The fact that 43% of cyber attacks are aimed at small businesses is a salutary reminder that entrepreneurs need to make sure their businesses are protected.
Cyber attacks are widespread. Consumers are frequently targeted, as are businesses of every size. Consumers and micro businesses may have some protection from the new agreement the banks are signing up to, but, with a recent BBC article saying some banks still haven’t signed up to the voluntary agreement around payment scams, they need to ensure they protect themselves as much as they can.
Here are some tips for entrepreneurs to help ensure their businesses have the necessary protection:
The People Issue
Unfortunately, it is still the case that the weakest link in any cyber security protection plan is human. A busy team has to get a huge amount done during the day and so people simply do what they believe to be the right thing.
One of the biggest cyber threats aimed at small businesses are impersonation emails and most people will do what it says in the email. For example, we know of companies who have lost £100,000 because a supplier, reputedly, emailed them with a change to their bank details.
Train your staff
The key to reducing the threat is training. By training your team in what to look out for you can help them to help you protect the business.
- Check email addresses carefully. The fraudsters use addresses and URLs that are very similar to the legitimate person.
- Don’t open emails you don’t recognise or if the topic is worrying. Cyber criminals want to make you feel worried. They will say, for example, that your emails aren’t getting through or you’ve run out of Microsoft licenses. These are fake claims. The fraudsters want you to open attachments or click on links designed to infect your machine and your network.
- Be careful with new contractors. Some cyber criminals will brazenly walk into your premises and try to infect your machines. Check if you have any concerns.
- Double-check requests for large, or urgent, payments. It’s not in our nature to query senior management, for example, but it will protect your business – as an email claiming to be from, say, a Finance Director is a common form of cyber attack.
An effective way to check how well your team is absorbing the training they receive is by using simulated phishing attacks. With regular, controlled attacks you’ll be able to identify who is following what they’ve learned and who needs a little more training. We’ve done this at Redsquid and, in only three months, click-throughs reduced from 54% to just 4%.
Your network needs to be protected in a number of ways:
If your firewall is a few years old, we recommend you update it. Its ability to protect your network needs to be upgraded as the threats to your network will have increased. Sophos is an example of a good provider of such devices.
Keep your PCs fully patched. Your operating system provider regularly publishes security updates to protect against the latest cyber threats. By not patching, you run the risk of not being protected. It’s worth taking the time to do this as it will take you far longer to recover if you are attacked.
Microsoft stops supporting Windows 7 on January 14th 2020. If you are still running Windows 7 after that date, you are seriously risking your network and your business. You must upgrade to Windows 10. We recommend you upgrade your hardware to, to benefit from the physical security and performance enhancements built into new machines.
Vulnerability and Penetration Testing
There are many different ways to get into your network and the data it contains.
Vulnerability Scanning is the intelligence driven deployment of scanning engines, updated with information from the latest threat intelligence feeds. These help to ensure the security of your systems, services and applications from a number of common attack vectors, exploited by both automated and manual attackers. Vulnerability testing should ideally be done continuously, but at least every month.
A penetration test is an authorised simulated cyber attack on a computer system, performed by a suitably qualified third party. It is designed to evaluate and ultimately to fortify the security of a target system through the identification of security vulnerabilities. We recommend these are done at least once a year. The investment, in an independent body (not your IT provider) is worth it for the peace of mind it provides.
These tests also mean you are properly ticking the GDPR box. You need to be able to show you are protecting Personally Identifiable Information (PII) you hold on your customers and staff. If a breach does happen and you cannot prove you have taken reasonable steps, the Information Commissioners Office (ICO) can fine you up to 4% of annual global turnover.
Web Applications and APIs
Most businesses are using multiple web applications and APIs to streamline productivity, but have you checked whether the ones you use have been tested for intruder prevention? They can easily become a back door into your network for cyber criminals.
Email gateways are a great way to reduce the opportunity for people to make mistakes. By passing all your email through a gateway, such as Cyren’s email security (https://www.cyren.com/products/email-security-gateway), you block the malware, phishing and spam emails that threaten your network.
Multi-factor authentication (MFA) uses multiple devices to protect your network. Your phone, which isn’t more than a metre away from you right now, can act as confirmation you are who you say you are, when you are logging into your laptop or into an application. By using multiple layers of security, you make it harder for unauthorised users to get into your network.
As an entrepreneur protecting your network should be the first step, however we also recommend you insure your business against cyber threats. Whilst it cannot replace what is stolen, cyber insurance will help you recover. As with all insurance, we recommend you take advice on what you should have and you read the small print with great care.
Every entrepreneur needs to keep their network protection up to date and their staff (and themselves) fully trained. These are essential business routines which also protect your business reputation and your brand.
ABOUT THE AUTHOR
Mike Ianiri is Sales Director at Redsquid, one of the UK’s leading independent providers of business Voice, Data, ICT, Cyber Security and IoT Solutions. Redsquid is not tied to a single supplier but rather helps clients boost productivity, reduce costs, and protect and grow their business by creating bespoke solutions from the best technology available in the marketplace.