So much of modern work is now done on personal computers, smartphones and tablets, and while we embrace the advances in technology and the ease with which tasks can be completed, it’s easy to forget that technology brings its own risks too.
In the last three years there’s been lots of news about data breaches affecting large companies, but the reality is that just about anybody can be targeted by a cybercriminal.
Research from the Federation of Small Businesses (FSB) shows that a staggering seven million cybercrimes are committed against smaller businesses in the UK every year – that’s 19,000 a day. On average, a cybercrime incident costs a small business victim almost £3,000 in damages, and it can take over two days for the business to be back up and running.
Cybercriminals and how they operate
Cybercriminals are foremost concerned with increasing their financial gain. They seek to do this by stealing private financial information, personal details and account login credentials, so that they can go on to commit fraud, data theft or extortion.
This can include anything from stealing a customer’s information to commit identity fraud with other services, to selling stolen credit card numbers or account profiles on the dark web for cash.
But some hackers are playing for higher stakes – if they can infiltrate a company and convince employees that a fake email comes from an actual customer, supplier, business service or a superior, then there’s a chance those employees can be tricked into sending huge amounts of funds to a bank account owned by the cybercriminal.
Malware, DDoS attacks and phishing emails
There are several methods cybercriminals use to attack businesses:
- Malware – a software program written by cybercriminals to steal information from a computer or network once it has been run on that system
- Phishing emails – fake emails that imitate customers, suppliers or services known to the individual. These emails can trick the user into opening attachments containing malware, or trick the person into clicking on a hyperlink to a fake website where the user is asked to enter their login details.
- Ransomware – a new type of malware that was used to attack the NHS in 2017. Ransomware locks computers and demands a ransom in bitcoin. If the ransom is not paid, the program deletes crucial data from the PC, or prevents the victim from using the machine again.
- DDoS attacks – Distributed Denial of Service (DDoS) attacks happen when a hacker floods a company’s website with traffic to take it offline. The true aim of the attack is often to find vulnerabilities in the website’s defences so that the cybercriminal can access the website’s database of customer information, or to gain access to the company’s internal computer network.
How to protect your business
You don’t have to wait for the bad guys to come calling – there is a lot that businesses can do to avoid becoming victims.
Here are some tips that all small businesses should follow, as recommended by the National Cyber Security Centre and FSB Cyber Protection advice line:
- Back up all your data
Make sure that all important information pertaining to your business – such as customer details, quotes, orders, payment details, document templates, financial records – is backed up safely and regularly, so that it can be restored in an emergency.
A key tip is to make sure that the backup is stored in a secure place that other employees cannot access, and that the backup device is not connected to any computer or network. A good place to store backups is the cloud.
- Use passwords to protect your data
Make sure you switch on password protection on all devices, and use two-factor authentication on all user accounts where you are given the option.
- Keep all computers updated
It’s crucial that you make sure all IT equipment (computers, servers, smartphones, tablets) is kept up to date with the latest software updates. It’s good to set all your equipment to update automatically when patches become available.
- Install antivirus software and firewalls
Ensure all PCs have antivirus software installed and always on, and that your internet router and servers have firewalls installed.
- Prevent your staff from installing dodgy software
All PCs, smartphones and tablets should only contain software and apps from reputable services you work with, or from manufacturer-approved app stores. Staff should be prevented from downloading any third-party software from unknown sources, which might contain malware. A good way to do this is to remove admin privileges from their user accounts.
- Educate your employees about phishing scams
You can’t stop cybercriminals from sending phishing emails, but you can educate your staff to spot the signs. As a rule of thumb, employees should be suspicious of any emails that are not directly addressed to them, and avoid opening attachments in emails from an unknown origin.
A good pointer to remember is: are you expecting an email from this person? If an invoice comes through from a supplier for a service that you haven’t had, it’s probably a scam. It’s also a good idea to look at the email address that the email originated from – is it the same domain as the service you use?
And in particular, if an email is ever sent to the finance department requesting a transfer of funds, the employees concerned should always check in person with the superior who sent them the email.
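The "same domain" check above, and the impostor-email problem described earlier, can be turned into a simple automated triage step. The following is an added example, not code from the FSB or the National Cyber Security Centre: it takes the From: header of an incoming email, separates the display name (which the sender controls completely) from the actual address, and compares the sending domain against a constructed list of the domains a business really deals with. It also flags the two tricks the article warns about: a near-miss lookalike domain, and a display name that claims to be a known supplier while the address belongs elsewhere. The supplier domains and headers below are invented for illustration.

```python
import re
from email.utils import parseaddr

# Constructed example: the domains of the suppliers and services this business really uses.
KNOWN_DOMAINS = {"acme-supplies.example", "payroll-provider.example"}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header, or None.

    parseaddr() splits 'ACME Supplies <billing@acme-supplies.example>' into the
    display name and the address, so the check runs on the address only: the
    display name is whatever the sender typed and proves nothing.
    """
    _name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return None
    return address.split("@")[1].lower().strip(".")


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a character
                           cur[j - 1] + 1,         # insert a character
                           prev[j - 1] + (ca != cb)))  # substitute (cost 0 if equal)
        prev = cur
    return prev[-1]


def label(domain):
    """The organisation part of a domain, e.g. 'acme-supplies' for 'acme-supplies.example'."""
    return domain.split(".")[0]


def normalise(text):
    """Lower-case and drop punctuation/spaces so 'ACME Supplies' matches 'acme-supplies'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify_sender(from_header, known_domains=KNOWN_DOMAINS):
    """Classify a From: header against the domains the business actually deals with.

    Returns one of:
      'malformed'             - no usable address in the header
      'known'                 - the sending domain is one we use
      'lookalike'             - a near miss on a known domain (one or two edits, or a
                                known name wrapped in extra words such as '-invoices')
      'display-name-mismatch' - the display name claims a known supplier but the
                                address belongs to some other domain
      'unknown'               - a domain we have no relationship with
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    if domain in known_domains:
        return "known"
    for known in known_domains:
        if edit_distance(label(domain), label(known)) <= 2 or label(known) in label(domain):
            return "lookalike"
    display_name, _address = parseaddr(from_header)
    if any(normalise(label(known)) in normalise(display_name) for known in known_domains):
        return "display-name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed headers covering each verdict.
    for header in [
        "ACME Supplies <billing@acme-supplies.example>",
        "ACME Supplies <billing@acme-suppl1es.example>",
        "Accounts <pay@acme-supplies-invoices.example>",
        "ACME Supplies <ceo.office@freemail.example>",
        "Invoice team",
        "newvendor@somewhere.example",
    ]:
        print(f"{classify_sender(header):22}  {header}")
```

Anything other than "known" is a prompt for the "are you expecting this?" question rather than an automatic block: a genuinely new supplier will show up as "unknown". The two-edit threshold suits company names of a reasonable length; for very short names it would flag unrelated domains, so tighten it to one edit if your supplier list contains such names.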
FSB members have access to a data and cyber advice line run by cyber security experts, along with basic cyber insurance of up to £10,000 cover for third-party claims – covering legal liability for damages and costs following a claim brought against them for a cyber attack, data breach or e-media issues such as libel, slander and defamation.