Looking at the news, cyber threats seem to be everywhere. Whether it’s hacks of major film studios, NHS meltdowns, or overseas election meddling, cyber crime and the consequences of poor cyber hygiene are on the rise. But how does this impact on your small business? Why would cyber criminals try and target a landscape gardener in Leeds, for example? The unpleasant truth: because small business owners often have less cyber security controls, they are just as likely to be targeted by cyber criminals as their multinational counterparts.
This guide aims to help you understand the world of cyber security and how it can affect your small business. We’ll provide practical steps that you can take and some useful advice on how to maintain good security practice.
Cyber security issues for small businesses
Cyber security encompasses the processes and procedures your business uses to mitigate against threats to your IT systems. A survey conducted by the Department for Culture, Media and Sport recently found that a staggering 38% of microfirms (defined as those with 10 or fewer employees) had suffered a data breach of some sort. These cyber threats can come in a number of forms, the most common of which include:
Phishing emails: Cyber criminals use phishing emails to pose as genuine organisations with the hope of tricking users into giving away information such as passwords. These mass emails will often urge users to sign in or click through to a fake webpage that looks perfectly normal when in reality, it’s attempting to steal information.
A favourite approach of scammers is to pose as HMRC, and target small and medium-sized businesses with seemingly urgent messages about important topics like tax.
It’s estimated that 91% of cyber attacks start with a phishing email, so the need to protect yourself can’t be overstated.
Spear phishing emails: With spear phishing, attackers are looking to achieve the same objectives as standard phishing; however, their methods are sometimes trickier to spot. While standard phishing scams use mass emails to target large numbers of email addresses, spear phishers will focus their communication selectively on specific targets. They may research their target in advance and pretend to be someone who their target trusts.
For example, a spear phisher could pretend to be someone you deal with at an outsourced IT company. They may ask you to click on a link and sign in to a fake system, which they then use to steal your information. Security specialists often refer to manipulative tactics such as these as social engineering.
DDoS: DDoS (or Distributed Denial of Service) is a method of attack in which criminals attempt to damage your system or website by sending lots of traffic to it. DDoS attacks are carried out by hackers with ‘BotNets’: armies of devices and computers that they’ve previously compromised. Hackers use BotNets to send large traffic numbers to a business’s system or website, which can then overload its servers and disrupt critical business operations.
The motivations behind DDoS attacks vary considerably, from demanding ransoms from victims to taking down business competitors. A recent example of the latter was when a British hacker built a BotNet powerful enough to take down some of Liberia’s communication infrastructure.
Malware: Malware is short for “malicious software”, and you’ve guessed it, it’s software with a malicious intent! Those intentions could be to steal personal information like bank account details or secretly tracking your internet browsing history. Cyber criminals trick users into accidentally downloading malware via untrustworthy links online or from compromised USB devices. Once downloaded, the malware communicates information it finds on the user’s computer, such as bank details, back to the attacker.
Ransomware: With ransomware, cyber criminals prevent access to your systems, encrypting all files unless a ransom is paid. In previous attacks, cyber criminals have locked computers down, extorting ransom payments as time goes on and deleting files later if the ransom isn’t paid. Many of these attacks also use the digital currency BitCoin in an attempt to remain anonymous and transfer money quickly online. FreeAgent’s Head of Information Security, Richard Grey, also adds “it’s doubtful whether many of the attackers are able to decrypt your files even if you do pay a ransom!”.
Insider threats: While many common threats to cyber security come from outside a business, some threats can come from within, such as rogue employees maliciously leaking data. A famous case of this occurred when a senior auditor at supermarket chain Morrisons leaked bank details, names and salaries of roughly 100,000 employees.
It’s not just big businesses that are at risk of insider threats. If you’re self-employed, anyone who has permission to access your systems and data could present an insider threat, so it’s vital that you choose your contractors, agencies and other third party service providers wisely – and give careful consideration to the level of access you want to grant them.
Five cyber security best practices for small businesses
1. Be vigilant with emails
Check email addresses carefully: if an address doesn’t match with the corresponding organisation’s website address, there’s a high chance it’s not legitimate. Look out for spelling mistakes as well, as these can often be a red flag in an email that’s purporting to be an official communication from an organisation.
If the email encourages you to click a link, hover over it with your mouse to reveal the link’s address. If the address isn’t what you’d expect it to be, don’t click it. Lastly, consider other ways you can verify the information provided in the email — this might include calling the organisation or looking the sender up on Google or LinkedIn.
2. Diversify your passwords
Using the same password across different services leaves you vulnerable to being caught out by cyber criminals. Knowing that people will often reuse passwords across services, scammers are able to sell databases of hacked passwords to other cyber criminals for huge profits.
It’s best practice to use different passwords across different services. This will stop your account being compromised for multiple services if there is a security breach. You can check if a password is known to have been breached here.
Passwords should be long, difficult to guess and should contain a mixture of uppercase and lowercase letters, special characters and numbers. A good approach would be to construct your password out of a seemingly random phrase with a meaning that’s easy for you to remember — this is known as a passphrase.
Password managers are nifty online tools that store all your usernames and passwords in an encrypted database. As well as storing passwords, these tools also generate unique and random passwords, so you don’t have to create new ones for every service you use. The number of passwords you have to remember also reduces drastically: the master password for the password manager is the only one you need to memorise.
3. Enable 2-Step Verification
2-Step Verification (sometimes referred to as 2SV) is a method where you use two different methods to prove your identity and access to an account. This usually involves you proving that it’s you trying to log in with an additional piece of information that’s linked to your account. This could be a number generated by an authenticator app like Duo or Google Authenticator, or a code which is texted to a phone you’ve linked to the account.
Even the strongest passwords can be cracked or exposed in a data breach. Having 2-Step Verification installed gives you and your business an extra level of security against cyber criminals.
Many of the services you use are likely to include 2-Step Verification as a feature.