A key theme of the recent Cybersecurity Nexus event in Washington, D.C. was the growing need for small and medium-sized businesses (SMBs) to adopt enterprise-grade IT security best practices. In fact, SMBs may have an edge over the larger enterprises they compete with, because they can be more proactive and nimbler in mitigating common IT security weaknesses. Recent data breaches have shown that these weaknesses can bring even large conglomerates to their knees.

Five IT Security Best Practices for SMBs

To stay ahead of rivals, security professionals at SMBs should consider the five best practices outlined below.

1. Don’t Trust Websites That Aren’t Protected by HTTPS

The easiest way to validate the authenticity of information displayed on a website is to confirm that the Hypertext Transfer Protocol Secure (HTTPS) signifier appears at the beginning of the URL. If a site is not protected by HTTPS, you need to make a conscious decision about whether to trust its content.

In the fictional example below, a local webpage shows nothing in front of the domain name in its URL. Normally, HTTP or HTTPS would appear at the beginning of the URL, and HTTPS indicates that the site’s owner and content can be verified. When neither is shown, the browser defaults to an insecure HTTP connection, and you need to be particularly vigilant.

Left-clicking the information icon circled at the beginning of the URL reveals details that include the message “Connection is Not Secure.”

We recently observed a major retailer’s website exhibiting similar insecure behavior: HTTPS was not enabled for its main e-commerce page, and the information icon presented the same worrisome message shown in the fictional example above. Had HTTPS been enabled, a “Secure Connection” message would have been displayed alongside the information icon.

When you view webpage content that hasn’t been verified, the information displayed could have come from unknown and unaffiliated sources. At a minimum, you need to enable HTTPS protection on your own site and proactively manage your own content to mitigate similar risks.
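As an added example (not code from the original post), the Python script below applies the address-bar rule described above to a list of URLs, treating a bare domain as the insecure HTTP default, and checks the defender-side requirement at the end of this section: that your own site redirects plain HTTP to HTTPS, presents a certificate that validates, and sends an HSTS header. The hostnames localnews.example and shop.example are constructed placeholders; `collect_site_facts` needs network access, while `classify_url` and `assess_site` run offline.

```python
"""Audit URLs for the HTTPS signal the address bar shows, and check a site's own HTTPS posture.

Added example, not part of the original article. Hostnames are constructed placeholders.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse


def classify_url(url: str) -> str:
    """Map a URL (or bare domain) to what the address bar would show.

    A bare domain with nothing in front of it gets the browser's default
    scheme, plain HTTP, which is exactly the insecure case the article warns about.
    """
    if "://" not in url:
        url = "http://" + url
    scheme = urlparse(url).scheme.lower()
    return {"https": "secure", "http": "insecure"}.get(scheme, "unknown")


def assess_site(http_status, http_location, hsts_header):
    """Judge facts collected about a site; returns a list of findings (empty is good).

    Pure function so it can be tested offline; the facts come from collect_site_facts().
    """
    findings = []
    redirected = http_status in (301, 302, 307, 308) and (http_location or "").startswith("https://")
    if not redirected:
        findings.append("plain HTTP is served without a redirect to HTTPS")
    if not hsts_header:
        findings.append("no Strict-Transport-Security header, so browsers will keep trying HTTP first")
    return findings


def collect_site_facts(host: str, timeout: float = 5.0):
    """Network: request http://host without following redirects, then https://host.

    The default SSL context verifies the certificate chain and hostname the same
    way a browser does, so a site with a bad certificate raises here instead of
    silently passing.
    """

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{host}/", timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")

    ctx = ssl.create_default_context()
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout, context=ctx) as resp:
        hsts = resp.headers.get("Strict-Transport-Security")
    return status, location, hsts


if __name__ == "__main__":
    for url in ["localnews.example", "http://shop.example/cart", "https://haveibeenpwned.com/"]:
        print(f"{classify_url(url):9} {url}")
    # Uncomment to audit a site you operate (network access required):
    # print(assess_site(*collect_site_facts("shop.example")))
```

Splitting the network fetch from the judgement keeps the rule set small enough to review: a site passes only when plain HTTP redirects to HTTPS, the certificate validates under the default context, and HSTS is present.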


2. Don’t Trust Email Messages Marked With a Red, Unlocked Padlock

A quick test to determine whether information displayed in a Gmail email message is authentic is to check for a red, unlocked padlock icon.

In the picture below, a Gmail account receives a message from another user who opened a separate account with his or her internet service provider (ISP). A red arrow points to the unlocked padlock icon for this email, and the Gmail user sees a message that reads “frontiernet.net did not encrypt this message.”

Gmail uses this indicator to show whether a message was encrypted between the sending and receiving mail services, and therefore whether it retained confidentiality between the messaging parties. However, if Gmail is not your email provider, the red, unlocked padlock icon is not available to you, and it may be difficult to determine whether a message is secure.

There are numerous email providers besides Gmail, each with pros and cons; ISPs may even offer email as a free service to their customers. Be aware, however, when confidentiality between messaging parties is not a priority for a provider. Do not arbitrarily trust a service provider to keep your message content private; research each email provider’s commitment to security before adopting it at your business.
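The red padlock reflects whether the message was encrypted in transit on its way to Gmail. For businesses that do not use Gmail, the same question can be answered from a message’s Received: headers, which record a protocol keyword for each hop (RFC 3848 keywords such as ESMTPS mean that hop used TLS). The Python script below is an added example, not from the original post; the message it parses is constructed, and the hostnames and addresses in it are placeholders.

```python
"""Flag mail hops that were not protected by TLS, from a message's Received: headers.

Added example, not part of the original article. The sample message is constructed.
"""
import re
from email import message_from_string

# RFC 3848 / RFC 6531 'with' keywords whose trailing S means STARTTLS was used on that hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: the sender's ISP accepted the message over TLS (ESMTPSA) and then
# relayed it to our MX in plaintext (ESMTP). Hostnames and addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from mail.example-isp.test (mail.example-isp.test [192.0.2.10])
        by mx.example.test with ESMTP id 4Abc123
        for <alice@example.test>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from laptop.example-isp.test ([198.51.100.5])
        by mail.example-isp.test with ESMTPSA id 9Xyz789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 09:59:58 +0000
From: Bob <bob@example-isp.test>
To: Alice <alice@example.test>
Subject: invoice

Please see the attached invoice.
"""


def parse_hops(raw_message: str):
    """Return the hops oldest-first, each as a dict: from, by, protocol, tls."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received: line, so the header list is newest-first.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold the header onto one line
        sender = re.match(r"from\s+(\S+)", text)
        relay = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        protocol = proto.group(1).upper() if proto else ""
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": relay.group(1) if relay else "?",
            "protocol": protocol,
            # Some MTAs omit the keyword and instead record the TLS version in a comment.
            "tls": protocol in TLS_KEYWORDS or "version=TLS" in text,
        })
    return hops


def unencrypted_hops(raw_message: str):
    """Hops that carried the message in plaintext. Only the lines added by servers you
    operate are trustworthy: anything earlier in the chain could have been forged."""
    return [hop for hop in parse_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{state:9} {hop['from']} -> {hop['by']} ({hop['protocol']})")
```

In the constructed sample the final hop into the company’s own MX is the plaintext one, which is the hop that a Gmail-style indicator would flag; a mail server you operate can require TLS on inbound connections and so close that gap for your own domain.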

3. Don’t Trust Third-Party Cookies

To determine whether a third-party cookie is capturing personal information without your consent, look for an advertisement pop-up for a product unrelated to the webpage you’re visiting. The Federal Trade Commission has cautioned that third-party cookies can build a detailed history of the types of sites you frequent for the sole purpose of delivering ads to you in this way.

The fictional example below shows a local newspaper website whose URL, again, shows nothing in front of the domain name. Without HTTPS, the owner of a website and its content cannot be verified, and such insecure pages can let unknown and unrelated parties gather information about visiting users through third-party cookies. In this example, the webpage carries 83 cookies, many of which have no relationship with the newspaper’s publishing company.

Researching the second cookie in the list, highlighted in the box in the picture above, uncovered the following details.

The policy above describes the purpose of this particular cookie. Visiting users are required to opt out, which means personal information is gathered from users who have not consented.

Fortunately, most internet browsers include configuration settings that block third-party cookies. You shouldn’t rely solely on webpage owners to protect your privacy; instead, proactively block third-party cookies when you’re browsing the web and engaging in e-commerce.
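As an added example that is not part of the original post, the Python script below performs the first-party versus third-party sorting that a browser’s “block third-party cookies” setting relies on: each cookie is attributed to the site that set it (its Domain attribute, or the host that sent the response) and compared with the site in the address bar. The page URL, response hosts and Set-Cookie lines are constructed; the registrable-domain helper is a deliberate simplification that takes the last two labels, where a real implementation would consult the Public Suffix List.

```python
"""Sort the cookies a page sets into first-party and third-party.

Added example, not part of the original article. All hosts and cookies are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its site, e.g. news.localpaper.test -> localpaper.test.

    Simplification: takes the last two labels. Production code should use the
    Public Suffix List so that hosts under suffixes such as co.uk are handled.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookies(page_url: str, responses):
    """Split cookies into (first_party, third_party) lists of (name, domain) pairs.

    `responses` is a list of (response_host, set_cookie_header) pairs: the host that
    sent the response matters because a cookie without a Domain attribute belongs to
    that host, not to the page the user is viewing.
    """
    site = registrable_domain(urlparse(page_url).hostname)
    first_party, third_party = [], []
    for response_host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = (morsel["domain"] or response_host).lstrip(".")
            bucket = first_party if registrable_domain(domain) == site else third_party
            bucket.append((name, domain))
    return first_party, third_party


# Constructed sample: a newspaper page that embeds an ad network and an analytics pixel.
PAGE_URL = "http://news.localpaper.test/story/123"
RESPONSES = [
    ("news.localpaper.test", "session=abc123; Path=/; HttpOnly"),
    ("news.localpaper.test", "pref=dark; Domain=.localpaper.test; Path=/"),
    ("ads.adtracker.test", "uid=7f3a9c; Domain=.adtracker.test; Path=/; Max-Age=31536000"),
    ("pixel.analytics-co.test", "vid=9c21e0; Path=/"),
]


def report(page_url: str = PAGE_URL, responses=RESPONSES) -> str:
    """Summary in the spirit of the article's cookie count, naming the outside parties."""
    first_party, third_party = classify_cookies(page_url, responses)
    outsiders = sorted({registrable_domain(d) for _, d in third_party})
    return (f"{len(first_party) + len(third_party)} cookies, "
            f"{len(third_party)} third-party from: {', '.join(outsiders)}")


if __name__ == "__main__":
    print(report())
```

The comparison is made at the site level rather than on exact hostnames, which is why the `pref` cookie scoped to `.localpaper.test` still counts as first-party while the analytics pixel’s host-only cookie does not.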

4. Maximize the Value of Email

Email is an entrepreneur’s entry point to the online world. It should be viewed as an asset and as the lifeblood of day-to-day operations for SMBs like yours. Since you use it for practically every interaction with your clients, you need to be vigilant in protecting the integrity of your email accounts.

An effective, professional email account is necessary to stay connected with your clients and partners. It also adds tremendous value by:

  • Enabling devices such as cellphones and tablets;
  • Creating profiles for your social media accounts and business channels;
  • Receiving online discounts and promotional offers;
  • Receiving product samples;
  • Streaming audio and video;
  • Enabling purchases and sales;
  • Providing e-receipts for brick-and-mortar shopping activities;
  • Providing notifications such as security incident alerts and critical software updates;
  • Facilitating renewals of licenses and contracts;
  • Interacting with financial institutions for banking or credit card relationships; and
  • Communicating with tax authorities regarding timely submission of federal, state and/or local taxes.

Given email’s considerable value to SMBs, the growing theft of email accounts is not surprising. In fact, stolen email accounts are behind many of the most significant internet-based thefts.

Have I Been Pwned? is a great source of information about pilfered accounts. It enables you to determine immediately whether your email account has been stolen. The site also lists businesses that have fallen victim to significant internet-based theft.

Note that HTTPS appears at the beginning of the page’s URL in the figure below. The information icon’s message indicates that the connection is secure and verifies the website owner’s name, Troy Hunt. Because of the level of security this site exhibits, we regularly refer others here to learn more about IT security best practices.
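An added example, not from the original post: the Python script below automates the Have I Been Pwned check for a business’s mailboxes using HIBP’s v3 breachedaccount endpoint. The endpoint URL, the hibp-api-key header requirement and the 404-means-no-breach convention come from HIBP’s published API documentation; supplying the key through the HIBP_API_KEY environment variable is an assumption of this script. The sample response and the address alice@example.test are constructed so the judgement logic runs offline.

```python
"""Check whether an account appears in known breaches, using Have I Been Pwned's v3 API.

Added example, not part of the original article. The sample response is constructed.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"


def fetch_breaches(account: str, api_key: str, timeout: float = 10.0) -> str:
    """Network call to the breachedaccount endpoint. Returns the JSON text, or "[]"
    when HIBP answers 404, which is how it reports an account found in no breach."""
    url = HIBP_BREACHED_ACCOUNT + urllib.parse.quote(account) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,                # required by the v3 API
        "user-agent": "smb-breach-check/1.0",   # HIBP rejects requests with no user agent
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "[]"
        raise


def summarize(json_text: str):
    """Pure function over the response body: newest breach first, with what was exposed."""
    breaches = json.loads(json_text)
    rows = [(b["Name"], b.get("BreachDate", ""), tuple(b.get("DataClasses", [])))
            for b in breaches]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def credentials_exposed(json_text: str) -> bool:
    """True when any breach leaked passwords: the signal that a reset is overdue."""
    return any("Passwords" in classes for _, _, classes in summarize(json_text))


# Constructed sample in the shape of a v3 breachedaccount response (not a real result).
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleForum", "BreachDate": "2019-03-02",
     "DataClasses": ["Email addresses", "Usernames"]},
    {"Name": "ExampleShop", "BreachDate": "2021-07-14",
     "DataClasses": ["Email addresses", "Passwords"]},
])


if __name__ == "__main__":
    api_key = os.environ.get("HIBP_API_KEY")   # assumption: key provided via environment
    body = fetch_breaches("alice@example.test", api_key) if api_key else SAMPLE_RESPONSE
    for name, date, classes in summarize(body):
        print(f"{date}  {name}: {', '.join(classes)}")
    print("password reset recommended" if credentials_exposed(body)
          else "no password exposure recorded")
```

Running this across every mailbox in the company on a schedule turns the one-off lookup the article suggests into a standing control, and the DataClasses field tells you whether the exposure is limited to the address itself or also includes a password that must be rotated.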

5. Take Application Security Testing Seriously

If you develop your own applications to interact with employees, partners and clients, you need to adopt an effective application security testing program to protect valuable organizational data. IBM Security offers a convenient e-guide on the subject, titled “Five Steps to Achieve Risk-Based Application Security Management.” You can also register for a free trial of our IBM Application Security on Cloud solution and test-drive application security protection for yourself.

If you don’t develop applications yourself, confirm that your providers routinely test their applications before putting them into production. You should also follow the proven IT security best practices above to protect your valuable online reputation.

Learn More

Don’t let these IT security gotchas derail your business success. Instead, remain vigilant and turn security into a competitive advantage. For additional best practices, consult your local SCORE Association webpage, or read this blog for tips on shopping online safely.
