While small-business owners are a diverse group, most have a couple of things in common. First, they want their companies to thrive. Second, they rely on their websites to be much like a digital business card, to build their brand and reputation while attracting new customers and driving transactions. 

Unfortunately, as the threat landscape continues to evolve, cybercriminals are becoming even more skilled at finding new ways to harm organizations of all kinds, and small businesses are not immune.

Although many small-business owners try to educate themselves, they're often bombarded with misconceptions about cybersecurity best practices. Here are some of the common myths small-business owners need to be aware of to protect themselves and their customers:

Myth 1: Your business is too small to be a target.

Many small-business owners believe they're too small to be a target for cybercriminals, but being a smaller brand doesn't protect their site or make it less appealing to attack. Small businesses are attractive targets for cybercriminals because they often lack in-house security expertise, or because they don't have a cybersecurity solution in place. According to recent research, 43 percent of cyberattacks target small businesses, and the consequences of such an attack can be devastating.

To protect your customers and company data, you should take a proactive approach to cybersecurity. This doesn't mean you need to add a security department to your employee head count. Using a comprehensive cybersecurity solution offers businesses of any size the same security large organizations use to protect their data, secure communications, and defend their websites.     

Myth 2: You don't collect payment details, so you don't have data worth stealing.

Although many small-business websites don't collect payment details, they still collect other kinds of valuable customer information that appeals to cybercriminals. For example, cybercriminals look for personally identifiable information (PII) such as names, email addresses, and passwords, in addition to sensitive payment details, in order to gain access to all sorts of accounts.

Once cybercriminals have this data, they can use it for all kinds of malicious purposes. They might sell customers' PII on the dark web or use an email list to create a phishing scheme to trick people into giving away their credit card information. Ransomware attacks are another malicious use case for this information. During this type of attack, cybercriminals will withhold stolen customer data until the business pays a specified amount. 

Myth 3: Antivirus software and a firewall alone keep you safe.

Many small businesses think that if they have a traditional endpoint security solution in place, their website is fully protected from cyberattacks. However, antivirus software and a firewall alone aren't enough to secure a business's website. As cybercriminals become more sophisticated, small businesses must take a more holistic approach to cybersecurity. This means implementing multiple layers of security and protecting all points of entry. 

Antivirus solutions mainly detect threats that arrive as executable programs or macros that run inside common types of documents like Microsoft Word. But today's cybercriminals have infiltrated web applications, including WordPress, to install malware that can compromise these systems and cause significant damage. Since traditional antivirus software cannot detect these threats, it can leave users' websites exposed to malware.

To counter these threats, small businesses should invest in automated website scanning solutions. Website scanning goes a step further than traditional endpoint security to scan the site files and database for malware and other cyberthreats. For added protection, businesses can select a scanning solution that automatically fixes security vulnerabilities found in outdated CMS apps. Following guidelines from the PCI Security Standards Council can help small e-commerce businesses set a strong cybersecurity foundation.

Myth 4: External attackers are the only cybersecurity threat for businesses.

While external attackers are a serious threat, internal team members can also pose significant security risks through various unknown errors. In fact, employee error contributes to 60 percent of data breaches, which means it's essential to teach your employees about cybersecurity. 

Employee cybersecurity training should occur at least yearly. Your annual sessions should include lessons on identifying a phishing scam, using a password manager to keep track of unique and secure passwords, and using a virtual private network (VPN) when connecting to public Wi-Fi networks.

There are far too many cybersecurity myths in circulation that can leave small businesses susceptible to an attack. Today's small businesses can protect themselves and their reputation by dispelling these common security myths and ensuring they have the best cybersecurity practices in place to help them weather the growing risk of cybercrime. 

Published on: Dec 13, 2019
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.