How SMEs can Improve Cybersecurity for their Customers
How can small teams protect themselves when resources are low and other projects are vying for immediate attention? In this piece, we highlight three areas where startup and small business leaders can invest their time and money to secure their sensitive data and safely grow.
1. Secure your users from the start.
From the moment you begin hiring, safely and easily managing access to your technical systems becomes a challenge. Yet the pace of startup growth and the looming chance of failure can make it difficult to spend time on credential management.
A lack of a strong user management and authentication system, however, can sink you.
Verizon’s annual Data Breach Investigations Report found that 63% of confirmed breaches involved weak, default, or stolen passwords. A bad password doesn’t threaten just a single account. If users reuse passwords, one compromised account can lead to the compromise of many other devices and systems.
2. Plan your response to attacks.
Unfortunately, with data breaches on the rise, you can’t afford to not plan ahead.
In 2017, the startup Kickico found itself unprepared. They endured a wave of distributed denial-of-service (DDoS) attacks as hackers spoofed their site, cloned their platform on GitHub, and readied the clone to fool potential users once the original site went down. Luckily, the hackers appeared to run out of funds to keep up the DDoS attacks, and GitHub promptly responded to Kickico’s request to block the attackers.
Kickico wasn’t ready, and admitted “We did not realize such a small and inconspicuous company without huge PR actions [would] attract any attention.”
Many startups are ill-prepared, and subtle attacks can take much longer to detect. One study found that over two-thirds of companies took months or longer to discover a breach, even though those breaches took mere minutes to accomplish.
Startups can build in preparedness with tools that offer breached password notifications, so that you know about leaked credentials instantly, and can even lock out users until they reset their passwords.
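As an added example (not code from the article or from any particular vendor), here is the breached-password check and lock-until-reset policy the paragraph describes. It hashes the candidate password with SHA-1, sends only the first five hex characters to a range lookup (the k-anonymity pattern used by Have I Been Pwned's Pwned Passwords API), compares the returned suffixes locally, and locks the account until the user picks a password that is not in the breach corpus. The corpus, the `range_lookup` stand-in and the `UserStore` class are constructed for the example.

```python
import hashlib

# Constructed breach corpus: SHA-1 hashes of passwords assumed to have leaked.
# A real deployment queries a breach-notification service instead of this set.
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "letmein", "qwerty")
}


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent out and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix):
    """Stand-in for a range query: every breached suffix sharing this prefix.
    Only the prefix leaves the application; the full hash never does."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def password_is_breached(password):
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in range_lookup(prefix)


class UserStore:
    """Minimal account store showing the lock-until-reset policy."""

    def __init__(self):
        self.locked = {}  # username -> reason the account is locked

    def on_login(self, username, password):
        """Called after the credentials verify. Returns 'ok' or 'locked' (reset required)."""
        if password_is_breached(password):
            self.locked[username] = "breached password: reset required"
            return "locked"
        return "ok"

    def on_password_reset(self, username, new_password):
        """Refuse a new password that is itself in the breach corpus; otherwise unlock."""
        if password_is_breached(new_password):
            return "rejected"
        self.locked.pop(username, None)
        return "reset"
```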
3. Guard against web-based attacks.
Your website is like your company’s front door, yet hackers have thousands of ways in. Forty-nine percent of cyber attacks are web-based, and 44 attacks per day strike the average small business site.
Web security depends on more than the connection between two entities. Data goes through third parties to get where it needs to go, so authentication at all stages is central to secure communication.
If the right communication protocols aren’t set, transmitted information can become vulnerable to so-called man-in-the-middle attacks. HTTP, an application protocol you’ve likely seen in many URLs, is historically focused on sending information, not securing it.
HTTPS, a newer protocol with security built in, makes attacks much harder to accomplish. HTTPS adds Transport Layer Security, or TLS, which ensures a client is only communicating with the expected server and that all data passed between is encrypted.
Using an HTTP Strict Transport Security, or HSTS, header reinforces HTTPS across your web application by telling browsers your site can only be accessed through HTTPS. Even if users have an older HTTP address bookmarked or type http://, an HSTS header forces browsers and applications to use HTTPS instead. Hackers won’t be able to read the encrypted information, steal your site’s cookies, or force a redirect to a spoofed site.
Auth0 enforces HTTPS connections to all of its services, which means any non-HTTPS connections will be upgraded.
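The two mechanisms described above, upgrading plain-HTTP requests to HTTPS and sending an HSTS header, as an added example (not code from the article or from Auth0): a small WSGI middleware that redirects `http://` requests to the same path over `https://` and adds `Strict-Transport-Security` to HTTPS responses, plus a parser to check that a deployed header actually carries a policy long enough to matter. The one-year `max-age`, the host names and the `hello_app` origin are assumptions made for the example.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; assumed policy

def parse_hsts(value):
    """Parse an HSTS header value into max_age (int or None) and includeSubDomains."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def hsts_is_effective(value, min_age=31536000):
    """True when max-age is at least min_age (a year by default); a short max-age lapses."""
    max_age = parse_hsts(value)["max_age"]
    return max_age is not None and max_age >= min_age

def enforce_https(app, hsts_value=HSTS_VALUE):
    """Wrap a WSGI app: redirect http:// requests to https://, add HSTS to HTTPS responses."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Upgrade instead of serving: same host and path, over HTTPS.
            location = "https://" + environ["HTTP_HOST"] + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS, so add it on this path only.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", hsts_value))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)
    return middleware

def run_request(app, scheme, host, path):
    """Drive a WSGI app with a constructed request; return (status, header dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def hello_app(environ, start_response):
    # Constructed origin app standing in for the real site.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```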
Startups have to use their limited resources judiciously, but just as a new restaurant wouldn’t skimp on locks, startups shouldn’t ignore these web security best practices.
Security on day one
Poor cybersecurity is technical debt. Security shortcuts can keep a company moving but compound over time, eventually becoming expensive burdens. You can wait on establishing good cybersecurity procedures, but hackers won’t. The longer you take to make security a priority, the harder it’s going to be to retroactively protect yourself.
Cybersecurity is an investment in the sustainability of your company. Growth without cybersecurity best practices in place is growth for the benefit of hackers seeking a big payout.
Start by addressing one of your primary vulnerabilities: identity. With an outsourced provider like Auth0, you can scale security with user growth, form an informed threat response plan, and build a secure login environment. Investing in security early will keep you safer and better-informed when it matters most.