Your website goes down. Is it your web host? Has it been hacked? Is it being attacked? Is my customer data safe? These are just a few questions that you need to ask yourself when your business has issues with your website. What kind of malicious cyber attacks happen? Let's get that list out of the way first:
- 26% - Viruses, malware, trojans, worms - This one is obvious to most people - Malicious or rogue types of software that can harm or hijack your computer. Some are so sophisticated that they can lay dormant for any amount of time, or be switched on at a particular time. Other forms of malware can remain on your hard drive even after being erased/formatted if they are installed in the boot sector of your drive.
- 17% - Malicious Insiders - This includes someone such as a disgruntled or former employee with access to certain technology. It is often tied to the other cyber attacks listed here.
- 13% - Theft of device - This includes devices with credentials that can access your network, or even ID theft.
- 13% - SQL Injection - These types of attacks typically use a technique that exploits data-driven applications & pass a newly formed malicious SQL command within your database.
- 10% - Phishing - Mainly performed through email, this type of attack attempts to trick your employees to click on something they shouldn't. Train employees to never click on links within email, Skype, or any other web-based service.
- 8% - Social Engineersing - This is the practice of manipulating people into performing actions or divulging confidential information. One example of this cyber attack would be a rogue outsider calling a company employee & asking for computer passwords or network passwords.
- 8% - Web-based attacks - These include attacks from known-bad domains or websites. You can protect your business from these types of attacks by using an onion-layered security policy for your network.
- 5% - Other types of attacks
Now that we know the types of cyber attacks that can occur, what things can you do to prevent these attacks? Although this list is obviously endless, we've compiled this list as a guide to protecting your small business online.
- Install good Anti-Virus Software
This is item #1 simply because it is the main cause of cyber or internet attacks on small businesses. You may have negligent employees who are simply unwitting, or you could have a malicious insider in your company. SilicolnIndia listed the 10 best business anti-virus solutions, with my favorite, TrendMicro Endpoint Solutions, coming in at #5. The #1 spot was reserved for BitDefender, which I've heard a lot about lately on the blogosphere.
- Train Your Employees to Practice the Company Safety Policy
Sometimes, performing certain safety policies aren't as obvious to employees as you might expect. Giving anyone information over the phone should be mentioned, and I've personally even seen employees give a stranger on the phone (posing as 'IT') remote access to their computer(s). Add cyber security to your businesses employee policy.
- Get Cyber Liability Insurance
Since attacks that are internet-based are specifically mentioned as 'not covered' under a General Liability Insurance policy, many small businesses bundle a GLI policy with a Cyber Risk Insurance policy. FYI: Your web host is not liable for the attacks. This includes not only coverage for damage done to hardware and software, but also litigation in case a hacker grabs lots of sensitive customer information.
- Have a PEN (Penetration) Test performed on your network
Depending on the nature of your business, you might want to have a professional network security team perform a PEN test on your website. Specifically if you are 100% web-based, a PEN test can reveal security holes in your network & applications. Also known as network forensic professionals, or ethical hackers, these professionals will uncover unknown security holes or flaws.
- Utilize Data Breach Detection Software
There are a few solutions for preventing & detecting data breaches, other than viruses & malware. There is a good possibility that you've been attacked & may not know it until its too late. Data breach protection & detection is made possible by a few companies, including invincea. They offer a trial version on their website - Rapid response is the key when your website is under attack.
- Keep track of your devices
Whether its a desktop, laptop, tablet, or phone: Most of these devices have access to, and credentials for, your network. They also can contain sensitive company data or information. Warn employees about leaving any of these devices in the wrong area, think a coffee shop or car. Be sure to identifying & classifying any confidential information.
- Have a strong password policy
Include a strong password rule in your companies policy. A strong password is one that includes upper & lower case letter, as well as a special character - Ideally you would have 26 characters, but for most people that is too long. Instead of "Password", you could use "[email protected]$w0rd1235". Its not that hard to remember, and is highly effective against password crackers & brute-force attempts.
- Deploy data loss prevention technologies
Data redundancy is extremely important - You should have a backup offsite, and another offline, especially for your most important/sensitive information. External backups, usb flash drives, DVD/Blu-Ray discs, and cloud storage should all be utilized but also make sure to oversee that proper privacy policies are enforced and encrypted.
- Implement multi-factor authentication
Multi-factor authentication is important for companies that have a lot of devices. A good example of a one-factor authentication would be a computer password. A two-factor authentication would be a computer password and an RSA authentication fob. You could add another authentication by adding a fingerprint scanner.
- Encrypt your devices
Data encryption is by far the best method to prevent data breaches. Whether its encrypting your customer information database, desktop/laptop operating system, or individual files/folders. If you are transporting data over a network, data encryption is a must. Finally, if you have any applications that have been built for your business, make sure all the correct data is encrypted when it forwards the information to another application/database.
Protecting your small business again cyber attacks is an easily preventable item that you can check-off your to-do list. The hardest part of this practice is simple: maintaining & performing the policies that you have in place, as well as check that your employees are following the same practices.