4 Scary Facts About Cyber Crime (And 10 Ways to Protect Your Website)
By Karen Axelton
Do you think your small business’s website is too small for cyber crooks to bother with? On the contrary: Small business websites are actually more susceptible to hacks than bigger companies’ websites, simply because they don’t have the same level of security defending them. In honor of National Cyber Security Awareness Month, here are some surprising statistics about cybercrime—plus 10 things you can do to defend your business website against cyber crooks.
594 million people are affected globally by cybercrime each year.
If your customers are among them and it’s your fault, your business could face a lawsuit or worse. Last year, more than half of businesses surveyed by Cisco had suffered a data breach—with these painful consequences:
- 29 percent lost revenue; 38 percent of those lost over 20 percent of their revenues.
- 23 percent lost business opportunities; 42 percent of those lost over 20 percent of their potential new business.
- 22 percent lost customers; 40 percent of those lost more than 20 percent of their customers.
169 million personal records from the financial, business, education, healthcare and public sectors were exposed in 2015.
However, you don’t have to be in one of these industries to be at risk. Small businesses are “easy pickings” for cybercrooks, since they have smaller staffs, smaller budgets, and are less likely to have a security policy in place. Hiscox reports 47% of small businesses have suffered at least one cyberattack in the past 12 months; of those, 44 percent experienced between two and four attacks.
Business owners and executives Hiscox polled ranked cyberattacks as one of their top two concerns (along with fraud). Two-thirds say they are concerned or very concerned about it—but the vast majority haven’t taken the basic steps to defend their businesses. Just 52% have a clearly defined cyber security strategy.
24 billion+ internet-connected devices will be installed globally by 2020.
The “Internet of Things” (IoT) means opportunity for small businesses, but also poses new risks. Connected devices ranging from automobile GPS to “smart” tags on retail product packaging or inventory shipments could all provide entry points for cyber crooks. Attacks on IoT devices increased 600% between 2016 and 2017, according to the Symantec 2018 Internet Security Threat Report.
60% of small companies go out of business within six months after a cyberattack.
The average data breach costs $148 per compromised record, according to the Ponemon Institute, which reports the total cost, per-capita cost and average size of a data breach (by number of records lost or stolen) have all increased year over year. The mean time to identify a breach is 197 days; once a breach is identified, the mean time to contain it is a whopping 69 days. How much damage can be done in that time? It’s hard to imagine, but Hiscox says the average cost to a small business is more than $34,000 per breach.
10 things you can do to protect your business website from cyber attacks
Now that you know how vulnerable your website and your business are to cybercrime, here are some simple steps you can take to defend yourself.
1) Set your computers and devices to update apps automatically.
While some updates are cosmetic or simply add new features that you may not care about, many updates fix security risks. By automatically ensuring your apps are always up-to-date, you can easily protect your business without remembering to update manually.
2) Train your employees in cybersecurity policies and principles.
Employees are the weakest link in your cybersecurity chain. Educate them on the importance of:
- Passwords: Everyone knows they’re supposed to update their passwords regularly, not use the same password on multiple sites, and not share passwords—but how many of us actually follow all these guidelines? Using a password manager can help by automatically creating strong, unique passwords; storing them; and signing into apps and sites automatically.
- Email hygiene: According to Symantec’s 2018 Internet Security Threat Report, 55% of all email is spam, up from last year. Remind employees to think twice before opening attachments or clicking on links in emails from unknown sources. In recent years, “spearphishing,” or the practice of sending spam emails that appear to be from inside a company, has grown. For example, a hacker might send an email purporting to be from your accounting department asking HR for an employee’s personal data. Whenever in doubt, have employees stop and think, “Is there a legitimate reason for this email?” If not, call, text or email the sender to verify whether they actually sent it.
- Mobile device management: If your employees use their own mobile devices for work, as many do, your business is at risk from the apps, websites, or links they access in their personal time. The number of new mobile malware variants increased by 54 percent in 2017, as compared to 2016. If you issue company-provided devices, you can install device management software, giving you more control over device security. If that's not practical, require employees to use stricter security measures, such as biometric access or two-factor authentication, to access any apps or networks they use for business.
3) Secure your business’s network
Set up a firewall and install antivirus software on computers. If you provide free Wi-Fi for your customers (for instance, in a retail store or restaurant), set up a separate guest Wi-Fi network so outsiders can't expose your business network to risks.
4) Scan your site for malware
Malware (short for “malicious software”) can be installed on computers or websites to intercept users’ private data (such as financial or medical information), slow down the site or display offensive messages. Hackers may even embed links on your site that infect unwitting site visitors with malware when they click the links. By some estimates, over 1 million new website threats are released every day. Look for a website security solution such as SiteLock® that provides daily malware scanning checks to protect your website from existing and new threats.
5) Restrict user access to sensitive data
Storing data in the cloud provides more security than keeping it on a physical server in your business. However, you can still run risks if too many people have access to information in cloud storage. For example, make sure that only those who need it have access to employees' personal information or customers' payment details. Be especially careful when it comes to giving independent contractors, vendors or customers access to your cloud-based files.
6) Protect your business website with an SSL certificate
An SSL (secure sockets layer) digital certificate is installed on the server hosting your website and uses encryption to protect data entered on your website. For example, if a customer inputs their credit card number, SSL encryption masks it so cyber criminals can't intercept it. If you have an SSL certificate, visitors to your site see a padlock symbol in the web browser, the "HTTPS" prefix instead of "HTTP" in your URL, and a trust seal designating your site as secure. An SSL certificate has always been a good idea for a small business website — but in recent months it's become even more important. Since July, with the release of Chrome 68, Google Chrome has begun marking all HTTP sites as “Not secure.” When Google releases Chrome 70 in October, there will no longer be a green lock icon in the browser indicating your website is secure. Instead, if you don't have an SSL certificate, a warning with "Not secure" will pop up in the Google Chrome browser. (See the example below.)
7) Use private domain registration to protect your personal information.
When you register a domain, your name, business name, address, phone number and more are displayed publicly on the WHOIS database. This can expose your business to spam, botnet attacks and other cyberthreats. When you choose private domain registration, your domain registrar’s information shows up instead of yours, so cybercriminals can’t look up your data.
Here’s an example of how a WHOIS listing looks with and without private registration:
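As an added illustration (not from the original article), the Python sketch below compares two constructed WHOIS records for a made-up domain and reports which registrant fields still carry real contact details. The sample records and the privacy-marker wording it matches on are assumptions for the example.

```python
import re

# Constructed sample records (not real registrations), in the common
# "Key: value" layout of registrar WHOIS output.
PUBLIC_RECORD = """\
Domain Name: EXAMPLE-BAKERY.TEST
Registrant Name: Jane Doe
Registrant Organization: Example Bakery LLC
Registrant Street: 123 Main St
Registrant Phone: +1.5555550100
Registrant Email: jane@example-bakery.test
"""

PRIVATE_RECORD = """\
Domain Name: EXAMPLE-BAKERY.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Privacy Service
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: proxy-12345@privacy.example
"""

# Assumed heuristic: wording a privacy or proxy service puts in a field.
PRIVACY_MARKERS = re.compile(r"redacted|privacy|proxy|not disclosed", re.I)
PERSONAL_FIELDS = ("name", "organization", "street", "phone", "email")


def parse_whois(text):
    """Return {field: value} for each 'Key: value' line, keys lower-cased."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip().lower()] = value.strip()
    return record


def exposed_fields(text):
    """List registrant fields whose value looks like real contact data."""
    record = parse_whois(text)
    exposed = []
    for field in PERSONAL_FIELDS:
        value = record.get(f"registrant {field}")
        if value and not PRIVACY_MARKERS.search(value):
            exposed.append(field)
    return exposed
```

Calling `exposed_fields()` on the text of your own domain's WHOIS listing shows at a glance whether private registration is actually in effect.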
8) Guard your unexpected access points
Don’t forget about “internet of things” (IoT) devices when developing your cyber security plan. Networked printers, "smart" office thermostats, or GPS in your delivery vans—any internet-connected tools your business uses can be a potential access point for hackers. Before implementing any IoT device, carefully assess the risks and benefits for your business. If you do install the device, set it for automatic updates and follow the same protocols you would with any device.
9) Stay safe outside the office
Be especially careful when using computers and devices on the road. Never use a public, unsecured Internet connection to access networked computers or sensitive data; set up a virtual private network (VPN) that you and your employees can use instead. If your devices are set up to automatically connect to the Internet or Bluetooth-enabled devices, disable this feature and manually connect instead so you can select the networks to use. Never leave your laptop or mobile device unattended; lock your screen when the device isn’t in use.
10) Prepare for the worst
Despite your best defenses, cybercrime can still happen. Talk to your insurance agent about getting cyber insurance or data breach insurance to help protect your business in the event of a cyberattack. Combined with website security precautions such as those outlined above, insurance can provide a safety net to mitigate the actions of cyber criminals. Here are some more cyber security resources to help:
- National Cyber Security Alliance
- U.S. Computer Emergency Readiness Team
- Cybersecurity Planning Guide
- Department of Homeland Security
- Cyber Security Toolkit
- Network Solutions