Cyber security is the hot topic in every sector right now, and with good reason – insurer Hiscox found that 55% of UK firms had faced a cyber attack in 2019, up from 40% last year. The same report found that almost three quarters of companies were ranked as ‘novices’ in terms of cyber readiness. The reality is that companies of all shapes and sizes struggle to keep up with keeping the hackers out.
The difference for small companies is that they may not have the resources, be it time, budget or personnel, to deal with the growing threat. This article is for you, the busy business owner who simply doesn't have the time or the deep technical knowledge to get to grips with all the nuances of cybersecurity best practice in 2019. Instead, we'll cover the essentials you need to know to have adequate cover.
Many small business owners assume that they will not be targeted by a cyber attack. After all, if there are banks or large firms with far more sensitive data to go after, then why on earth would a hacker target my business? Unfortunately the answer is, simply and frustratingly: because it’s easy.
While the data you hold may not be of much use to others financially, both your data and your systems are useful to you – a breach can affect your relationship with partners, suppliers and customers. The subsequent damage could, if you're extremely unlucky, seriously harm your business.
Meanwhile, if the data is useful to you, the cyber criminal may hold you to ransom for it via ransomware. And on top of that, the fact is small businesses have to comply with certain regulations surrounding data protection and an attack could jeopardise this. Quite a nightmare, right?
There are some basics to implement for any business that will give you a good base to work from. Rob Bamforth, an independent IT analyst, suggests using strong passwords, and ensuring that you don’t use the same password more than once. “Make them all ‘recognisable’ – in case one is hacked and comes back to you, at least you then know where the breach came from,” he says.
Bamforth isn’t wrong: a recent NCSC survey found that 23.2 million email accounts worldwide that were hacked used 123456 as a password, while millions of other victims were using the word ‘password’ or their favourite football team as their passwords. Caitlin Smith, a senior consultant in the cyber risk team at Deloitte, suggests implementing a strong authentication policy as a ‘free’ way to help prevent unauthorised access to devices and data. “Ensuring that multi-factor authentication is required, for example a password plus an authentication code, will add a robust layer of security,” she says.
Creating a policy for cyber security is a great start, but you should also ensure all employees understand this policy, and update it regularly to account for any changes in the market – such as new threats, or new systems being implemented. For example, AT&T Cybersecurity recently found that the biggest threats currently troubling companies are phishing (29%) and cloud security threats (27%), so it is worth making sure your employees understand what both of these are, and how they could be impacted by either.
Bamforth also suggests that businesses should have anti-virus software in place for PCs and Macs and this software should be up-to-date – simple advice in theory, although it has a habit of dropping to the bottom of people's to-do lists. Fight the urge!
One of the advantages of being a small business is that you will generally have less data to manage than larger companies. This means it’s also easier to identify sensitive and confidential data.
“Prioritisation is essential here, and building in stronger defences for those specific ‘high-risk’ datasets, as opposed to securing all data in its entirety, is easier and more efficient for smaller businesses,” Smith explains.
Meanwhile, Bamforth says that organisations should ensure their software is set to apply patches automatically, to minimise their vulnerability to attacks. He adds that ransomware should be taken into consideration too, either with specific protection or, at the very least, with regular automated back-ups to non-mounted storage.
It’s worth also understanding what certain attacks are and whether or not you could be affected, and how you would react in case of an attack. AT&T Cybersecurity found that only 17% of smaller enterprises are very confident in defending against DDoS attacks compared to 29% of large enterprises, while only 15% of smaller enterprises are very confident in defending against IoT attacks compared to 21% of large enterprises – but while this may be a concern to some small businesses, it may not be for yours if you don’t use IoT devices.
Finally, both Smith and Bamforth suggest getting some external help. “It’s becoming easier for small business to outsource key cyber security services without cutting corners,” says Smith.
“This could include data backups, hiring a part-time CISO (chief information security officer) to provide strategic guidance, or even bringing in a cyber security SME for employee awareness training. If you’re unable to do it yourself, there is no lack of external resources that can provide support and insight on cyber security,” she adds.
Cybersecurity can be tricky to get your head around, but there are basics that you can get right to start with, and thereafter you can rely on a number of government help guides or even external sources. It’s worth getting this right.
The UK government’s NCSC has a small business guide for cybersecurity, which was updated last year to include an actions list: www.ncsc.gov.uk/blog-post/you-askedwe-delivered-small-business-guide-now-has-actions-list
The government also has a certification to prove that you have the basics right. It’s called Cyber Essentials, and it’s a good fit for those who want to get clued up about cybersecurity: www.cyberessentials.ncsc.gov.uk/
The NCSC’s findings on the most hacked passwords are here: www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security
The AT&T Cybersecurity report can be found here: alienvault.com/resource-center/analyst-reports/perception-reality-cybersecurity-threats