No matter how well you have trained your employees, sometimes someone will click on the wrong link. Run a centralized filtering solution that keeps these incidents from escalating: a web proxy or firewall that everyone's traffic passes through (or a filtering DNS resolver) can block known malicious sites and stop the phishing page from ever loading. Just as important, have it alert you when a block is triggered, and log which user requested which address, so you can look at the incident in detail. A visit to a phishing domain that is followed by a form submission to the same site is a strong sign that credentials were entered and need to be reset right away.
Of course, your employees should keep a reasonable expectation of privacy, and you should tell them what is being logged. But an extra eye on the links they visit is a small price for catching an incident in minutes rather than weeks.
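Here is the kind of alerting just described, as an added example rather than anything from the original article: it scans proxy access-log lines in Squid's native format for requests to domains on a block list, groups the hits by user, and rates an incident "critical" when a POST (a submitted form, most likely credentials) went to a blocked site. The block-list domains and the log lines are constructed for the example; in practice the list would come from your filtering vendor and from domains seen in phishing emails your staff report.

```python
"""Scan a web-proxy access log for visits to blocked (phishing) domains and raise alerts."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical block list, e.g. domains taken from a reported phishing e-mail (assumed).
BLOCKED_DOMAINS = {"verify-account.test", "xn--exmplebank-7ib.com"}

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000001.123    120 10.0.0.15 TCP_MISS/200 5120 GET https://www.examplebank.com/login alice HIER_DIRECT/203.0.113.5 text/html
1700000002.456     80 10.0.0.15 TCP_MISS/200 2048 GET https://www.examplebank.com.verify-account.test/login alice HIER_DIRECT/198.51.100.7 text/html
1700000003.789     60 10.0.0.15 TCP_MISS/302 300 POST https://www.examplebank.com.verify-account.test/submit alice HIER_DIRECT/198.51.100.7 text/html
1700000004.000     90 10.0.0.22 TCP_MISS/200 1024 GET https://xn--exmplebank-7ib.com/ bob HIER_DIRECT/198.51.100.8 text/html
1700000005.000     50 10.0.0.31 TCP_HIT/200 4096 GET https://www.example.org/ carol HIER_NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable_domain(host):
    """Last two labels of a host name (no public-suffix list; fine for .com/.test style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_blocked(url):
    """True if the URL's host, or its parent domain, is on the block list."""
    host = urlsplit(url).hostname or ""
    return host in BLOCKED_DOMAINS or registrable_domain(host) in BLOCKED_DOMAINS


def scan_log(text):
    """Group blocked requests by user: {user: {client, hits, posts, first_ts, domains}}."""
    alerts = defaultdict(lambda: {"client": None, "hits": 0, "posts": 0,
                                  "first_ts": None, "domains": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blocked(rec["url"]):
            continue
        a = alerts[rec["user"]]
        a["client"] = rec["client"]
        a["hits"] += 1
        if rec["method"] == "POST":
            a["posts"] += 1  # a form submitted to a phishing site: assume credentials were entered
        if a["first_ts"] is None:
            a["first_ts"] = float(rec["ts"])
        a["domains"].add(urlsplit(rec["url"]).hostname)
    return dict(alerts)


def severity(alert):
    """'critical' if something was submitted to the phishing site, else 'warning' for a visit only."""
    return "critical" if alert["posts"] else "warning"


if __name__ == "__main__":
    for user, alert in scan_log(SAMPLE_LOG).items():
        print(f"[{severity(alert)}] {user}@{alert['client']}: {alert['hits']} request(s), "
              f"{alert['posts']} POST(s) to {sorted(alert['domains'])}")
```

On the sample log this produces a critical alert for alice (she loaded the fake login page and then submitted a form to it) and a warning for bob (one page view, nothing submitted); carol's ordinary browsing is not reported. The "critical" case is the one that should trigger an immediate password reset and MFA session revocation for that user.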
6. Conduct drills.
Big organizations do this often, and it doesn't hurt to try it in your own company as well, even if you have fewer resources. A phishing drill is simple to set up: send a harmless lure email that mimics a real attack and record who clicked the link, who entered a password on the landing page, and who reported the message. That gives you detailed statistics on how your employees performed: you can identify those who seem to have trouble adjusting to the new requirements and see whether certain kinds of lures (a fake invoice, a fake password-reset notice, a message that appears to come from the boss) succeed more often than others. Treat the report rate as the number you most want to push up; the click rate will never reach zero, and a quick report is what limits the damage from a real attack. This is extremely valuable information for making your network safer in the long run.
Most importantly, you need to be proactive. Phishing protection is not something you should leave until the last minute. A breach only needs to happen once to do significant damage, and recovering from it is hard. As long as you pay attention to the important factors and know how to approach this, you can establish a safe, secure setup that stops most attacks before they cause any real harm to your business.
7. Remember that phishing attacks can happen to anyone.
Don't make the mistake of assuming that a phishing attack can never happen to you. Phishing attacks are more frequent than ever these days, and they hit various businesses regularly. Sometimes they don't even target businesses – one recent example saw a phishing attack designed to target activists in various fields. The attack extracted various personal details from their victims, including passwords, location data and work they've been involved in.
As you've probably surmised, this can be very damaging to someone involved in activities like this, and there has already been major concern about the implications of the situation. What's left for small businesses, then? If someone is willing to target individuals without even doing it for profit, then the implications for someone targeting your business are definitely frightening.
Professionals using LinkedIn were also recently reported to have been targeted by phishing attacks. This campaign seemed to target business owners in particular, rather than employees of specific companies. As you can see, phishing attacks can come from many different angles, and it's difficult to predict where you'll be hit from. In some cases, even a professionally worded message on a social media platform can have sinister intentions, and it's important to look closely before you act on it to avoid getting burned.
Government organizations are frequently targeted as well, especially smaller ones. Florida's Collier County officials reported recently that scammers had managed to extract nearly $200,000 in a phishing attack that targeted the county directly. Despite the government taking active measures to protect itself against such attacks, cyberattacks still manage to break through occasionally.
This is exactly what things look like for the average small business, and why it's so important to pay attention to current trends in phishing attacks and similar scams. The techniques are constantly evolving, and some of the new developments on the technological front are frightening. Protecting your business against phishing attacks is an ongoing effort, not something you do once and call it a day.
Why are smaller businesses more attractive to hackers?
Limited resources are an obvious answer to that question, but there are many more reasons. In a smaller business, employees can typically be expected to be less experienced and less security-conscious. It's also reasonable to expect them to be somewhat less motivated to defend the company's secrets. All of these factors combined can paint a very attractive target on your smaller company. It shouldn't be surprising that many major phishing campaigns try to exploit the weaknesses of smaller organizations.
This will likely get even worse in the future. It's getting easier and easier to start a small company with minimal resources these days, and many entrepreneurs have been taking advantage of that – meaning many hackers are trying to exploit the situation as well.
All of this means one thing for the random small business owner: Proactive protection is more important than ever. You have to take active measures to prevent these attacks from getting through, because it only takes once for things to get really bad. After that, you'll likely pay more attention to your security, but it may be far too late to save your company.