How to Protect Your Small Business from Cyber Attacks


When asked whether SME businesses need to protect themselves from cyber attacks, the answer is simple: 43% of cyber attacks are aimed at small businesses.

If you are a small business and aren’t protecting yourself, you need to review this and put suitable protection in place. Mike Ianiri of Redsquid explains what you should do.

Cyber attacks are aimed at everyone. Consumers are frequently targeted, as are businesses, both large and small.

Consumers and micro businesses may have some protection from the new agreement the banks are signing up to. However, a recent BBC article reported that some banks still haven’t signed up to this voluntary agreement on payment scams, so they need to ensure they protect themselves as much as possible.

Let’s look at what you can do to protect your business:

1. The Human Element

Unfortunately, it is still the case that the weakest link in any cyber security protection plan is human. Every member of your team is busy. They need to get a huge amount done during the day and so simply do what they believe is the right thing.

Impersonation emails are one of the biggest cyber threats aimed at small businesses, and the problem is that most people will simply do what the email asks.

Examples of this can be seen every day. We know of companies that have lost £100,000 because a supplier purportedly emailed them with a change of bank details.

Big businesses can fall foul of these attacks too. Lazio, the Italian football club, recently reportedly lost £1.75 million when they believed they were making a final payment for a new player.

2. Training

The key to reducing the threat is training. By training your team in what to look out for, you help them to help you protect the business. Here are a few ‘red flags’ to look out for:

Check email addresses carefully

The fraudsters use email addresses and URLs that are very similar to the legitimate person’s or company’s, so a quick glance will not reveal the difference.
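As an added illustration (not code from the article or from Redsquid), the script below shows the kind of automated check a mail filter or finance team could run on the From: header: it folds common look-alike tricks (digit-for-letter swaps, ‘rn’ for ‘m’, accents, a different suffix) and flags domains that merely resemble a known supplier. The supplier list and sample headers are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample of domains the finance team legitimately deals with.
KNOWN_DOMAINS = {"acme-supplies.co.uk", "redsquid.co.uk"}

# Character swaps commonly used to build look-alike names (constructed, not exhaustive).
# This folds accented Latin letters and digit/letter substitutions only; it does not
# map Cyrillic or other non-Latin homoglyphs, so IDN ("xn--") senders still need review.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain: str) -> str:
    """Fold a domain into a canonical form so look-alike spellings compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))  # strip accents
    for src, dst in SWAPS:
        folded = folded.replace(src, dst)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known=KNOWN_DOMAINS):
    """Return (verdict, matched_known_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in known:
        return "known", domain
    nd = normalize(domain)
    for k in sorted(known):
        nk = normalize(k)
        # One edit away after folding (suppIies, acrne), or the same first label
        # under a different suffix or as a subdomain (acme-supplies.com).
        if edit_distance(nd, nk) <= 1 or nd.split(".")[0] == nk.split(".")[0]:
            return "lookalike", k
    return "unknown", None

if __name__ == "__main__":
    # Constructed From: headers of the kind seen in a payment-diversion attempt.
    for hdr in ("Accounts <accounts@acme-supplies.co.uk>",
                "Accounts <accounts@acme-suppIies.co.uk>",
                "Accounts <accounts@acrne-supplies.co.uk>",
                "Finance <finance@acme-supplies.com>",
                "Newsletter <news@example.org>"):
        print(classify_sender(hdr), "<-", hdr)
```

A ‘lookalike’ verdict is a prompt for a phone call to the supplier on a number you already hold, not proof of fraud; an ‘unknown’ verdict still needs the human checks described above.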

Query requests for large, or urgent, payments

It’s not in our nature to query senior management, for example, but it will protect your business if your team is trained to do this.

Emails purporting to come from the Finance Director, requesting that an immediate payment be made, are a common form of cyber attack.

Don’t open emails you don’t recognise

Don’t open emails from sources you’re unsure of, or if the topic is worrying.

Cyber criminals want to worry you – that’s how they get you to act. They will say your website has crashed, your emails aren’t getting through or you’ve run out of Microsoft licenses, for example.

All are fake and are looking for you to open attachments or click on links designed to infect your machine and your network.

Be sure of contractors

Be watchful of any new contractors, even if they say they are from your IT company. Whilst most will be legitimate, some cyber criminals will simply walk in off the street and try to infect your machines. So, if you are not sure, or the visit is unexpected – stop and check.

These are just some examples of the threats you face. By making sure your team knows what to look out for, and has permission to query or challenge things, you are protecting your network and your business.

A good way to check how well your team is absorbing the training is to use simulated phishing attacks. Regular, controlled attacks can identify who is following their training and who needs a little more.

When we did this internally at Redsquid, we reduced click-throughs from 54% to just 4% in only three months.

3. Protecting your network

Your network protection can come in many guises:

Firewalls

A robust hardware firewall with intruder prevention capabilities needs to be in place.

If your firewall is a few years old, we recommend you update it. Its ability to protect your network needs to be upgraded as the threats to your network will have increased. Sophos is an example of a good provider of such devices.

Patching

Keep your PCs fully patched. Your operating system provider regularly publishes security updates to protect against the latest cyber threats. By not patching, you leave your machines exposed to weaknesses that have already been fixed.

We know you don’t want to lose the time it takes for the patches to be installed (usually not more than 10-15 minutes, unless you’ve not done it for a while), but surely it’s better to lose the time and be protected? It will take you far longer to recover if you are attacked.

Windows 7

Microsoft stops supporting Windows 7 on January 14th 2020. If you are still running Windows 7 after that date, you are seriously risking your network and your business. You must upgrade to Windows 10.

We recommend you upgrade your hardware too, to benefit from the physical security and performance enhancements built into new machines.

Vulnerability and Penetration Testing

There are many different ways to get into your network and the data it contains.

Vulnerability scanning is the intelligence-driven deployment of scanning engines that are kept updated from the latest threat intelligence feeds. It helps to confirm that your systems, services and applications are protected against a number of common attack vectors used by both automated and manual attackers.

Vulnerability testing should ideally be done continuously, but at least every month.

A penetration test is an authorised simulated cyber attack on a computer system, performed by a suitably qualified third party. It is designed to evaluate and ultimately to fortify the security of a target system through the identification of security vulnerabilities.

We recommend these are done at least once a year. The investment in an independent body (not your IT provider) is worth it for the peace of mind it provides.

These tests also mean you are properly ticking the GDPR box. You need to be able to show you are protecting Personally Identifiable Information (PII) you hold on your customers and staff.

If a breach does happen and you cannot prove you have taken reasonable steps, the Information Commissioner’s Office (ICO) can fine you up to 4% of annual global turnover.

Gateway Prevention

Email gateways are a great way to reduce the opportunity for people to make mistakes. By passing all your email through a gateway, such as Cyren’s email security, you block the malware, phishing and spam emails that threaten your network.

APIs and Web Applications

Most businesses are using multiple web applications and APIs to streamline productivity, but have you checked whether the ones you use have been tested for intruder prevention? They can easily become a back door into your network for cyber criminals.

Multi-factor Authentication

Multi-factor Authentication (MFA) requires more than one proof of identity, typically from more than one device, to protect your network. Your phone, which isn’t more than a metre away from you right now, can act as confirmation that you are who you say you are when you are logging into your laptop or into an application.

By using multiple layers of security, you make it harder for unauthorised users to get into your network.

Cyber Insurance

Protecting your network is always the first step, but we also recommend you insure your business against cyber threats. Whilst it cannot replace what is stolen, cyber insurance will help you recover.

In the event of a ransomware attack, for example, the insurer may consider which is more beneficial: paying the ransom or paying the costs of getting you back up and running. Some may even pay any ICO fines. As with all insurance, we recommend you take advice on what cover you should have and read the small print carefully.

Final thoughts

By protecting your SME business from cyber threats, you are not only protecting your livelihood, you are protecting your reputation. Even if the cyber security breach doesn’t damage your business, any damage to your reputation can be equally, if not more, disastrous.

If you do become a victim of a cyber threat, remember your GDPR obligations and report the crime. Whilst it may not help the police catch the attackers, it will help prevent others from being attacked in the future.

About the author

This guide has been written exclusively for ByteStart by Mike Ianiri, Sales Director at Redsquid, one of the UK’s leading independent providers of business Voice, Data, ICT, Cyber Security and IoT Solutions. Redsquid is not tied to a single supplier but rather helps clients boost productivity, reduce costs, and protect and grow their business by creating bespoke solutions from the best technology available in the marketplace.
