93 Small Business CyberSecurity Guide
So far in 2016, 11 million records have been compromised across close to 350 data breaches. Banking, finance, small businesses, and the startup sector suffer the most.
If we learned one thing, it’s that hackers aren’t stopping. Last year, attackers caused more than 8 hours of application and website downtime for several organizations. This year, it is getting worse.
Increased cloud adoption, frequent application changes, and limited security budgets in small companies all call for concrete steps to stop hackers. To make it easier for CEOs, CIOs, CISOs, and other professionals directly responsible for security, we have broken down the ways of securing the website into several categories.
Why Small Companies Should Learn About Cybersecurity
Although we have listed many ways to protect the business from hackers, it is critical to know why you need to go through this list first.
- 49% of hacking attempts target businesses.
- Startups and smaller businesses fail to recover from security lapses.
- Most businesses cannot afford separate security teams and hiring costs.
- There is an acute shortage of security professionals.
- Almost half of the companies suffering from cyber attacks blame competitors.
Here are the key points that business owners should think about.
- There are around 248,760 CEOs in the US; 28% have finance as their primary expertise, and tech or security expertise is minimal.
- 62% of CISOs think of information security as a cost, not a business enabler.
- 67% of companies have suffered from data loss recently.
What’s the point: Website security is not a key business area. It will never generate revenue, and most CEOs know little about it. Plus, they won’t spend millions, and then more time, to hire and train a team.
10 Ways You Should Rethink Security Measures
1. Securing the website and customers is less network security and more application security today. 70% of the cyber attacks happen on the application layer.
2. Application security is often misinterpreted as mobile app security by non-techies. Modern-day websites cannot run without apps that run on browsers. These apps enable everything from shopping to messaging. In simpler words, all modern websites run multiple web apps.
3. Data breaches, distributed denial of service, and even phishing attacks are more common in web applications than on the network or physical layers.
4. Last year, 86% of the tested websites had at least one serious security issue that allowed hackers to attack.
5. Even if your developers follow secure practices, there is no security guarantee. Open source website code, plugins, ongoing code changes, all bring in a possibility of new weaknesses.
6. Website scanning solutions are getting increasingly popular, as they are fast and cheap. However, scanning alone can be ineffective, as proficient hackers know how to hide their tracks.
7. Many security experts talk of the OWASP Top 10 as the ultimate protection guide. Unfortunately, more than a dozen new vulnerabilities are disclosed every year. These didn’t exist before.
8. Security is not a business enabler. It doesn’t earn money for the business. However, the average downtime cost of a website is $5,600/minute with the loss of productivity, recovery, and stolen information.
9. An average CEO finds OWASP and web application security difficult to understand.
10. 47% of developers do not have the authority to fix vulnerabilities.
What’s the point: The cybersecurity war front shifted to the application layer years ago, and most companies still do not know how to proceed. Even when weaknesses in web applications are found, it takes 1 to 4 months or more to fix them, for various reasons.
10 Power Tools to Find Problems in Smaller Company Infra
1. Web Application Scanning: Most new-age companies and startups prefer continuous web application scanning to find problems every hour. Whenever the code is updated or any other change is made, scanning finds possible hacking points and reports them based on severity.
2. Penetration Testing: Where automated tools fail, penetration testing wins big. A security expert tests the website in the same way a hacker would. This will help you find logic issues within apps that scanning misses.
3. Development Tests: The development cycle has a dedicated phase for testing, which also includes testing for security issues. With tight deadlines and quick changes, most companies overlook development testing today, which they shouldn’t.
4. SSL Checker: Many data breaches and hacking incidents also happen due to improperly secured browser-server communication. Having an SSL certificate does not by itself mean security; find out whether you have the right kind of certificate, capable of actually protecting the connection.
5. Security Bulletin: More than a dozen never-heard-of application weaknesses are found every year. The number is huge for CMS, software, and operating systems. It is important that your team knows about the most crucial ones. We have recently developed a page to solve the problem.
6. Apache JMeter: Run performance tools on your server every once in a while. Compare the reports frequently and flag performance issues to be investigated by the security team.
7. Downtime Notification: Businesses lose $5,600/minute of downtime. Talk to your developers, who can set up email notifications to top executives whenever the website goes down.
8. DDoS Alert Mechanism: Distributed denial of service attacks are common. A traffic surge ties up the server and crashes the website for real users. Indusface Total Application Security can provide counts of these attacks on its portal.
9. OWASP Sheet: If you have a dedicated security team, it is best to cover the OWASP sheet first. Find out if your apps are vulnerable to any of the OWASP Top 10 issues.
10. Mobile App Scanning: Mobile apps talk to the server the same way web apps do. So if there are OWASP weaknesses there, hackers can exploit them the same way. Find them. Patch them.
What’s the point: Knowing that there is a problem is half of solving it. Most companies do not know of the vulnerabilities and weaknesses in their website. Make sure that something or someone is keeping an eye on existing issues and on new ones that might arise.
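One way to build a basic traffic-surge alert of the kind described under the DDoS alert item, as an added example that is not Indusface's code or part of this guide: it parses Common Log Format access-log lines, counts requests per client IP in fixed 60-second windows, and reports any client whose count crosses a threshold. The log lines, IP addresses (from the RFC 5737 documentation ranges) and threshold are constructed for the example.

```python
"""Request-surge alert over web server access logs.

Added example (not Indusface's code): parses Common Log Format lines,
counts requests per client IP in fixed time windows, and flags clients
whose request count in a window exceeds a threshold. Sample log lines
below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)  # timezone-aware
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def surge_alerts(lines, window_seconds=60, threshold=50):
    """Return {(ip, window_start_epoch): count} for every window in which a
    single client sent at least `threshold` requests. Unparseable lines are
    skipped so one bad line does not stop the whole analysis."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        bucket = epoch - (epoch % window_seconds)  # start of fixed window
        counts[(rec["ip"], bucket)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def make_sample_log():
    """Constructed sample: one noisy client (203.0.113.7) sends 120 requests
    inside a single minute; two ordinary clients send a handful each."""
    lines = []
    for i in range(120):
        lines.append(
            f'203.0.113.7 - - [10/Oct/2016:13:55:{i % 60:02d} +0000] '
            f'"GET /login HTTP/1.1" 200 512'
        )
    for i in range(5):
        lines.append(
            f'198.51.100.4 - - [10/Oct/2016:13:55:{i * 10:02d} +0000] '
            f'"GET / HTTP/1.1" 200 2048'
        )
    lines.append('192.0.2.9 - - [10/Oct/2016:13:56:01 +0000] "POST /cart HTTP/1.1" 302 0')
    lines.append("garbage line that will not parse")
    return lines


if __name__ == "__main__":
    for (ip, bucket), n in sorted(surge_alerts(make_sample_log()).items()):
        start = datetime.utcfromtimestamp(bucket).strftime("%Y-%m-%d %H:%M:%S")
        print(f"ALERT {ip}: {n} requests in the 60s window starting {start} UTC")
```

The fixed-window count is the simplest useful signal; a production alert would also look at distinct-IP counts (a distributed flood spreads requests across many sources), error-rate changes and request cost, and would feed the result into the same notification path as the downtime alert in item 7 so that someone actually sees it.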
Stop Hackers and Prevent Attacks Using These 10 Ways
1. Web Application Firewall: Patching application issues is delayed and difficult. Use a web application firewall to block attacks continuously. It covers vulnerabilities and does not allow hackers to get into your apps and server.
2. Managed Web Application Firewall: Security experts say that a WAF is nothing more than a box if it is not updated and managed by a security expert. Use a WAF that’s smart and is updated regularly to block more than just OWASP issues.
3. Business Logic Flaw Blocking: Although this should be covered in managed protection, business logic flaws cannot be fixed or blocked until they are found first. You need penetration testing and then custom rules here.
4. Secure Sockets Layer Certificate: Get strongly encrypted SSL certificates for your website. No technology can replace browser-server security.
5. Layer 7 DDoS Blocking: Unfortunately, most automated WAFs cannot detect fake traffic surges that crash the server. You should either get a WAF that can, or invest separately in a DDoS blocking mechanism. Make sure that it’s not purely automated and offers security expert support.
6. Hire AppSec Guys: Most of the security budget goes to network and physical layer security. If you have an additional budget and the time to manage an appsec team, hire them. An average appsec team includes 3-6 people for penetration testing, WAF management, custom rules, and traffic analysis.
7. Fix Issues: Businesses take 193 days on average to fix serious web app issues. That’s over four months and enough for hackers. Finding and fixing problems is the best approach, though a highly difficult one.
8. Bounty Programs: Companies with deep pockets also like to host bounty programs, where they invite hackers to test the website and pay outrageous amounts for found issues.
9. Security Awareness: Surveys show most developers get failing grades at application layer security. Do we need to say more?
10. Server Updates: The Panama Papers leak revealed that the firm involved was using a 2-year-old CMS and server operating system. Keep the updates rolling. Half of the problems can be solved here.
3 Information Research Centers
1. You don’t have time to look at every vulnerability discovered somewhere in the world. Stay updated on the ones that matter most for your website. You can also subscribe to the bulletin.
2. For a simplified breakdown and effects of application security issues, you should subscribe to the Indusface Blog. Scroll to the end and add your email address.
10 Must-Have Security Bundle Tips for All Businesses
1. AppTrana: New-age companies opt for scanning, penetration testing, WAF, custom rules, and security expert support, all at once. Your website will not need anything else for appsec.
2. It acts as the complete application security solution with your own dedicated team to find and solve the problem.
3. Free Plan: A free 14-day trial gives a complete idea of how it works. That’s like $1500 worth of usage, 70+ hours of expert support, and no obligation to pay or buy.
4. In the trial period, you can measure the overall appsec difference in terms of attacks blocked, vulnerabilities found, and more.
5. What does it do: Take the free guided tour to understand what your website security is missing.
6. You can also read about it in detail here.
7. Research Team Backing: The Indusface Research Team works with 800 global companies and is continuously finding new issues and solving them. The point being, they already know how to detect an issue and block it from damaging your website.
8. DDoS Security: There is no way to detect complex DDoS unless the traffic is monitored by a security expert. Total Application Security gives you a feed of these attacks and their blocking status.
9. The Expert Angle: Made changes to the website and want to test them? Need custom rules to block attacks? Don’t understand something and need to call someone? Total Application Security covers that.
10. Simple Scan + WAF: For considerably smaller businesses, it is wiser to get web application scanning and web application firewall as a package that helps you detect issues and block hackers.