Top 5 security tips for your digital business in 2024


The elephant in the room of security is growing each month, and even small businesses with a digital presence are starting to take notice. It’s great to see more businesses taking security seriously, but the number of options available can be overwhelming. As a small business that relies heavily on our digital presence, we recently updated our security policy and wanted to share some tips based on our current practices. 

If you’re looking to keep best practices and don’t know where to start, take a look through our window into what a small business like ours can do. Stay safe out there! 

1. Use a password manager and share passwords properly

  • It’s important to decide the best password approach for your business and then particular tools. For example, sharing a login via a password manager tool makes it very easy to update when team members leave, but having individual logins can help give better visibility on activity. If you opt for individual logins, just make sure you have a process for removing them when a staff member leaves. And remember, deleting a team member’s physical email account is not the same as removing their access to all your various platforms.
  • Poor password quality is still the biggest risk we see day-to-day. You can learn more about password quality in this article, but the TL;DR is that any password that is reused or not automatically generated puts you at a much higher risk of being hacked.
  • A password manager is great, but we often see them used to store insecure passwords, which defeats the point. If you have to pick between storing secure passwords in a Google Sheet for your staff to access (as long as their Google account passwords are secure) vs paying for 1Password but using it to store something like websitename2024, go for the Google Sheet!
  • A password manager does make it easy to store 2FA code generators and control access (some let staff log into websites without ever having access to the actual password meaning it can’t be saved elsewhere).
  • Did you know you can often store multiple passwords per account too? Remember that security question about your first car or favourite food? Pizza and Camry aren’t that unique – but if you treat the answer as a new, generated password, it will be much harder to breach.
  • Remember that sending login details by email is generally not secure. It’s best to send the password part separately through an end-to-end encrypted tool (e.g. WhatsApp, Signal etc.), or use a one-time sharing tool such as 1ty.me.

2. Have a verbal check for major financial transactions

  • For major transactions (e.g. deposits, withdrawals, changes of bank account details etc.), have a policy that someone will do an additional check.
  • A verbal check such as a phone call is best, but other ways are fine; just make sure the second check asks the right questions, e.g. reconfirms the bank details.
  • The main thing is that your team, customers etc know that you will NEVER ask for a deposit, withdrawal etc based on just emails. You need to spell this out very clearly to all parties. Consider adding this info to invoice templates and email signatures as a reminder.
  • Emails are very easy to hack and the business email compromise scam is growing each year. Scammers have been known to sit idle inside email accounts for months before attempting to intercept a transaction. At Tactic Lab we’ve seen a case where a lawyer’s email was hacked and the scammer sat monitoring various email correspondence for months until it came time to exchange bank account details with a client for a large cash transfer. They replied as the lawyer and simply gave the customer their own bank details instead of the real ones. By the time the mistake was identified, the money was already overseas and unrecoverable.

3. Don’t just get every type of security service/tool

  • It’s easy to think that you need a lot of tools for your security. That may be true for special cases as well as larger businesses. However, there are plenty of tools being advertised that you may not need, so think carefully about the use case.
  • The downside to having too many tools isn’t just cost: a very complicated security setup is harder to manage correctly, which makes you less secure.
  • There are a lot of ads for VPNs, but most digital businesses (especially small ones) probably don’t need one for browsing the internet, as long as you follow the other tips.
  • Similarly, you might not need a fancy antivirus over and above the one that comes with Windows, or MacOS’s own protection.
  • Physical devices that generate 2FA codes are great but that’s one more thing to lose, misplace etc. These are best to secure access to the most important assets such as your bank account.
  • Your business is only as safe as its weakest link, so it’s worth testing your team from time to time to make sure these tools and processes are being used properly. This is referred to as pen testing and can be done in-house or via a third party agency.

4. Think before you enter data into any website (especially AI)

  • It’s easy to forget this but any data you enter is transmitted to the website that is hosting the page! If you’ve just come across a new website, best to do some research first.
  • If you just need to create an account, by itself this has little risk especially if you use a password manager and generate a new password.
  • However, with the prevalence of AI “assistants”, people are getting used to asking questions that may be confidential or have customer data. We would strongly recommend never to enter anything private like that into any prompt, especially since these services are always going to be trying as hard as they can to use your prompts for further training – that’s the only way they can improve.
  • In most cases, once you’ve contributed information to an AI tool, you can’t take it back. So make sure your team knows what company information can and can’t be used in conjunction with AI tools.

5. Take more ownership of your insurance coverage

  • Have you checked recently that your business’s insurance policies explicitly cover you for a scam or hacking incident?
  • Insurance coverage has had to adapt to the significant and growing cost of cyber crime. Cyber security is not commonly covered without an explicit opt in, at an extra cost. Even with the extra coverage, they are putting much more responsibility back on the customer around cyber crime, insisting that you have decent processes and safety guards in place. For example, it’s common these days that your policy won’t cover money lost due to a phishing scam (if you were tricked into giving your information/money).
  • Likewise, most Professional Indemnity and Public Liability insurance policies (the ones that cover you for mistakes) have really cracked down on coverage for cyber crime.
  • Don’t assume that your insurer understands your specific situation or coverage needs. We’ve seen lots of cases of cyber security policies whose security checklist is aimed at large companies with self-hosted servers, IT departments etc. These might not be geared towards the type of cloud-based storage and processes that a smaller org probably uses. Sometimes it’s good to engage an insurance broker to help you find the policies that are best suited to your business. Their costs are usually covered by the insurers and often they can negotiate a better deal for you on your premium.
  • When estimating your risk and coverage, don’t ask “what’s the most that a hacker could steal from me by hacking me?” as that might underestimate things, especially if you don’t have huge cash reserves. Instead, ask “what’s the most that a hacker could steal from my customers if they hack them by hacking me?” For example, sending out fake invoices from your accounting system. That’s going to give a higher, scarier number, but if your security is lax, that’s what you might be liable for.
