Managing Small Business Cybersecurity During COVID-19

Small businesses are undertaking extraordinary changes during the coronavirus epidemic. They’re laying off staff, shifting their business models, and managing the challenges of remote work. The pace of the stay-at-home orders and the abrupt halt of the economy required small businesses to move quickly. States are in the midst of gradually reopening, but many smaller firms will continue to face significant challenges for the rest of the year and beyond. In addition to safety and health concerns, small firms are also facing cybersecurity risks.

Compared to enterprise-level firms, small businesses do not possess massive IT budgets to confront threats. Large firms have capital to weather business interruptions that might come from data breaches. Small businesses are already devastated during COVID-19 and can’t risk losing data and being offline for even a day. And there’s the PR hit that comes with a data breach event. A small firm likely cannot survive a breach, especially in the current economy where competition for dollars is at a premium.

Unfortunately, there are many bad actors out there. Hacking attempts are rising during the COVID-19 pandemic, as hackers prey on fear and uncertainty. To that end, here are three of the most persistent and damaging COVID-19 driven security threats for small businesses, along with some tips for mitigating the risks.

  1. Stop Malware in its Tracks

Malware encompasses spyware, viruses, trojans, and other tools hackers use to infect computers. The actual programs live in attachments and within software such as PDF viewers. Staff members must avoid downloading unapproved programs and understand the types of actions that can lead to malware.

The COVID-19 outbreak offers opportunity for hackers. For example, there’s malware embedded in some live maps of the virus’ spread. COVID-19 themed malware that wipes a computer clean is also circulating. Firewalls and anti-malware programs are a first line of defense for small businesses. These programs must use automatic updating for maximum protection so they can detect the latest threats.

Workers now operating from home are exposing their company’s data and networks. They’re using home Wi-Fi, and many are browsing non-approved or dangerous websites. Restricting search for remote workers is tricky but is possible through secure search engines. Secure search engines and communication platforms like GOFBA limit malware by stopping users from reaching suspicious sites, while still allowing them to access information that pertains to their jobs. Small business staff should also limit their information gathering about the COVID-19 pandemic to established news and health organization sites. Unknown sites offering pandemic “cures,” conspiracy theories, and similar content are likely filled with malware.

  2. Prevent Phishing

Phishing schemes are simple. A hacker creates a formal-looking email and sends it out to a large group of recipients. Their goal is for someone to open the email and either click a link or download an attachment. That simple action then launches malware which infects the person’s computer and the linked company network. The hacker then controls the firm’s data, encrypts it, and holds it for ransom.

The pandemic provides ample material for phishing schemes. Emails touting fake COVID-19 tests or miracle cures prey on people’s fear about the virus. Other emails pushing for donations to charities prey on people’s willingness to help, while directing money to fraudulent accounts. Many phishing emails mimic communications from local government agencies or the CDC, with official-sounding messages about pandemic news or recommended actions.

Small business workers must read about the dangers of such emails, and how to recognize fake and dangerous communications. The typical phishing email gives itself away with some clues:

  • Amateurish design with outdated graphics and feel
  • Unprofessional-sounding content with misspellings
  • Odd URLs that do not match the company/organization (users can hover their mouse on links to see the destination address)
  • The email asks the recipient to confirm personal information, such as “Enter your SSN to see if you qualify for free COVID-19 testing”
  • Messages that play on panic and suggest urgent action are very often phishing schemes

Remote employees need a better understanding about phishing emails and should err on the side of caution before clicking any links or attachments. Remind the employees that deleting the email is the safest move.
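As an added example (not part of the original article), the sketch below automates three of the clues listed above for an HTML email: a link whose visible text names one domain while its address points to another, a request for personal information, and urgent-action wording. The keyword lists, the `phishing_clues` function name, and the `example.*` domains are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword lists for illustration; tune them to your own mail.
PERSONAL_INFO = re.compile(r"\b(ssn|social security|password|bank account)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and the plain text of an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def phishing_clues(html_body):
    """Return the checklist clues found in one HTML email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    body, clues = " ".join(parser.text), []
    for href, shown_text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        m = DOMAIN_IN_TEXT.search(shown_text)
        shown = m.group(1).lower() if m else None
        if shown and host != shown and not host.endswith("." + shown):
            clues.append(f"link shows {shown} but goes to {host}")
    if PERSONAL_INFO.search(body):
        clues.append("asks for personal information")
    if URGENCY.search(body):
        clues.append("urgent-action language")
    return clues

# Constructed sample message; the example.* domains are placeholders.
SAMPLE = ('<p>URGENT: Enter your SSN to see if you qualify for free COVID-19 '
          'testing.</p><a href="http://health.example.net/form">www.cdc.example.org</a>')
print(phishing_clues(SAMPLE))
```

An empty result does not mean a message is safe; the checks only surface the clues above so a suspicious message can be set aside for a closer look.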

  3. Properly Manage BYOD

With a massive move towards remote work comes the need for laptops and phones to connect to work. Some firms provide employees with devices. Others use a BYOD, or “Bring Your Own Device” policy that allows employees to utilize their personal device to access work software.

There are multiple risks when employees use their own devices for work. Since they’re at home and comfortable with their phone and laptop, many users will engage in riskier searches and look at sites they’d never consider at the workplace. These sites increase exposure to malware, which then puts the connected company networks at risk.

Small businesses must take the time to implement personal device policies. This includes detailing how employees are accessing and storing company data. For example, are staff saving information to their laptops? Are they using unsecured cloud storage through Google or Dropbox instead of the corporate cloud? Do employees use strong passwords with two-factor authentication? What happens with data access when a remote worker leaves a company? A formal plan is essential for protecting both the company and the employees.

Companies must strike a balance during this work-from-home period. They need to protect their data through rules and processes while also giving staff enough flexibility to access needed information. There are also privacy considerations in play. Small business owners must understand that the employee’s family members are also using the home Wi-Fi, so there’s only so much control the owners can exert. A solid approach for remote workers is to create formal guidelines that include mobile device management software that automates updates, features virus detection, and gives employees limited control. The key is transparency, so that both the employee and employer are on the same page regarding expectations and rules. And as the pandemic eases in some areas, business owners must decide if workers can remain at home, need to come back to offices, or if they will adopt a hybrid approach.

Key Takeaway

During the pandemic, small business owners are pivoting while trying to retain good employees. Cybersecurity threats are an additional unneeded stressor for already strained companies. Thankfully, by following guidelines for remote workers and managing risks, firms can reduce the chances of a cybersecurity event and focus on making it through the crisis.