Small businesses and cyber crime at Christmas: Stay vigilant

In this piece, in association with Federation of Small Businesses (FSB), we look at why companies must keep a keener eye out for cyber crime in the festive season.

UK retailers are expected to see a dangerous spike in online criminal activity in the run up to Christmas 2016. According to recent data from digital security specialist ThreatMetrix, more than 20 million cyber attacks are expected to target online retailers and shoppers in the UK alone, across the last quarter of the year.

With this in mind, in the run-up to Christmas and with the attendant surge in online payments, it vital for smaller businesses to increase their vigilance against cyber crime.

Douglas Crawford, cyber security expert at VPN comparison site, says that smaller businesses are a prime target for cyber criminals. ‘This is because small businesses are low-hanging fruit which typically do not have the time and/or resources that large companies do to secure their systems.’

As ever with security, passwords are a major vulnerability. Crawford advises small company owners to train staff to pick strong passwords and to change them fairly regularly, but not too regularly.

It is also worth considering using two-factor authentication to improve staff login security, such as hardware authentication devices like YubiKey, he adds.

A vulnerability through multi-tasking

Crawford notes that a problem with SMEs is that financial activity is often performed on the same PC used for general internet tasks such as responding to emails, surfing the web, and maintaining your social media presence.

‘This can make a business very vulnerable to attacks via phishing and malicious code in webpages, which can infect the entire PC. It is therefore a good idea to use a separate PC purely for financial matters, and which is not used for more general internet use,’ he says.

It is vital that those with an online retail presence take all reasonable steps to ensure data integrity is maintained, says Stuart Reed, senior director at NTT Security. This includes ensuring only those who require the data have access to it (enforcing appropriate data privileges for example) and enforcing good practices for data management.

‘While there is likely to be someone in place to ensure IT systems remain secure and up to date with the latest security patches, maintaining standards, good practice and vigilance should be seen as collective responsibility and this culture should be encouraged throughout the organisation,’ Reed says.

‘At the most basic level, this could be in the form of ongoing training and awareness education.’

Be wary of email

Businesses should be extra wary of suspicious emails, says Hannah Sang, business development manager at Datcom. Such emails are designed to appear from a trusted organisation and one which you may have a relationship with already, such as a bank. ‘These emails may contain links or attachments which, when clicked on, download a virus or take you through to a fake website,’ she says.

Reduce the risk of cyber crime by educating your employees and raising awareness within the team. Also, as a necessity to a secure business set up, make sure you have your files backed up in some way and that the backup is tested. This means that, in the event of a virus, the system can be restored with the last backup and files.

As Reed of NTT Security says, there is no one quick fix that will ensure against a breach. A layered and balanced approach is required, and this needs to be wrapped up in a thorough and well-communicated plan so that, should the worse happen and a breach occur, the impact can be kept to a minimum and business continuity maintained.

‘First and foremost, it is critical that businesses are fully aware of their risk profiles and what data is stored and used where,’ he says. ‘A risk insight service can help achieve this as it discovers and evaluates a business’s current risk profile against agreed metrics and proposes a prioritised list of activities to address any identified vulnerabilities.

‘This might involve a blend of technology and processes that help prevent an attack being successful (such as anti-virus), along with other technology and techniques that identify advanced threats that may reach critical systems, such as sandboxing, which is used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.’

Another reason for small businesses to be targeted by cyber crime is because they can be seen as a hacker’s way into a larger company, says David Navin, corporate security specialist at Smoothwall.

‘Taking a proactive stance against hackers – such as complying with regulation and building layered security defences spanning encryption, firewalls, web filtering and ongoing threat monitoring – is the only way to protect themselves now and in the future,’ he adds.

Top tips to help mitigate cyber risks

  • Understand your risk – conduct an annual risk insight to understand the current risk exposure and to keep the board engaged with cyber risk.
  • Secure configuration – keep hardware and software protections up to date. Stay on top of basic protection.
  • Educate and train employees – ensure they know company policies and incident response processes.
  • Incident response – establish, produce and routinely test and communicate incident management plans.
  • Monitoring – continuously monitor all systems and associated logs to spot potential attacks and minimise risk.

FSB memberships starts at just £130 per year, plus a £30 registration fee in year one. This gives the member access to comprehensive support and a suite of compelling services. Visit to discover more.

Further reading on internet security

Ben Lobel

Ben Lobel

Ben Lobel was the editor of from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.

Related Topics