Keeping Your Small Business Secure

-1- www.namecheap.com
Index

Keeping Your Small Business Secure 3

A Short History of Online Security 4
  The 1990s Network Effect 4
  Vulnerabilities on the Edge 4
  New Millennium, New Threats 5
  Distributed DoS Attacks 5
  The Rise of the Botnets 5
  Ransomware 6
  Cryptocurrency Mining 6
  Identity Theft 6

What Might the Future Hold? 7

The Most Common Attacks 8

Key Areas to Safeguard 9
  Logins 9
  Banking 9
  Web hosting 10
  Domain Name System (DNS) 10
  Public Wi-Fi and VPNs 10
  Detection and Response 11
  Recovery 11
  Communications 11

Final Sanity Check 12

Conclusion 12

“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
Stéphane Nappo, Technologist

A successful security breach is like a fire in a factory or a tornado hitting a warehouse. It
is potentially devastating and it takes strong nerves and good preparation to survive one
without getting too badly hurt.

To make matters worse, the threats always seem to be growing as we become more and
more reliant on our technology. Organized cybercrime is now bigger than the drug trade.
It’s a diversified industry worth billions of dollars a year, causing more than a trillion dollars
in damage. The typical loss from a successful ransomware attack, for example, runs into the
hundreds of thousands of dollars — as reported by CNBC1.

It’s not just big business that’s being targeted, either. In 2018, 43% of cyberattacks hit small
businesses, according to the 2019 Verizon Data Breach Investigations Report2. That number
continues to grow, and so do the threats. 400,000 new malware samples are created each
day, and thousands of new vulnerabilities are discovered each year.

We now have to successfully guard against millions of attempts, and an attacker only has to be right
once. And once every 20 months an attacker will be right, on average. The consequences could be
truly devastating, with 60% of small businesses affected shutting down within six months of being
victimized (CNBC).

Luckily, there are things you can do to greatly increase your chances of being in the other
40%. But before we explore all your options, let’s look at how we got here.

1 https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-...
2 https://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/

A Short History of Online Security
The first viruses were created when computers weren’t as interconnected as they are now.
They often traveled by diskette, attached to ‘cracked’ software. The first antivirus programs
were written to detect and disable specific known threats. The arms race had begun.

THE 1990S NETWORK EFFECT


With the rise of poorly secured corporate networks and email in
the 1990s, malicious payloads started to spread far and wide. This
could range from displaying pop-ups for scam sites to stealing confidential information.

The cybercriminals kept finding vulnerabilities in the new digital tools. They also exploited the
unsafe ways people went about using them. This meant the new breed of antivirus software
had to scan and decontaminate things like files, spreadsheets, and even screensavers.

VULNERABILITIES ON THE EDGE


As technology evolved, businesses came to rely on always-on connections to the Internet in
order to communicate and trade with the world. This automatically exposed them to more
mischief coming into their networks from the outside.

These outside threats led to the birth of firewalls to block unwanted traffic, and to Internet
Service Providers (ISPs) having to cope with denial-of-service (DoS) attacks — which deluge
corporate web and email servers with traffic meant to knock them offline.

NEW MILLENNIUM, NEW THREATS
In 2000, the ILOVEYOU worm spread to tens of millions of computers by exploiting
weaknesses in Microsoft programs and naiveté on the part of email users. Although the
malware cost billions of dollars in lost productivity, its creators didn’t reap any benefits. But
the serious cybercriminals of the new millennium were not going to abide by that pattern,
and these threats are still very real today.

DISTRIBUTED DOS ATTACKS


A simple denial-of-service (DoS) attack coming from a single computer can give a small
server the equivalent of a bad cold. A distributed DoS or DDoS attack might involve hundreds
of thousands or even millions of computers, and can overwhelm a corporate domain or
a cloud storage provider with connection requests — a condition more like an influenza
pandemic.

Whether the attackers are extortionists or disgruntled employees, if their DDoS attack takes
down services you rely on, it can hurt your production, your sales, or your visibility. Recent
targets of big DDoS attacks have included:

- Code-sharing platform GitHub in 2018
- Security and content delivery network CloudFlare in 2014
- Anti-scamming non-profit Spamhaus in 2013

THE RISE OF THE BOTNETS


The 2000s also saw the rise of stealthy coordination techniques that allowed pirates to
harness big pools of infected machines into huge botnets. Some have tens of millions of
computers under their control, sending billions of pieces of spam per day or launching
massive denial-of-service attacks.

Botnets today are still expanding via email and compromised web traffic, thanks to insecure
client software and unfortunate antivirus and network configurations. Today’s botnets can
even be involved in the types of cyber damage that have come to dominate the headlines in
the 2010s, i.e. ransomware and cryptocurrency mining.

RANSOMWARE

Ransomware takes the cake when it comes to scariness. Imagine, all of a sudden, all your
important files are completely unreadable, and your programs unusable. A piece of malware
that somebody downloaded and inadvertently ran has encrypted your disks. You learn
through a popup that the person behind the attack is willing to sell you the key in exchange
for the transfer of a few bitcoin.

How do you know that you can trust them to actually restore full access to your disks? Law
enforcement and security experts strongly advise against paying the ransomware demands.
The hope is that in the long run, this will discourage the extortionists. However, in reality,
some victims have gone the route of negotiating down the payment and shelling out.

CRYPTOCURRENCY MINING

Cryptocurrency mining is more of a nuisance than a catastrophe for the victim. Here,
infected machines are made to run invisible programs that solve the mathematical
calculations that verify the integrity of the cryptocurrency accounts. As a reward, the “miner”
gets paid some amount of the cryptocurrency.

A lot of viruses make your machines do work for others, whether it is by sending spam, running file
servers or simulating web ad traffic. Usually, computing power isn’t the only resource they’re after.
An untarnished IP address will help bypass spam blacklists or file-transfer restrictions. Unauthorized
cryptocurrency mining doesn’t even care about that. It is electricity theft in its purest form.

IDENTITY THEFT

It’s not just individuals who can have their identity stolen. The number of business identity thefts is also
on the rise according to the National Cybersecurity Society (NCSS). Small businesses are particularly
at risk due to the lack of established security controls. They may also have plenty of information freely
available online, such as company directors, financial results, and business numbers.

The ways attackers can target you are also varied and require vigilance. They can range from
setting up rogue Wi-Fi hotspots around offices, to phishing email scams, and sending fake
‘company’ emails asking for financial information.

E-commerce businesses of all sizes are also increasingly at risk from individuals using stolen
or fake IDs to purchase goods. The threat of credit card chargebacks, and the merchant fees
and fines that can come along with them, can become a real headache.

Many credit card processors and fraud prevention tools automatically flag suspicious
transactions, but these can often take an overzealous approach — losing you legitimate
sales. There are some newer innovations, however, such as validation.com, which are
now employing new types of technology to quickly check customer ID more thoroughly,
weeding out the fraudsters without blocking genuine customers.

“Small business identity theft — stealing a business’ identity to commit fraud — is big
business for identity thieves.”
Mary Ellen Seale, NCSS CEO

What Might the Future Hold?
Thanks to how much of our businesses are now widely connected, the scale of the rewards
keeps going up for the criminals. The global black markets in cracking websites and the
exchanges where the fruits of cyber-crime can be bought and sold are efficient, self-
organized, and responsive to market trends.

Hackers will keep probing new online platforms for weaknesses. They will keep testing
new communication tools for security holes. They will also keep trying to get into the new
connected devices. And they will continue to beat the well-intentioned security researchers
on the other side in the race to find the vulnerabilities.

Here are some well-known technologies that have been exploited in the last year or so3 alone:

- Apple FaceTime
- Facebook Messenger
- WhatsApp calls
- Google Chrome
- YouTube creator authentication
- Android phones

Internet-enabled devices are proliferating. From cameras to headsets, fridges to doorbells,
researchers have made it abundantly clear: many are vulnerable, designed with little thought
to security. They are a big, juicy target for inclusion into botnets.

This means both businesses and consumers will need to more seamlessly secure their
data, activity, whereabouts, and identifiable information. Your security will need to become
increasingly robust as connected technology becomes more woven into devices all around
us, such as Face ID technology, bio scanning, and other tools.

Small groups of motivated pranksters can now have a huge influence on commercial
or political outcomes through clever manipulation of social media. All it takes is some
elementary hacking skills and a loose interpretation of the terms of service. So it’s also a
good idea to keep private social media separate from your business’ as much as possible.

3 https://www.zdnet.com/article/the-scariest-hacks-and-vulnerabilities-of-2019/

The Most Common Attacks
Ransomware attacks and user-data breaches are the most publicized threats facing any
business connected to the Internet. They belong to the class of indiscriminate attacks
where your network is one target among millions because you just might have something
generically valuable:

- Credit card numbers that can be sold on the black market.
- Banking information that can unlock your business’s deposits.
- Business-critical infrastructure and data that can be held hostage.
- Computing resources that can be harnessed for building a botnet or mining
  cryptocurrency.

When you do a threat assessment for your company, however, look honestly at the possible
motivations for more specifically targeted attacks. These may include:

- Stealing your specific business secrets in order to gain a competitive advantage.
- Affecting availability in order to spread doubt among customers.
- Infiltrating or subverting communications channels to damage reputation.
- Revenge, as by aggrieved current or former employees.

It’s good to think through these angles to recognize your vulnerability to narrowly tailored
social-engineering approaches.

Key Areas to Safeguard
LOGINS

Login management, the simpler cousin of identity management, should rank near the top of
any security checklist, especially now that so many websites and merchants store customers’
card details for easy use. These ‘credentialed transactions’ now cover all aspects of
day-to-day business affairs.

This has brought systems like Two-Factor Authentication (2FA) into play, with many
companies now offering it as part of their login process. 2FA comes in different forms,
such as U2F (Universal 2nd Factor), TOTP (Time-based One-Time Password), and
OneTouch (SMS). But they all essentially offer customers an extra sign-in step on top of their
username and password.

If your business holds payment card details or sensitive information, you may want to enable
a form of 2FA. There are providers who can now offer simpler ways to set it up, and we are
likely to see more emphasis on it in the future.

If you are handling more than a couple of dozen users in house, or offering services to a
larger public, without already having at least one full-time IT person on staff, you will need to
start looking around. A qualified professional can help you implement security policies and
ACLs, manage nameservers and certificates, and meet regulatory requirements.

If you are a small team or solopreneur, however, who just wants to stay safe without sacrificing
the convenience of having your tablets, phones, and laptops constantly logged in to certain
apps, social media accounts, and vendors’ websites, then you’re in luck. The latest breed of
password managers from providers like Dashlane, 1Password, and LastPass take a real stab at
this problem and manage to be intuitive to use.

BANKING

Financial relationships are likely to be scrutinized closely if an attacker gets in undetected.
Volunteer Voyages, a one-person tour organizer in Oregon, took a $14,000 hit when hackers
impersonated them in emails to their bank.

The attackers who made off with more than $1 million from the account of Stuart Rolfe, a
Seattle businessman, went undetected for a long time because they only impersonated him
to his bookkeeper when his Outlook calendar said he was in a meeting, and then deleted
these communications before he would check his email again.

So make sure your procedures for taking money out of your accounts or for changing
account information are as secure as they can be. These days that means:

- Enabling 2FA, and removing devices and addresses no longer used for 2FA
- Adding a verbal passphrase or PIN for over-the-phone verification of large transfers
- Testing that the systems in place actually work
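The LOGINS section names TOTP as one of the common 2FA forms. The following Python example is added here for illustration and is not code from the whitepaper or from Namecheap. It implements the TOTP computation (RFC 6238, built on HOTP from RFC 4226) together with the two checks a server-side verifier needs and that the text does not spell out: a small time window to absorb clock drift, and a "last accepted counter" so a code that has already been used cannot be replayed. The base32 secret in the demo is a constructed value, not a real credential.

```python
"""Time-based one-time passwords (RFC 6238) built on HOTP (RFC 4226)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30,
                digits: int = 6, last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current period and `window` periods either side.

    Returns (accepted, counter). The caller persists the returned counter per user and passes
    it back as `last_counter`, so an already-used code is refused even inside the window.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue                                 # replay of a period already consumed
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):      # constant-time comparison
            return True, candidate
    return False, None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (the otpauth:// URI format)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore any stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed demo secret (decodes to b"Hello!\xde\xad\xbe\xef"); not a real credential.
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code, "accepted:", verify_totp(demo_secret, code, now))
```

The functions default to six digits and SHA-1, which is what most authenticator apps use; the RFC 6238 reference vectors use eight digits and can be reproduced by passing `digits=8`.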

WEB HOSTING

You have decided that you need a website with your own domain name. It remains a good
marketing decision. Choose a hosting solution that fits your needs and your budget, but also
look at what they offer in terms of security-related features.

All hosts will apply operating-system security patches to their servers promptly, which is a big
burden off your back. But beyond that, you should see if they offer easy-to-understand options for:

- Virus protection
- Firewalls
- Backups
- DDoS protection
- Spam filtering
- SSL certificates for encryption

DOMAIN NAME SYSTEM (DNS)

You also don’t want to risk attacks coming through your DNS, which is essentially the Internet’s
phonebook. It’s the system that actually connects people to the websites they’re looking for.
But it can also be a minefield of security risks, including Denial of Service (DoS) attacks and
Cache Poisoning — when visitors are sent to a fraudulent version of your website.

The company through which you register your domain should implement DNSSEC extensions
to make it harder to divert your incoming traffic or leave you open to attacks. All good
domain providers should offer a DNS with security features. It might also be worth investing in a
more state-of-the-art DNS service if you think your website is particularly at risk, to really amp
up your security.

PUBLIC WI-FI AND VPNS

As a small business owner, you may often work remotely, or have remote employees and
contractors who need to work on the go. This can mean using public WiFi, which can easily
be hacked. It’s possible you’ve logged in to a fake public WiFi (with a similar name to the
legitimate network) once or twice already. So let’s talk VPNs.

VPN stands for Virtual Private Network. It allows you to connect your computer to a private
network, creating an encrypted connection that masks your IP address to securely share data
and surf the web — protecting your identity online. Using a VPN can be an inexpensive and
secure method to access the internet from anywhere: your home office, a cafe, the airport, etc.
It provides secure communication between you and your employees, customers, and banks.

Sending private emails and presentations will remain out of the hands of hackers and
eavesdroppers. A VPN ensures your data, and that of your customers, remains private.

Connecting via a VPN protects your data as it travels from your laptop, tablet or cellphone. The
data is encrypted through a ‘VPN tunnel,’ and your ISP can no longer eavesdrop on your history
or data either. They can’t see your activity online since it’s routed through the VPN servers.

Anyone else trying to snoop through a hacked WiFi will only see you’re connecting through
a VPN, not your ISP, and cannot read your data. If they are able to get any of the data, it will
look like gibberish.

DETECTION AND RESPONSE

When you are choosing where to direct your cyber-security efforts and tailoring systems
to your company’s needs, the area where you have the most control is in the agility of your
response. At some point, an attacker will get in. What happens next?

- Identification of the problems: mode of attack, systems affected, data compromised
- Recovery mechanisms triggered
- Communications to staff, external users, partners, industry groups and regulators

On the technical side, there are two main questions: are you capable of identifying what has
happened? And what recovery mechanisms do you have in place?

Once you have established that a system has been infiltrated, do you have methods in place for
figuring out what the intruders have done so far? Have you frequently backed up all your data?

RECOVERY

Backups are essential to rebuilding your network if the worst should happen. All manner
of important customer or financial data can be lost, such as mailing lists and other vital
information. If a virus has attacked you, and you can’t restore everything cleanly, your
website or database could be out of action for days. The effect on a small business could
be catastrophic.

Just one hack, malware attack, or even an instance of simple data corruption can leave you
vulnerable. So it’s vital that you keep backup copies of important information, and back data
up regularly — failover servers sometimes fail too! Ask yourself, can I be back up and running
in less than a day? Or in less than an hour?

If you’d really just rather be getting on with growing your business, rather than looking over
your shoulder for the next attack, there are professional backup services you can use. Cost
will obviously be a big factor here. But also be sure to check providers for backup speed,
overall reputation, customer service, and make sure the service can integrate easily into your
current hosting or website systems.

Some hosting providers even include automatic backup with their services. So backups
simply happen automatically, and if anything goes wrong, your website just goes back in time to
the point before the breach happened.

COMMUNICATIONS

In extreme cases, and if your business is applicable, there is a public-relations aspect to the
response. This is not an IT function, which means the damage non-technical staff can do by
themselves is at its greatest here.

Prepare as much of this response in advance. Work out a communication plan that feeds
relevant information gleaned during forensics and recovery to the appropriate parties,
including mandatory regulatory disclosures and voluntary reports to the relevant infosec
industry groups — if applicable.

The worst-case scenario of all is customers leaving immediately due to bad communication
and ensuing distrust, especially for small businesses operating in fickle environments. So you
need to do all you can to limit this damage.

When customer data is wiped out, or account data is compromised, how do you break
that news? What is the proper balance to strike between common courtesy and legal self-
protection? The ideal would be documented procedures covering the most important
imaginable cases, verified by lawyers.
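The RECOVERY section asks whether you could be back up and running within a day, and warns that failover servers sometimes fail too. The only way to know is to run a restore drill: restore the backup somewhere safe and compare it, file by file, against what was backed up. The Python example below is added here for illustration and is not code from the whitepaper or from Namecheap. It records a SHA-256 manifest of a live directory, restores a copy, and reports files that are missing, modified or unexpected; the tiny file tree and the corruption it injects are constructed for the demo.

```python
"""Restore drill: record a manifest of the live data, then verify a restored copy against it."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):   # stream large files
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> List[str]:
    """Compare a restored tree against the manifest; return a sorted list of problems."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in sorted(manifest.items()):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(actual) - set(manifest)):
        problems.append(f"unexpected: {rel}")
    return problems


def restore_drill(corrupt: bool = True) -> List[str]:
    """Constructed drill: back up a tiny tree, restore it, optionally damage it, then verify."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "customers"))
        with open(os.path.join(live, "customers", "list.csv"), "w") as fh:
            fh.write("id,email\n1,alice@example.com\n")       # constructed sample data
        with open(os.path.join(live, "orders.db"), "wb") as fh:
            fh.write(b"\x00" * 1024)
        manifest = build_manifest(live)                        # taken at backup time

        restored = os.path.join(work, "restored")
        shutil.copytree(live, restored)                        # stands in for the restore step
        if corrupt:
            # Simulate silent corruption on the backup medium and a file that never made it.
            with open(os.path.join(restored, "orders.db"), "r+b") as fh:
                fh.seek(512)
                fh.write(b"\xff")
            os.remove(os.path.join(restored, "customers", "list.csv"))
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for line in restore_drill() or ["restore verified: no differences"]:
        print(line)
```

In practice the manifest is written alongside the backup (and kept off the network, as the checklist in the next section recommends), so that the restore can be checked even when the live system is the thing that was lost.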

Final Sanity Check
That may all seem quite overwhelming. So here’s a checklist of the main things you can do
to ensure your basic IT hygiene is done:

- Change default passwords to secure passwords
- Enable email encryption
- Educate your staff on common dangers
- Apply all updates that are compatible with your existing processes
- Run only what’s necessary. Disable unused services on workstations and servers.
- Mandate Wi-Fi Protected Access (WPA2) encryption on your wireless routers
- Shut down the ports you don’t need
- Keep a set of regular backups stored off your network
- Make sure everyone can still communicate if servers are unavailable

CONCLUSION
There are some things you can do yourself, and then there are some things you should hire
others to do for you.

As a rule of thumb, in a typical small organization, it takes about two hours a week to do the
IT support work needed for one user. This number is derived from studies by Workforce and
Gartner showing averages of about one full-time IT staff for 20 employees4,5. Further data
shows that of this IT support time, 5 to 10% should be dedicated to cybersecurity tasks6.

4 https://www.workforce.com/2003/02/06/ratio-of-it-staff-to-employees/
5 https://www.gartner.com/doc/2324316/it-metrics-it-spending-staffing
6 https://www.nuharborsecurity.com/information-security-staffing-guide

Given these proportions, for most small businesses it is perfectly rational to spend around 5
to 10% of their equivalent of IT personnel costs on outside security contracting. This comes
out to one hour of security consulting per month and per user.

Try to integrate a testing mentality into your thinking around IT rollouts and updates. Ideally,
qualified IT people would run sandboxed tests to validate OS or database upgrades, new
connected cameras, updated libraries, new cloud configurations, etc. But this is probably beyond
the internal technical capabilities of small, non infosec-oriented companies.

Nevertheless, it is useful to keep asking yourself how you could put a new component
through its paces. If you can think of obvious breaking points, maybe you can come up with
some ways of probing them before you push the component into your live business.

The benefits of testing also apply to the human links in the vulnerability chain. If you have
employees, run periodic simulated phishing attacks to see if they are staying alert to the
warning signs of fraudulent requests. Many security companies will be happy to organize
such phishing drills for you, and it doesn’t even cost that much.

As a small business, you should do exactly as much as you are comfortable doing. Enough to
ease your mind and put you in control of the cyber-security aspects within your reach. It is
easy to go very deep and to lose one’s balance. There is such a thing as worrying too much.
That’s why you have to prioritize. Learn about the risks in your context, factor in the total
cost of the solutions available, and implement those that make sense for your operation.

“As the world is increasingly interconnected, everyone shares the responsibility of securing
cyberspace.”
Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness
