Protect your business with a cyber security mindset

In our previous article, we looked at why small businesses should take cyber security seriously. From loss of revenue, reputation damage and lost productivity, the consequences of being hit by a cyber incident can be severe.

But how do you go about protecting your business if you don’t have a budget of tens of thousands or access to a dedicated cyber security expert to help?

The first step is to understand the risks and common threats that you will face and then develop a plan to address these.

Adopting a security led mindset will raise your protection levels against current and evolving cyber threats.

Phishing since the '90s

According to csoonline.com, ‘Phishing is a cyber-attack that uses disguised email as a weapon’. Phishing emails aim to trick an individual into believing they are receiving a genuine email from the likes of Paypal, Microsoft, your bank, or even from a colleague. They can look ultra convincing and are hard to distinguish from the real thing. Emails may have links that lead to the download of malicious software or other ransomware which encrypts the content of your computers.

You can stop most Phishing attempts by following two simple steps according to this useful guide from Digital Check:

Firstly, ignore what an email looks like. Secondly, verify any links are genuine before clicking them. You can do this by letting your mouse or pointer hover over a link to reveal its true web address. This will not match up to the sender’s real website.

Above all, use common sense and listen to your instincts, for example, don’t open attachments that you were not expecting to receive. If something doesn’t seem right, question it, and seek your own confirmation any instructions within the email are genuine.

There are many other types of cyber-attack which you can read about in this handy article by networking specialist CISCO. These include compromised websites that can infect your computer to interception of data that you thought was secure.

Don’t use public wifi

Encourage all employees never to use public wifi if they are working remotely. Most smartphones can create its own wifi ‘hotspot’ which you can use to connect your laptop or other devices to the internet.

A Virtual Private Network (VPN) can create a safe and encrypted connection for your data to travel over even when used over a less secure network. If someone is able to intercept the data, they will not be able to make sense of it due to the encryption.

Don’t forget about internal threats

Malicious action by employees, even trusted employees can pose as much of a risk as the external threats discussed above.

Another type of Phishing that is increasingly common is Business Email Compromise (BEC). Criminals use sophisticated social engineering and psychological tricks to get users to take action that they might not usually take.

One example might be to use personal information gleaned from social media in the creation a Phishing email which appears to be from a director requiring a payment to be made immediately or else there will be a consequence such as losing a major contract.

Secure your payments

It is therefore important that you have strong controls over who can make payments, how they are made and who needs to sign them off. Any system that allows a single employee to both initiate and approve a payment represents an area of potential risk.

This is what happened when a manager of a lighting company defrauded it of more than £2million by making payments to a fictious supplier over the space of six years.

Thinking specifically about your payments system, you should have robust controls in place such Multi Factor Authentication (MFA) to ensure secure system access, payment approval workflows and Segregation of Duty.

Also, your payment system should be able to scan for any potentially suspicious transactions, e.g. where multiple payments are being made to the same account, or where payments are made to accounts of ex-employees.

Education is your first defence

Educate all employees so they understand best practice and what to do if you suspect a Phishing attempt. Periodically test your defences to see if there are any gaps. As new employees join your team or when best practices are updated, provide additional or refresher training sessions.

Consider implementing an anonymous reporting system if any employees suspect a colleague is not following best practice.

Another tip is to introduce cyber security advocates. This can help keep awareness of cyber issues high in different parts of the business.

Who takes the lead on cyber?

What you need is a clear leader on cyber – so appoint one. If you don’t have the right skills in-house, consider outsourcing this to a specialist managed security service provider.

Your staff are only human and mistakes can and do happen, so plan for failure. Make sure you have daily or real-time backups of your data. Ensure laptops and mobile phones are handed back by employees when they leave and change any passwords they would have had access to.

Have an incident response plan ready so that you know what to do should the worst occur. This will help to minimise the operational impact on your business as well as get you back up and running should your systems fall prey to a ransomware attack for example.

Conclusion

Small businesses are attractive to hackers as they more less have the same digital assets and potential opportunities and weaknesses to exploit but are protected by less security than a larger company.

In order to minimise the risk of a potential disruption business owners need to see cyber security as investment rather than a cost, and blend a number of different approaches, from technical solutions (firewalls, anti-virus software, system and software updates), controlling access to specific systems such as banking and payments using MFA, as well as on-going staff awareness and education.

*A good place to start for further reading and tips for staying safe is the National Cyber Security Centre, and this introductory article.