
Small & Medium Businesses: Your Most Valuable Asset is Probably Unsecured


Rising Tides Lift All Boats. Tidal Waves Do Something Similar.

The irrevocable march of technology forces businesses of all shapes and sizes to adapt. 30 years ago, few companies had websites. Today it would be corporate suicide not to. New business technology also brings new risks. SME business owners have long since invested in basic security around their websites, including SSL, rudimentary encryption, DDoS prevention, pop-ups with security disclaimers and cookie policies. This has become second nature, and operating in a digital world necessitates security and risk mitigation in order to be successful.

However, the very playing field has changed. Websites are no longer the premier online marketing tool; social media has taken the throne. Consumers now expect that every business have a Facebook page, LinkedIn page, Twitter account, Instagram and more. It’s where they check for company updates, and it accounts for the majority of impressions. 74% of buyers consult a business’ social media accounts prior to making a purchase. It’s many SMEs’ #1 advertising platform.

With all this value comes risk, just like websites before it. Anyone reading the headlines lately has been hearing about social media cyber attacks, account hacks, scams, fraud, fake profiles, misinformation and more. SMEs are behind the ball when it comes to putting security around their social media accounts, which are, for many, their business’ most valuable digital assets.

SMEs are Riding Horses to a Tank Fight

Take the example of the aforementioned security pop-ups, which are especially popular in industries like insurance, credit unions and small banks. One type of security pop-up warns users when they have clicked a link that will navigate away from the corporate website. This includes links to the company’s social media pages, and is presumably their way of saying “anything that happens on social media is not our fault” (more on why that’s not a valid approach later). This merely passes the security buck from one place — a traditional marketing channel like the website — to another place — the modern marketing channel of social media. Regardless, the consumer sees this as a seamless extension of the brand.

In the last five years, most small and medium sized businesses have adopted social media. However, very few have succeeded in adopting social media protection best practices and technology. This gap is every cybercriminal or scammer’s sweet spot. They know that money is being exchanged on social — that is to say, there are customers ready to be exploited — but small and medium sized businesses have not yet invested in the appropriate protections. Many small security teams believe that attackers only go after huge, multinational organizations. On the contrary, attackers are well aware that those companies, unlike the smaller ones, are resource rich and thus likely well protected online. SMEs are the attacker’s ideal target.

What Happens on Social Doesn’t Stay on Social

This is a challenge that you can’t run or hide from. Many businesses are inclined to throw up their hands and claim that since they don’t own the infrastructure, it’s not their problem. The social networks should be solving the problem, not me. Companies have floated the idea of simply blocking social media, never with any success.

Unfortunately, and to put it frankly, it doesn’t matter what you think. It only matters what your customers think. If your customers expect to engage your brand on social media, they’ll blame the company when they get scammed by an impersonator. They’ll blame the company when misinformation spreads on social networks. It will be your brand’s reputation in the woodchipper if your profile gets hacked. Put simply, using social media is non-negotiable because that’s what your customers expect. Long gone are the days where the website is the sole point of truth.

The Search Engines are Coming

The final nail in the coffin is search engines. The vast majority of customers will not type in your website’s URL character for character, especially when there is so much competition for unique, simple URLs. Many businesses are now using non-traditional top-level domains like .io or .xyz, and they rely on shorter monikers or acronyms to make up a URL, ostensibly making it easier for a user to directly search in the address bar.

The truth is, most users will simply Google the company name. When this occurs, your website will likely be near the top, but will be surrounded by your company’s social media accounts, which almost always make up the top 10 search results. This is because Facebook, Twitter, LinkedIn and more have very strong general link ratings, making them rank highly in search engine searches. If a user is trying to go directly to your website, there is a very good chance they will at least be exposed, in some degree or another, to your company’s social media presence. More often than not, these users will navigate to your social profiles, effectively “out-of-bounds” from a security perspective but well within the scope of a company’s modern brand presence.

In conclusion, small and medium sized businesses have not invested in security relative to where they gain value. There’s oversized investment in website security despite the fact that the majority of brand value actually comes from social media. This is no one’s fault; the landscape has fundamentally changed around these businesses. Cybercriminals and scammers have long since noticed the gap. It’s now up to SMEs to level the playing field.

ZeroFOX Recommendations for Small Businesses

  • Work with marketing to gain access to social accounts and secure them with two-factor authentication.
  • Invest in a social media protection tool to help protect corporate social media accounts from cyber threats.
  • Blacklist/block malicious URLs and IPs found on social media.
  • Establish a workflow for dealing with social media cyber crime targeting the organization.
  • Take down malicious and fraudulent posts and profiles.
  • Train employees on safe usage, best practices, and what to do in the event of an attack.
  • Work with marketing to keep a close eye on social media initiatives and campaigns.
  • Follow our easy ten step guide to building a social media protection program, task force and policies. Or, download the free Social Media Protection for Dummies ebook.