According to the FBI’s 2020 Internet Crime Report, 791,790 businesses reported cyber attacks that year, a 69% increase in total reports from 2019.
From cross-site scripting, in which attackers inject malicious script into unsecured website components, to phishing attacks targeting group email accounts and malware delivered through obscured file links, cybersecurity is a growing concern for small business owners. For this reason, it’s vital that they understand cybersecurity basics and how to protect their systems from data breaches throughout their day-to-day operations, whether that means building a website or deciding how best to host it.
What is cybersecurity?
Cybersecurity is the safeguarding of protected information and critical data online. Organizations and small businesses implement cybersecurity measures to defend sensitive data from both internal and external threats and to best prepare for an attack.
To improve defense systems and unify federal agencies, US President Joe Biden signed the Strengthening American Cybersecurity Act into law on March 1, 2022. The legislation now requires all critical infrastructure entities to report attacks to the Cybersecurity and Infrastructure Security Agency (CISA), the government organization aimed to manage and reduce risk.
That being said, as national infrastructure improves, so do hackers’ methods. While it is nearly impossible to eliminate all threats, you can greatly reduce your business’s exposure to hackers by establishing a strong cybersecurity posture, an industry term for how effective a system’s security controls are as a whole.
The most common cybersecurity threats to small businesses
According to a Small Business Administration survey, 88% of small business owners feel vulnerable to cyber attacks. And they are—hackers target smaller enterprises for two primary reasons: first, small companies are often vulnerable because they lack the resources of an IT team, and second, small businesses may also have partnerships with larger companies, giving hackers a direct pathway to their sensitive data.
To effectively protect your company and customer information, you need to understand three primary cybersecurity threats to small businesses:
Malware includes a variety of cyber threats such as trojans and viruses. In these attacks, hackers use code to break into private networks with the intention of stealing or destroying data. Malware attacks usually originate from fraudulent downloads, spam emails or from connecting to other infected devices, potentially costing businesses an excessive amount of money to repair.
According to CISA, ransomware threats increased significantly in 2021. Hackers usually infect computers through email, and an infection can result in significant damage and expense. As the name suggests, ransomware attacks hold a victim’s sensitive data, such as passwords, files or databases, for ransom. Hackers demand payment within 24-48 hours, or they will destroy or leak the data.
Phishing is when a hacker sends a fraudulent email or direct message to company employees with a malicious link. In fact, employees and their work email accounts are a leading cause of small business data breaches because they provide a direct pathway into business networks.
Phishing attacks can result in data leaks, system freezes or virus installations. According to the FBI’s 2020 Internet Crime Report, a rise in these attacks caused adjusted losses of $54 million in that year alone.
How can small businesses protect themselves?
As mentioned earlier, small businesses arguably suffer from cyber attacks more than larger enterprises because they lack the resources needed to recover. In fact, 60% of small businesses close within six months of an attack.
Before describing how small businesses can defend themselves, we’ll first discuss the CIA Triad, a widely accepted model that serves as the basis for modern cybersecurity standards.
What is the CIA Triad?
The CIA Triad defines three vital components: confidentiality, integrity and availability. Every cyber attack attempts to breach at least one of these attributes, and the relationship between them provides guidance and security standards for how information systems should operate.
Confidentiality: All sensitive business data should be kept confidential and accessible by authorized users only.
Integrity: Proper measures should be taken to ensure that system data is reliable and trustworthy.
Availability: All authorized personnel must be able to access the network and its data at any given time. This means that businesses need to continuously monitor network security and system functionality.
To better understand the relationship between these terms, here’s an example of the CIA Triad in play for someone running a successful eCommerce website:
Confidentiality: To log into the account, the business owner needs to enter their username and password. If they forget their credentials, they can take advantage of two-factor authentication, which sends users a code to reset their password.
Integrity: Once logged in, they have access to accurate, unaltered personal and customer data.
Availability: Lastly, the business owner and their customers can access the store at any time because of its 24/7 online availability.
The NIST Cybersecurity Framework
NIST, the National Institute of Standards and Technology, is an agency within the US Department of Commerce that helps businesses improve their cybersecurity posture. Using the CIA Triad as a guide, the agency established the NIST Cybersecurity Framework, a five-step system (identify, protect, detect, respond and recover) that small businesses can follow to defend their information systems:
The first step of creating a cybersecurity plan is to identify all devices, accounts and data that need monitoring and protection. This includes:
Equipment: computers, laptops, POS systems, smartphones and routers.
Network: your Wi-Fi network and VPN.
Account credentials: login information for email accounts, company software and tools, and computers and laptops.
Cloud storage: any files or information stored in the cloud.
Your website: including client information, inventory and your payment processor.
Your business needs a multifaceted approach to defend against cyber threats. Here are the primary steps:
Appoint an employee to direct all cybersecurity initiatives (if you’re the only employee, you’ll have to manage it yourself or hire a reputable contractor).
Install antivirus software, full-disk encryption and host-based firewalls. Set up all software to install updates automatically.
Only allow authorized staff to log in to your systems and your network.
Require strong passwords for all devices and accounts and update them every six months. Strong passwords have:
At least 8 characters
One or more uppercase letters
One special character
Implement email spam filters.
Provide staff training on the most common threats.
Perform regular security audits to ensure there are no holes in your system.
Back up all critical assets.
Use multi-factor authentication.
Use a secure payment processor to protect your client data.
Your first line of defense against cyberattacks is consistently monitoring your network systems. Any unusual or suspicious activity, such as unknown login attempts, strange file transfers or unexpected movement of data, should be reported to your security point person and investigated immediately. If an attack is confirmed, respond by working through the following steps:
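As an added example (not from the original article), here is a small Python script that implements the kind of monitoring this step describes: it reads constructed sshd-style log lines, flags a source address with a burst of failed logins, and flags any successful login from an address outside a hypothetical allow-list of staff locations. The log lines, the allow-list and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd-style auth log (not from the page).
SAMPLE_LOG = """\
Mar 01 09:12:01 shop sshd[2201]: Accepted password for alice from 192.168.1.20 port 51012 ssh2
Mar 01 09:13:44 shop sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar 01 09:13:46 shop sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
Mar 01 09:13:49 shop sshd[2211]: Failed password for root from 203.0.113.7 port 40024 ssh2
Mar 01 09:13:52 shop sshd[2212]: Failed password for root from 203.0.113.7 port 40025 ssh2
Mar 01 09:13:55 shop sshd[2213]: Failed password for root from 203.0.113.7 port 40026 ssh2
Mar 01 10:02:17 shop sshd[2302]: Accepted publickey for bob from 198.51.100.9 port 52200 ssh2
Mar 01 10:05:03 shop sshd[2310]: Failed password for alice from 192.168.1.20 port 51044 ssh2
"""

# Hypothetical allow-list: office/VPN addresses authorized staff log in from.
KNOWN_SOURCES = {"192.168.1.20", "192.168.1.21"}
FAILED_THRESHOLD = 5  # failed attempts from one source before it is flagged
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_auth_log(text):
    """Yield (result, user, source_ip) for every sshd login line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def find_suspicious_logins(text, known_sources=KNOWN_SOURCES, threshold=FAILED_THRESHOLD):
    """Return sorted (source_ip, reason) alerts for the security point person:
    failed-login bursts from one address, and successes from non-allow-listed addresses."""
    failures = Counter()
    successes = defaultdict(set)
    for result, user, src in parse_auth_log(text):
        if result == "Failed":
            failures[src] += 1
        else:
            successes[src].add(user)
    alerts = [(src, f"{n} failed logins") for src, n in failures.items() if n >= threshold]
    for src, users in successes.items():
        if src not in known_sources:
            alerts.append((src, "successful login from unknown source for " + ", ".join(sorted(users))))
    return sorted(alerts)

if __name__ == "__main__":
    for src, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

Point the script at your real auth log and tune the allow-list and threshold to your environment; anything it prints is what the text above says should be reported and investigated.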
Identify which systems or data have been compromised.
Confirm the type of attack.
Inform all users on your network. If the source of the breach was an email, inform all employees to immediately delete it.
Take the source computer, system or application offline to isolate the attack.
Have your point person or an IT professional check for any backdoors hackers may have set up to regain access in the future.
Identify the damage.
Recovering from a cyberattack can feel overwhelming. Like any unfortunate incident, take it as a learning experience and iterate on your security so it doesn’t happen again. After an attack, remain patient and allow your systems and employees to prioritize recovery before resuming business as usual or pursuing new initiatives. Meanwhile:
Inform law enforcement and regulatory agencies.
Remain transparent and inform clients or customers about the breach to regain their trust. While a cybersecurity attack can hurt your reputation, withholding the information from your stakeholders can cause even more damage.
Choosing a secure website builder
Your website may contain private data such as payment processing information, customer credit card data, email addresses, login credentials and inventory, which is why website security is one of the most important aspects of protecting your business. Select a website builder that guarantees the highest level of defense.
Self-hosted platforms vs. managed platforms
Unlike self-hosted platforms, which leave users responsible for their own website security, managed platforms like Wix have dedicated 24/7 security teams that take care of this. To ensure the highest level of security for all users, Wix develops review processes, investigates suspicious activity, works with outside security consultants, runs a bug bounty program and provides reliable web hosting with HTTPS and SSL certificate protection. Business owners can feel confident that their websites are protected, leaving more time to manage company activities. You can learn more about how Wix handles security here.
Managed website builders are also committed to the highest international privacy and security standards. This applies to all the business tools and apps they develop, too, such as scheduling software, email marketing services and online payment processing. As cybersecurity threats evolve, arm yourself with a provider that has the resources to respond to them so you can focus on your business.
Make sure you choose a website platform that complies with:
The Payment Card Industry Data Security Standard (PCI DSS) Level 1: This ecommerce compliance standard protects the security of credit card and cardholder data.
SOC 2 Type 2: Developed by the American Institute of CPAs, SOC 2 Type 2 is an auditing procedure that ensures service providers securely manage user data.
International Organization for Standardization (ISO) standards 27001, 27017, 27018 and 27701: These are four of ISO’s primary security and privacy standards for companies entrusted with managing services, data and intellectual property.
General Data Protection Regulation (GDPR): An EU law mandating strict privacy practices and data protection. Companies outside the EU also adhere to the GDPR to signal to customers that they’ve voluntarily implemented the highest security standards.
Brazilian General Data Protection Law (LGPD): Brazil’s version of the GDPR. This law unifies the many Brazilian policies that govern personal data, both online and offline.
California Consumer Privacy Act (CCPA): A California law that allows consumers to see all the personal information a company has collected about them, as well as which third parties that information was shared with.
Knowing that a managed website builder oversees your site’s security gives small business owners the peace of mind they need to operate efficiently. However, you’ll still need to secure other password-protected systems or databases, such as your network and email accounts. Without an IT department, smaller enterprises may find it difficult and overwhelming to establish a complete security system. Take advantage of these existing resources to help create a comprehensive plan:
Federal Communications Commission’s (FCC) cybersecurity planning tool: The FCC regulates communication across all fifty states and created this tool to help businesses develop a complete response plan.
The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR): Business owners can use this assessment tool to evaluate how prepared their business is for a cybersecurity attack, or request an assessment by a DHS professional.
Cybersecurity and Infrastructure Security Agency (CISA): CISA provides helpful materials for SMBs to create a strong cybersecurity posture, including their Cybersecurity Resources Roadmap and Cyber Essentials.
National Cyber Security Alliance (NCSA) case studies: Created in collaboration with NIST, these simulated scenarios help business owners understand how to better respond to attacks and improve their own cybersecurity.