Getting cyber security right is crucial for any business today, but many SMBs incorrectly assume that they're too small to be targeted (remember that the Target breach in 2013 was the result of one of that firm's suppliers being hacked). Logan Kipp, lead security analyst at SiteLock, says that this could not be further from the truth:
"Cybercriminals target SMBs to steal valuable resources such as website traffic, bandwidth and customer data. Although media headlines typically highlight the security breaches of large, well-recognised brands, in actuality, SMBs are on the receiving end of 60 per cent of attacks."
"It's important for SMBs to remain hyper-vigilant about security" - Logan Kipp, SiteLock
SMBs are low-hanging fruit for hackers, often without the security measures or resources to defend themselves against sophisticated attacks. While some have taken the warning of recent high-profile breaches seriously, many have either ignored them, or don't know where to start.
"Website security can be a challenging subject to navigate, compounded by common misconceptions, such as the perception that all you need is an SSL to secure your website. To clarify, SSL certificates only secure data in transit; they are the armored trucks of the internet, not the bank vault.
"As a rule of thumb, just remember: Find, Fix, Prevent and Train. A complete security posture includes mechanisms to scan for malware and vulnerabilities, fix issues by removing malware and remediating vulnerabilities, and prevent breaches with a web application firewall and encrypted communication. Establish a secure development lifecycle and an incident response plan, and follow through by training staff on proper execution."
Kipp mentions many threats that can affect a small business, but he says that by far the most common is not external at all: outdated software. Ironically, it is also perhaps the easiest to mitigate.
"Software such as content management systems frequently receives updates in response to new vulnerabilities being discovered. With the release of security fixes comes the added safety of vaccination against the latest threat discovered - but only if the patches are applied."
Software patches often highlight vulnerabilities in older versions, arming threat actors with insights into how they can be exploited. Kipp also recommends using the Open Web Application Security Project's (OWASP) list of the top 10 most common web application attacks, to understand active threats and how they can be countered.
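The patching point above is easy to state and easy to get wrong in practice: an inventory of installed components compared against the versions that carry the vendor's fix is the basic "Find" step, and the comparison has to be numeric rather than lexical (as a string, "1.10.2" sorts before "1.9.0"). The following Python script is an added example written for this article, not SiteLock's tooling or anything the author describes; the component names, installed versions and "fixed in" baseline are constructed sample data, not real advisories.

```python
"""Patch-hygiene check: flag installed web components whose version is below
the release that carries a known fix.

Constructed example for this article; not SiteLock's tooling. The inventory
and the fixed-in baseline are made-up sample data, not real advisories.
"""
import re

# Constructed inventory of what a small site might be running (sample data).
INSTALLED = {
    "example-cms": "4.9.10",
    "example-forms-plugin": "1.10.2",
    "example-gallery-plugin": "2.3",
}

# Constructed baseline: lowest version that contains the vendor's fix (sample data).
FIXED_IN = {
    "example-cms": "4.9.12",
    "example-forms-plugin": "1.9.0",
    "example-gallery-plugin": "2.3.1",
}


def parse_version(text):
    """Turn '4.9.10' into (4, 9, 10) so comparisons are numeric, not lexical.
    Plain string comparison would wrongly rank '1.10.2' below '1.9.0'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(parts, length):
    """Right-pad with zeros so '2.3' compares as '2.3.0' against '2.3.1'."""
    return parts + (0,) * (length - len(parts))


def is_outdated(installed, fixed_in):
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


def find_outdated(installed, fixed_in):
    """Return a sorted list of (component, installed, fixed_in) needing a patch.
    Components with no baseline entry are skipped: there is nothing to compare."""
    flagged = []
    for name, version in installed.items():
        if name in fixed_in and is_outdated(version, fixed_in[name]):
            flagged.append((name, version, fixed_in[name]))
    return sorted(flagged)


if __name__ == "__main__":
    for name, have, need in find_outdated(INSTALLED, FIXED_IN):
        print(f"OUTDATED {name}: running {have}, fixed in {need}")
```

Run against the constructed data, the script flags the CMS and the gallery plugin but not the forms plugin, which is on 1.10.2 and therefore ahead of the 1.9.0 fix; that is the case a naive string comparison would misreport. In a real deployment the baseline would be fed from the vendor's release notes or an advisory feed rather than hard-coded.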
Another internal threat - which comes up in relation to security all the time - is human error and social engineering. Kipp agrees that employees are the weakest link in the cyber security chain, saying, "For as long as humans are incorporated into a business's overall security model, they will be a viable target for adversaries.
"Unlike computers, humans autonomously apply the abstract concept of subjective trust, which is not inherently influenced by explicit criteria. What this means is that humans may inadvertently provide information that could be used by an adversary through social engineering to gain escalated privileges, because a human may either trust the adversary, or trust that the information is innocuous. Training is the best route to counter social engineering."
Turning your business into a virtual bank vault can be a daunting and frustrating task - and it might not even be the best solution. Perimeters will get breached, and ensuring that there are internal as well as external defences is key; we'll coin the term 'virtual Temple of Doom' instead.
Even the Temple of Doom wasn't built by one person, though (that boulder was heavy). "It's dangerous to go alone," says Kipp. "In the ever-changing landscape of website security, education and visibility are your most critical allies."
Another important lesson - which might sound obvious, but is often not learned until too late - is to have your defences in place before an attack:
"Many companies have taken the potentially fatal attitude of being reactionary in their approach to security rather than being proactive and staying ahead of threats, recognising the need for advanced security measures only after being breached. It is important to acknowledge that there is always much more to learn, and security tools available that can help you best proceed in securing your website.
"Partnering with security professionals to understand your risk, properly develop a response plan and train your employees are all critical steps to ensuring your security profile is complete."