Hacking is fast becoming a multi-trillion dollar industry. Worse still, having a small business doesn’t mean you’re safe from harm.
On the contrary, 58% of data breaches target small businesses. And of those affected, only 20% survive more than 18 months after the ordeal.
Naturally, protecting your data from the prying eyes of nefarious cyber criminals needs to be a top business priority.
But what exactly can you do about it?
Let’s take a look at what we can learn from past data breaches to keep your online business secure.
#1: Use a Password Manager
As you’re probably aware, having a single password for all your accounts isn’t the safest way to protect against unwanted intruders. Furthermore, forcing your employees to remember a series of unique passwords could lead to complacency.
A cringe-worthy example is Equifax in Argentina, where employees would log in using the credentials “admin/admin.”
A password manager such as KeePass or LastPass easily allows users to manage a complex array of passwords through a single master key.
After all, compromised passwords cause as many as 81% of data breaches.
#2: Use Two-Factor Authentication (2FA)
Financial institutions the world over have been flocking to this uber-effective solution in droves.
Essentially, two-factor authentication uses either software or hardware tokens to verify a user’s identity. Hardware options such as RSA or YubiKey are best because they’re nearly impossible to spoof.
Although the process is relatively cumbersome, it’s worth considering for employees who handle sensitive information.
Just ask Zomato. In 2017, one of their developers’ accounts was compromised, which resulted in a data breach that affected 17 million users. Two-factor authentication would have easily avoided the fiasco.
#3: Develop a Recovery Plan with Regular Backups
A recovery plan may not prevent a breach, but it’ll go a heck of a long way towards minimizing the damageshould one occur.
Determine your recovery point and recovery time objective before formulating a plan in line with your business needs. And don’t forget to test the whole process thoroughly.
Most web hosting services offer automatic remote backups every 24 hours or so. For example, InMotion Hosting includes this service for free for customers on their VPS and shared hosting plans with under 10GB of data. HostGator, on the other hand, charges a few dollars per month.
Keep in mind that these services are designed for the most disastrous situations. It’s always prudent to run your own backups as well.
#4: Use Brute Force Detection Software
As computers become exponentially more powerful, brute force attacks are destined to increase.
Essentially, this is when the attacker uses a script to guess every possible password combination until it finds the right one. It may sound far-fetched, but a modern PC is now able to crack a 26-character password in as little as 35 minutes.
Apple fell afoul of the popular technique in 2014 when thousands of iTunes accounts were individually targeted and compromised. The result? Numerous private photos of celebrities were leaked.
Thankfully, it’s relatively easy to protect against such attacks. Brute Force Detection software can ban users on specific IP addresses from logging on after a predetermined number of attempts.
#5: Insist on HTTPS
Without a valid SSL Certificate, a hacker could be listening in on your traffic and pilfering sensitive data on a whim.
Reputable web hosts such as 1&1 include the certificate for free, so there’s really no excuse not to have one in 2018. Furthermore, that highly-lauded HTTPS prefix will boost your SEO and build consumer trust in your brand.
#6: Throw Up a Firewall
Firewalls are a nifty tool for keeping your data secure as they’re able to block most unwanted connections.
Either opt for a hardware or a software firewall or both, depending on your business needs. Linux and Windows both have their own – Iptables and Windows Firewall – so there’s really no need to neglect this essential bit of security.
#7: Ensure All Software Is Up to Date
You know how it goes.
A hacker finds a vulnerability and causes a whole bunch of damage. The vendor fixes it through a patch and the process repeats indefinitely.
With so many known vulnerabilities out there, it’s imperative to ensure your software is up to date at all times. Better yet, go a step further by quizzing your web host to ensure they’ve patched or backported all the latest updates as well.
To use an infamous example, the Equifax debacle was the result of a known vulnerability in their Apache Struts software.
Key programs for businesses to update include their operating systems, cPanel, PHP, caching technology, phpMyAdmin, and MySQL servers.
If you’re on WordPress, make sure the CMS is always updated to the latest version. Managed WordPress hosting providers such as Bluehost will do this for you automatically, but if your plan doesn’t include auto-updating as a feature, you’ve got to do it on your own. Read more on preventing WordPress hacks here.
#8: Actively Search for Vulnerabilities
The only way to truly secure your website is to find potential vulnerabilities before the bad guys do.
Penetration testers specialize in such things, although their services aren’t cheap. Nevertheless, they could save your business a huge amount of money by identifying a harmful vulnerability before it’s too late.
Case in point: an attack from a newbie hacker on Freedom Hosting II could’ve easily been prevented by searching for the vulnerability ahead of time.
#9: Be Transparent
Once a breach has occurred, it’s crucial to be open and honest from the get-go. Otherwise, you’ll cause further damage to your already-tattered reputation and could be violating the law as well.
Payday loan company Wonga is an example of an enterprise that failed spectacularly in this regard. Rather than promptly and directly informing their 245,000 customers of a serious data breach, they decided to discreetly write of the occurrence on a seldom seen section of their website.
Nobody was impressed.
#10: Be Wary of the Cloud
Although cloud storage is relatively safe, highly-sensitive data is best kept on a dedicated server. Only there can administrators have full control over their security settings and the utmost confidence in avoiding unwanted infiltrations.
Former online communications platform HipChat knows the perils of the cloud all too well. In 2017, they inadvertently exposed a huge amount of personal data held in a cloud-based third-party library.
Learning from your mistakes is great. Learning from the mistakes of others is even better.
Take this easily-earned information onboard and use it to protect your business from a potentially catastrophic data breach.