A key theme of the recent Cybersecurity Nexus event in Washington, D.C. was the growing need for small and medium-sized businesses (SMBs) to adopt enterprise-like IT security best practices. In fact, SMBs might actually have an edge over the larger enterprises they compete with, because they can be more proactive and nimbler in mitigating common IT security weaknesses. Recent data breaches have shown that these same weaknesses can bring large conglomerates to their knees.

Five IT Security Best Practices for SMBs

To outfox rivals and rise above the competition, security professionals should consider the five best practices outlined below.

1. Don’t Trust Websites That Aren’t Protected by HTTPS

The easiest first check on the authenticity of a website and its content is to confirm that the URL begins with the Hypertext Transfer Protocol Secure (HTTPS) signifier. If a site is not protected by HTTPS, you’ll need to make a conscious decision whether to trust or distrust its content.

In the fictional example below, the URL of a local webpage has nothing in front of the domain name. Normally, HTTP or HTTPS would appear at the beginning of the URL, and HTTPS is what indicates that the site’s owner and content can be verified. When neither is shown, the browser defaults to an insecure HTTP connection, and you need to be particularly vigilant.

Left-clicking the information icon circled at the beginning of the URL displays details that include the following message: “Connection is Not Secure.”

We recently observed a major retailer’s website that exhibited similar insecure behavior. HTTPS was not enabled for its main e-commerce page and an information icon presented the same worrisome message that we illustrated in the fictional example above. If HTTPS protection had been enabled, a “Secure Connection” message would have been displayed along with the information icon.

When you view webpage content that hasn’t been verified, the information displayed on the page could be derived from unknown and unaffiliated sources. At a minimum, you need to enable HTTPS protection and proactively manage your own content to mitigate similar risks.


2. Don’t Trust Email Messages Marked With a Red, Unlocked Padlock

A quick test to determine whether information displayed in a Gmail email message is authentic is to check for a red, unlocked padlock icon.

In the picture below, a message is received by a Gmail account from another user who has opened a separate account with his or her internet service provider (ISP). A red arrow points to the unlocked padlock icon for this email, and a message that reads “frontiernet.net did not encrypt this message” is displayed to the Gmail user.

Gmail implemented a basic encryption check that indicates whether an email remained confidential in transit between the messaging parties. If Gmail is not your email provider, however, the red, unlocked padlock icon is not available to you, and it may be difficult to determine whether a message was delivered securely.

There are numerous email providers besides Gmail, and they all have their pros and cons. ISPs may even offer email as a free service to their customers. However, you need to be aware when confidentiality between messaging parties is not a priority. Do not arbitrarily trust a service provider to keep your message content private. You should research email providers’ commitment to security protection prior to implementing such solutions at your business.

3. Don’t Trust Third-Party Cookies

One sign that a third-party cookie is capturing personal information without your consent is an advertisement pop-up for a product that’s unrelated to the webpage you’re visiting. The Federal Trade Commission has cautioned that third-party cookies may build a detailed history of the types of sites you frequent for the sole purpose of delivering ads to you in this manner.

The fictional example below shows a local newspaper website whose URL has nothing in front of the domain name. Without HTTPS, the owner of a website and its content cannot be verified, and such insecure pages can let unknown and unrelated parties gather information about visiting users in the form of third-party cookies. In this example, the webpage sets 83 cookies, many of which have no relationship with the newspaper’s publishing company.

Further research on the second cookie in the list (inside the highlighted box in the picture above) uncovered the following details.

The policy above describes the purpose of this particular cookie. Visiting users are required to opt out, which implies that personal information is gathered from them without their consent.

Fortunately, most internet browsers include a configuration setting that blocks third-party cookies. You shouldn’t rely exclusively on webpage owners to protect your privacy. Instead, proactively block third-party cookies when you’re browsing the web and engaging in e-commerce.
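To see how many of a page’s cookies actually belong to the site you are visiting, as in the 83-cookie newspaper example, a site owner can audit the Set-Cookie headers captured during a page load. The script below is an added example, not code from the original article; the page and cookie data are constructed, and its “last two DNS labels” notion of a site is a stated simplification of what browsers do with the Public Suffix List.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: a site is its last two DNS labels (example.com); real
    # browsers use the Public Suffix List, so names like shop.co.uk misjudge.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_cookie(page_url, response_url, set_cookie):
    """Describe one Set-Cookie header that response_url returned while the
    browser was loading page_url."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    # An explicit Domain attribute wins over the host that sent the cookie
    domain = morsel["domain"].lstrip(".") or urlsplit(response_url).hostname
    cookie_site = site_of(domain)
    return {
        "name": name,
        "site": cookie_site,
        "third_party": cookie_site != site_of(urlsplit(page_url).hostname),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"] or "unset",
    }

def audit(page_url, observed):
    """Summarise (response_url, Set-Cookie) pairs captured in one page load."""
    rows = [classify_cookie(page_url, url, hdr) for url, hdr in observed]
    third = [r for r in rows if r["third_party"]]
    return {
        "total": len(rows),
        "third_party": len(third),
        "third_party_sites": sorted({r["site"] for r in third}),
        # a cross-site cookie set without Secure can also travel in clear text
        "cross_site_without_secure": [r["name"] for r in third if not r["secure"]],
    }

# Constructed sample: cookies a fictional newspaper page might receive
PAGE = "http://www.example-news.com/local/story"
OBSERVED = [
    ("https://www.example-news.com/local/story",
     "session=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://cdn.example-news.com/js/app.js",
     "region=east; Domain=.example-news.com; Path=/"),
    ("https://pixel.ad-network.example/track.gif",
     "uid=91ac; Domain=.ad-network.example; Path=/; Secure; SameSite=None"),
    ("https://metrics.stats-vendor.example/collect",
     "_sv=44b1; Max-Age=31536000; Path=/"),
]
```

Running `audit(PAGE, OBSERVED)` on the sample reports two of four cookies as third-party, from two unrelated sites, one of them set without the Secure attribute.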

4. Maximize the Value of Email

Email introduces entrepreneurs to the online world. It should be viewed as an asset and the lifeblood of day-to-day operations for SMBs like yours. Since you use it for practically every interaction with your clients, you need to be vigilant and protect the integrity of your email accounts.

An effective and professional email account is necessary to facilitate interconnectedness with your clients and partners. It also adds tremendous value by:

  • Enabling devices such as cellphones and tablets;
  • Creating profiles for your social media accounts and business channels;
  • Receiving online discounts and promotional offers;
  • Receiving product samples;
  • Streaming audio and video;
  • Enabling purchases and sales;
  • Providing e-receipts for brick-and-mortar shopping activities;
  • Providing notifications such as security incident alerts and critical software updates;
  • Facilitating renewals of licenses and contracts;
  • Interacting with financial institutions for banking or credit card relationships; and
  • Communicating with tax authorities regarding timely submission of federal, state and/or local taxes.

Since email has considerable value for SMBs, the growing theft of email accounts is not surprising. In fact, stolen email accounts are responsible for many of the most significant internet-based thefts.

Have I Been Pwned? is a great source of information about pilfered accounts. It enables you to determine immediately whether your email account has been exposed in a known data breach. The site also lists the businesses that have fallen victim to significant internet-based theft.

Note that HTTPS appears at the beginning of the page’s URL in the figure below. The information icon message indicates that the connection is secure and verifies the website owner’s name, Troy Hunt. Because of the level of security this site exhibits, we regularly refer others here to learn more about IT security best practices.

5. Take Application Security Testing Seriously

If you develop your own applications to interact with employees, partners and clients, you need to adopt an effective application security testing program to protect valuable organizational data. IBM Security offers a convenient e-guide on the subject, titled “Five Steps to Achieve Risk-Based Application Security Management.” You can also register for a free trial of our IBM Application Security on Cloud solution and test-drive application security protection for yourself.

If you don’t develop applications on your own, you need to confirm that your providers routinely test their applications prior to production. You should also follow these proven IT security best practices to protect your valuable online reputation.

Learn More

Don’t let these IT security gotchas derail your business success. Instead, remain vigilant and gain a competitive advantage. For additional best practices, consult your local SCORE Association webpage or read this blog for additional tips about shopping online safely.
