Small Business Concerns

By "small business" here I mean relatively small businesses owned and operated by just a few people, perhaps with a small staff, and businesses which do not have a significant on-line/web presence. The business's website is simple and used as a marketing mechanism for customers to call, email, or otherwise connect with them. The website itself doesn't perform any on-line sales and is not the main focus of the business's economic activity. My business and website would qualify as a small business.

Many, though certainly not all, small businesses will have some sort of Point-of-Sale equipment that will charge customers' credit or debit cards, while others will be strictly service providers who bill their clients and are paid via check or EFT (electronic funds transfer).

Common areas of concern

For these businesses, I see the following main areas of concern in more or less priority order:

Electronic Banking

This area covers all your electronic/on-line banking and physical check writing, including who has access to your accounts and who can write or sign checks. Exerting significant control here is very important for any business, and setting limits on cash outflow, especially, is important. If the company is large enough to use external help (a bookkeeper or accountant, for example), this is even more of an issue, because more people hold access. Monitoring here should be consistent, and something you look at frequently.

Even in a small business, email should not be relied upon to authorize transfers above the amount you're willing to lose. A business email compromise (BEC) could easily allow an attacker to send an email that appears to come from the owner to trigger a payment to the attacker. You should consider implementing controls that require a phone conversation, and possibly a codeword or phrase, to approve transactions above your loss threshold.

I suggest the codeword because both audio and video fakes are becoming easier to create, and realistic enough that they can pass for the real thing. And since it's also easy to fake the "from" phone number on a call, the call should be one you place yourself to a number already on file, never a call-back to a number supplied in the request, and the codeword is the most reliable way to be certain that the requested transaction is legitimate. Agree on the codeword in person, and never send it by email.

Credit and Debit Card Information

Some payment processing systems allow you to hold/store credit card information, and some do not. My recommendation would be to try to work without holding this data if it's at all possible in your business. What you don't have can't be breached during an attack on your business. Credit and debit card data is one of the most sought-after types of information by attackers. I would include here not just the card number, but also all the data used to help prove that you have the card info legitimately, or that the card is present at the point of sale: the name on the card, billing address, expiration date, security code, billing zip code, etc. All of that information is useful, and criminal organizations will pay one another for lists of it. Note that the payment card industry rules (PCI DSS) forbid storing the security code after a transaction is authorized under any circumstances, and holding any card data at all brings your systems into PCI DSS scope. A data breach of your customers' data can be fatal to a business of this size fairly easily, as it can significantly erode customer trust in the business's ability to protect their information. So, it's better not to hold the credit card data at all, unless your business really requires it. Some processors give you a token (a reference that stands in for the card, without the actual card number) that you can use to trace transactions, and even perform additional billings.

Other Customer Related Information

This can include anything from billing history to ownership information to banking data like account numbers, ABA routing numbers, and other EFT-related information. Here again, a data breach can be fatal. Where possible, minimize the customer data you keep in your systems, and delete it once you no longer need it.

Information about Minors

There are limits on what you can and can't do with information about minors. There are both FTC and some state laws that are enforced. The FTC rules (the Children's Online Privacy Protection Act, COPPA) apply when collecting personal information online from children under the age of 13.

California has additional requirements under the "California Age-Appropriate Design Code Act", scheduled to take effect July 1, 2024, although its enforcement has been challenged in court, so check its current status. This Act impacts businesses whose online services are likely to be accessed by California-based children under 18 years of age, even if the business does not intend to serve them (i.e., the business is not 'targeting' children under 18).

Networking, Wi-Fi, and VPN

Network security is important for all companies, and even more so since the advent of wireless networking like Wi-Fi. A long, random passphrase on your Wi-Fi network, with WPA2 or WPA3 encryption (never WEP or an open network) and WPS disabled, is probably your best defense here. Change the passphrase whenever someone who knows it leaves the business, and on a scheduled basis otherwise.

If your business has a public Wi-Fi network that it offers to your customers, you need to ensure that that network is fully isolated from your office network, and that it's set up as a 'guest' network. A properly configured guest network does not allow any sort of connection from one user's device to another on the guest network, nor to your office network, nor to something like a printer. It only allows connection to the internet via your router. But even with a guest network, an attacker who joins it can still capture the wireless traffic of the other guests, so it should never carry anything that matters to your business.

I know of a couple of companies that don't rely on Wi-Fi in their office, but instead use wired connections. This does eliminate a number of attack vectors, but it has its own hassles too.

A virtual private network (VPN) can be very useful for securing remote access: staff working from home connect through the VPN to reach office computers and printers, so none of those devices need to be exposed directly to the internet. I would also suggest that all staff, not just your IT team, use multi-factor authentication (MFA) for the VPN, email, and any other account reachable from the internet, preferably a physical device like a FIDO™ security key, which resists phishing, or failing that a software 'device' such as the Google Authenticator app. Codes sent by SMS are the weakest option.

Finally, on the subject of networks, I would suggest that you not permit any devices other than computers/laptops and printers/scanners on your office network. Devices like HVAC systems, lighting, etc. that can be controlled, managed, or maintained remotely via the web or mobile apps should not be permitted on the same network that holds your business's critical data. Consider putting these devices on a guest network, or at least on a network that is separate from your office network (a VLAN, if your router supports it), if at all possible.

Backups

Hopefully all businesses by now are creating backups. Backup frequency, how the backup is stored, and how it is used if necessary are all factors that should be carefully considered and reviewed occasionally. For example, if your business is storing backups on-site, on a drive that is accessible from your staff's computers, you may find them encrypted by ransomware one day, along with everything else. Most experts, myself included, prefer off-line backups. Some go so far as to recommend two sets of backups: one on-line, and the other in safe off-line storage. These two types can have different frequencies, but neither interval should be longer than the amount of work your business could afford to lose and redo following a breach.

With an off-line backup, an attacker can't get at it unless they come inside the location where it's held and physically remove or destroy it. Many companies used to store these on tape, in a safe deposit box at their bank. Tape is long gone as the media of choice, but small USB drives can easily be purchased, and two sets can be swapped out between trips. Because a small drive is easily lost or stolen, the backup on it should be encrypted. Of course, the drive has to be connected while the backup is being made, so keep those periods as short as possible and disconnect it as soon as the backup has been verified.

Ransomware attackers will happily encrypt your backups, if they can reach them. Note that even encrypted backups can be encrypted *again* by the attackers. That won't get them access to the data in the backup, but it will keep your backups from doing what they're supposed to do: making it possible to restore your data and get your business moving again.

Backups should include all critical data needed to run your company. That would include any information needed for business filings to local, state, and federal authorities, not just the IRS. It would include anything you need to set up and allow POS systems to function. It might include login information for any SaaS tools your company needs, such as the online version of Quicken, for example; if passwords or keys are included, the backup itself must be encrypted.

You may choose to backup all your employees data, and any email server data as well (including cloud-based accounts).

Another often overlooked aspect of backups is testing them on a regular schedule, by actually restoring from them, to be certain you can get back all the data you need. This is of critical importance if you're backing up to disk drives. Many believe that backup to a web-based service doesn't need to be tested, but even here, I'd suggest occasionally verifying that the service is working as you expect it to.
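As an added worked example (not from the original article), the script below does what the last few paragraphs describe for a removable USB drive: it archives a directory, encrypts it with a passphrase so a lost drive exposes nothing, records a checksum beside the archive, and then proves the backup is usable by restoring it into a scratch directory and comparing it to the source. It assumes a POSIX shell with tar, gzip, openssl (1.1.1 or later), sha256sum, diff, and mktemp; the directory paths, the passphrase file, and the sample files in the demo are placeholders I constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article. Encrypted backup of a
# directory onto a removable drive, plus a trial restore that proves the
# backup can actually be read back. Assumes POSIX sh, tar, gzip, openssl
# (1.1.1+), sha256sum, diff and mktemp. Paths and passphrase are placeholders.

# make_backup SRC_DIR DEST_DIR PASSFILE -> prints the path of the new archive
make_backup() {
    src="$1"; dest="$2"; passfile="$3"
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz.enc"
    # Archive, compress, then encrypt with AES-256-CBC. The key is derived
    # from the passphrase with PBKDF2, so a lost USB drive exposes nothing.
    tar -C "$src" -cf - . | gzip -c |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$passfile" -out "$archive" || return 1
    # Record a SHA-256 beside the archive; a later mismatch means the file was
    # corrupted or tampered with (for example re-encrypted by ransomware).
    ( cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE PASSFILE SRC_DIR -> returns 0 only if the checksum
# matches AND a trial restore reproduces SRC_DIR exactly.
verify_backup() {
    archive="$1"; passfile="$2"; src="$3"
    ( cd "$(dirname "$archive")" &&
        sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    scratch=$(mktemp -d) || return 1
    rc=0
    # Decrypt and unpack into the scratch directory, then compare to the source.
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass "file:$passfile" -in "$archive" 2>/dev/null |
            gzip -dc 2>/dev/null | tar -C "$scratch" -xf - 2>/dev/null; then
        diff -r "$src" "$scratch" >/dev/null 2>&1 || rc=1
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# demo: constructed sample data, one good backup, then a deliberately damaged
# copy to show that verification catches it. Returns 0 when both behave.
demo() {
    src=$(mktemp -d); drive=$(mktemp -d); passfile=$(mktemp)
    printf 'correct horse battery staple\n' > "$passfile"   # constructed passphrase
    printf 'date,amount\n2024-01-02,120.00\n' > "$src/ledger.csv"
    mkdir "$src/pos" && printf 'terminal=demo\n' > "$src/pos/config.ini"

    archive=$(make_backup "$src" "$drive" "$passfile") || return 1
    verify_backup "$archive" "$passfile" "$src" || return 1   # good backup restores

    # Simulate an attacker or bit-rot touching the archive: verify must fail.
    printf 'X' >> "$archive"
    if verify_backup "$archive" "$passfile" "$src"; then
        return 1
    fi
    rm -rf "$src" "$drive" "$passfile"
    return 0
}
```

Run it as `sh backup.sh` after adding a line that calls `make_backup` with your data directory, the drive's mount point, and a passphrase file that lives on the office machine (never on the drive itself); run `verify_backup` immediately afterwards and only then unplug the drive. The demo function is the "test your backups" step: a backup that has never been restored is an assumption, not a backup.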

Internal Email

Internal email can be, and often is, attacked via multiple methods. These sorts of attacks include phishing, spear-phishing, and other forms of social engineering. A successful attack gives the attacker the same access as the compromised account, including the ability to send convincing email to your bank, your customers, and the rest of your staff. In smaller companies, the expertise to ensure email is as secure as possible is often not present, and the company must rely on outsourced providers; at a minimum, require MFA on every mailbox.

Internal computer systems and office networks

This is related, to a degree, to the Internal Email issue. Even small companies should have some kind of endpoint monitoring in place (Endpoint Detection and Response, or EDR) to help stop problems when phishing and other malware attacks are successful. Note that I didn't say 'if'; some will almost certainly get through. This also means having staff, internal or outsourced, who can find and remove any malware inserted into your systems by successful attacks.

Hiring

Earlier in my career, I was working for a company that was just about to hire a new senior engineering manager. One of that company's staff happened to do a quick internet search of the candidate, a few hours before the company was planning to extend an offer. The search turned up a conviction for computer crime in this candidate's past. This was before that company started doing background checks for all staff. Imagine what might have happened, had that person been hired. Would the person return to their previous ways? Would they have been a great manager? Was it worth the risk to find out?

Background checks should be considered for anyone being hired, even by a small business. It's very common for employees of small businesses to have very widespread access to the company's resources. For that reason, it seems to me that background checks may be more useful in a small business than in an enterprise-sized business, where individuals would likely have less access and less ability to do the business harm.

Training and testing

Research suggests that roughly 85% of all attacks involve some form of staff error as a component. Errors can be those of omission, such as failing to correctly configure a security setting, or commission, such as opening an attachment from an attacker. Periodic security awareness training and phishing training are effective antidotes. Prepackaged training is available from several vendors, sometimes bundled with phishing tests of your staff, which will help them recognize and correctly respond to phishing email in their inboxes.

Email Marketing

The US, Canada, and many other countries have limits on email marketing. In the US these are the CAN-SPAM rules. They limit what you can do, and what you must do, in your marketing email. The Federal Trade Commission (FTC) is the primary regulator here, though the Federal Communications Commission (FCC) has rules and authority too, especially where the message is sent to mobile phones.

These rules relate mainly to the content of the message, that the message can be clearly understood as marketing, and to ensuring that the person being targeted can easily opt out of receiving additional emails. There are other requirements here too, including accurate header and subject lines, a valid physical postal address for your business in each message, and honoring opt-out requests promptly (within 10 business days).

There are also browser signals that let consumers limit tracking. The older Do Not Track signal has no legal force in most places, but the Global Privacy Control opt-out signal must be honored under California's CCPA regulations and some other state privacy laws, so a website that tracks visitors should be prepared to respect it.

It's also become quite common to see cookie consent mechanisms that allow users to opt out of having cookies set on their machines by category: necessary, performance, functionality, and marketing/targeting are often selectable.

Physical security

Physical security can be an issue for smaller business too, depending on the amount of cash, inventory, etc. on-hand at the business's locations. Some small businesses may also be worried about individual employees being threatened on the job.

Video surveillance is a commonly used tool to help prevent and identify theft, especially where the company has many short-term staff, where staff turnover is frequent, or where inventory is out on public display. Some jurisdictions have limits on video surveillance, especially of public areas.

For companies that have significant physical security concerns, there are "physical penetration testing" companies that will test your controls for you. They essentially 'break in' to your space, and show you how they did it. All of this is under a contract that specifies what they are to do once they find a way in (they very likely will), what they can do once they're in, etc. The contract should be written to protect both the business and the test firm's employees doing the testing. It's truly amazing what techniques they have for non-destructively entering "secure" locations. You'd want to work with one that's bonded and insured, of course.

Closing Thoughts

Small businesses today are under the same sorts of attack as larger companies. While they tend to have employees and owners wearing 'multiple hats', they still need to attend to many of the same security controls that large companies do, though generally on a smaller scale. Small businesses may want to look into a Managed Security Services Provider (MSSP) or Managed Service Provider (MSP) to address many of these challenges. It's important to understand what a particular provider does, and does not, supply you, and to come up with a plan for the rest.

By Craig Payne