Small business owners are in a unique position when it comes to cybersecurity. They are certainly not high-profile targets for hackers like Fortune 500 companies such as Home Depot and Target have been. On the other hand, small businesses can’t afford massive investments in cybersecurity so if large companies can’t seem to effectively protect themselves after spending millions on cybersecurity, what can small business owners possibly do?

Nonetheless, small businesses are a major and frequent target for hackers, ransomware attackers, digital thieves and online criminals who seek every angle of opportunity to steal your data and, possibly, your money. Here are nine things every small business owner needs to know about cybersecurity.

1. You’re more vulnerable than you think — and so are your customers.

First off, let’s be clear: Your business is very much at risk, whether you realize it or not. Just because successful hacks and data breaches at large corporations are what make the news, don’t make the mistake of assuming that small businesses like yours are not being breached every day. They are, and in many cases, they are losing not only data but also customer information, revenue and money in legal fees and liabilities to boot. Everything you capture and keep about your business or your company’s customers is at risk, so it’s time to take cybersecurity seriously before your business is seriously impacted. With that in mind, the good news is there are some key steps you can take to reduce your risk.

2. Train your team to spot phishing.

One of the easiest ways that hackers use to gain access to your sensitive data is through what are known as phishing attacks. Phishing is “the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers”. While in the past most people felt they could spot such emails due to common grammar and spelling errors or strange sentence structure, today attackers are much more sophisticated and are becoming highly adept at creating emails and messages that truly look and ‘feel’ real.

The best way to avoid being snared by a phishing attack is by training your team to never click on links inside emails claiming to be about sensitive information or requesting that you log in to your bank or other accounts right away to verify or correct something. Simply put, you should always open a fresh browser session and log in by directly entering the login URL and inputting your credentials from there.

Even an email that specifically says things such as “This email is sent to you in order to protect your security” are often fakes, and it’s getting harder and harder to tell the real messages from the imposters every day.

3. Get passwords out of spreadsheets, emails, sticky notes, browsers and documents.

Let’s move next to passwords. The first thing you should do right now is get all of your passwords out of spreadsheets, emails, documents and other random places. And in addition, stop storing passwords in your web browser’s memory or history (known as the ‘browser cache’) as well. No password or other login details should ever be kept in an unsecured or unencrypted file…ever.

Instead, you need to put all passwords, logins and other sensitive data in an appropriate, encrypted application such as a password keeper or security software. Some of the best-known applications in this category include DashLane, OnePassword, mSecure and LastPass. What these products have in common is that they enable you to place sensitive information in a purpose-built system designed to backup and secure the data appropriately.

4. Stop memorizing and start randomizing.

Two essential features of password management are randomizing and rotating. Randomizing is perhaps the single most valuable thing you can do to protect your online assets. Simply put, if you can memorize your passwords, they are probably ineffective (with rare exceptions). More to the point, research shows that when people use passwords that they’ve memorized, they are much more likely to use the same password (or a series of passwords with nearly-identical characters) across different websites.

This is what hackers are counting on — that if they steal your Staples.com login credentials, they can also gain access to your bank account with the same password or one that’s almost identical. That’s why passwords must all be completely unique so that you minimize exposure if any one password or login credential is exposed.

5. Passwords should never be permanent.

In addition to randomizing your passwords, it’s also essential to rotate them. Every year or, preferably, every six months, every password should be changed – across your business. The good news is that many password management applications can assist you in automating this process by setting reminders to generate the changes, and by using randomization tools to help you come up with new passwords quickly and painlessly. If you randomize and rotate your logins, you are well on your way to creating a far more secure digital environment for your business.

6. Some security questions are worth lying about.

There was a simpler time when one of the most effective ways to protect your identity was to use the security questions that are often asked of you when setting up a new account or login. The problem is, everyone started asking the same questions. Today, these questions are now one of the fastest ways that hackers can cheat security controls and gain access to your digital world. After all, how many times have you been asked things such as the last four digits of your social security number; your mother’s maiden name; the name of your first pet; and so forth? What hackers do today with this information is called social engineering, which is defined as “psychological manipulation of people into performing actions or divulging confidential information.” Simply put, a hacker can probably take one piece of your personal information (such as the last four digits of your social security number) and use it to place a phone call or open an online chat with your bank or other online service provider to turn around and reset your passwords or otherwise gain access to additional credentials. That’s why security experts today are strongly advising that we lie in these answers by creating random words or phrases each time, and then recording them as well in our digital password applications. This means that your answer to “mother’s maiden name” with one vendor will be different from the one you give another vendor – and neither answer will actually be your mother’s real maiden name.

7. Use provisioning to control employee access.

It’s not just enough to get sensitive information into a protected database. From there, you have to consider what information should be in the hands of which employees. Does every employee really need access to every customer’s credit card information, or logins for the company’s payroll and accounting systems? Of course not.

And that’s where provisioning comes in. Provisioning allows you to create role profiles for your employees (such as admin, sales, operations, customer service, supervisor, manager, director, etc.) and then determine what information or sets of information each role should receive access to. In addition, provisioning allows you to quickly turn access on and off, such as when an employee is promoted or when someone leaves the company.

8. Protect customer information properly.

The only information more important that your own company’s data is your customer’s data. Customers entrust you with all kinds of information — typically their contact information, payment information and probably their order history. This information on the whole can be used to gather a lot of sensitive insights about your customers, and that’s why protecting it is essential.

Consider moving credit card information into a secure eCommerce or payment application (for example, the Square payments application now allows you to record customer credit card information securely inside the database for repeat orders). In addition, if you use traditional paper or digital forms to collect payment data, avoid using email to transmit it — either use fax (it’s old-fashioned but far more secure than email) or use a secure online file sharing site such as ShareFile.

9. Use technology to protect your technology.

There are so many points of risk in your technology environment that it can seem overwhelming to manage it all. The easiest thing to do first is to make sure all of your software (desktop and mobile operating systems, email applications, office applications, accounting systems, etc.) are up-to-date and upgraded to the latest versions, since these updates often address security holes or vulnerabilities.

After that, look at other tools to fill in the gaps. For example, employees who use laptops in the field and access company data outside the office should be using a Virtual Private Network (VPN) to do so when connecting via public WiFi. Tools such as HotSpot Shield can provide this service easily and instantly.

Document repositories such as Box and DropBox can provide a safe environment for transferring and sharing sensitive documents. And where possible, enable Two-Factor Authentication (the process in which an application requires the user to enter a special code that is typically emailed or texted to them to complete each login process).

These nine keys are essential if you are going to take serious strides toward success in protecting your company’s digital assets, as well as the sensitive data that your customers entrust to you every day. Start now and begin working through the process to enhance, improve and sharpen your digital security strategy now, and it is almost assured that you will be very thankful for having taken these steps sooner rather than later.

Photo by Annie Spratt (Unsplash @ Creative Commons)