Our Articles

4 ways you could be putting your business' online security at risk

December 15, 2016

The Internet opens up small businesses to global markets and a wealth of opportunity, but it also puts you in contact with people whose intent is to harm your business. Avoidable security breaches are, sadly, a fact of life for many small businesses – in some cases the impacts of which are so severe that they can be put out of business entirely.

Without a team of security experts, you may feel helpless against such attacks – but that doesn’t have to be the case. Xero’s US President, Russ Fujioka, recently penned an article for Inc. where he shared some of the ways businesses are putting themselves at risk online and what they can do to rectify this.

You’re not paying close attention to email invoices

Both invoices you send and receive via email can pose a security risk for you and your customers. As Russ noted, this is not a new development.

“Invoice fraud has probably been around since the day after invoices were first invented, but the Internet means fraudsters can now target you from anywhere,” Russ said.

It’s important to take care even when paying an invoice to a longstanding supplier or vendor. As Russ emphasized, the New Zealand building industry and their customers were recently the victims of invoice fraud – with hackers attacking the email accounts of builders. After finding recently sent invoices in the builders’ outboxes, the fraudsters made copies of them and altered the payment bank account numbers. The modified invoices were then sent to the original recipients, along with an explanation as to why payment needed to be made to the fraudulent bank account.

This is an unfortunate lesson for businesses to confirm any invoice payment detail change with the sender. Doing so by phone or in person is more secure. You should also use two-factor authentication (2FA, 2SA, MFA) as it adds an additional layer of authentication to access your email account and helps prevent this type of fraud. This makes it much harder for an attacker to access your account, even if they get your password, as they don’t have the second factor.

You have poor password hygiene

Although you likely have strong relationships with your staff, it’s really important that you are vigilant with your passwords – that means not sharing login information with them. Russ elaborated that the more people who know a password, the greater the risk someone who shouldn’t have it will get their hands on it.

“You wouldn’t give someone the PIN to your ATM or credit card, so why would you let them know your passwords?” Russ said.

Good password hygiene also entails using strong, varied passwords for every service you use. Using the same password for every login means that a breach of one service can lead to access to all of those services.

To negate the difficulty of having to remember multiple unique passwords, consider using a password safe utility. This service gives you the ability to create a secure and encrypted list of passwords that can only be accessed with a “master” password. Again, using 2FA wherever it’s available will give you an added layer of security.

Your software is out of date

Russ wrote that small businesses should keep their operating system and application software up to date in order to make use of the latest security patches.

“New security vulnerabilities are reported in software every day, which can be exploited by an attacker to gain access to your systems and data,” Russ said.

The sooner the better as it minimizes the window of opportunity for someone with malicious intent to exploit a vulnerability.

Install reputable anti-malware (anti-virus, anti-spyware) software, and keep it up to date, to detect and prevent malicious software from getting into your systems.

You and your staff don’t know the traits of a fake email

By taking a critical eye to every email that comes into your inbox, you can ensure phishing and scam emails don’t get the sensitive information fraudsters are targeting. Russ recommended only clicking on links and attachments in emails if they’re from a trustworthy source.

“Make sure all your staff are trained and aware of the risks from malicious attachments and dodgy web links,” Russ said.

Typical traits of fake emails include: incorrect spelling or grammar, calls for urgent action, requests for personal information, the email is not addressed to you by name or advisory that you have won a competition you didn’t enter.

These are just a few relatively simple, yet effective, ways you can protect your business online.


Loading Conversation