Cybersecurity is a big priority for everyone, and that includes small businesses. Because the space is ever-evolving, it can often feel hard to stay on top of the latest threats and the developments designed to keep your sensitive company and customer data safe.
We spoke to five successful small business owners from across Europe - Rudy Bandiera, co-founder of NetPropaganda; Hendrik Gottschalk, CEO of GetBaff; Carl Reader, author and small business champion; Barbara Labate, CEO of ReStore; and Juan Merodio, CEO of the TEKDI Institute - to find out what security concerns keep them up at night and how they try to reinforce cybersecurity best practice in their business.
What’s the most difficult thing about staying on top of cybersecurity?
Carl Reader: For me, and I guess many small business owners, the biggest issue around cybersecurity is actually fear. I think that fear comes from the intangible nature of attacks. When we think of security from a physical perspective, it is relatively easy to think about what you should and shouldn't do. We can visualise the doors that might be vulnerable to access, where the alarms should be placed, and how CCTV can help us identify any intruders. Cybersecurity feels a lot more abstract and both the attacks and the methods of protection are moving at some pace!
Rudy Bandiera: Bill Gates put it best when he said that most computer problems are actually sitting in front of the monitor. We, as people, tend to approach technology without necessarily considering the risks associated with it – such as using the same password on all services instead of making use of a password manager. Cybersecurity is undoubtedly a complex issue that needs a simple and unified solution to make devices safe.
Barbara Labate: In my opinion, it is the fact that there are always new threats appearing. While we tend to trust online platforms to save and protect our files, it’s always key to back your business’ data up.
Hendrik Gottschalk: There is a huge number of zero-day vulnerabilities. Keeping up to date with these can feel like a full-time job.
So, what do you think are the biggest cyber threats to your business and businesses in general?
Rudy: Those that affect all companies on the planet! Data theft is a big issue - in our case, it’s the threat of someone hacking our social media profiles. We pay close attention to this for the simple reason that all our work, our turnover and our credibility come from social media: if someone took possession of these accounts, we would lose everything.
Luckily we are super sensitive to this risk and prepared: I, for example, use Google Authenticator on all the social services I use. Even then, that risk still exists and is always present.
Juan Merodio: We too are regularly exposed to the threat of theft of private and customer information. It is something that happens to large companies known to everyone, but also to small businesses. The only difference is that when it happens in a small business, its impact is often less public - but the damaging effect for the business and its customers is the same.
Carl: My core businesses are all in the financial space, so the data that we hold is the most valuable thing to any potential cyber attacker. We regularly receive low-level attacks, such as 'director impersonation fraud' - where an attacker will email, perhaps with a cloned email address, asking for a bank transfer purporting to be a director. But these kinds of threats are fairly easy to detect and prevent by adapting our working processes and checks.
Hendrik: We also get a lot of phishing emails. Many of them look like they were sent from our CEO, which is especially dangerous because usually you open an email from your boss! To counter this, we have increased employee awareness to be more wary about downloading any attached files and to not click any links without double-checking their authenticity.
With the threat environment growing quicker than ever, how do you stay on top of cybersecurity?
Barbara: We regularly run penetration tests on our websites to check they are secure. We use companies who specialise in these tests to help us figure out if we have any vulnerabilities in our system.
Juan: Staff training in cybersecurity best practice can always be improved, but we are sure to convey to the team the importance of certain methods to increase the security of data and information. After all, bad practices can not only impact their own data but also that of the company and their colleagues.
What is your plan of action in a cybersecurity emergency?
Juan: Our security methodology is based around a preventive mindset, instead of a reactive one. We keep backups of the information that we use with a high frequency so in the case of a theft or blocking of information, we can recover it quickly and re-operate the affected systems – reducing the impact to our business and customers.
Rudy: We use the Cloud a lot, like everyone else, and we have two-factor authentication and backups all over the place. We never feel completely safe, since no one truly is, but we feel prepared enough and protected to sleep peacefully at night!
Do you ask your employees to regularly change their passwords for their work devices?
Carl: Yes, yes, and yes again! Thankfully it isn't a major issue as we have a few requirements built into the software settings on our server, compelling team members to change passwords, and to also set passwords on any mobile device (even if used in a BYOD - bring your own device - setting). One of the latest things that we have done in our business is that we have started to use password management tools to protect ourselves on a wider basis.
Have you noticed your employees using more of their own devices while working from home?
Rudy: Most of our employees use their own devices regularly. To manage this, we ensure that only a few people have access to business-relevant information or passwords. We change those passwords on a regular basis, using strong credentials, and share them via an encrypted password manager with access control.