No business is too small for cyber-thieves to target. For National SMB Week, here are a few ways small businesses
can protect their data from thieves and their customers from malware.

By Fahmida Y. Rashid
Article Date: June 30, 2013 / PCMag.com

The most pervasive security myth is the one that has business owners sticking their heads in the sand,
ostrich-style. “It won’t happen to me,” small business owners say when they hear about targeted attacks,
phishing scams, and sophisticated malware. “I’m too small for the criminals to bother with,” they think,
when they hear about data breaches, network intrusions, and website attacks.

If that was ever true, it’s wishful thinking today. It’s increasingly clear that cyber-criminals don’t look at the
size of the company when launching their attacks. Data is data, and even the smallest organization has
valuable data the criminals can steal and sell. The days of “I’m too small for them to find me” are long
gone. In many cases, the small business may just be a stepping point in a chain of attacks, with the
criminals targeting the smaller and weaker networks as part of a comprehensive campaign against larger
partners.

Both the volume and sophistication of attacks are growing, making it difficult for SMBs to keep up their
defenses. In honor of National SMB Week, the Certificate Authority Security Council has provided a few
simple steps SMBs can follow to secure their online presence. With these tips, business owners can make
sure their site visitors can safely visit, search, enter personal information, and complete a transaction.

Passwords Are Essential

The first suggestion is to “Create unbreakable passwords” for accounts related to your online presence,
such as the domain registrar, hosting account, SSL provider, social media, and PayPal, among others,
said Rick Andrews, technical director of Symantec, on the behalf of CASC. While there is a lot of
discussion about the need for better authentication schemes, passwords are still the main way to protect
online accounts, making strong passwords essential.

Criminals can easily set up computers to cycle through random combinations to brute-force attacks. If the
password is weak, this process takes very little time. PCMag.com recommends using a password
manager to randomly generate strong passwords and to store them securely. If the service offers
two-factor authentication, you should really take advantage of the extra layer of protection.

Scan Your Sites

Websites can be infected with malware, just like your PC. Regularly scan your site for vulnerabilities and
malware. Attackers can take advantage of vulnerabilities to infect the site with malware or inject malicious
code to redirect visitors somewhere else. Infected sites may load slowly, display unwanted
advertisements, and infect user computers with malware. Look for a site scanner—something like
StopTheHacker Web-Malware Scanning, that will monitor your site for problems and alert you when
necessary.

Update & Patch

Is your Web server regularly being updated and patched? It’s not just the server, though—your Website
also needs to be regularly patched. If you used a popular content management system (CMS) such as
WordPress or e-commerce platform such as Zen Cart, then you need to make sure you are updating your
software regularly. Attackers frequently target plugins in WordPress, so installing patches regularly is a must.
Check with your hosting provider or site maintainer to find out if all the software is being updated on a regular basis.

“Updates must be installed on your website, just like installing the latest
Windows Updates on your PC,” Andrews said.

SSL Certificates

Consumers need to trust you are a legitimate business, and SSL certificates help verify your identity. No
site should attempt to collect personal information or e-commerce without a trustworthy SSL certificate to
assure users their information is safe.

Don’t Lose Control

No matter who you hire to work on your site, the business should always retain control of the domain
name, SSL certificate, and actual Website. It’s all too common for business owners to hire someone to
build their website, and when that person leaves, there goes the only person with access to the SSL,
domain name, and hosting account. It’s harder to add people to the account or transfer ownership when
the original account holder is not around. If building and maintaining the website is outsourced to a third
party, make sure someone within the organization is also on the accounts to retain control. If the
employee leaving is the one who had access to the accounts, make sure to add a new person to the
account beforehand. This way you will be able to still manage your certificate, domain name, and hosting
account.

This article originally published June 30th, 2013 on PCMag.com