Cybersecurity tips for small business owners

22nd Feb, 2022 · #14

Reality check: most cyberattacks and privacy breaches that hit small businesses are not the work of sophisticated adversaries bent on holding your systems hostage or exfiltrating all your data. They start with the victim clicking a tempting malicious link, or reusing one weak password across many online accounts, which lets a single leaked credential unlock everything else.

Most people who aren't in tech won't even notice that their device was compromised or their credentials stolen.

In fact, most privacy and security breaches are invisible at the moment they happen. You only perceive them later, when you get bombarded with unwanted emails, tracking-enabled newsletters, and targeted ads on your timeline, or when an account you still think of as yours starts behaving as if someone else controls it.

The good news is there are a few basic steps you can take to significantly bolster your security posture across all your devices and digital footprint. 

If you are a business owner, this would substantially increase the protection of your business assets, including your clients’ valuable data. It’s also an opportunity to practice empathy towards those who are a critical part of your business. (We’ll show you how.)

Inspired by our experience in the field of cybersecurity, privacy, and the technology we use, we share some tips you can implement to increase your business’ safety.

In this episode, we break down common beliefs business owners hold about privacy and cybersecurity. You'll also learn how a password manager and two-factor authentication reduce the risk of your accounts being taken over. Additionally, we'll explain why you should only collect the data you absolutely need from your clients: data you never collect cannot be leaked.

In this episode, you will learn:

  • Misconceptions many business owners have around privacy and cybersecurity (03:42)

  • Three principles that will lead to a safer and more ethical behavior (08:55)

  • Why you should get a password manager (13:16)

  • The importance of two-factor authentication (15:01)

  • Why you should avoid collecting more data than you need (24:21)

[00:41] Andra Zaharia: For this very practical episode, we thought we'd share some tips for small business owners and freelancers who care about keeping their businesses safe, but also keeping their customers safe, and having that empathy towards them, because everyone expects to be protected and to have their data protected. But it's not necessarily a priority for small business owners unless the law or regulations compel us. So, we thought we'd share what has worked for us, and then just try to focus on the doable, practical, relatable things that you can try for yourself. So, Dave, when, in setting up your business, did the question of cybersecurity and privacy come up? Do you remember?

[01:32] Dave Smyth: I think it was pretty early. The way that Colin and I came together with Scruples, it was always something that we thought about. And I think maybe we didn't even really discuss it because we knew we were both quite aligned on it. But one of our principles is we try to make things privacy-focused. I think, at some point, we decided that, actually, that was going to be one of our principles that we would take this approach because…

[02:02] Andra Zaharia: Because not many other people do it, do they? I mean, I haven't seen other companies as focused and vocal and coherent about this as you are. I mean, people promise things, and there's the cliche of “We care about your privacy,” which makes me a little bit sick because when I read that, I know that that's probably 90% not true. So, you decided to take a stand on this, which I think is very bold and very brave.

[02:31] Dave Smyth: Well, Paul Jarvis, before he deleted himself from the internet, he tweeted a thing: “When you see the words ‘we respect your privacy,’ a lot of times it goes on to say how they're actually going to abuse all your data.” So, yeah, I think, we were aware of some of the issues, and we knew that a lot of clients – or a lot of the businesses that we were already dealing with – benefited from a simpler approach. They didn't need everything that they thought they needed. They were confused by data protection laws. And I think we realized it’s not just a good thing to do, but there are actually lots of business benefits to our clients if they take a more privacy-focused approach or if things are built in a way where there's data protection by design. We're not experts in this but we know a bit about it, and we just try and take this approach to building and developing and designing things that has lots of positive knock-on effects.

[03:42] Andra Zaharia: You're very modest when you say, "We know a bit about it." You know a lot about it, and you walk the talk. These are things that you do for your own business and that you do for other people's businesses, which I think is a huge thing – it is leading by example, and that leads to a deeper understanding of what things look like for a small business, and what is realistic, and what is achievable, and what is not; an understanding other people don't have simply because, as Seth Godin says, "They do things how they've always done things." And you decided that people like us do things like these, people like us who believe in privacy do things like this; they build a different set-up, they use alternative options to make the business not just compliant with laws and regulations, but also as scalable, as high-performance as a regular setup would be, except that it's not a regular setup, and it has this positive butterfly effect on the entire ecosystem. And I've seen you at work for the Cyber Empathy website, and I saw how fast it can be and how great it feels to know that you're making healthy choices for your business, safe choices, and that you're also supporting other businesses who are building things with privacy and security in mind. So, we're all helping each other, and I love that feeling; I feel that's a personal reward as well that's involved in this. Do you think that your clients, the small business owners that you work with – smaller or bigger – feel the same? What kind of reactions have you seen in them when they choose to focus on this?

[05:25] Dave Smyth: Like I said, lots of them are confused by what they can do, what they can't do. The example I always talk about is analytics and cookie bars and things. Lots of them don't like that, but they feel like they have to use Google Analytics, that's what they've been using, or they feel like their cookie banner is pointless and they hate having it. There are all these concerns and things. And I think when people are shown the alternatives and see the benefits of them, almost always the response is positive. Now, we're starting to see people coming to us because they know that we want to help them do things in a privacy-focused way. And the answers to these things, or the alternative routes, aren't always obvious, but we're starting to see people come to us who want help to try and do things in a better way that doesn't rely on some of the tracking and tech stuff that lots of common tools rely on. And often, there's a way, it's just not the way that is written about in every business book or course or whatever. And we feel very strongly as well that it's not the clients' responsibility to know this, so it's not a case that we think that they're acting maliciously on purpose; it's more that we're all working together to try and get out of these invasive ruts that we're in and devices that we need to use, that we're told that we need to use. Yeah, it's interesting.

[07:00] Andra Zaharia: It definitely is. And I think that you were, basically, generously sharing your competitive advantage with your clients, and they're making it their competitive advantage. Everyone wins, because it's not a battle for attention; this is good for everyone. And this is such a generous act. Basically, it's creating trust signals and showing people alignment. I truly believe that as customers to any business, we always pay attention to the gap between what people say and what they do. Often, there is a big gap in the middle, there's a big rift in the middle between these two things. And when you see companies who actually do what they say they do, and they do that in a good, ethical way that supports other people, that's generous and transparent; that just makes you want to support them more, it makes you an advocate, it changes and deepens your relationship with that business. This is one of the fundamental things that you want to have, one of the fundamental relationships that you want to have, as a small business owner, with your customers. You want to send out those trust signals, and to make sure that those trust signals lead the customer to a source that is truly valuable and there for them. So, businesses like Fathom – we use Fathom Analytics for the Cyber Empathy podcast, I use it for my website. So, it is the kind of business that I will continue to support, not just advocate for it, but actually pay money for it because I believe in their mission and what they're doing – speaking of Paul Jarvis and his general awesomeness.

[08:35] Dave Smyth: Yeah, and there's a wider benefit. If everybody starts taking these steps and exploring these different options, then actually, we can all contribute to changing the status quo and changing the advice or steps that are considered what everybody should do when they run their business.

[08:55] Andra Zaharia: I totally agree. And speaking of getting practical, perhaps we might start sharing some of the actual things that people can do, and that we use, and that we encourage others to do as well for their business. I wanted to start with the three core principles that I've identified as being very helpful to making choices about tools and solutions and people to work with, that will lead you down this path of safer, more private, more ethical behavior as a business and as an individual. The first principle is to prioritize. So, as a small business owner, you're not an IT or security specialist, you shouldn't need to become one, but you do need to have a minimal education around these things, just as you need to have a minimal education around financial matters and fiscal stuff and things like that, because it comes with the territory, it's just what it is. Principle one, prioritize your most important assets. You should know, at all times, what the crown jewels are; it's your email address, it might be your cloud storage account, it might be some sort of intellectual property that you have or a competitive advantage. You want to make sure that that is secured, that you have all the layers in place that you can have, while also staying as productive as you can. The second principle would be to, obviously, protect. So, now that you've prioritized what you need to protect, you need to keep that safe. And that usually requires initial investments in products and services and a little bit of time with setup. But once you've done this initial work, this is like 80% of the work, then the rest will be much easier to maintain and improve over time. I'm not talking from books or articles, this is from my personal experience and something that I've done over the years over and over. And the third principle is to monitor. So, you need to set yourself up for success with as many automated things as you can, things that have your back without you having to actively do something about it. Because obviously, as the business grows, you're going to have less time – hopefully, more money to invest in these things. So, in the beginning, you'll have less money, more time – so, it's worth dedicating a bit more time. But as your available time decreases, having those things that can monitor the internet for you and your security for you, that's going to be instrumental. So, have I left anything out, Dave?

[11:34] Dave Smyth: Not particularly. But I'm reminded of an analogy that a friend of mine made frequently, which was particularly for online businesses. I think these steps are sometimes skipped, or we take the easiest route here because the barriers to getting set up are really low. Particularly, the businesses are largely online or largely digital. So, he said that if we were setting up a physical shop or something, we would have to rent the shop, we'd have to invest in signage, rent, utilities, furniture, business rates, all these things that you have to do to get the building and set it up and all of this stuff. And of course, you might have some of this if we rent an office or something. But if it's largely a digital thing, it feels like we can do everything free or very, very cheaply or with low effort. And some of these things are really worth investing in, and they don't really cost that much money or there might be alternatives. And this isn't something where if we make a choice at the beginning of our business, based on advice that we'd been given, we're just doing the best that we can. So, we should invest time and money in these things when we can. And when we know that there are alternatives to some of the common things or that there are good practices that we can take on board, then when we have the time and energy and money and space to do it, then they're definitely positive things to do.

[13:10] Andra Zaharia: And they have a compound effect, something which we love.

[13:13] Dave Smyth: Yes, of course.

[13:16] Andra Zaharia: So, diving into the actual tips. So, if you're a small business owner or a freelancer, you should start with, first of all… Dave, over to you.

[13:28] Dave Smyth: Well, we've talked about this before, but I would say a password manager if we don't already use one – an absolute requirement.

[13:38] Andra Zaharia: Yes, this is one of the key security layers that maybe your local regulations or laws might ask you to have. This is particularly important, and I wanted to mention this because I know that this is an important thing. As you grow as a business, you might want to take on bigger clients. Bigger clients come with security requirements because they have to abide by laws and rules that apply to them as well. And since they're bigger and their responsibility and potential risk is bigger, they have to make sure that their suppliers fall in line with these things. So, if you want to catch bigger, better clients that pay you more, having the setup that makes sure that your bases are covered in terms of cybersecurity and privacy is going to give you a competitive advantage over businesses who have to scramble and get their stuff together in the moment. Because if you already have them, you can act faster, you can go through their process faster, so you can just increase your chances to actually close that deal, which is what you want to do as a business. So, yeah, I also say that a password manager is huge; it makes it easy to onboard and offboard people, to share access to assets without sharing your password. That's one of the best things about a password manager, in my opinion, sharing passwords with others – they can use it, but they can't see it, and you can delete access anytime. I'm going to take this next one. So, along with your passwords, please, please, please enable two-factor authentication wherever you can. That means getting either a code via SMS that you have to fill in, or getting a code from an authenticator app. And I know that you have a recommendation here, Dave, that you want people to know. And I support you.

[15:24] Dave Smyth: Yeah, it's Authy, that's what I use and lots of people use. Google Authenticator is very popular. I don't know if it's the same as it used to be, but I'm pretty sure that it used to be that if you lost your device, you had to set it back up on another device – there was some weird quirk with it like that. So, Authy works in exactly the same way, basically, but it's portable, and you can sync it up to your desktop and have an app on the go. Two-factor authentication can feel like a bit of a hassle to set up. So, it's one of those things, going back to perfect versus good-enough security, I feel with this, it's something where you want to make sure that you have two-factor authentication on your really important stuff like your email, for sure. But also maybe where you store your files, and if you store a lot of stuff in the cloud; you may not be too bothered about it on your Spotify account. But for those core things, it's really worth having, even if it feels like a hassle to set up and to need it every time you log in.

[16:30] Andra Zaharia: But it is definitely worth separating things, having a dedicated email address and dedicated cloud storage, not mixing things up, personal with professional, not just because it keeps you out of trouble and looking good, instead of committing a faux pas in front of your customers, like sharing a document that shouldn't have ended up in their email address. But it also makes it easier for you to find information, to also look professional, and to make sure that you can also leave work when you want to pause, because you're not going to be overwhelmed with emails and things like that. So, it's empathy for everyone; it's for yourself, your customers, and everyone else.

[17:16] Dave Smyth: And actually, on email, I highly recommend not just using a Gmail account, which is really common for totally understandable reasons. But it's possible to get a Fastmail account, for instance, where they don't scan your email, because Google will scan your Gmail account, which means they're also scanning your clients' emails and their information as well. So, definitely get an account with somebody other than Gmail. And by the way, if you pay for Google Workspace, they don't scan those emails; it's only Gmail, the free ones, that they scan – important to make that distinction. But for the same money or possibly even less, use Fastmail. You can set up as many custom domains as you want on there. You get that separation you're talking about, and it looks professional. It's a really simple straight swap between the two. And there are other companies as well, but Fastmail is well-known and pretty solid.

[18:11] Andra Zaharia: And do you have another tip or two about keeping things separated, which keeps them contained, which makes them easier to manage, which gives you more control over them? And it was one about your phone number, something which I was not as wise to do in the beginning, and I wish I had.

[18:30] Dave Smyth: Yes. Not everybody will be in the position to do this, but if you have an old phone, it's really worth chucking an old, cheap Pay As You Go SIM in there or something, and then using that as your work phone number. And I say this from my experience, both with email and with the phone number. At the very beginning, when I was starting out, I used my personal emails. And then for years, I would get emails to my personal email account about work stuff; for years after working with clients, something would come up occasionally. And the same for my phone number: I used to just use my personal phone number because I couldn't be bothered to have a second phone; I felt like I had to carry it around with me all the time, even though barely anybody called it. I don't do that anymore. It's just in the office. It's just really good for your own privacy. Yes, it might look more professional. But I remember once getting a phone call at 2 AM from a client who was from Britain, but he was on holiday in Australia, so he knew he was calling in the middle of the night. And I didn't pick up the phone, and he didn't call back the next day. I have no idea what he wanted, but it can't have been that important, but it was important enough that he woke me up. And you don't want to be dealing with that, especially if you're working with clients abroad or in different time zones who may not have the consideration to think about what time it is for you when they call.

[19:56] Andra Zaharia: Yeah, that's so very true. And the next one, around the use of email addresses: pre-GDPR, some legislation required you to have your contact data publicly exposed in your country's financial body somewhere. And what they used to do pre-GDPR is scrape all of that information, and the moment new companies popped up, you'd get super spammed with emails for all sorts of services, and it was a horrible experience. So, you do not want to have that in your private email account, in your personal email account, which is probably tied to other things like your bank – really sensitive stuff that shouldn't be mixed together. So, yeah, totally worth separating. I know that you have another tip here about contact details and how to use them safely.

[20:48] Dave Smyth: Yeah, I guess all of these things are related, actually. So, now, in the UK, most small businesses have to be registered with the Information Commissioner's Office, the ICO, and I'm sure that there are regulators like this in lots of countries. So, often, you have to publish your company's business address. It might have to be published on the regulator's database online, it might have to go on your website, and it almost certainly has to go in an email and newsletter footer to comply with that anti-spam thing. So, for all the obvious reasons, and some reasons that may be less obvious, you probably don't want your personal address there. So, lots of accountants will let you use their address, but there are also services that will let you register and use a PO box somewhere, or an actual address that's like a virtual address. So, that's really, really worth doing if you're having to register these things anywhere. You may even just have to do it to register your domain or something. And if there's a way for people to see that information somehow, or if, for instance, GDPR was repealed or laws change and so on – it's a good proactive step to take to stop your address being printed all over the internet for eternity.

[22:10] Andra Zaharia: Perhaps. Imagine just this brief scenario, since you're listening and you're here with us: a cybercriminal might use your contact information and your logo to create a fake invoice to send to one of your clients so they can get the money instead of you. And although that's not technically your fault, that's not going to look good for your relationship with the client. Although, again, technically, it's not your fault. So, having the ability to protect these things and to prove that you are who you say you are, these things have a lot of value, and a lot more value than you realize until you end up in a situation like this. And speaking of malicious software and all kinds of cyberattacks, please, please install an anti-malware solution on all your devices. Most of them are super easy to use. No, they do not slow down systems; that was an issue that we had 20 years ago – we're long past that. Anti-malware suites are now very easy to use, you barely notice them, they auto-update, auto-scan. They're set and forget, just put it on autopilot, you don't even need to customize anything. They're really well optimized, especially the top five ones. They're really well-optimized for both performance and protection, and they will keep you safe, and they will block most stuff. Even in your browser, they will check the links before you click them without adding delays. And that's going to be of huge help to you to prevent 99% of all of the bad stuff that can happen, so you can then focus your attention and resources and energy on paying attention to that 1% that can get by simply because they rely on manipulating you as a person, not manipulating the technology that's on your devices. So, anti-malware, definitely a must. I cannot imagine living without it, honestly.

[24:10] Dave Smyth: And Macs aren't impenetrable, just remembered that. There's a myth that Macs cannot be infected, and that is absolutely not the case.

[24:21] Andra Zaharia: That's true. So, a couple of tips from us also around protecting your customers, because they expect things from you by default. They may never request this specifically, like I mentioned in the case of bigger companies trying to work with you and give you money. But your customers, small, big, doesn't matter, they will expect that you will protect their stuff. So, one of the key things: don't collect more data than you need to. If there's no data, if you don't have to protect data, that's less effort for you, better for everyone, easier to manage. And if you could share, Dave, because you have a lot of experience with this, what that means; what does it mean to not collect more data than you need to? What kind of data can you avoid collecting without it damaging your business?

[25:15] Dave Smyth: So, a good example of this would be a mailing list. So, on lots of mailing lists, people collect name, surname, email address. You almost certainly don't need the surname unless you're addressing everybody personally by their surname in the emails, which, in many cases, might be weird. The first name, maybe that's okay. But think about whether you really need it; does it suffice to just have the email address? Because in many cases, that's all you actually need. Speaking purely for myself here, I don't care if an email says, "Hello, Dave." If it says that, I don't feel like, "Oh my goodness, this has been written just for me." And I suspect that many people feel the same way. It might create some personalization. But that's a consideration for every business, just think about, like, "Do I want the level of personalization?" Another thing would be contact forms. I've just been changing the email address on loads of services recently. In more cases than there should be, I haven't been able to change the email address through my account; I've had to contact support to change it. The number of contact forms that require your first name; require your second name; require a phone number; in some cases, require a date of birth for something that's completely irrelevant, and that data is just going to be stored somewhere. Unless there's a really good reason to collect it, don't collect it. There's a really good primer on data protection that we will add to the show notes. It's not that expensive, but we would totally recommend it for freelancers and small business owners. This stuff seems complicated, and it seems like GDPR is like, "What a nightmare." It feels like a big burden, especially the first time you come across it. But actually, these principles don't need to be really complicated. So, just spend an afternoon or a day thinking through this stuff, thinking through the implications for your business; how you can reduce your collection, how you can be more secure. If you don't collect it, it can't be exposed if you're hacked.

[25:15] Andra Zaharia: Exactly. And again, it doesn't expose your customers in any way, and so on and so forth. And to your point about personalization: working in the cybersecurity industry, you get to see a lot. So, obviously, people are privacy and security-oriented. So, if they are forced to fill in their name and surname without there being a reason, they will fill that in with all sorts of mumbo jumbo or other sorts of things that are, let's say, less elegant. And you do not want to get an automated email calling you "Mr. Ass" or something – I don't think anyone wants that, and that can happen. So, please, personalization is very 2015. Let's leave that aside, just make that email valuable and talk to the person like an actual human, and that'll take you much further than some sort of things like this. And I've seen this happen, you don't want it. And yeah, very good point. And again, we've talked about this in previous episodes, but we want to mention again the value of using privacy-focused analytics, which make it easier for you to understand what people are doing on your website without tracking their every move. And yes, this is possible, and the technology is here, and it's not that expensive, and it comes with all sorts of things that are built into it. So, again, we're mentioning to use Fathom Analytics because that's what we use, and they do a really great job at setting the standard for this industry. And they come with things like gating for Europe, for GDPR countries, and all sorts of things. You don't even need to add that very annoying cookie banner on your website – how great is that? I mean, how much better does it make the experience, and it's entirely legal to do that? So, to me, that is a major benefit. One less annoying thing for your customers; who doesn't want that?

[29:20] Dave Smyth: Yeah. And without dating the moment that we're recording this, just yesterday, I think the Austrian Data Protection Authority wrote that using Google Analytics was actually illegal from the GDPR perspective. It seems like lots of other European states are going to be making similar rulings soon.

[29:40] Andra Zaharia: It's a big precedent, I agree. And, again, the fewer things that you actually do and collect, the easier it will be for you in the future. It's like technical debt; if you don't have any, you're going to have so much more time and resources to build the things that you actually want to build and to do the things you want to do, instead of sitting with lawyers and dealing with all sorts of things that pop up along the way. Because it's simple, you're compliant and safe from the beginning. And taking care of that is so much easier than having to do it at a critical point in time when your business is growing and you have to take care of so many other things at once. So, I hope that these tips helped you. And if you have requests for specific things that we didn't cover, or if you have questions and you still feel lost and you're not sure how to go about things, just send them over and we might do a dedicated Q&A to cover them.

[30:38] Dave Smyth: One last thing, actually. I was thinking, lots of business books and things, they talk about using tracking things. And there are things like accounting software that can tell you if your clients have read your invoice, and it's probably at least a 50% chance that it's wrong about whether they've actually read it or not. But I think as a business, you can really easily do a sniff test on a tool that you're using, which is, "Would I want to be tracked or surveilled in this way? If I was, would I want to know that that was happening? Would I want to opt in or be told that the person who sends this email can see where I was when I opened it?" If the answer to that is no for yourself, then it's probably also a no for your clients or your customers or their customers. If you're passing that test, that will get you a long way with the tracking side of things as well.

[31:36] Andra Zaharia: That should be called the empathy test. That is an actual empathy test, really; I think it is a perspective changer. So, you framed that perfectly. So, we'll be back with more tips, and we'll drop a bunch of things in the show notes so you can use them and make your life easier as a business owner, so you can do what you set out to do with your business, no matter how big or small it is. So, we're rooting for you over here.