Edition e1.0.0
Updated October 9, 2023
In your small business, you operate with the support of others. Sometimes the tasks that you delegate to others carry security risk, and others might not have the same security mindset or risk-focused thinking as you. Now that your business is more than just you, it is time to start bringing your team into the fold and having a conversation about security. They need to be encouraged and enabled to make risk and security calls themselves to avoid making a mistake later.
You will need to give others, either your employees or a third party, access to the systems you use to run your website, application, or store. A large share of security incidents succeed by taking advantage of human nature. Social engineering attacks are a fast-growing risk in almost all organizations. In a 2022 study by Verizon, 82% of the incidents investigated included a human element.
A social engineering attack may ask your employee or outside provider to “urgently download this file onto the work kiosk computer,” and next thing you know you are locked out of your files and can’t get back in. Making your systems and approaches “secure by default” and setting up those safety nets will be important.
Before we get into the doing, we want to share two pieces of advice to frame your mindset for this part:
Give your team the tools they need.
Be willing to change your operating model, if necessary, to truly be secure.
Think about the last time you hit a roadblock, and how you bypassed it. Maybe a customer sent a file and you didn’t have software that could open it, so you found a random one online. Or maybe you needed to share a file that was too big to send via email, so you created a Dropbox account and shared it that way.
You are resilient! We will not let one roadblock stop us, but we will always find the “path of least resistance” to get what we need. There are problems in these situations, though, such as when we download software without checking whether it is safe, or create a free account online to share data that could be sensitive.
This theme will rear its head multiple times in this book—and it starts even when you are a small business (and becomes quite the beast of a problem once you hit your growth stage). The best solution to this is to provide the tools that your team needs to do their job safely. We recommend investing in tooling early on to enable your team. For example, rather than letting your team set up and create individual, personal Dropbox accounts that you can’t see, you could pay a few dollars a month to be able to manage users on a business account and keep visibility and control over how it is used.
One way to consider if your employees need tools is to really think about their workflow—is working without those tools unrealistic? You might find your employees telling customers to send documents and files to their personal emails or accounts if there are unclear expectations and a lack of tools at their disposal. So before quickly saying they don’t need yet another tool, consider the expectations you set on your staff and the demands placed on them in their work.
Sometimes tools come with a cost. The cost can be a literal cost (as in a paid tool), but there is also the cost in time and attention for finding, setting up, and securing these tools. Consider this risk trade-off. Without the right tools, you have an unknown amount of risk and won’t know for sure where your business data might be. With tools, you have a known amount of risk because you know where that data is, and the risk depends on how well those tools are secured. Digital and online tools, after all, are an ideal target for attackers.
For the most part, the next steps you take after reading this book will involve making more well-rounded decisions about technology and configuring settings on tools that make your business safer. But you might also decide to entirely change how you do something within your business.
For example, your process for handling supplier invoices might currently be quite simple: a supplier sends you an invoice via email, and you pay it through an online banking system. Easy-peasy. After reading through this part of the book though, you might be surprised to hear about how often invoice fraud occurs, and how attackers get away with it. It stinks.
On the upside, there are some micro-changes you can make to how you pay suppliers to prevent these types of incidents. It could be as simple as a phone call to your supplier to ensure an invoice is authentic before paying into any new bank accounts. While you’re at it, you can use this as a bit of a relationship-strengthening exercise to talk about what is going on in their world, how their business is going, maybe ask how their families are doing. Relationships are big for small businesses, and this micro change has a huge security payoff; remember, trust is everything.
Not all changes will be as small. Sometimes it might be a big change to how you operate—perhaps giving your employees access to tools, accounts, or emails. This change has some overhead: setting up their access, configuring the settings securely, and keeping an eye out for any mistakes or mishaps. Alternatively, instead of taking on that overhead, you might change the operating model the other way and handle those tools, accounts, and emails yourself rather than giving access to employees. It is a balancing act that you need to consider, while also questioning whether you are creating a roadblock for others that they might bypass. These are questions we can’t answer for you, but we can help you decide what security is needed depending on which path you take.
Attackers love small businesses, especially ones with no technology budget, no security budget, and loose business processes. Your work email, website, and various Software-as-a-Service (SaaS) accounts are full of data, and are where your customers interact with you financially.
Most attacks that a small business gets caught in are ones where an attacker uses the same technique against every business using a specific tool or technology, playing a numbers game in the hope that a good percentage of the attempts succeed.
For example, a popular target for attackers is Magento, a platform used by small businesses for running e-commerce websites. Attackers create automated programs that scan for websites running unpatched Magento installations and break their way in. Once inside, they add credit card skimming code that silently sends copies of credit card data back to the attacker. This way the website owner is unlikely to catch on to the attack, and the attacker’s code can sit there collecting data indefinitely. Back in September 2020, over 2,000 websites were hacked in a single weekend after Magento announced an older version of its platform as “end of life.” This target is so popular that the attackers and their software even have their own name, Magecart.
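A skimmer like the one described above shows up on the checkout page as a script the site owner never put there. The following added example (not from the book, and not a Magento tool) shows the simplest defensive check a shop owner or their web developer can run: record a baseline of the scripts a known-good checkout page loads, then flag anything outside it. The page HTML, the host names, and the baseline values are all constructed for the example.

```python
# Added example: compare the scripts on a checkout page against a known-good
# baseline and report anything unexpected (the footprint of an injected skimmer).
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate scripts plus one injected inline script.
# The injected script is a placeholder, not working skimmer code.
SAMPLE_PAGE = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
</head><body>
<script>window.checkout = {step: 1};</script>
<script>/* constructed placeholder for injected code */ sendElsewhere(document.forms[0]);</script>
</body></html>"""

# Baseline recorded when the page was known-good (assumed values for the example).
OWN_HOST = "shop.example"
ALLOWED_HOSTS = {"shop.example", "cdn.example"}
KNOWN_INLINE_HASHES = {hashlib.sha256(b"window.checkout = {step: 1};").hexdigest()}

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start buffering an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

def find_unexpected_scripts(html, own_host, allowed_hosts, known_hashes):
    """Return (external URLs from hosts outside the baseline, inline bodies not in the baseline)."""
    p = ScriptCollector()
    p.feed(html)
    # A relative src (no host) is same-origin, so it counts as the site's own host.
    bad_external = [s for s in p.external if (urlparse(s).hostname or own_host) not in allowed_hosts]
    bad_inline = [s for s in p.inline if hashlib.sha256(s.encode()).hexdigest() not in known_hashes]
    return bad_external, bad_inline
```

Run the check on a schedule against the live checkout page and treat any new entry as something to investigate before the next customer pays.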