How to protect your small business against a cyber attack

Podcast 31 Jan 2023

In this episode, we look at the emerging and common digital threats facing small businesses in 2023, and guidance on how you can keep your company safe from scammers and attackers.


What are the latest cyber threats and how can you protect your small business against them? We look at the emerging and common digital threats facing small businesses at the moment – and throughout 2023 – and provide some guidance on how you can keep your company safe from scammers and attackers.

Helen Barge,
Managing Director,
Riskevolves


Episode transcript

Jon Watkins: Welcome to this latest edition of the FSB podcast, the go-to podcast for news, tips and important information for small businesses and the self-employed. In this episode, we will look at the emerging and common cyber threats facing small businesses at the moment and throughout 2023, as well as providing some practical guidance on how you can keep your small business safe from scammers and attackers. Cyber crime and cyber attacks are threats we hear about all the time, and in this increasingly digital and tech-driven world, are not likely to go away any time soon. In fact, latest statistics show that more than 80% of UK businesses experienced at least one cyber attack in 2022, up by nearly 10% compared with the previous year. So what are the latest threats? And how can you protect yourself against them? To tell us, I'm joined by Helen Barge, managing director of Riskevolves, a risk consultancy that helps businesses evade the dangers of malicious or accidental risks from cyber. Helen, hi, thanks for joining us.

Helen Barge: Hi. Great to catch up.

Jon Watkins: It's good to have you here. I mentioned a stat right at the beginning there in terms of 80% of businesses facing some kind of cyber attack last year. Just how big a threat is this to small businesses in particular, Helen? Do they face specific challenges compared with the bigger counterparts?

Helen Barge: That's a great question. And small businesses are certainly as eligible for this type of crime as any other type of business, or in fact any other type of organisation. There's probably some key differences that smaller businesses have got to those larger organisations, and some of them are obvious. For example, budget: the majority of our small business owners do not have the type of resources available to fight cybercrime in the way that the large organisations have got. And that's just fact - we never will have that type of budget. The majority of small businesses don't have the skills within the organisation to understand the threats that their organisation may face on a day-to-day basis. We've seen an increase in attacks, for example, following the invasion of Ukraine. And that is absolutely pertinent to all businesses, regardless of size or shape. So we need to make sure we've got the right skills. They may also be targeted because they're a particular business within a particular supply chain that may be of pertinent interest to a criminal. There's all sorts of different reasons why we may be targeted. And our recommendation is always to look for great partners to work with. In the same way as we're not expected as small businesses to all have the same skills as an accountant or a lawyer or somebody who's got lots of professional qualifications, we shouldn't all be expected to have the same sort of qualifications and skills as a good managed service provider. And I'd encourage every small business to think about this in exactly the same way as they do when they think about accountancy skills and so on, is to go and look for a great provider that's got some really good credentials. There are Microsoft partners, for example, who can help you in a cost-effective way manage that risk to your business.

Jon Watkins: Right, bringing the expertise as you need it. Yeah, we've all heard about sort of phishing attacks and things like that, Helen, but can I ask you to run us through some of the more common threats facing small businesses right now?

Helen Barge: Yeah, certainly. So phishing attacks, most of us are very familiar with phishing attacks. This is when you receive an email, typically an email into your inbox, that's encouraging you to do something very, very urgently, to click a link. I received one just last week, which was offering me an air fryer - who knew that air fryers even existed 12 months ago - but I was encouraged to click a link because the sale of air fryers was out there, but behind that there was malicious software. So in addition to those phishing attacks, what we're also seeing now is smishing attacks. So the IT industry, ever capable of adding more and more jargon on - a smishing attack is a message that you may have received to your mobile phone, again, with a link in it encouraging you to do something quickly, urgently, and so on. Last year, towards the end of last year, we saw a huge increase in the number of smishing attacks coming through encouraging you to click on a link to go and claim the energy credit, the £400 energy credit that we're all entitled to, that was there to gather information about you that the criminal could then use for other means and other purposes.

Jon Watkins: Right. So I mean, he's saying, Helen, that we've kind of seen a shift in the way that fraudsters and scammers work to access our data and our information, for example, you know, the entry points changing into our businesses.

Helen Barge: Certainly, so what we're seeing is that is the critics of climate becoming even more creative, not just using phishing, not just using smishing. We're also seeing as well perhaps where they may be getting into a dialogue with you over email, trying to engage you, trying to gain your trust and your relationship with them. So that at some point in the future, you don't click on a link or you then click on an email. So our message is always just be cautious. In the same way as you'd be cautious with anybody coming randomly to your front door, just be careful about anybody randomly emailing you or sending you links or sending you attachments. Just take five seconds and think, do I really need to click this? Do I know who this person has come from? Who this email has come from? Has it come from somebody with the right email address? So check the content and structure of that email address before responding, before clicking that link, before opening that attachment.

Jon Watkins: Yeah, I think one of the issues, one of the things we're all guilty of is thinking that, you know, this sort of stuff won't happen to us. Do you have an example of an attack on a small business and just how that impacted them, as a kind of example for just how these things can impact small businesses?

Helen Barge: Yeah, certainly. So as you're aware, we work with a number of small businesses across a different range of different variety of compliance services. One of our latest clients came to us about 18 months ago, 12-18 months ago. They had suffered an initially really quite innocuous phishing attack. They, the receptionist who clicked on the link, malicious software was downloaded. And actually going back to this point and having really good technical people working with you, it was the technical team that recognised that something wasn't quite right. Something wasn't quite right within the organisation. Cut a very long story short, they lost some data. The company did all the right thing. They reported it to the Information Commissioner's Office, or the Information Commissioner's Office decided to take no further action. That company had done all the right things. They had the right controls in place, they responded correctly. They informed their users and so on and so forth. Very sadly, what's been happening since then is we're seeing claims coming through from those organisations for compensation for individuals that have been impacted by that breach for compensation. So it's a slightly different view. We often hear about the big ransomware attacks that might have attacked large organisations that have been in the news and the headlines. But this is very much around the claims culture that we're beginning to see coming in through phishing emails and data breaches.

Jon Watkins: Yes, that is a big impact, isn't it? You've alluded to some of the things that small business owners can do, you know, to start protecting themselves. But what are the sorts of basics, what are the absolute musts, when it comes to cybersecurity for small businesses?

Helen Barge: Cyber Essentials is something that we would recommend to every organisation. Now, Cyber Essentials is the UK Government and National Cyber Security Centre supported initiative to, as the name suggests, ensure that all organisations follow the essentials on cybersecurity. Now, even if you don't want to go through and certify for Cyber Essentials, and that costs around £300 to do, we recommend that you do all the absolute musts that that scheme suggests and imply, so is the basics, such as making sure that your device is always up to date with the patches. And we know, we always know, that those patches want to be installed on your device at the most inopportune moment, most inconvenient moment. Don't delay, they are there to make sure that your systems are safe and secure. Make sure you've got a good strong password. The National Cyber Security Centre recommends that you have what you three words, for example, three random words for that password. And I don't know about you, Jon, I can't remember passwords for toffee. And there's some really good stats that we use probably about 20 passwords a day on 20 different systems. So my recommendation, my personal recommendation, is get yourself a password manager. But you've only got to remember one password, keep that one password safe. And that password manager will manage your passwords for you. Make sure that you've got a good antivirus on your machine. So that makes sure any viruses coming into the machine are captured. Make sure you use multi-factor authentication. So multi-factor authentication, there we go, there's another bit of jargon from the industry! Just something different, something in addition to using that password. We're really familiar with using them for our banking accounts, where you have to perhaps use a biometric as well as putting in a code. The same is available on the majority of systems and is an absolute must for email.
There's a number of other things that you can do, but I would recommend going and having a quick look at the National Cyber Security Centre (NCSC) website. Or alternatively, the IASME, that's spelled IASME, website, who administered the Cyber Essentials scheme on behalf of the NCSC.

Jon Watkins: Yeah, brilliant. You're also I know you're running an FSB Bootcamp on this topic later in the year. What are some of the other things that you'll be covering on that?

Helen Barge: Absolutely. So I've been challenged by the FSB to deliver my top 10 tips in 10 minutes. I think that's going to be a bit of a tall order for me. So what I've done is I've asked a couple of our friends and colleagues, one from Warwickshire police, James. James will be joining us and we also have Vanessa joining us as well from the West Midlands cyber resilience centre. So that's the FSB bootcamp, which is to be held on the 27th of March at Coombe Abbey hotel on the outskirts of Coventry. I mentioned there about the West Midlands cyber resilience centre; one of the other resources that every small business has access to, and every small business with less than, fewer than 50 employees can join for free, are the cyber resilience centres. So we have 10 Cyber Resilience Centres around the UK. If you Google Cyber Resilience Centre, you will find one that's close to you. Being in the West Midlands, strangely enough, I'm associated with the West Midlands Cyber Security Centre. And they are there, their only reason is, to try and provide businesses and charities with top tips on how they can make sure that they do not become a victim of cybercrime. They're funded by the police, and supported by government. And each of the CRCs also has an FSB representative working alongside them as well. So if you do nothing else coming from this, call Google cyber resilience centre, it will probably take you to the national homepage, and from there, you'll be able to identify which is the cyber resilience centre, and the contact details for the one closest to you.

Jon Watkins: That's brilliant. And just one final area that I wanted to touch on is the sort of much-talked-about post-pandemic issue of people working increasingly from home or remotely. Does that create its own risks? And how can firms, you know, small businesses, make sure they're protecting themselves when they have people working remotely?

Helen Barge: Yeah, it's exactly the same. I think one of the things, you know, I'm a small business, I have people working remotely, one of the key differences is just the ability to say, 'Hey, I've got a really unusual email, has anybody else received it?' So some of it is around the communication. Some of it is around whether or not you've got other users in the house using the laptop. So for example, have you got a child that's potentially looking something up on the internet in support of their homework, that could potentially take you to a website that's got some viruses that you don't want on your laptop. So again, I would always recommend, go back to that first top tip, get yourself a really good managed service provider to work with. There are some really great guys out there and gals out there who deliver fantastic services for small businesses, which are really, really cost-effective.

Jon Watkins: That's brilliant. Thanks, Helen. That's a really good walk through the current cyber issues and challenges facing small business owners and how they can tackle some of those or protect themselves against them. I'd also like to thank our audience for listening to this episode. And to remind you that you can subscribe to the FSB podcasts to receive regular updates and guidance on the big issues affecting small businesses. And do please also remember that you can find a whole host of additional webinars, podcasts and other content at the First Voice website at firstvoice.fsb.org.uk and on the FSB at fsb.org.uk. Thanks very much for listening.
