You'd be hard-pressed to find an American business that doesn't rely on the internet in one way or another. It's a great business tool that opens up global markets to small businesses everywhere.

But all businesses need to be wary of how being part of the connected world can put you in contact with hackers and scammers out to take advantage and profit at your expense. With small businesses putting a lot of time, money, and effort into growing and becoming successful, losing data to a security breach that could have been easily avoided is a sad thing. Some businesses have been severely impacted by online scams, and even put out of business entirely.

There are some relatively easy things you can do to better protect yourself and your livelihood, and you don't have to be an IT security expert to do them. Here are a few simple things businesses can do to reduce risk and better protect themselves online.

Practice good password hygiene

It is so important to be vigilant with your passwords. If someone has access to them, they also have access to all of your personal information and the financial goings-on in your business. You wouldn't give someone the PIN to your ATM or credit card, so why would you let them know your passwords? The more people who know a password, the greater the risk it will fall into the hands of someone who shouldn't have it.

Make sure that you use unique, strong passwords for each service that you access. If you use the same password across different services, a breach of one service can lead to access to all of those services.

Use a password safe utility to make managing multiple passwords easier. A password safe or manager allows you to create a secure and encrypted list of passwords that only you can access with a "master" password.

Understand what 2FA means, and use it

Two-factor authentication (2FA, also called 2SA or MFA) adds an additional layer of authentication to access your account. As well as a password, you'll require a second factor to log in. This could be a code generated by an app on your smartphone or sent to your phone by SMS, or something physically unique to you, such as your voice or fingerprint. This makes it much harder for an attacker to access your account, even if they get your password, because they don't have the second factor.

Update your anti-malware

Malware is the generic name for malicious software, which includes viruses, Trojans, adware, spyware, and others. Anti-malware is software designed to detect and prevent malware from getting into your systems and stealing your data or preventing you from accessing it. Most anti-malware relies largely on 'signatures' to detect malware, so it must be kept up to date with the latest signature files to be effective. Use reputable anti-malware (anti-virus, anti-spyware) software and keep it up to date.

Keep your software up-to-date

Keep your operating system and all your application software up to date with the latest security patches. New security vulnerabilities are reported in software every day, which can be exploited by an attacker to gain access to your systems and data. The sooner you patch your software, the less window of opportunity there is for someone to exploit a vulnerability.

Be vigilant about your backups

One of the worst possible things that could happen to a business is losing all of its data to a system crash or ransomware attack. That's why it's so important to back up all of your data regularly. There are many cloud services you could use to back up your data so it's available to you from anywhere, or you can back up to a separate device, like a USB hard drive. If you are using your own backup device, keep it disconnected from the source device when you're not running the backup, so that ransomware on the source device cannot reach the backup. If you're not using a cloud service, keep a copy of your data at a separate location to protect against fire and theft.

Learn how to spot a fake

Know how to spot phishing and scam emails. Don't click on links or open attachments in email unless you're sure they're from a trustworthy source. Make sure all your staff are trained and aware of the risks from malicious attachments and dodgy web links.

Some things to look out for:

  • Incorrect spelling or grammar: legitimate organizations don't always get it 100% right, but be suspicious of emails with basic errors.
  • The actual linked URL is different from the one displayed: hover your mouse over any links in an email (DON'T CLICK) to see if the actual URL is different.
  • The email asks for personal information that they should already have, or information that isn't relevant to your business with them.
  • The email calls for urgent action. For example, "Your bank account will be closed if you don't respond right away". If you are not sure and want to check, go directly to the bank's website via the URL you would normally use, or phone them. Don't click on the link in the email.
  • The email says you've won a competition you didn't enter, have a parcel waiting that you didn't order, or promises huge rewards for your help. If it sounds too good to be true, it probably isn't true.
  • There are changes to how information is usually presented, for example an email is addressed to "Dear Sirs" or "Hello" instead of to you by name, the sending email address looks different or complex, or the content isn't what you would usually expect.
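The "displayed URL differs from the real link" check above can also be done automatically on an email's HTML. The following is an added example, not code from the original article; it assumes the email body is available as an HTML string and flags any link whose visible text looks like a web address on a different host than the one the link really points to. The sample email is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text that looks like a web address (scheme optional).
URL_RE = re.compile(r'(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}', re.IGNORECASE)

def host_of(url: str) -> str:
    # Lower-cased host name of a URL; a scheme is added if the text lacks one.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html: str):
    # Returns (visible text, real href) for links whose shown address
    # points to a different host than the href actually does.
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        m = URL_RE.search(text)
        if not m:
            continue  # plain text such as "click here" is not checked
        shown, real = host_of(m.group(0)), host_of(href)
        if shown and real and shown != real:
            out.append((text, href))
    return out

# Constructed sample email: one honest link, one whose visible address lies.
SAMPLE_EMAIL = """
<p>Dear Sirs, your account will be closed unless you act now.</p>
<a href="https://example-bank.com/help">https://example-bank.com/help</a>
<a href="http://example-bank.com.example.net/verify">https://www.example-bank.com/login</a>
"""
```

Run `find_mismatched_links(SAMPLE_EMAIL)` to get the one misleading link; links with non-address text such as "click here" are not flagged and still need the manual hover check.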

Invoice fraud by email

Invoice fraud has probably been around since the day after invoices were first invented, but the internet means fraudsters can now target you from anywhere.

The New Zealand building industry and their customers were recently targeted for invoice fraud, by hacking the email accounts of builders. The fraudsters found recently sent invoices in their mailboxes and made a copy of them, updating the payment bank account numbers. They then sent another email to those same customers with the modified invoice attached, and some excuse in the email for why the customer now needed to make payment to a different (fraudulent) bank account.

If you ever receive an invoice with a new payment bank account number, confirm with the sending business that the bank account details are really theirs before paying. Do not use email to do this; instead, make contact by phone or in person, using contact details you already hold rather than any given in the email. If you're sending invoices by email, you should have 2FA enabled on your email account to help prevent this type of fraud.