No. 1 Common Mistake: Thinking it won’t happen to you
A large and scary number of small businesses don’t think they need to worry about cybersecurity on their websites at all. Are you one of them? This thinking actually makes small businesses much easier targets for hackers, who know you aren’t worried and know that this means easy pickings.
When companies come on board with us we take their current website through some much-needed security measures before we ever allow the site on our servers. Here are a couple of the worst things hackers have done.
Hackers are going to hack where there is the least resistance
How could you not know that illegal pornography is on your website? Easily, once a hacker has access to your site and server. They stash images and files in places you never look, and if those files are found, you are the one exposed to prosecution. Several years ago a teenager had his computer hijacked to download child sexual abuse material and was arrested for that very thing. Now imagine the same thing sitting on a web server that carries your business name. Server hijacking is more common than you might think.
Another trick we have seen is a web shell: a script a hacker plants on your server that lets them upload, download and execute files through their browser, often combined with unauthorized data storage. We found thousands of car and truck photos stored on the backend of a new customer’s website, eating up storage; the hackers had been uploading, downloading and running files, photos included, without the owner’s knowledge. That was another site we had to clean up before it could move over to our web hosting servers.
No. 2 Common Mistake: Weak passwords
Once a company comes on board we go through an extensive discovery process that includes collecting the current passwords for the critical systems and accounts we will need in the course of our work, and we give companies a secure way to hand them over once gathered. What we receive often blows us away. You’d think everyone would know that “plumber1” is not a good password, and yet it (or something just like it) is consistently among the most common we see in service businesses. Every time we see “Hvac1”, “chimney1”, “roofing1”, etc., a small part of us dies a little more. Kidding, but not kidding.
We’ve had occasions where one email address and password gave us unfettered access to every one of a company’s accounts. Understand that your email account is the top target: it is where the password resets for all your other accounts land, so a hacker who gets into it can reset their way into the rest, including your bank account. It’s also one of the easiest things you can correct to protect yourself and your business from hackers.
We believe every business should use a password manager to store passwords. These tools are very easy to use and very secure, as long as the master password that unlocks the vault is a strong one. What is that? We advise passwords of at least 16 characters, among other easy-to-follow guidelines. While that seems like a lot, length alone defeats the most common things a hacker will try, such as guessing dictionary words and running through lists of leaked passwords.
If you use and reuse any simple passwords, find a list of vetted password managers and get this done sooner rather than later. Then go through every account and replace your current password with one the manager generates. If you need to share passwords with others, make sure the tool you choose has a team plan that shares credentials without ever displaying them. Then, when someone leaves the company, you revoke their access to the vault and rotate the shared passwords (which we hope you are already doing); the manager pushes the new ones to everyone who still needs them, so the rotation takes minutes instead of a scramble.
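To make the password advice above concrete, here is an added example (our own illustration, not a tool the authors or any password manager vendor ship) of the small amount of work a password manager does for you: it generates long random passwords, estimates how strong they are, flags the “trade word plus a digit” habit called out above, and finds a password reused across several accounts. The trade-word list and the sample vault are constructed for the illustration.

```python
"""Added example, not the authors' tooling: a minimal version of what a
password manager does for you. The trade-word deny list and the sample vault
are constructed for illustration."""
import math
import re
import secrets
import string

MIN_LENGTH = 16  # the minimum length the article recommends

# Constructed deny list of the trade words that show up in weak passwords.
# A real checker would also test candidates against a breached-password list.
TRADE_WORDS = frozenset({"plumber", "hvac", "chimney", "roofing", "electric", "password"})

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def password_problems(pw: str, trade_words=TRADE_WORDS) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # "plumber1", "Hvac1!" and friends: one word followed by a few digits or symbols.
    m = re.fullmatch(r"([A-Za-z]+)[0-9!@#$%^&*]{0,4}", pw)
    if m and m.group(1).lower() in trade_words:
        problems.append("a trade word plus a digit or symbol; guessed in seconds")
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG, the way a manager generates them."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reuse(vault: dict) -> dict:
    """Map each password used by more than one account to those account names."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: three bad habits and one generated password.
    vault = {"email": "plumber1", "bank": "plumber1", "crm": "Hvac1!",
             "hosting": generate_password()}
    for account, pw in vault.items():
        print(account, password_problems(pw) or "ok")
    print("reused across accounts:", find_reuse(vault))
    print("16 random characters from %d symbols: about %.0f bits"
          % (len(DEFAULT_ALPHABET), entropy_bits(16, len(DEFAULT_ALPHABET))))
```

Sixteen characters drawn at random from the full keyboard give roughly 105 bits, far beyond what guessing or leaked-password lists can reach; “plumber1” fails both the length check and the pattern check, and the reuse report is exactly the list of accounts that fall together when the email password is stolen.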
Speaking of passwords, are you using two-factor authentication? Yeah, we know it’s a pain. It’s also another way to guard against cybersecurity breaches in your small business.
Every roadblock you can put in place reduces your chances of being hacked. If you have none, your chances increase, and let’s face it, an ounce of prevention is worth a pound of cure.
Making sure you are using multi-factor authentication tools to keep hackers at bay is worth the few guardrails it adds to your company. One caveat: a six-digit code you type can still be handed to a convincing fake login page, so where an account offers a hardware security key or passkey, choose that; failing that, an authenticator app beats codes sent by text message, which can be intercepted through a SIM swap. Here’s a list of two-factor authentication apps you can choose from.
- Google Authenticator: A widely used app that generates time-based one-time passwords (TOTP) for 2FA.
- Authy: Provides 2FA and allows for cloud backups and multi-device synchronization.
- Microsoft Authenticator: Integrates well with Microsoft accounts and services, and also supports other platforms.
- LastPass Authenticator: A companion app to the LastPass password manager, offering 2FA and one-tap push notifications.
- Duo Mobile: Developed by Duo Security, it supports push notifications, TOTP, and integration with various services.
- 1Password: Another password manager with built-in support for TOTP codes.
- FreeOTP: An open-source app from Red Hat that supports both TOTP and HMAC-based one-time passwords (HOTP).
- OTP Auth: Available on iOS, it supports TOTP and has features like Apple Watch integration.
- andOTP: An open-source 2FA app for Android that supports TOTP and allows for encrypted backups.
- Yubico Authenticator: Works with YubiKey hardware tokens and generates TOTP codes.
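All of the apps above compute the same thing. Here is an added example (our own illustration, not code from the original page or from any of the listed apps) of that arithmetic: HOTP from RFC 4226 and TOTP from RFC 6238 in standard-library Python, a server-side verifier that tolerates a little clock drift, and the otpauth URI that the enrolment QR code carries. The secret is the RFC test-vector key, not a real one; the issuer and account names in the usage are made up.

```python
"""Added example, not code from the page or from any authenticator app: the
HOTP/TOTP arithmetic the listed apps share. The secret is the RFC 4226 /
RFC 6238 test-vector key, not a real one."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test key: the ASCII string "12345678901234567890".
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated
    to `digits` decimal digits (leading zeros are kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second
    periods since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Server-side check. Phone clocks drift, so accept the current period and
    `window` periods either side, comparing in constant time. A real server must
    also remember the last accepted period so a code cannot be replayed."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI (Key URI format) that the enrolment QR code encodes;
    the shared secret travels inside it as base32."""
    b32 = base64.b32encode(secret).decode("ascii")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Made-up issuer and account for the illustration.
    print(provisioning_uri("Example Plumbing", "owner@example.com", TEST_SECRET))
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(TEST_SECRET, code, now))
```

The point worth noticing is the last line of `provisioning_uri`: the QR code you scan at enrolment hands the app the whole secret, so a screenshot of that QR code is as good as the secret itself, and anyone who can read the seed can produce the same codes your phone does. That is also why the hardware-key option above is stronger: on a YubiKey the seed never leaves the token.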
No. 3 Common Mistake: Not keeping everything up to date
Don’t you hate all the notices to update your software? They pop up on every device too. It’s great when you can put everything on auto-update, but some things you just can’t. And then there are the browsers: Chrome, Edge, Firefox, Safari and so on. They need updating as well, and it always seems to happen when you are busy or just trying to start your day, right?
Most, though not all, of those updates include patches for security holes discovered since the previous release. Those holes are, after stolen passwords, the next most common way hackers get into your online systems and platforms, because once a fix is published the flaw is public knowledge and attackers scan for anyone who has not applied it yet.
Our advice: look at what you can set to update automatically, and for everything else apply updates as quickly as possible. Stay on top of any hole a hacker can squeeze through and get it patched ASAP.
No. 4 Common Mistake: Not training your staff and holding them accountable to security protocols
Now that you, the owner or manager, know what to do, what about everyone else in your company? Do you have a policy around password requirements to prevent hackers and cybersecurity breaches? Is it in your employee handbook and has everyone read it and signed off on it?
At FutureNow Marketing, not following our security measures is grounds for immediate termination. That may sound harsh but if you have ever been hacked or had to help clean up a company’s hacking issue you quickly see it’s a huge time suck and expense. And it can all be avoided by following some very simple rules.
No. 5 Common Mistake: Knowing what to do but still not doing it
To wrap this up so you can go do the work to protect yourself and your company from cybersecurity issues, here are the things you can do right now.
- Understand this can happen to you and your business.
- Strengthen your passwords and get a password manager ASAP.
- Set up two-factor authentication everywhere you can.
- Auto-update software where you can and make it a policy to do it every time you are notified.
- Train staff to do the same.
Here’s to keeping your business safe and up and running at all times!
About the Authors
Carter Harkins and Taylor Hill are the authors of Blue Collar Proud: 10 Principles for Building a Kickass Business You Love and co-owners of FutureNow Marketing, a "home services marketing company specializing in human-centered AI that will optimize your business and generate leads." They’re trusted thought leaders in the industries they serve, which is why you’ll find them regularly speaking at service industry trade shows and conferences and writing for trade magazines. Visit www.futurenowmarketing.com.