A key theme of the recent Cybersecurity Nexus event in Washington, D.C. was the growing need for small and medium-sized businesses (SMBs) to adopt enterprise-like IT security best practices. In fact, SMBs might actually have an edge over the unrelenting competition they endure from larger enterprises because they are more proactive and nimbler in mitigating common IT security weaknesses. Recent data breaches have revealed that these issues can bring large conglomerates to their knees.

Five IT Security Best Practices for SMBs

To outfox rivals, security professionals should consider the five best practices we’ve outlined below to rise above the competition.

1. Don’t Trust Websites That Aren’t Protected by HTTPS

The easiest way to validate the authenticity of information displayed on a website is to confirm that the Hyper Text Transfer Protocol Secure (HTTPS) signifier appears at the beginning of the URL. If a site is not protected by HTTPS, you’ll need to make a conscious decision whether to trust or distrust its content.

In the fictional example below, a local webpage doesn’t include anything in front of the domain name for its URL. The term HTTP or HTTPS would normally have been shown at the beginning of the URL to indicate that the site’s owner and content could be verified. When neither is shown, insecure HTTP connections are the default, and you need to be particularly vigilant.

The information icon circled at the beginning of the URL can be left-clicked with a mouse to view details that highlight the following message: “Connection is Not Secure.”

We recently observed a major retailer’s website that exhibited similar insecure behavior. HTTPS was not enabled for its main e-commerce page and an information icon presented the same worrisome message that we illustrated in the fictional example above. If HTTPS protection had been enabled, a “Secure Connection” message would have been displayed along with the information icon.

When you view webpage content that hasn’t been verified, the information displayed on the page could be derived from unknown and unaffiliated sources. At a minimum, you need to enable HTTPS protection and proactively manage your own content to mitigate similar risks.


2. Don’t Trust Email Messages Marked With a Red, Unlocked Padlock

A quick test to determine whether information displayed in a Gmail email message is authentic is to check for a red, unlocked padlock icon.

In the picture below, a message is received by a Gmail account from another user who has opened a separate account with his or her internet services provider (ISP). A red arrow points to the unlocked padlock icon for this email and a message that reads “frontiernet.net did not encrypt this message” is displayed to the Gmail user.

Gmail implemented a basic encryption standard to verify whether an email retains confidentiality between messaging parties. However, if Gmail is not your email provider, the red, unlocked padlock icon is not an option for you and it may be difficult to determine whether a message is secure.

There are numerous email providers besides Gmail, and they all have their pros and cons. ISPs may even offer email as a free service to their customers. However, you need to be aware when confidentiality between messaging parties is not a priority. Do not arbitrarily trust a service provider to keep your message content private. You should research email providers’ commitment to security protection prior to implementing such solutions at your business.

3. Don’t Trust Third-Party Cookies

To determine whether a third-party cookie is capturing personal information without your consent, look for an advertisement pop-up for a product that’s unrelated to the webpage you’re visiting. The Federal Trade Commission cautioned that third-party cookies may develop a detailed history of the types of sites that you frequent for the sole purpose of delivering ads to you in this manner.

The fictional example below shows a local newspaper website that doesn’t include anything in front of the domain name for the URL. Without HTTPS, the owner of a website and its content cannot be verified. As such, insecure pages can enable unknown and unrelated parties to gather information about visiting users in the form of third-party cookies. In this example, the webpage boasts 83 cookies, many of which have no relationship with the newspaper’s publishing company.

By further researching the second cookie in the list from within the highlighted box in the picture above, the following details were uncovered.

The policy above describes the purpose of this particular cookie. Opt-out is required by visiting users, implying that personal information will be gathered from users without their consent.

Fortunately, most internet browsers include configuration settings that are set to block third-party cookies. You shouldn’t exclusively rely on webpage owners to protect your privacy. Instead, you should proactively block third-party cookies when you’re browsing the web and engaging in e-commerce.

4. Maximize the Value of Email

Email introduces entrepreneurs to the online world. It should be viewed as an asset and the lifeblood of day-to-day operations for SMBs like yours. Since you use it for practically every interaction with your clients, you need to be vigilant and protect the integrity of your email accounts.

An effective and professional email account is necessary to facilitate interconnectedness with your clients and partners. It also adds tremendous value by:

  • Enabling devices such as cellphones and tablets;
  • Creating profiles for your social media accounts and business channels;
  • Receiving online discounts and promotional offers;
  • Receiving product samples;
  • Streaming audio and video;
  • Enabling purchases and sales;
  • Providing e-receipts for brick-and-mortar shopping activities;
  • Providing notifications such as security incident alerts and critical software updates;
  • Facilitating renewals of licenses and contracts;
  • Interacting with financial institutions for banking or credit card relationships; and
  • Communicating with tax authorities regarding timely submission of federal, state and/or local taxes.

Since email has considerable value for SMBs, the growing theft of email accounts is not surprising. In fact, stolen email accounts are responsible for many of the most significant internet-based thefts.

Have I Been Pwned? is a great source of information about pilfered accounts. It enabled you to determine immediately whether your email account has been stolen. The site also contains a list of businesses that have fallen victim to significant internet-based theft.

Note that HTTPS appears at the beginning the page’s URL in the figure below. The information icon message indicates that the connection is secure and verifies the website owner’s name, Troy Hunt. Due to the level of security that this site exhibits, we regularly refer others here to learn more about IT security best practices.

5. Take Application Security Testing Seriously

If you develop your own applications to interact with employees, partners and clients, you need to adopt an effective application security testing program to protect valuable organizational data. IBM Security offers a convenient e-guide on the subject, titled “Five Steps to Achieve Risk-Based Application Security Management.” You can also register for a free trial of our IBM Application Security on Cloud solution and test-drive application security protection for yourself.

If you don’t develop applications on your own, you need to confirm that your providers routinely test their applications prior to production. You should also follow these proven IT security best practices to protect your valuable online reputation.

Learn More

Don’t let these IT security gotchas derail your business success. Instead, remain vigilant and gain a competitive advantage. For additional best practices, consult your local SCORE Association webpage or read this blog for additional tips about shopping online safely.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today