Small businesses are the target of 43% of all cybercrimes, and that number is increasing, which is why I've put together this article of small business cybersecurity quick wins.
The field of operations is vast when it comes to battening down the hatches to keep businesses safe, so for this article I'm just focussing on quick and effective things you can do over a day or two.
The thrust of these simple steps for keeping your online content secure is to make sure your virtual doors and locks are as secure as possible.
To that end, I'm going to focus on keeping your website, emails, and passwords secure by making sure your:
- Website has SSL security in place
- Website has a backup system in place
- Website has a security plugin in place
- Plugins and other website elements are updated regularly
- Website, email, social media accounts, computers, and other services have two-factor authentication in place
- Passwords are generated by and stored within a password keeper
- Team is aware enough to NEVER click on links in emails and direct messages
For much of this article, I will assume you have a WordPress-based website, sitting on your own web hosting account, not sitting at WordPress.com. If you do have a hosted website sitting somewhere else, like WordPress.com, Wix, SquareSpace, or other service providers, the first four items in the list are likely to be covered (that's what you pay extra for) and I'll point that out as I go. So, let's begin.
Does your website have SSL in place?
Take a look at your website right now.
Does its web address (URL) appear in your web browser as https:// or http://? We want that answer to be https://.
Or, if you're using a browser that doesn't show the http part of an address, what we want to see is a locked padlock icon, as opposed to an open one, like in the image, below.
What the https or SSL status signifies is that the connection between your website and the person's web browser is secured; nobody else can secretly jump in and inject bad code or redirection commands, etc.
If you have a decent web host, as a minimum, they will offer you access to a service like AutoSSL or similar, in which you get a security certificate for your website(s) for free.
There are, of course, many premium options beyond that (and websites hosted at WordPress.com, Wix, etc, will come with SSL as part of the subscription), but as a first step, activating the secure connection will be a perfect and sustainable solution that can take five minutes to deploy.
To activate https on your standard, WordPress website, simply:
- Check you have SSL active in your cPanel hosting account (go to Security, SSL Status) and check that there are green icons next to your domain name. If not, select the domain names from the list and Run AutoSSL or similar. Failing that, chat with your host's support people to ask them to help you.
- In your WordPress site, go to Plugins > Add New and search for Really Simple SSL. This is a very handy, free plugin that will connect your site to its SSL certificate to make it active.
- After activating the plugin, make sure it has detected the certificate (if not, chat to your webmaster or web host), and then proceed to activate. You might get kicked out of your site and have to log in again, but when you do, you'll see your site is now sitting at https://.
There are a number of extra settings within that plugin, which we'll discuss in later articles but, for now, you can breathe easy to know that visitors to your site can proceed safely, and Google's little search engine bots will also feel comfortable crawling and indexing your site.
Does your website have a backup system in place?
If something ever did go wrong with your website, do you have a fresh backup copy to restore it from?
If you're paying for a hosted website at WordPress.com, Wix, etc, part of what you pay for is having them take care of backups, so you can skip this section.
For the rest of us, as with the SSL section, above, most good web hosts now include varying degrees of backup either free, or for a nominal cost when you need restoration.
However, it's best to take matters into your own hands because in a time of crisis, it's unsettling to have to rely upon others.
There are many ways to back up your website when you're hosting it yourself, but in our case of a simple, WordPress-based site, Updraft Plus is a wonderful plugin with both free and premium options that will suffice.
The team behind Updraft has crafted some helpful tutorials on how to create and restore from backups. But first, here's what the backing up steps look like.
Once you've installed the plugin via Plugins > Add New, activate it and go to settings to set the frequency of backups.
Next, choose the destination for saving your backups.
Each different choice has different instructions, as you'll see below, with Google Drive. Note: for the free version of the plugin, you get to choose Dropbox, Google Drive, FTP, S3, Rackspace, and Email.
Then, you're set.
Should something go wrong with your site, you can restore your WordPress website manually with these instructions from Updraft Plus, or you can restore from within the WordPress admin panel.
Here is that other tutorial from Updraft Plus, to get you up and running quickly: Backing up a WordPress website with Updraft Plus.
Does your website have a security plugin in place?
Every day, every website on this planet gets prodded and tested by hideous, lowlife, scamming crooks.
These insidious humans and organisations are driven by a desire to cause disruption and/or monetary gain.
Websites of all styles, shapes, and sizes can be hacked. Our job is to make yours as "hardened" as possible, so that hackers give up and move on to somebody else.
As that old joke goes, as retold by Matt Blumberg on BusinessInsider.com:
Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching. “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend. “You can’t outrun a bear!” “I don’t have to outrun the bear,” said the second friend. “I only have to outrun you.”
According to Australia's Cyber Security Centre, if hackers do get into your website or, worse still for many businesses, into your computer systems, you should never pay any ransom because there's no guarantee you'll get your access back and it will make you susceptible to being extorted again and again. The Centre notes:
We recommend you do not pay the ransom ... Instead, restore your files from backup and seek advice. For this reason, it is vital to back up your data and put effective cyber security practices in place.
Your computer systems are outside the scope of this article but for your standalone, WordPress website, we recommend a good security and scanning plugin like Wordfence or WP Cerber Security, Anti-spam & Malware Scan.
With more than 1,000 websites under my belt, I have long used Wordfence, but that has shifted this year because I was noting that it was conflicting with some of the preferred plugins I use.
Therefore, I have shifted allegiances to WP Cerber Security, Anti-spam & Malware Scan, and it has been doing a stellar job.
Here's a shortened list of the features in the free version:
- Limit login attempts when logging in
- Monitors logins made by login forms, XML-RPC requests or auth cookies
- Permit or restrict access by IP Access Lists with a single IP, IP range or subnet
- Cerber anti-spam engine for protecting contact and registration forms
- Automatically detects and moves spam comments to trash or denies them completely
- Two-Factor Authentication for WordPress (see the 2FA part of this article, below)
- Logs users, bots, hacker and other suspicious activities
- Security scanner verifies the integrity of WordPress files, plugins and themes
- Monitors file changes and new files with email notifications and reports
- Mobile and email notifications with a set of flexible filters
- Anti-spam: reCAPTCHA to protect WordPress login, register and comment forms
- reCAPTCHA for WooCommerce & WordPress forms
- Invisible reCAPTCHA for WordPress comments forms
- A special Citadel mode for massive brute force attacks
- Protection against (DoS) attacks (CVE-2018-6389)
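To show what the "limit login attempts" and "logs suspicious activity" features in that list actually do behind the scenes, here is an added example (mine, not code from the Cerber plugin) that replays a constructed login log and applies a simple per-IP lockout rule: five failed logins within ten minutes locks that address out for thirty minutes, and a successful login resets the counter. The log format, thresholds, and IP addresses are assumptions made up for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Cerber output): "timestamp ip username outcome"
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 admin FAIL
2024-05-01T09:00:03 203.0.113.7 admin FAIL
2024-05-01T09:00:04 198.51.100.2 steve FAIL
2024-05-01T09:00:05 203.0.113.7 administrator FAIL
2024-05-01T09:00:06 198.51.100.2 steve OK
2024-05-01T09:00:07 203.0.113.7 wpadmin FAIL
2024-05-01T09:00:09 203.0.113.7 admin FAIL
2024-05-01T09:01:00 203.0.113.7 admin FAIL
2024-05-01T09:45:00 203.0.113.7 admin FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Yield (timestamp, ip, user, outcome) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            yield datetime.fromisoformat(ts), ip, user, outcome


def analyse(text, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(minutes=30)):
    """Replay the log and apply a per-IP lockout rule.

    Returns {"lockouts": [(ip, locked_at, locked_until), ...], "rejected": n}
    where "rejected" counts attempts made while the address was locked out.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    locked_until = {}               # ip -> time the lockout expires
    lockouts, rejected = [], 0
    for ts, ip, user, outcome in parse_log(text):
        if ip in locked_until and ts < locked_until[ip]:
            rejected += 1           # the login form is not even evaluated
            continue
        recent = failures[ip]
        if outcome == "OK":
            recent.clear()          # a real user got in; reset the counter
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_failures:
            until = ts + lockout
            locked_until[ip] = until
            lockouts.append((ip, ts, until))
            recent.clear()
    return {"lockouts": lockouts, "rejected": rejected}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, at, until in result["lockouts"]:
        print(f"{ip} locked out at {at:%H:%M:%S} until {until:%H:%M:%S}")
    print(f"{result['rejected']} attempt(s) rejected while locked out")
```

In the sample, 203.0.113.7 tries five different usernames in eight seconds and is locked out, the attempt one minute later is rejected outright, and 198.51.100.2 (a real user who mistyped once) is never affected. The lockout and notification reports Cerber sends are built from exactly this kind of bookkeeping, which is why the digest emails are worth reading.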
Here's a screenshot of just some of the settings inside the plugin.
With this plugin installed, customised, and activated, you get a lot of extra peace of mind when running your website.
With all these sorts of plugins, you can receive a LOT of notifications, so take the time to curate the notifications to best suit your working style.
A daily digest or a weekly digest might suffice but notifications are only as good as the diligence of reading them when they arrive.
Updating routines for your website plugins
One of the beautiful things about having a well-made WordPress website with a carefully (and minimally) curated list of plugins is that you can get an enormous range of functionality from one website.
And with WordPress now powering more than 40% of all websites today, there is a healthy ecosystem of developers and users to be part of.
In other words, you're not alone in your small business cybersecurity needs and there are many of us on standby to work with you.
I've highlighted three key plugins in this article already BUT plugins are not completely set and forget.
While WordPress has now enabled Automatic Updates for WordPress itself, plugins, and theme files, it's a good idea to "get your hands dirty" at least fortnightly, to make sure you have the latest versions of all the components of your website.
Here's a screenshot of our website, just before the automated round of updates were to take place. The top left arrow is pointing to the Updates label in the WordPress admin screen - this shows how many plugins or themes have updates waiting. The other arrow is pointing to the notice telling us when the automated update will take place.
It is important to note that the automated updating should be considered a luxury for people whose complete income is not totally reliant on their website.
This is because, like all things in tech, when there are many moving parts (different plugins by different authors), there's always a slight chance that one update might cause a conflict or issue.
We have a three-person team of WordPress experts on hand, so we can dive into our site, should we need to, and, of course, if you're one of our clients you also have that benefit, plus a layer of support from your webhost.
But I still advocate strongly for either manually updating WordPress elements yourself (it only takes a few minutes), or getting our basic WordPress updating package ($40+gst per month, per site, on your webhost) or our premium WordPress safety package ($120+gst per month including hosting on our own servers), to make sure you have complete peace of mind.
Hmm, that doesn't sound black and white, Steve? Well, it's not. Very few things in this world are. Cybersecurity settings are similar to insurance policies. It is all about a balancing of risk. That's why I'm giving you this nuanced approach to small business cybersecurity and not a one-size-fits-all approach.
If you are going to update your WordPress elements manually, I suggest doing them in this order:
- Update WordPress itself if it has an update available
- Update your plugins, noting that if you have a key plugin like WooCommerce (an incredible ecommerce plugin), it is suggested that you update any connected ecommerce plugins first and then update WooCommerce. Also, if you have more than five plugins awaiting updates, just do them in groups of five at a time. You simply select them one-by-one on the Updates page, click Update Plugins and WAIT UNTIL THEY'RE DONE. Do not navigate away from an update screen.
- Finally, update your WordPress theme, if available.
Check for updates whenever you log into your website, but aim for doing it at least fortnightly, if not more frequently.
Setting 2FA or two-factor authentication for your website, emails, and social media accounts
One of the simplest ways to keep the wrong people out of your online accounts is to use 2FA or Two Factor Authentication.
It's a genius of an idea.
When you have 2FA enabled for a website or social media account, logging in with your username and password is no longer enough. After you get those credentials right, the system sends a code to your mobile phone, to a separate email account, or to an authenticator app on your smartphone, and only if you then correctly enter that code into the login area do you gain access.
This is based on the premise that a lot of hacking is actually done by people you know but it's unlikely they'll have access to personal items like your smartphone.
Therefore, even if an opportunistic employee, mischievous relative, or a crooked colleague (or former colleague) has knowledge of your password (yes, I'm looking at you, some dear friends and clients who still persist on having a "password book" or "post it note" for storing passwords), they only get part way through the log in process. They are thwarted from actually getting into your site because the Two Factor code goes to you.
As I found out when someone from my past was trying to log into my accounts, most of these systems will alert you when an intruder is trying to gain access, either by sending you access codes that you didn't ask for, or formally documenting the number of failed attempts to log in with the username they were trying with.
Would you like this peace of mind?
It's simple to activate, you simply look for the option in the password or security settings within your social media accounts, website, email accounts, or any other services you use online.
Here's what the settings page looks like in Facebook. Note how you can not only turn on and manage 2FA but it can also list all the places where your account is currently logged in. This is helpful because if someone has longstanding access to an account, perhaps from a time BEFORE you used 2FA, you can simply lock them out and they won't be able to get back in without the special Two Factor Authentication code.
For your WordPress website, if you use the Cerber security plugin, mentioned above, it has a setting for enabling 2FA for your website.
If you're using one of those online web services like Wix, you will find 2FA settings easy to find in the security settings for your account.
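The six-digit codes an authenticator app produces are not magic: the app and the service share a secret when you scan the enrolment QR code, and both derive the same code from that secret plus the current 30-second time step. Here is an added example (my own code, not from WordPress, Cerber or any authenticator) implementing that standard scheme (RFC 4226 HOTP and RFC 6238 TOTP) with a server-side verifier that tolerates a little clock drift and refuses to accept the same code twice. The secret used in the test is the published RFC test secret, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current 30-second time step."""
    return hotp(secret, int(at) // step, digits)


def new_secret() -> str:
    """A fresh shared secret, base32-encoded as it is carried in the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class TotpVerifier:
    """Server-side check: accept the current step plus or minus `drift` steps to
    allow for phone clocks being slightly off, and never accept a step that has
    already been used (the code really is one-time, so a captured one is useless)."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1

    def verify(self, code: str, at: float) -> bool:
        now = int(at) // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue                                      # replay or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Enrolment: this base32 string is what the QR code would carry to the phone.
    shared = new_secret()
    key = base64.b32decode(shared)
    code = totp(key, time.time())
    print("secret:", shared, "current code:", code)
    v = TotpVerifier(key)
    print("first use accepted:", v.verify(code, time.time()))
    print("replay accepted:", v.verify(code, time.time()))
```

The verifier keeps `last_counter` per user account; in a real login flow that value lives in the database next to the secret, which is also why the secret itself must be stored as carefully as a password hash.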
Generate and store passwords using a Password Keeper
There are two tricks for making passwords work for you.
The first, as I just hinted at, is by keeping them safe and NOT storing them in "handy" password books or post it notes. I say handy in quotes because such things are truly convenient for people who want to get into your online services. This is almost as bad as letting your web browser "save" or "remember" your passwords for you. Please don't use that option.
The second is making sure that passwords you do use are actually hard to crack; really hard.
And we have another decision to make here. We can either use really long and complicated passwords (this is my typical approach, eg, PeNy6H3G3$HRe936m7bjHPN&xSpP) or passphrases which are simple to remember but really hard to crack, eg, When I Walk 2 Dogs You Always Whistle At Me.
This table from Cyber Security Australia shows not only the various types of passwords, but rates them on how long they take to crack by crooks and hackers (along with how much it would cost you to hire someone to crack), juxtaposed against how easy they are to remember.
If you think you'll have an easy job remembering passphrases, then that is a low tech and very effective way to create passwords.
However, if you doubt your grey matter (I do, in things like this), then turning to one of the trusted, online password keepers is something I strongly recommend and do myself.
Once you have your account set up, you choose one truly memorable but truly difficult password as your master password.
This is your one ring to rule them all, as the Hobbits would say.
You now have only one password to remember but the service then stores and recalls your passwords for any services you access.
Furthermore, when signing up for new services, your password manager can generate new, difficult passwords like this one - I'm setting Dashlane to create its toughest password and here is what I got:
Good luck hackers: WK#d#6nsYq05?e5TvI&c&Pf#QlZktTtBMYiFybid
The trick with these password managers or password keepers is that you no longer have to remember any passwords, other than your master password.
I don't know a single password for any of my hundreds of online services. But Dashlane does.
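To put numbers on the "long and complicated" versus "passphrase" choice above, here is an added example (my own, not from Dashlane or the Cyber Security Centre table) that estimates how many bits of guessing work each style gives an attacker, and generates both kinds of password with Python's cryptographic `secrets` module. The guessing rate of 100 billion guesses per second and the tiny word list are assumptions for the demonstration; the entropy figures only hold for passwords a machine picked at random, not for ones a person "made look random".

```python
import math
import secrets
import string

SYMBOLS = string.punctuation                     # the 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if " " in password:
        size += 1
    return size


def random_password_bits(password: str) -> float:
    """Entropy of a password drawn uniformly at random from its character pool."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words were picked at random from a list."""
    return word_count * math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to hit the password (half the keyspace) at an assumed offline rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length: int = 28) -> str:
    """Random password in the style of the examples above, from a cryptographic RNG."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 6) -> str:
    """Random passphrase; its strength depends on the size of the list it is drawn from."""
    return " ".join(secrets.choice(words) for _ in range(count))


# Constructed tiny word list for the demo only; a real list has thousands of words.
DEMO_WORDS = ["walk", "dog", "whistle", "always", "river", "orange", "quiet", "lantern"]

if __name__ == "__main__":
    for label, pw in [("random 28-char", "PeNy6H3G3$HRe936m7bjHPN&xSpP"),
                      ("Dashlane 40-char", "WK#d#6nsYq05?e5TvI&c&Pf#QlZktTtBMYiFybid")]:
        b = random_password_bits(pw)
        print(f"{label}: {b:.0f} bits, ~{expected_crack_years(b):.3g} years")
    b = passphrase_bits(9, 7776)            # 9 words from a 7,776-word (Diceware-size) list
    print(f"9-word passphrase: {b:.0f} bits, ~{expected_crack_years(b):.3g} years")
    print("generated:", generate_password(), "|", generate_passphrase(DEMO_WORDS))
```

The 28-character random password comes out at roughly 184 bits and a nine-word random passphrase at about 116 bits; both are far beyond anything that can be brute-forced, which is the point the table makes, and the passphrase is the one you can actually remember. Note that the attacker only needs one of these to fall to a phishing email or a reused password, which is where the rest of this article comes in.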
What happens if I forget my master password?
Some services give you an option to entrust your password to a related account, or they allow a relative to access your service after a set number of days (great in the case of accidents or death), or you can always use the password reset options on each service as you encounter it and start from scratch with a new service.
And if you need some encouragement to up your password game, Michael McIntyre might have the motivation for you!
Be web savvy and trust nothing unexpected
The final quick win in boosting small business cybersecurity is simply to get savvy.
Gone are the days of open trust online because too many crooks are out there playing a numbers game to pick off the weakest among us.
You might have heard of phishing schemes in which hackers send us emails designed to look like they're coming from our bank, and asking us to log in and update our passwords by entering our old passwords first.
Well, those fake emails are getting more and more convincing, and once you click on the fake link and go to the fake bank site, the crook will have stored your username and password and then go on their merry way using your credentials to log in, not just to the bank in question, but to all sorts of other accounts as well.
They usually succeed because too many of us use the same username and password combinations across dozens of accounts.
So, we just need some savvy and Two Factor Authentication, and we'll be safe.
Rules for being cybersafety savvy online
- Never trust any emails or SMS messages or direct messages containing links, even from friends. This might sound harsh but if a crook has gotten into your friend or colleague's email or social media account, one of the things they'll quickly do is masquerade as that friend and send out "plausible" pleas for help to everybody in the contact list. In short, NEVER click on any links sent to you unless you have asked for such a link to be sent.
- Remember that banks and other companies will never ask for your password in emails or phone calls. Period.
- Note that there are no rich princes wanting to give away their millions, nor gorgeous humans who have fallen in love with you and just need you to send a few dollars their way to help them out.
- Find a trusted human who will always be happy to check suspicious emails for you. If you are a Talked About Marketing client, you are ALWAYS encouraged to check ANY suspicious emails with me or my team. Just forward them to us. No charge.
- Be wary of phone calls from private numbers, overseas numbers, and unknown numbers - give no information on the phone and if concerned check with your "trusted human". As a trick, I have told many of my clients, when they are pestered by those pesky SEO people, to say firmly: "All decisions are made by my marketing consultant; you are most welcome to call or email Steve Davis."
- Beware domain name and web hosting renewal notices. Many horrid companies out there monitor domain names coming up for renewal and send emails or letters with renewal details that LOOK like invoices but are in fact tricky forms for getting you to transfer your domain name to them. Please note: You should only be paying approximately $15 per year per domain name registration.
- If it's too good to be true, then it's not true. Always be suspicious and if they've contacted you and SHOULD have access to your email and address, ask them to send you an email with information. If they then ask you to tell them your email, remind them it will be on your file. Plus, you can always just hang up and use your phone to block the phone number.
- If an email wants you to log in to check a transaction or claim against you, etc, NEVER click the link from the email. Go to Google, search for the company in question and log in that way.
In short, there are many tricksters out there who either try to be very nice, very concerned (we've noticed errors on your website that are stopping it from being found - how ironic that you found me then), or threatening (phone calls or emails claiming to be from the ATO or police or courts). Ignore them all, teach all those around you to ignore them, and use your "trusted person" as a sounding board before taking any action.
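The reason the rule is "never click the link, go there yourself" is that the text you see in an email and the address the link actually opens are two separate things. Here is an added example (my own, not from any email client or security product) that pulls every link out of a constructed phishing-style message and flags the two classic tricks: visible text that names one site while the link goes somewhere else, and a look-alike address where the bank's name is just a subdomain of a stranger's domain. The message, the bank name and the addresses are all made up from reserved example domains and IP ranges.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; the domains and IP are documentation examples, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please <a href="http://203.0.113.9/login">log in at https://www.examplebank.com</a> now.</p>
<p>Or visit <a href="https://examplebank.com.evil-example.net/verify">examplebank.com</a>.</p>
<p>Help centre: <a href="https://help.examplebank.com/contact">help.examplebank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host: str) -> str:
    """Naive owner domain: the last two labels ('a.b.example.com' -> 'example.com').
    A bare IPv4 address is returned unchanged. Real tools use the Public Suffix List."""
    labels = host.lower().split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


def host_in_text(text: str):
    """Return a host name the visible link text claims to point at, if it names one."""
    for token in text.split():
        token = token.strip(".,;:()")
        if "://" in token:
            return urlparse(token).hostname
        parts = token.split(".")
        if len(parts) >= 2 and all(p.replace("-", "").isalnum() for p in parts) and not parts[-1].isdigit():
            return token.lower()
    return None


def suspicious_links(html: str, trusted_domains):
    """Return [(text, href, [reasons])] for every link that fails a check."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for text, href in extract_links(html):
        target = urlparse(href).hostname or ""
        target_owner = registrable_domain(target)
        reasons = []
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != target_owner:
            reasons.append(f"text shows {shown} but the link goes to {target}")
        if target_owner not in trusted:
            reasons.append(f"{target} is not one of the trusted domains")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL, {"examplebank.com"}):
        print(f"'{text}' -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Of the three links in the sample, only the help-centre one survives: the first shows the bank's address but opens a bare IP, and the second buries the bank's name inside someone else's domain. You will not run this on every email you receive, which is exactly why the human rule (go to the site yourself, or forward the email to your trusted person) is the one that matters.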
I know this was a long read, but each of the seven steps is a relatively quick win to help you harden up your website and become more bulletproof online.