Security is an ongoing challenge that businesses, regardless of size, want to take action on. Many just don’t know where to start. This can be exacerbated by needing to comply with specific government regulatory requirements – for example: health care providers, financial institutions, public safety professionals or any organization accepting payment and credit cards.
By knowing what threats to look for and specific security mitigation steps to take, you can put your business on the offense rather than fall victim to analysis paralysis. Start by building a culture of shared awareness and responsibility throughout your organization.
Here are 4 common security threats facing small businesses with easy mitigation solutions.
1. Email Spoofs and Phishing Scams
What it is: Illegitimate emails to obtain funds or access credentials for monetary value. A typical scheme starts with an email from a supposed CEO. It will sound high-priority and time-sensitive, explaining that money must be wired to an account for a business opportunity. Another type of fraudulent email requests the purchase of gift cards, then asks for the numbers from the back of the cards so they can be redeemed.
How to beat it: Protective policies and employee security awareness training can offer safeguards against such measures. Cybersecurity awareness training effectively helps your company build and maintain a “human firewall”. For added protection, look to Advanced Threat Protection to reduce the number of phishing attempts received by employees.
2. Hacked Websites and Email Servers
What it is: Compromised credentials can allow changes to websites’ .htaccess file directing visitors to the wrong pages and allow unauthorized access to website email services. These symptoms show clearly that “bad actors” and malware have affected your website and can result in being blacklisted by Google Chrome and other web browsers. Google will show a message that your site has unreliable content, requiring a lengthy process to first remediate and reinstate your website for Google to whitelist it. Should another blacklist “incident” occur, it’ll be more difficult than the first time to whitelist it.
Additionally, if unauthorized access to email servers is detected, email service providers blacklist ALL emails from your domain, automatically marking anything you send as SPAM. This can make it difficult or impossible to conduct business. To be whitelisted again, you’ll have to go through the individual reinstatement process for each service provider.
How to beat it: The goal is to prevent hacks like these which, due to the unique complexities of each website environment, is more than we can cover in one article. A good place to start is a small business security assessment. If a breach has already occurred, Deerwood Technologies can assist in remediating the incident and then determine the root cause of your website or servers’ security compromise. Once the immediate problems have been addressed, a more in-depth assessment is conducted to identify potential issues and take steps to mitigate future risks.
3. Unprotected Cardholder Information
What it is: No merchant or business is permitted to retain or have access to un-encrypted consumer credit card data. Any business that works with payment cards is regulated by the Payment Card Industry Data Security Standard (PCI/DSS) to protect cardholder information. Many are unaware of the regulation or their responsibilities to it. Requirements vary based on credit card transaction volume and dollar amount. Businesses that aren’t meeting requirements are likely paying an additional surcharge per transaction. The risk for fraudulent transactions has shifted to the merchant as banks and payment processors have implemented policies and mechanisms that protect them from merchant negligence.
How to beat it: For non-chip credit cards specifically, the responsibility is entirely on the merchant. To comply with PCI/DSS, you must complete complex questionnaires about your data collection, storage, networks and cybersecurity. We recommend working with an IT compliance specialist who has deep experience working through PCI/DSS audits to help work through these compliance steps in partnership with you and your team.
4. Privacy and Security Compliance
What it is: In addition to PCI/DSS compliance, healthcare providers must adhere to other regulations designed to safeguard patient information. Protected health information requirements are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Your business may have to show proof that you’ve educated your employees on compliance procedures and that they’re following those requirements. You may have to keep up-to-date monitoring logs, such as for failed login or password attempts, and show evidence of those reviewing and maintaining reports from these sources.
How to beat it: In medical industries, patient information must always be protected and businesses have to be prepared for an audit at any time. In the financial sector your employees aren’t allowed to look up banking or personal information about customers simply because they feel like it (for example, if you have celebrity clients). Protecting your business from non-compliance begins with learning the requirements and instituting policies. It’s then supported by regular training on procedures and staying current with regulations. It helps to work with an IT partner who has in-depth knowledge and expertise with compliance.
Work with Deerwood Technologies for small business security solutions like policy development, training, security infrastructure, compliance management and any other security support you need. Contact us today.