Security Practices for Small Businesses

[Image: a person sat at a desk with a laptop, typing code, wearing headphones. Photo by Jefferson Santos on Unsplash]

Many small businesses will, at some point in their lifespan, have a social media account, a website or customer information hacked or leaked. It is vital that you secure every account and every piece of information you hold, such as your social media logins, employee records and customer details. This post goes through the steps you should take to secure yourself and your business online.

The process of securing your digital information and accounts can feel daunting, and if you follow any technology news you will have seen that even the biggest companies get "hacked" and their employees "socially engineered". As a small business your situation is different, but not safer: large companies attract targeted attacks because of their publicity and the custom tools and apps they build, while small businesses are mostly hit by opportunistic, automated attacks such as password guessing, phishing and scans for out-of-date website software. The good news is that those attacks are stopped by basic hygiene, so this post focuses on how to secure your social media, your email and your website.

Securing Your Website

How you secure your website depends on how it is built. If you have a statically generated website, meaning it is written or compiled into plain HTML files with no server-side code and no database, there is very little for an attacker to target: the pages cannot be changed without access to your hosting account or server. You still need to protect the hosting and domain (DNS) accounts and be careful about any third-party scripts you embed, because those are the remaining ways the site can be tampered with. If your website is built on a content management system such as WordPress, Drupal or Joomla, the pages are generated by code running on the server, the content comes from a database, and there is an admin login for managing it all, which gives any potential intruder a place to target.

Securing your server

If your website is on a shared or managed hosting provider, such as Namecheap, GoDaddy or Krystal Hosting, the provider patches and firewalls the server for you, so your job is mainly to protect the hosting account itself with a strong password and two-factor authentication. If you are on a server that you own and manage, it is recommended to enable a firewall that only allows the ports you actually use (typically 22 for SSH and 80 and 443 for the website), log in to SSH with keys rather than passwords and disable root login, keep the operating system patched, and keep any remaining server passwords long and unique. MailChannels has an in-depth article on how to protect your server.
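The SSH settings above are the ones most often left at their defaults on a self-managed server. The following is an added example, not code from the original post: a small audit that reads an sshd_config and reports the directives that still allow root login, password logins, empty passwords or X11 forwarding. It assumes standard sshd_config syntax, OpenSSH's rule that the first uncommented value of a directive wins, and OpenSSH's documented defaults for those four directives; the sample configs are constructed for the example.

```python
# Added example: audit an OpenSSH sshd_config for the settings a self-managed
# server should change. Not from the original post. Assumptions: standard
# sshd_config syntax, sshd's rule that the first uncommented value of a
# directive wins, and OpenSSH's documented defaults for the directives below.

# directive: (OpenSSH default, value that counts as a finding, recommended value)
RULES = {
    "PermitRootLogin": ("prohibit-password", "yes", "no"),
    "PasswordAuthentication": ("yes", "yes", "no"),  # log in with SSH keys instead
    "PermitEmptyPasswords": ("no", "yes", "no"),
    "X11Forwarding": ("no", "yes", "no"),
}


def effective_settings(config_text):
    """Return the value sshd will actually use for each directive in RULES.

    sshd keeps the FIRST uncommented value it sees, so a hardening line
    appended to the end of the file is silently ignored if the directive
    already appears above it. Directives after a 'Match' line apply only to
    matching users/hosts, so parsing stops there (a limitation of this audit).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key.lower() == "match":
            break
        canonical = next((k for k in RULES if k.lower() == key.lower()), None)
        if canonical is not None and canonical not in seen:
            seen[canonical] = value.lower()
    return {k: seen.get(k, RULES[k][0]) for k in RULES}


def audit_sshd_config(config_text):
    """Return one finding string per weak directive; an empty list means hardened."""
    findings = []
    for key, value in effective_settings(config_text).items():
        _default, bad, good = RULES[key]
        if value == bad:
            findings.append(f"{key} is '{value}'; set '{key} {good}'")
    return findings


# Constructed sample configs (not taken from any real server).
WEAK_CONFIG = """\
# a fresh install with root login switched on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# added later in a hurry: sshd ignores this because PermitRootLogin is set above
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# key-only logins, no root, only the deploy user
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowUsers deploy
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it against a copy of /etc/ssh/sshd_config before and after editing; the "first value wins" rule is the reason the audit reads the whole file rather than grepping for the last line, and it is the most common way a hardening change silently fails to apply.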

Securing WordPress

WordPress is the most used content management system (CMS), and being the biggest CMS it is a constant target, most often through vulnerable plugins and themes and occasionally through WordPress core itself. Aside from securing the server and the database that WordPress runs on, there are steps you can take during installation, and while your website is running, to harden it. The easiest is to only install the themes and plugins you actually need, from the official WordPress.org directory or a reputable vendor, and to check that each one is actively maintained: recently updated, tested with the current WordPress version, a large install base and good reviews. A paid plugin is not automatically a secure one, and an abandoned plugin is a liability even if it still works. Keep WordPress core, themes and plugins up to date so that published security fixes are applied promptly, and enable automatic updates where your host supports them. Finally, a reputable security plugin can add login protection, malware scanning and backups. As with anything relating to security, a badly written plugin can do more harm than good, so read the reviews and, where it buys you support and faster fixes, pay for the premium version. WP Forms has written an article about the 7 best security plugins, going over the features and prices of reputable options.

[Image: content management system market share, with WordPress holding the top spot. Source: Wappalyzer]

The three plugins I endorse for securing WordPress are Jetpack Security, Wordfence and Google Authenticator. Jetpack Security is maintained by Automattic, the company behind WordPress.com, and has features such as site backups, account authentication and email notifications if your website goes down. Jetpack itself is free, with the premium security version available at £15.92 a month (if billed annually). The next plugin is Wordfence. Its core features are free: a firewall, intrusion logging, and login rate limiting that protects WordPress and your server from brute-force password guessing. The only downside to Wordfence is that it runs entirely on the server your website is hosted on, which can slow your website down, especially when there are a lot of login attempts to block. The last notable plugin is Google Authenticator, which lets users on your website enable two-factor authentication on their WordPress accounts. Although this adds a step to logging in to your blog or website, it means a leaked or guessed admin password is no longer enough to take over the site and ruin your content and themes on the live (production) website.
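To make the brute-force protection concrete, here is an added example, not code from the original post or from Wordfence, that does the simplest version of what such a plugin does: it reads web server access log lines, keeps a per-IP sliding window of login POSTs to wp-login.php and xmlrpc.php, and flags any IP that fires too many in a minute. It assumes the standard Apache/nginx "combined" log format and WordPress's behaviour of answering a failed wp-login.php POST with a 200 (the form again) and a successful one with a 302 redirect; the log lines are constructed for the example using documentation IP ranges.

```python
# Added example: spot brute-force login attempts against WordPress in a web
# server access log, the kind of thing Wordfence's login protection does for
# you. Not from the original post or from Wordfence. Assumptions: Apache/nginx
# "combined" log format; WordPress answers a failed wp-login.php POST with
# 200 (the form again) and a successful one with a 302 redirect.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # xmlrpc.php also accepts credentials


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?action=... query strings
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak attempts} for IPs with >= threshold failed login POSTs
    inside any `window`, using a per-IP sliding window over the timestamps."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["status"] == 302:
            continue  # successful login, not a failed guess
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()  # forget attempts older than the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2020:10:15:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
203.0.113.7 - - [27/Sep/2020:10:15:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
203.0.113.7 - - [27/Sep/2020:10:15:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
198.51.100.23 - - [27/Sep/2020:10:15:04 +0100] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2020:10:15:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
203.0.113.7 - - [27/Sep/2020:10:15:05 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
203.0.113.7 - - [27/Sep/2020:10:15:06 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.24.0"
198.51.100.23 - - [27/Sep/2020:10:16:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2020:10:30:00 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.24.0"
"""

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} failed login attempts within 60s")
```

The flagged addresses are what you would feed to a firewall rule or to fail2ban; a plugin such as Wordfence does the same counting inside PHP on every request, which is why it costs server time when an attack is under way. Note that xmlrpc.php is included: it accepts the same credentials as the login form and is a common target precisely because people only watch wp-login.php.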

Securing your social media profiles (protecting your brand)

Everyone who has a personal social media account knows how precious their photos are. Not only do they store memories, they can also be a good method of contact with friends and family, and the same goes for online businesses. Your social media profiles can be a key location for your customers to request support, make enquiries or even find out about your business through advertising.

If a malicious user got access to your social media profiles, private customer messages could be read, your advertisements changed and your brand's following lost, whether by promoting unsafe websites from your account or by simply deleting it, which on some platforms means the username can never be reused, breaking the continuity of your brand's identity.

A leak of private customer information can also expose your business to regulatory penalties and claims, especially if you held the data for longer than was necessary for the purpose for which it was collected.

Using two-factor authentication across all social media profiles

If you take any recommendation or action from what is in this article, this should be the one you do. Wherever possible, two-factor authentication should be enabled on all your accounts – not just social media.

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It confirms a user's claimed identity by requiring two of the three kinds of factor: 1) something they know (a password), 2) something they have (a phone or a hardware key), or 3) something they are (a fingerprint or face).

Most commonly, two-factor authentication is set up through SMS verification: after you enter your password, and before you are logged in, you are sent a text message with a code (usually a numeric PIN), which you enter into the app or website to confirm it is you. Other platforms email the code, or let you use an authenticator app that generates the code on your phone, and you can usually choose which methods to enable on each platform.

[Image: a Google verification code received by SMS. Source: HowToGeek]

SMS is the weakest form of 2FA, because a text message can be intercepted or redirected if an attacker convinces your mobile operator to move your number onto their SIM (a "SIM swap"), so prefer an authenticator app or a hardware security key wherever the platform offers one. Even so, any second step makes an account much harder to break into than a password alone. Your email account deserves the most care, as it is "the home" of all your accounts: anyone who gets into your inbox can reset the passwords of everything else. Enable at least two 2FA methods on it, and keep its recovery codes somewhere safe and offline so that losing your phone does not lock you out.
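To show what an authenticator app actually does, and why it avoids the SIM-swap problem, here is an added example, not code from the original post or from any particular app, of the arithmetic behind app-generated codes: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238). The phone holds a shared secret that never travels over the network; both sides compute a code from that secret and the current 30-second time step. It assumes SHA-1, 6 digits and 30-second steps (the defaults Google Authenticator and similar apps use) and the otpauth:// URI format those apps import from a QR code; the verification tolerates one step of clock drift either side.

```python
# Added example: the arithmetic behind authenticator-app codes (TOTP, RFC 6238,
# built on HOTP, RFC 4226), the "something you have" factor without the
# SIM-swap risk of SMS. Not from the original post or from any particular app.
# Assumptions: SHA-1, 6 digits and 30-second steps (the usual defaults) and
# the otpauth URI format authenticator apps import from a QR code.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current code and `window` steps either side to tolerate clock drift.

    Every candidate is compared with compare_digest and the loop never returns
    early, so timing does not reveal which step (if any) matched.
    """
    if len(code) != digits or not code.isdigit():
        return False
    at = time.time() if at is None else at
    counter = int(at // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


def new_secret(nbytes=20):
    """Fresh shared secret from the OS CSPRNG (20 bytes = 160 bits, matching SHA-1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that an authenticator app imports (normally shown as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "owner@example.com", "Acme Bakery"))
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

The server-side lesson is in verify_totp: a code is only good for about a minute and a half, the comparison is constant-time, and nothing here depends on the phone network. The one thing worth protecting as carefully as a password is the secret itself, which is why the QR code should be scanned once and never emailed or screenshotted.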

Using a password manager

You have probably heard that you should not use the same password for everything, and up till now you have probably used the same password, or a slight variation of it, without any issue. But if you are a business and your password is your business name backwards with a symbol on the end, it does not take a rocket scientist to figure it out, and attackers rarely guess by hand: they run automated tools that try thousands of passwords a second from lists of common words and patterns (brute-force and dictionary attacks), or simply replay passwords leaked from other sites (credential stuffing), which is exactly why reusing a password is dangerous.

Password managers store your passwords in a vault encrypted with a key derived from a single master password, which is the one password you still have to remember, so make it long and protect the manager account with 2FA. They provide convenient access through apps, browser extensions and desktop programs.

Using a password manager can allow you to have random passwords (like qX2,cFvq5’Zm”[Lc) without you having to memorise, or even type it in! Most password managers come with password generation and autofill features so you can just press a few buttons and everything is done for you.
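The difference between the two kinds of password above is easy to put in numbers. The following is an added example, not code from the original post or from any password manager: it generates a password the way a manager does (from the operating system's secure random source), works out its entropy, and runs a constructed mini dictionary attack that finds "business name backwards plus a symbol" in a handful of guesses. The mutation list and the 10 billion guesses per second rate are illustrative figures chosen for this example.

```python
# Added example: why "business name backwards plus a symbol" falls to the first
# few dozen guesses of a dictionary attack, against how much work a generated
# password costs. Not from the original post or from any password manager.
# Assumptions: the mutation list and the 10 billion guesses/second rate are
# illustrative figures chosen for this example.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, as a password manager's generator does."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst case for the attacker: try every combination at the assumed offline rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def weak_guesses(business_name):
    """Constructed dictionary of the mutations an attacker tries first, in a plausible order."""
    base = business_name.lower().replace(" ", "")
    words = [base, base.capitalize(), base[::-1], base[::-1].capitalize()]
    suffixes = ["", "1", "!", "123", "2020", "!1"]
    guesses = []
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            if candidate not in guesses:
                guesses.append(candidate)
    return guesses


def guesses_to_crack(password, business_name):
    """1-based number of guesses before the dictionary attack hits, or None if it never does."""
    for n, candidate in enumerate(weak_guesses(business_name), start=1):
        if candidate == password:
            return n
    return None


def pattern_entropy_bits(business_name):
    """Entropy of a password chosen from the weak pattern: log2 of the candidate count."""
    return math.log2(len(weak_guesses(business_name)))


if __name__ == "__main__":
    weak = "yrekabemca!"  # "Acme Bakery" backwards with a symbol on the end
    print(f"{weak!r} cracked after {guesses_to_crack(weak, 'Acme Bakery')} guesses "
          f"(~{pattern_entropy_bits('Acme Bakery'):.1f} bits)")
    strong = generate_password(16)
    bits = entropy_bits(16, len(ALPHABET))
    print(f"{strong!r}: {bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years to exhaust")
```

A 16-character password from the full 94-symbol keyboard, like the one quoted above, carries about 105 bits of entropy, while anything derived from the business name carries only as many bits as there are plausible variations, which is a few dozen guesses rather than a few decades. Real cracking tools use far larger rule sets than the six suffixes here, so the weak pattern is found even faster in practice.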

Which password manager you use is entirely down to personal preference, just like which cloud storage provider to use, Apple or Android, or who you get to build your website (it should definitely be me, by the way!). There are hundreds of articles out there, like this one from Wired, going over the features and pricing of different password managers, and you should give each one a try before deciding who will hold the keys to your brand.

I personally recommend both Dashlane and 1Password, as they are both great value for money, extremely secure and have beautifully designed websites and apps, along with a plethora of features. Dashlane comes with a built-in VPN for safe browsing, and 1Password supports adding a whole range of items to your "vault", such as security numbers, passwords, server information and so much more.

As technology evolves there will be ever more ways to get hacked, so it is important to keep up with the ways security can be achieved. Just by doing what I have covered in this article, you can worry a lot less about your brand being taken from you overnight.

And please don’t make your password Ilovefootball123… it’s not a good idea.

None of the companies or products mentioned in this article sponsored it; I have personally used all of them and can comfortably recommend them. Thank you for reading.

Thank you for reading my blog post, if you have any feedback or questions, please email me and I'd love to have a conversation with you! This article was written on September 27, 2020.