Today we’re talking about the top cybersecurity risks to online businesses in 2022.
Cybersecurity is usually associated with big businesses with a network, the traditional IT department, and all the associated infrastructure.
Much of what is written and advice given focuses on protecting this infrastructure first.
As a smaller business or a startup, it seems like there isn’t much risk to your business if it doesn’t look like a business with traditional IT.
However, this isn’t the case.
While the traditional IT risks may not be present in your online business, many other risks still exist, along with some new ones because of how online businesses operate.
These are the risks we’re going to touch on in this episode.
Without further ado, let’s look at our top cybersecurity risks to online businesses in 2022.
3rd parties and vendors
Many smaller businesses and startups are increasingly reliant on 3rd parties and vendors. A lot of this comes in the form of software-as-a-service or SaaS offerings.
These types of services are where a company creates a software application and then offers a license over the Internet for a subscription. Services like Stripe, QuickBooks Online, or Dropbox are examples of software-as-a-service companies.
The benefit of using these services is that you don’t need to install the software on your computer or server, maintain its updates, or secure it.
The downside here is that you don’t control how well the software and the network it runs on are secured. It’s possible the software-as-a-service company’s cybersecurity won’t be acceptable to your business, and it’s also possible that the company won’t have any cybersecurity at all.
There is also the downside that the software is now available on the Internet instead of only being accessible on your computer desktop. Anyone who knows or can guess your username and password can access your account and data.
That brings us to our second risk.
Protecting your accounts
Everyone these days has a multitude of accounts everywhere. Compound that with the rise of software-as-a-service offerings, and for a smaller business or a startup, the number of accounts can skyrocket when each piece of software you use requires its own username and password.
It’s also common to deal with this multitude of accounts by using the same username and password everywhere and making that password nice and straightforward. Unfortunately, this is going to do you more harm than good.
It’s essential to treat these accounts like they’re the only thing standing between a hacker and your business (because sometimes they are) and use all means available on each account to protect them. If they protect sensitive information, it is especially worth the effort to go a bit further to ensure that your account is safe.
The basics are the things that need to get done. If you took a page from cybersecurity 20 years ago, these are the things that would have been sufficient to protect your business. Now, they’re the absolute basics and lay the foundation for good cybersecurity in your business. These are things like:
- Using strong passwords and storing them in a password vault.
- Enabling MFA (multi-factor authentication) everywhere.
- Installing and using a good antivirus.
- Learning how to detect phishing emails.
- Keeping your computers and devices patched and updated.
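As an added example (not from the original episode), the script below audits a constructed password-vault export for the two account risks described above: the same password reused across several SaaS accounts and accounts still lacking MFA. The column names and the 12-character length threshold are assumptions; real vault exports differ.

```python
# Added example: audit a vault export for reused passwords, short passwords,
# and accounts without MFA. Findings list account names only, never secrets.
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are an assumption.
SAMPLE_EXPORT = """\
account,username,password,mfa_enabled
stripe,owner@example.com,Summer2022!,yes
quickbooks,owner@example.com,Summer2022!,no
dropbox,owner@example.com,Summer2022!,no
github,dev@example.com,x7#Vq9!mLp2&zR4wTn,yes
mailchimp,marketing@example.com,password1,no
"""

MIN_LENGTH = 12  # assumed policy threshold for a "strong" password


def audit_vault(export_text):
    """Return sorted findings: reused-password groups, short passwords, no MFA."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group accounts by the exact password they share.
    groups = defaultdict(list)
    for row in rows:
        groups[row["password"]].append(row["account"])
    reused = sorted(accts for accts in groups.values() if len(accts) > 1)

    weak = sorted(r["account"] for r in rows if len(r["password"]) < MIN_LENGTH)
    no_mfa = sorted(
        r["account"] for r in rows if r["mfa_enabled"].strip().lower() != "yes"
    )
    return {"reused": reused, "weak": weak, "no_mfa": no_mfa}


if __name__ == "__main__":
    findings = audit_vault(SAMPLE_EXPORT)
    for group in findings["reused"]:
        print("same password shared by:", ", ".join(group))
    print("shorter than policy:", ", ".join(findings["weak"]))
    print("MFA not enabled:", ", ".join(findings["no_mfa"]))
```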
Why are these on our list? Because it has become common to ignore them, either because they’re considered basic and ineffective or because there must be a more sophisticated, flashy thing that can do a better job.
While you may think the basics are just that, basic, consider these statistics:
- Weak or reused passwords cause 80% of data breaches. (1)
- 80% of companies who had a data breach could have prevented it by patching on time or doing configuration updates. (2)
- 47% of the time, phishing emails are successful. (3)
- Ransomware remains the most prominent malware threat. (4)
If we all had these basics done and dusted, these statistics wouldn’t be as alarming, would they?
Protect What You Collect
Whether through data breaches or ransomware, attackers steal a lot of data from companies.
This increasingly points to the fact that the data we collect is poorly protected and that we need to do more to protect it.
This goes for both the data we collect and store on our computers or servers and the data that 3rd party services collect on our behalf.
It’s common for us to see the situation where everyone in the business has access to all the services the business uses and all the data the business has collected.
This overly permissive access widens the set of people whose access could end up breaching the data, adding unnecessary and easily avoidable risk.
Secure coding and development
We talked about the security of 3rd party services; the same should be required of your services, too.
Secure coding is the practice of writing software that is free of vulnerabilities.
An attacker can use vulnerabilities to compromise the application and take control of it, take direct control of a device, or gain an access path to another device.
Employing secure coding and development reduces the risk of an attacker using a vulnerability you’ve accidentally introduced into your software to compromise it and do any of several things, impacting not only your business but that of your customers, too.
All right, so those are the four strategies that we are employing this year and the ones we think will make the most impact for the investment to protect your business in 2022.
Let us know what you think of these. Are you going to work on any of these risks in your business this year? Are there any risks you feel apply to all online businesses that weren’t on our list?
- (1) https://www.crn.com/news/channel-programs/logmein-poor-or-reused-passwords-responsible-for-83-percent-of-breaches
- (2) https://heimdalsecurity.com/blog/software-patching-statistics-practices-vulnerabilities/
- (3) https://dataprot.net/statistics/two-factor-authentication-statistics/
- (4) https://www.varonis.com/blog/ransomware-statistics-2021