Cyber security: What small businesses need to know

Here, Shaun McKay, managing director of LeadingEdge, discusses how businesses can improve their cyber security.

Did you know that 27 per cent of SMEs believe that they are too small to be of interest to cyber attack? Despite the fact that almost 60 per cent of UK SMEs have been victim of an attack. No one is too small to go untargeted. So if you’re starting up a small business, you need your security to be prepared to defend yourself against cyber attacks.

Cyber attacks on SMEs have increased year on year. In 2015, 50 per cent of cyber attacks on businesses in the UK were targeted at smaller firms. Small businesses are an attractive target for cyber criminals.

Not only are they notoriously easy targets, they can also open the door to bigger prizes. Many small businesses are partnered with larger firms and are connected through their IT.

Cyber criminals can exploit these links to get under the much more robust defences of large multinationals. This is exactly what happened to TalkTalk in 2015 and they ended up with a record £400k fine.

When TalkTalk bought Tiscali UK, they inherited the firm’s weaker and vulnerable infrastructure. Part of the IT assets included three webpages that were vulnerable to an SQL injection. From Tiscali’s web page, the hacker gained access to TalkTalk’s customer database and stole the lot. While it was TalkTalk that was burned by this attack, it was the smaller firm that was exploited.

Why are SMEs businesses so unprepared?

Small businesses have different priorities to big organisations. Maintaining a decent cash flow, bringing together the best talent and generating leads often take precedent over cyber security.

When pressure to produce results is high, taking the time to write and implement security policies seems like a waste of valuable time. Small businesses don’t take cyber security seriously until it’s too late.

Another problem is simply education. Technology solutions are effective, flexible and inexpensive, but it’s often the people that are the weakest link in the chain. Almost all cyber attacks have an element of human error involved somewhere down the line.

What do you do if your business is hacked?

If you’re struck by a cyber attack, the important thing to do is act quickly. Depending on the kind of attack you’ve suffered, there will be different things you need to do to restore order.

But some things are universal. Firstly, inform your customers and prevent others from being affected by the attack by bringing down your site and keeping new devices off the network.

Next you’ll need to search your whole network for malicious files and remove them. This will also reveal how the attack was successful so you know which leaks to plug. Before bringing everything back online, make sure your system is protected with new security software and all passwords have been reset.

  • Pull the plug to stop the attack
  • Inform your stakeholders
  • Identify how the attack happened
  • Fix the problem
  • Make sure that no latent vulnerabilities exist
  • Improve security before considering going back online

Remember, you might feel like a victim, but it’s your customers that are more at risk. If their personal data is stolen, the consequences could be far reaching. So while the natural response would seem to be keeping it under wraps to protect your reputation, resist this urge.

What can small businesses do to defend against cybercrime?

There are lots of ways small businesses can defend themselves from cyber attack. For example, it’s estimated that only 41 per cent of SMEs have a secure Wi-Fi router, so odds are your business needs to password-protect your Wi-Fi. Here are 5 more ways small businesses can defend themselves.

Anti-Virus

Even free anti-virus software protects you from a huge amount of malicious cyber attacks. For businesses, it is of course better to have a more robust antivirus solution. Business-specific antivirus software can be licensed to a number of devices and managed in a centralised position. As updates to the software are released, every copy can be managed and updated with ease.

Cloud

Cloud services provide reliable offsite backup solutions. In the event of an attack or catastrophic loss of data, a cloud-based disaster recovery plan can get you back on your feet quickly. Storing information on the cloud gives you an extra layer of security, as well as the peace of mind in knowing that someone can’t just walk in a physically take your documents. Remember to encrypt your files before sending them to the cloud for extra protection.

Training

Nearly all (95 per cent) of cyber attacks feature human error somewhere along the line. This can range from leaving doors unlocked to accidentally giving away a password. Make sure your staff is fully trained on best practice password management and safe use of the web and email. The more your staff know about the dangers, the more conscious and alert they will be.

Bring Your Own Device (BYOD) Policy

Employees of SMEs are bringing their own devices to work on more than ever. This is particularly common in startups trying to keep costs lean. BYOD might be convenient and cost-effective but the lack of a clear BYOD policy will open the door for hackers to access your systems through unprotected devices.

A BYOD policy should ensure that any non-work devices that are used conform to the same security measures as any business device.

Exercise Access Control

Admin access to your systems should only be granted to select individuals. This can help limit the amount of damage a hacker can do if they gain access to an unprivileged account. Similarly, keep sensitive data, like payroll, out of the hands of anyone who doesn’t need it to do their job.

These are just a few ways SMEs can easily protect themselves from a cyber attack. Today, a cyber attack for any business is not a question of ‘if’, but ‘when’ are you going to be attacked. The key thing to do is find out what the threats are and how you can defend yourself. Knowledge is power, after all.

Written by LeadingEdge’s managing director Shaun McKay.

Further reading on cyber security

Related Topics

Cyber Security

Leave a comment