How to keep your business data secure.

So I am interested in what you would consider my top five risks to be, and what should be done to mitigate those risks in a cost-effective way that doesn’t severely impede team functionality.
Let me start by saying I am in no way qualified to provide advice that is guaranteed to be IRS, FTC, or any three-letter-agency-compliant. If that’s key, you’ll want to seek out more qualified sources.
However, I’ve been a small business owner with contractors and employees working from home for multiple decades — even before Ask Leo!. So I have practical experience as well as a few opinions on the topic.
The #1 risk may not be the one you expect.

Small business security
People are the biggest risk to small business security. Mistakes, scams, weak passwords, old software, and personal devices all increase the danger. With appropriate training, strong passwords, regular updates, and clear rules, you can reduce risk without slowing work.
1. People
“Our people are our greatest asset.” — Every HR department everywhere
“Our people are our greatest risk.” — Every IT department everywhere
The biggest risk to the security of the information kept by your business is the people you allow to have access to it.
I don’t mean this in a malicious way. I’m sure you’ve taken steps to hire people you trust deeply, but it’s also easy to overlook what that trust entails.
- You trust that they have good intent. They’re not intentionally going to steal from your business or otherwise cause it harm.
- You trust that they understand what “good security” means and follow those precepts as they do their jobs.
- You trust that they have enough common sense to recognize, for example, phishing attacks or other outside attempts to compromise your data.
- You trust that they feel safe enough to raise any issues they encounter with you quickly and honestly.
The scary part is that we tend to assume all those things (and more), and yet a lapse in any one can lead to all kinds of disasters.
I don’t want you to suddenly distrust your staff — far from it. But I do want you to understand that in practice, this is the most common source of security-related incidents, particularly in smaller, less formal settings.
2. Social engineering
“60% of breaches [involve] the human element.”1
In a sense, this is a subset of the preceding item, since it still revolves around the people in your organization. Social engineering is when an attacker manipulates your staff into divulging confidential information, or into taking an action on the attacker’s behalf that they would never take if they knew who was really asking.
We see it often in post-breach analysis: an attacker gains entry by pretending to be a legitimate customer or vendor with a legitimate need to sidestep security procedure, perhaps “just a little”, in order to reach a valuable resource. A good example is an attacker who calls your mobile provider pretending to be you, claiming to have lost and replaced a phone. If they convince the customer service rep, they take over your mobile number, along with every app and recovery process that trusts it, including two-factor codes sent by text message.2
What this looks like for your business varies depending on how you’re exposed to the public. It could involve customer support telephone calls, phishing emails, spear-phishing3, bogus account recovery attempts, and more.
The prevention is similar in all cases: make sure everyone knows what to look for; that security procedures are always followed, even in the face of an angry “customer”; and that systems are designed ahead of time to require an appropriate level of confirmation or authorization before sensitive information is shared or altered. In practice that means deciding now, not during the call, what counts as confirmation: for example, calling back the number already on file rather than the one the caller offers, or requiring a second person’s approval before payment details are changed or an account is recovered. Staff will only hold the line if they know they won’t be blamed for the delay.
3. Password hygiene
“Every serious attack eventually aims at the same target: your identity. Not just your username and password, but the whole bundle of access you represent…”4
The username and password are the key. That’s what attackers look to compromise. It’s not the only thing they want, but it’s at the top of their list of valuable things to steal.
Passwords are low-hanging fruit because so many people don’t practice good credential hygiene. What does that mean? Well, that’s the problem: it’s the boring and inconvenient stuff we all already know and are tired of hearing about.
- Never reuse passwords.
- Use long, strong passwords.
- Use two-factor authentication whenever offered.
The first is responsible for many compromised accounts: a password exposed in one service’s breach is tried, automatically, against every other service where the same email address is known, so reuse turns one breach into many. The third is perhaps the single most effective way to prevent individual account compromise. Where you have a choice, prefer an authenticator app or hardware security key over codes sent by text message, which the SIM swap described above defeats.
Particularly in small business scenarios, there’s another risk people often overlook as well:
- Don’t share passwords if at all possible.
This last one is difficult to control but important to be aware of. It’s not at all uncommon for several people to share the login for an online service the business uses, for example. Unfortunately, that multiplies the opportunities for compromise, removes any way to tell who did what, and makes the password hard to change when someone leaves. Most services offer separate user accounts or delegated access for exactly this reason; use them. Where a single shared login is unavoidable, keep it in a shared vault in a password manager, so it can be rotated the day someone’s access ends, rather than in a spreadsheet or a chat message.
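A practical way to check all four rules at once is to audit what people actually have in their password managers. The script below is an added example, not from the original article: it reads a constructed CSV export (the four-column format, the staff names and the 14-character minimum are all assumptions for illustration) and flags short passwords, the same password reused across different accounts, and one account whose password sits in more than one person’s vault. Passwords are reported only by a short hash prefix so the output itself doesn’t become a new place secrets live.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (hypothetical data).
# Columns: owner (whose vault the entry came from), site, username, password.
SAMPLE_EXPORT = """owner,site,username,password
alice,bank.example,acme-payroll,Winter2024!
bob,bank.example,acme-payroll,Winter2024!
alice,crm.example,alice,Winter2024!
carol,crm.example,carol,correct horse battery staple tends to be long
dave,mail.example,dave,hunter2
"""

MIN_LENGTH = 14  # assumed policy threshold; set your own


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can say 'the same password' without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(export_text: str, min_length: int = MIN_LENGTH) -> dict:
    """Return {'short': [...], 'reused': [...], 'shared': [...]} for one CSV export."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    short, reused, shared = [], [], []
    accounts_by_fingerprint = defaultdict(set)  # fingerprint -> {(site, username)}
    owners_by_account = defaultdict(set)        # (site, username) -> {owners}

    for r in rows:
        owner, site, user, pw = r["owner"], r["site"], r["username"], r["password"]
        if len(pw) < min_length:
            short.append((owner, site, len(pw)))
        accounts_by_fingerprint[fingerprint(pw)].add((site, user))
        owners_by_account[(site, user)].add(owner)

    # Reuse: one secret protecting more than one distinct account.
    for fp, accounts in accounts_by_fingerprint.items():
        if len(accounts) > 1:
            reused.append((fp, sorted(accounts)))

    # Sharing: one account whose password lives in more than one person's vault.
    for (site, user), owners in owners_by_account.items():
        if len(owners) > 1:
            shared.append((site, user, sorted(owners)))

    return {"short": sorted(short), "reused": sorted(reused), "shared": sorted(shared)}


def report(findings: dict) -> str:
    """Human-readable summary; never includes a password, only its fingerprint."""
    lines = []
    for owner, site, n in findings["short"]:
        lines.append(f"SHORT   {owner}@{site}: {n} chars")
    for fp, accounts in findings["reused"]:
        where = ", ".join(f"{u}@{s}" for s, u in accounts)
        lines.append(f"REUSED  password {fp}... protects: {where}")
    for site, user, owners in findings["shared"]:
        lines.append(f"SHARED  {user}@{site} held by: {', '.join(owners)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_EXPORT)))
```

Run it against a real export only on a machine you control, and delete the export when you are done; the plaintext file is exactly the kind of thing this section warns about. The “shared” finding is the one small businesses most often miss: here both alice and bob hold the payroll login, which is the cue to give bob his own account.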
4. Software hygiene
“One of the most common ways that hackers target organizations is by exploiting known vulnerabilities in outdated software.”5
I advise individual computer users to ensure that their software is as up to date as possible.
That matters even more for businesses, small and large. Exploitation of known vulnerabilities in software that hasn’t been patched is one of the most commonly reported ways attackers get in.
We naturally think of the operating system, as well as the common applications we all use, as being at the top of this list. Those — the operating system, in particular — are important, to be sure, but there’s much more to it. Tools used primarily by business — collaboration, accounting, customer management tools, and more — are also important. It’s not uncommon for bad actors to target some of these tools specifically when targeting small businesses.
Updating software is not always easy, or even possible. The most recent version of a tool you rely on might exceed your system’s capabilities (or budget). At the other end of the spectrum, there are many stories of mission-critical software no longer being supported at all. Both scenarios add risk, and the honest response is to manage it explicitly: know which software is out of support, keep it off the internet where you can, restrict who can reach it, and plan its replacement rather than assume it will keep working indefinitely.
But, to the best of your ability, make keeping software as current and up to date as possible part of your standard operating procedure.
5. Personal equipment hygiene
“Convenience, as it turns out, often comes at the cost of control.”6
When people work at home, they typically use their own equipment. Even when company equipment is mandated, there’s still the networking infrastructure and other networked devices to contend with. Many aspects of the situation that would normally be under company control simply aren’t.
When work-at-home (or, in a more general sense, “Bring Your Own Device”) is in place, the company is placing even more trust in the individuals involved: trust that they are not only capable of using company resources securely, but their personal tools and services as well. When they’re on the same machine, a compromise of one — say a personal account — can lead to compromise of other things as well, both personal and company.
People generally treat their company-owned equipment with a higher standard of security than their own. When the two are intermixed, it’s generally the lower standard of safety that’s applied.
The ultimate solution is draconian: no business on personal equipment. That solution is also often completely impractical. The realistic middle ground is separation wherever you can get it: a separate user account or browser profile for work, a company-managed password manager with two-factor authentication on every business service, and company data kept in company-controlled services rather than copied to personal drives. Beyond that, particularly when people work from home, overall security (and even monitoring) needs to be increased to prevent and/or detect the inevitable threats.
Do this
There’s more, of course. For example, the principle of least privilege: granting employees access to only what they need to do their job, and no more. (It’s common to grant everyone access to, say, a single large repository of information and trust people to look only at what they need, rather than the more secure approach of dividing the data so that access can be granted in limited pieces as needed.) The payoff shows up when an account is compromised: the attacker gets only what that one person could reach, not everything.
Most important, however, is simple awareness. Understanding where the threats come from, what you have that’s at risk, and the steps to appropriately secure your environment is key.
Footnotes & References
1: Verizon DBIR 2025: Access is Still the Point of Failure
2: This is known as a SIM swap.
3: While phishing generally casts a wide net to capture whoever falls for the trap, “spear phishing” uses information about the organization and individuals involved to target a specific individual with a significantly more plausible-looking message.
4: Cybersecurity Basics in 2026: Threats, Attack Types, and How to Stay Safe Online

