Small business cyber security: An essential guide

Cyber attacks can be a massive upheaval for small businesses. In this piece, we speak to company owners who were hit by malware and share top tips for mastering small business cyber security.

A recent government survey estimated that the average cost of a small business’s worst cyber attack is between £65,000 and £115,000. However, according to specialist business insurance broker PolicyBee, 74 per cent of small businesses haven’t put any money aside to deal with an attack.

Cyber crime recovery potentially involves many measures, including identifying and fixing the problem, replacing damaged software and hardware, hiring specialist IT security consultants, hiring a PR firm to manage a damaged reputation, and hiring a solicitor to deal with clients who’ve had their own business compromised as a result of cyber crime.

It is clear that an attack would be a massive upheaval for most small businesses. As well as following its cyber protection advice, the Federation of Small Businesses has stressed the need for smaller companies to put in place specific cyber protection solutions to guard against this significant risk.

The new victims of ransomware

When even healthcare trusts, leading universities, and cyber security specialists are becoming victims of ransomware attacks, it’s a troubling trend for businesses of all shapes and sizes.

It’s simply no longer the case that only large businesses are at risk, with UK SMEs targeted on average a staggering 230,000 times each during 2016, according to a study by technology company Beaming.

A study by PolicyBee finds that one third of SMEs believe that a cyber attack is a matter of ‘when’ and not ‘if’; however, nearly three quarters have not set aside any budget to deal with the aftermath. So while the threat of cyber crime is at the forefront of small business owners’ minds, cyber recovery is not.

Hiscox data finds the average cost of a cyber attack to an SME is an eye-watering £25,736, so this lack of preparedness is of concern. The quoted figure would be a drop in the ocean for a multinational, but for SMEs, micro-businesses and sole-traders, it could be the difference between being able to continue trading and not.

With hackers’ techniques constantly shifting and evolving, it’s ambitious to think that businesses can keep up and keep them out. Even cyber security specialists are not immune to the threat, so how can a small business owner protect themselves without a crack team of IT specialists on hand?

How to prevent, and recover from, a cyber attack

Eddie Whittingham

Eddie Whittingham, managing director of the Business Fraud Prevention Partnership, discusses the malware threats that small businesses face and what it means to make a full recovery from an attack.

There is hardly a day that goes by without yet another cyber attack being reported in the news – the NHS, Yahoo, TalkTalk, to name but a few of the huge household names we’ve seen attacked in recent times. Yet, it is with these publicised reports that the sheer scale of cyber crime is both highlighted and also commonly disregarded.

‘It won’t happen to us’, ‘We’ve got some IT measures, so we’re covered’, ‘It only affects large organisations’. These are typical responses heard by many working in the field of cyber crime when speaking with SMEs.

However, then there are the incidents which go predominantly unreported – the waves of attacks being targeted at SMEs hour after hour, day after day and, worryingly, with increasing success.

While these attacks don’t make the headline news, that isn’t to say they carry any less impact. The statistics speak for themselves. Nearly half of all SMEs were the victim of a cyber attack last year, according to a study by Barclaycard, with the impact of such attacks making for very concerning reading. In a recent report published by the government’s Cyber Streetwise campaign and KPMG, SME victims disclosed that:

  • 89 per cent felt that attacks impacted upon their reputation
  • 30 per cent reported a loss of clients
  • 25 per cent received negative reviews on social media
  • 26 per cent were unable to grow in line with previous forecasts
  • 93 per cent of businesses suffered operational limitations.

This makes for worrying reading, but rest assured there is a lot that SMEs can do to help protect their business, especially in the face of one of the most predominant forms of cyber attack – malware.

Why malware is one of the biggest threats to business

When I spoke recently with Neil Walsh, head of global cyber crime for the United Nations, he referred to malware as being ‘the biggest risk to businesses at the moment’. He went on to explain, ‘Businesses can have the best technology available in an attempt to prevent fraud, but the weakest link in any business is the human element.

‘Where new threats emerge, technology is not able to respond quickly enough to prevent them, and this is why employees must be educated as they are typically the route in for criminals to expose a host of issues for businesses.’

Cyber criminals continue to use malware (a term for malicious software) as a tool to compromise businesses, predominantly because the deployment is a low-risk and high-reward tactic. Typically delivered by phishing emails, malware results in very little risk of being identified as an attacker, coupled with an extremely rewarding hit rate on end users.

Malware is, in the large part, so successful because of users within a business and their lack of awareness. Malware comes in all shapes and sizes, but there are some types that are commonly used against SMEs:

Ransomware: Ransomware is software which typically infiltrates computers when a user clicks on a link or document within an email. The software then blocks access to a vital computer system or folder containing business-critical information, demanding that payment be made in order to regain access.

Keylogger: Keyloggers are a monitoring tool used by cyber criminals to record the keys typed by an end user, including information entered such as emails, documents and passwords. This is commonly used by cyber criminals to obtain the passwords of users to enable them to gain access to email accounts or company networks, in order to conduct a further attack.

Rootkit: Rootkits are a particularly sneaky form of malware, as they provide cyber criminals with access to administrator-level permissions to a computer, from which they can then record user activity, access confidential information and change other users’ permissions.

Trojans: Derived from the term ‘Trojan Horse’, Trojans present themselves as legitimate pieces of software which, once installed, provide cyber criminals with access to data or permit the cyber criminal to compromise the system or network even further.

Worms: Worms are a form of malware designed to systematically spread between systems or networks, and which compromise data, steal information or assist other forms of attack.

Malicious mobile apps: Mobile apps are often overlooked when it comes to considering security within a business; however, as more and more businesses permit the use of personal devices while at work, the risk of using apps rises. Google Play and Apple’s App Store can contain malicious apps masquerading as legitimate ones, which can monitor user information or spam the user with adverts.

With ever-evolving threats, it is important that owners of companies of all sizes seek to protect their business but also begin to change their mindsets from ‘it won’t happen to us’ to ‘it’s not if, but when’.

There are two key elements to helping your business thrive in the face of cyber crime, and malware in particular: your ability to prevent and your ability to recover.

Preventing cyber attacks

Most organisations have, at least, got some basic IT measures in place, yet incidents of fraud and cyber crime are growing by the day. Such basic measures help prevent some instances of cyber crime (including malware), but with such attacks evolving day by day, businesses need to do more to sufficiently reduce their risk.

Fraudsters recognise that the majority of businesses have basic measures in place, and prey on the fact that very few businesses do anything above and beyond these basic measures. So much so that over 90 per cent of cyber-related incidents are caused not by a lack of basic IT measures, but because of user interaction. That’s right, you, me, our employees – we’re the cause of the overwhelming majority of such incidents.

Cyber criminals continue to evolve the ways in which they attack SMEs, which, when combined with a lack of employee awareness and an inability to recover from an incident, means that cyber criminals have a recipe for success, while for SMEs it can spell disaster.

It’s all a question of awareness, or a lack of it, both for the employees and the board. Do your employees know how to spot a phishing email? Are you confident that your colleagues could spot one? Do you know the ways in which fraudsters target businesses through invoice scams, bogus boss emails and social engineering?

It is great having a technical firewall on a network, but it’s becoming ever more important to have a ‘human firewall’ to help prevent incidents within each and every organisation.

Creating a ‘human firewall’ can be achieved by undertaking security awareness training and can significantly help to bolster your company’s preventative measures.

Recovering from cyber attacks

While seeking to prevent incidents is a must, it has to be highlighted just how crucial a business’s ability to recover is. This is where the awareness of the board needs improving.

Is your SME prepared to respond in the event of an incident? How would you respond to losing your clients’ data? Could your business afford the downtime? How much would it cost for you to instruct a specialist to recover your lost data? Much like implementing additional cyber security measures can be equated to installing fire alarms in your home, you’re unlikely to be content without the comfort of having insurance in place should the worst-case scenario hit. Only, with cyber crime, the likelihood of the worst-case scenario is higher than ever.

In the immediate aftermath of an incident, cyber insurance can help you to get your system and website back up and running, as well as providing you with access to equipment to ensure your business remains operational. Over the longer term, the insurance can help to compensate any customers who may have been adversely affected by the incident, as well as helping you manage your reputation to keep your brand intact and retain those precious customers.

In light of the ever-increasing threat, now is the time to protect your business against cyber crime. Increase your ability to prevent cyber crime within your SME by adopting best practice and awareness training, and increase your ability to recover by adopting cyber insurance. Neither is costly, but could save your business.

Case study: Willbox

Chris Williams

Chris Williams, director of container supplier Willbox, reveals how quick thinking from the company’s external IT support meant a ransomware attack on his company could have been so much worse.

Willbox is a container hire and sales company based in Southampton. The brand is owned and operated by Williams Shipping, a family business founded in 1894, which provides marine and logistics services across the UK and Western Europe. Willbox has 18 regional depots around the UK.

Our one and only cyber attack happened at 2.15am on 29th September 2016. Luckily, we were prepared and had a backup server in place, with a remote backup located in an off-site server house. Otherwise, it could have been catastrophic. As it was, it turned out to be merely frustrating and time-consuming.

Our main server was attacked with CryptoLocker, which is a type of ransomware that encrypts all the files on the server to ‘CRYSIS’ files. You then receive a message from the ransomware that informs you that if you do not pay a certain amount of money (in the form of bitcoin) your files will be deleted. You usually have 24 hours to comply before the ransom amount is doubled, then after a further 24 hours the files are deleted. The hackers were able to infiltrate our server by locating the port to our RDS server, and using an old username that had a generic password.

Taking quick action

Fortunately, we were swiftly alerted to the attack by our IT management company, which then set to work restoring all the infected files back to their original state using the backup server. All of our main software programs were also rendered useless and had to be reinstalled.

We lost roughly a day during the restoration process, but it could have been so much worse. The backup server enabled us to roll back one day, effectively costing the business in lost time. Without a backup server, however, we would have been stuck with a tough reality – starting from scratch with our shared network environment and IT infrastructure across the group of companies. It’s hard to place a number on damages, but for a combined office team of 35 this could have taken a number of weeks to get back to where we started.

Luckily, we use a number of apps and software packages to manage the business, all of which have their own backup systems in place. Some assets, such as historical photos and documents, may have never been recovered.

Make it difficult for cyber criminals

All of our ports have now been changed to make it virtually impossible for the hackers to identify which port is our RDS server. We have implemented a strict username and password policy, which includes longer passwords with many symbols and characters, which are then refreshed randomly and at least every 90 days. We have also locked down the number of users who can connect to the RDS server remotely from their home PCs. I would suggest to other businesses to make sure you have a backup server, and make sure you don’t skimp on the quality of this server.

Although you can get a cheap backup server, in the event of a system shutdown, your business will be running on that server. If it’s not powerful enough to run your day-to-day tasks then it’s not much use.

Have a strong password policy, and make sure that all users are aware of the ways in which you can be hacked (infected attachments, etc). Keep your hardware and software up to date. Your IT infrastructure is only as strong as its weakest link – that old dusty Windows 98 PC in the corner of your office could be a hacker’s dream!

Case study: The Profs

Leo Evans

Here, Dr Leo Evans, co-founder of tutoring business The Profs, discusses how his company recovered from a cyber attack that aimed to damage the business’s Google ranking.

The Profs is a peer-to-peer tutoring service that connects students with professional educators around the world. In two and a half years of operation we have helped nearly 3,000 students in more than 50 countries in subjects as diverse as accounting, medicine, coding, languages and the arts. In the autumn of 2015, at the beginning of our second year of operation, we suffered a little-discussed and impossible-to-prevent type of cyber attack called negative search engine optimisation (NSEO).

It is not a breach of security systems or protocols as such, but rather where someone – likely to be a competitor – pays for thousands and thousands of spam links to be directed towards your website in a very short space of time. Basically, a bot trawls the internet adding huge numbers of bad links to your website from low-quality and/or compromised websites, forums and comment boxes on other sites. The idea is to make you lose rankings in Google and, in its most extreme form, lead to Google removing you from its search results altogether.

What NSEO does is make Google think that you are trying to use their algorithms to rank your site highly in searches and so they automatically penalise your site, and hence your search rankings fall. For a digital business like ours, where around 50 per cent of all our customers come from Google searches, if this attack had succeeded and Google had ‘de-indexed’ us, we would have suffered catastrophic revenue losses as people would have struggled to find our business and would have gone to competitors’ sites instead.

The importance of responding quickly to a cyber attack

Luckily for us, because we have software that tracks our Google rankings, we saw in our daily alerts over a few days that our rankings were plummeting as Google penalised us, and so hired an external SEO consultant to investigate what was going on.

He discovered, using simple diagnostic tools, that thousands of links had been directed to our site. He then set about ‘disavowing’ them manually – around 10,000 malicious links in total. Still, in the five days the attack was going on, our website lost many months of search engine ranking progress, which had cost thousands of pounds and countless hours to achieve.

It probably took three or four months for our Google rankings to fully recover from the attack, and the damage that it caused to our business is hard to quantify as we will never know who and what opportunities we lost as a result of being knocked off page one of Google search results. Nonetheless it is easy to conclude that the damage was tangible and significant.

While the attack didn’t derail us, it did slow us down. However, we came back stronger, due to the new skills that we acquired with the addition of an SEO expert. We are currently tracking 100 per cent year-on-year revenue growth and have a multimillion-pound turnover, with much of our business continuing to be driven by the success of our Google rankings.

A cyber attack on cash flow

So how can you protect against this type of attack? In short you cannot prevent it, but rather monitor for it and then fix it by removing the links once it has occurred. In effect, our systems were not compromised directly, but by ‘gaming’ Google’s algorithms they had tried to destroy our client acquisition channel, which is an indirect, yet extremely effective, attack on the cash flows of a company.

Sadly, it probably only cost the perpetrator a few tens or hundreds of pounds at most to enact and is entirely untraceable so we will never know who did it, although we have our suspicions given the level of technical know-how needed for someone to even conceive of such an attack.

Needless to say, we were furious when it happened, and hurt as we have never created any enemies as such within our industry. It seems that success attracts attention, both positive and negative. Still, we are grateful that our monitoring systems picked it up quickly and we were able to deal with it effectively.

Case study: Axelisys

Ethar Alali

Ethar Alali, founder of IT company Axelisys, discusses the range of cyber attacks that his business has managed to thwart, and what damage might have been incurred had they succeeded.

I set up Axelisys in 2011 to help businesses of all sizes make better use of their IT investment. If there’s one thing we definitely know, it’s that cyber crime is a continually evolving threat – a cat-and-mouse game between attackers and defenders. As IT specialists across the spectrum of technology, we’ve had to consider securing our business and our clients’ businesses from multiple attack vectors.

Over the years, just like every IT provider out there, we’ve seen several attempts to gain access to our infrastructure or dupe our staff. These have included phishing emails purporting to be from PayPal, RBS and NatWest asking us to click links in the email; emails from scammers claiming our Amazon account has been suspended; helpdesk phone scams claiming our PCs are infected; malware email attachments; distributed denial-of-service attacks on our servers, hitting our website with millions and millions of requests to block out, gain access to and/or take down our presence; brute force hacks to gain access to our infrastructure services; SQL injection attacks to take down our databases; and even impressions on our Google Analytics accounts telling us to vote for Trump. The list goes on. None of these have been successful, especially the latter.

The damage that could have been caused by the cyber attack

If we were like most other small businesses and the attacks had got through, we’d have been at the same risk. Monetary loss from bank accounts, losing credentials for our content platforms and server infrastructure, client information, PayPal funds and worse. This would have been the end of the business.

We monitor all our systems, including the client services we host, and receive alerts by email and text when things go awry. Our systems also self-heal. We designed our platforms to assume failure is going to happen, including cyber crime.

Like a lizard that can shed a limb and grow another, we cut off compromised systems and just carry on, growing another clean one in the process. Unlike the NHS incident, which affected services for days afterwards, our platforms can be back up and running in a matter of minutes.

Perhaps uniquely, we also have decoy systems, otherwise known as ‘honeypots’, that we sacrifice to bot attacks, keeping them away from our main servers and, crucially, collecting information that may be useful to law enforcement agencies.

Our practices are not just technical but strategic too. As much as possible, we also don’t store any credit card information. Hackers won’t get any bank details from us. We also use best-of-breed encryption mechanisms to store information in transit and at rest. Even we can’t get at passwords and sensitive information, and customers can’t get at the raw data by themselves.

As much as possible, we use mathematical hashes to validate information, and these hashes are used to validate communication received. Indeed, no information is regularly sent back and forth unless it absolutely has to be.

How cyber insurance can help

We definitely think that it’s worth considering cyber insurance. These new policies insure against any losses relating to damage, or loss of information from IT systems and networks under the company’s remit, as well as management of the incident itself.

Like car insurance, the policies fall into third-party or first-party risks and can include business interruption, ransomware, theft, privacy breaches and the like.

However, also like car insurance, requiring the ability to drive, these policies require you to adequately manage and secure your business against such risks, specifically evaluating IT system and network risks and events that could impact your systems, and continually reviewing controls to assess the potential for further improvements in cyber security protection.

Ben Lobel

Ben Lobel was the editor of SmallBusiness.co.uk from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.
