Has your business, or a business you know, suffered from a cybercrime? As 43% of cyber-attacks are targeted at small businesses, you need to take action to protect your business now and on an ongoing basis.
Cyber-attacks are happening every day. Not only are individuals a target but so are businesses, from the small to the large. Consumers and micro-businesses may have some protection from the new voluntary agreement around payment scams that the banks are signing up to. However, a recent BBC article says that some banks still haven’t signed up.
Given all of this, what steps can you take to protect your business? Here, Mike Ianiri from Redsquid highlights how small businesses can protect themselves.
The weakest link
When it comes to any cyber security protection plan, the human element is still the weakest link. When staff are busy meeting their deadlines they tend to simply do what they believe to be the right thing at that particular moment.
One of the biggest cyber threats aimed at small businesses is impersonation emails. Most people will do what is requested in the email. For example, we know of companies who have lost £100,000 because what appeared to be a supplier emailed them with a change to their bank details.
Big businesses can be caught out too. The Italian football club, Lazio, reportedly lost £1.75 million when they genuinely thought they were making the final payment for a new player.
Training is essential
The key to reducing the threat is training. By training your team in what to look out for you can help them to help you protect the business.
- Check email addresses carefully. The fraudsters use addresses and URLs that are very similar to the legitimate person's.
- Be wary of emails from senders you don't recognise, or whose subject is designed to worry you. Cybercriminals want to make you feel worried. They will say, for example, that your emails aren't getting through or you've run out of Microsoft licenses. These are fake claims. The fraudsters want you to open attachments or click on links designed to infect your machine and your network.
- Be careful with new contractors. Some cybercriminals will brazenly walk into your premises and try to infect your machines. So, if the visit is unexpected, or if anything makes you suspicious, stop and check.
- Double-check requests for large or urgent payments. It's not in our nature to query senior management, for example, but doing so will protect your business – an email claiming to be from, say, a Finance Director is a common form of cyber attack.
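The first and last points above (look-alike sender addresses, and a senior name on an outside address) can be turned into an automatic check that runs before anyone acts on a payment request. The following is an added example written for this article, not Redsquid's tooling or anything it sells; the business domain, staff names and supplier domains are constructed placeholders, and a real deployment would read them from the company's own directory and supplier list.

```python
import re
from email.utils import parseaddr

# Constructed data (assumptions, not from the article): the business's own domain,
# a few staff names that fraudsters might impersonate, and the supplier/bank
# domains the business actually corresponds with.
OWN_DOMAIN = "mybusiness.example"
STAFF_NAMES = {"pat jones", "sam patel"}
TRUSTED_DOMAINS = {OWN_DOMAIN, "acme-supplies.example", "bigbank.example"}

# Character sequences fraudsters swap for visually similar ones. Folding them
# back before comparison makes "acrne-supplies" compare equal to "acme-supplies".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(domain: str) -> str:
    d = domain.lower()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, lookalike, impersonation or unknown."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return {"verdict": "unknown", "reason": "no parsable address"}
    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "reason": f"{domain} is on the allowlist"}
    # A staff member's name on an external address is the classic "Finance Director" fraud.
    if name.strip().lower() in STAFF_NAMES:
        return {"verdict": "impersonation",
                "reason": f"display name '{name}' is a staff member but the address is external ({domain})"}
    folded = fold_homoglyphs(domain)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name nested under somebody else's domain, e.g. bigbank.example.secure-login.example
        if domain.startswith(trusted + "."):
            return {"verdict": "lookalike",
                    "reason": f"{domain} nests the trusted domain {trusted} under another domain"}
        # Homoglyph swap, or a single-character typo of a trusted domain
        if folded == fold_homoglyphs(trusted) or levenshtein(folded, fold_homoglyphs(trusted)) <= 1:
            return {"verdict": "lookalike", "reason": f"{domain} is within one edit of {trusted}"}
    return {"verdict": "unknown", "reason": f"{domain} is not a known correspondent"}


if __name__ == "__main__":
    # Constructed sample headers illustrating each outcome.
    for header in ["Jane <jane@acme-supplies.example>",
                   "accounts@acrne-supplies.example",
                   "alerts@bigbank.example.secure-login.example",
                   "Pat Jones <pat.jones@freemail.example>",
                   "bob@random.example"]:
        result = assess_sender(header)
        print(f"{result['verdict']:13} {header}  ({result['reason']})")
```

Anything other than "trusted" is a prompt to pick up the phone and confirm the request through a number you already hold, which is the check the bullet list asks for; the script does not decide for the reader, it just stops a look-alike address slipping past a busy eye.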
An effective way to check how well your team is absorbing the training they receive is by using simulated phishing attacks. With regular, controlled attacks you’ll be able to identify who is following what they’ve learned and who needs a little more training. We’ve done this at Redsquid and, in only three months, click-throughs reduced from 54% to just 4%.
Multiple approaches to protecting your network
You need to protect your network in a number of ways.
Keep your PCs fully patched. Your operating system provider regularly publishes security updates to protect against the latest cyber threats; if you don't install them, you are not protected against the threats they fix. We know you don't want to lose the time it takes for the patches to be installed (usually not more than 10-15 minutes, unless you've not done it for a while), but surely it's better to lose the time and be protected? It will take you far longer to recover if you are attacked.
If your firewall is a few years old, we recommend you update it. Its ability to protect your network needs to be upgraded as the threats to your network will have increased. Sophos is an example of a good provider of such devices.
Vulnerability and Penetration Testing
There are many different ways to get into your network and the data it contains.
Vulnerability Scanning is the intelligence-driven deployment of scanning engines, updated with information from the latest threat intelligence feeds. These help to ensure the security of your systems, services and applications from a number of common attack vectors, exploited by both automated and manual attackers. Vulnerability testing should ideally be done continuously, but at least every month.
A penetration test is an authorised simulated cyber attack on a computer system, performed by a suitably qualified third party. It is designed to evaluate and ultimately to fortify the security of a target system through the identification of security vulnerabilities. We recommend these are done at least once a year. The investment in an independent body (not your IT provider) is worth it for the peace of mind it provides.
These tests also mean you are properly ticking the GDPR box. You need to be able to show you are protecting the Personally Identifiable Information (PII) you hold on your customers and staff. If a breach does happen and you cannot prove you have taken reasonable steps, the Information Commissioner's Office (ICO) can fine you up to 4% of annual global turnover.
Web Applications and APIs
Most businesses are using multiple web applications and APIs to streamline productivity, but have you checked whether the ones you use have been tested against intrusion? They can easily become a back door into your network for cybercriminals.
Microsoft stops supporting Windows 7 on January 14th 2020. If you are still running Windows 7 after that date, you are seriously risking your network and your business. You must upgrade to Windows 10. We recommend you upgrade your hardware too, to benefit from the physical security and performance enhancements built into new machines.
Email gateways are a great way to reduce the opportunity for people to make mistakes. By passing all your email through a gateway, such as Cyren’s email security, you block the malware, phishing and spam emails that threaten your network.
Protecting your network is always the first step, but we also recommend you insure your business against cyber threats (taking professional advice and always reading the documents very carefully). Cyber insurance will help you recover if you are targeted. In the event of a ransomware attack, for example, your insurers may consider which is more beneficial – paying the ransom or covering the costs of getting you back up and running. Some insurers might even pay any fines from the ICO.
Multi-factor authentication (MFA) adds a second check, usually on a separate device, to protect your network. Your phone, which isn't more than a metre away from you right now, can act as confirmation that you are who you say you are when you are logging into your laptop or into an application. By using multiple layers of security, you make it harder for unauthorised users to get into your network.
If you fall victim to a cyber-attack remember to report the crime and fulfil your GDPR obligations. However, we hope that with the right protections and training in place you won’t find yourself in this situation.