Just because you run a small business doesn’t mean you are immune to cyber-attacks
Name any cyber crime movie where the actual cyber crime bits are exciting – said Nick Knowles … never. And who could blame him, it’s not as though typing on a keyboard is as thrilling as Michael Caine & co racing through Turin in Mini Coopers (aided by some proto-cyber crime – not a lot of people know that). But a different type of Italian job in 2018 did do its bit to make cyber crime a little more sexy.
Fraudsters hacked their way into the transfer of former Feyenoord centre back Stefan de Vrij and reportedly had Lazio pay their final payment (£1.75 million) into a bank account that had nothing to do with the Dutch side. And if a Serie A club can be caught out by cyber criminals, so can you. According to the 2019 Data Breach Investigations Report, 43% of cyber attacks are aimed at small businesses.
Here’s what you can do to protect your SME.
We are the weakest link
The greatest vulnerability in even the most sophisticated cyber security protection plan is always the same: people. Your team is busy (that is what you pay them for) and part of their efforts to be as efficient as possible is following procedures. But if your processes are hacked, those procedures can turn hard-working staff into unwitting collaborators.
One of the greatest cyber threats aimed at SMEs is the impersonation email, and the key to shrinking that threat is training your team. If they know what to look out for, your business will be better protected.
Email addresses should be checked carefully. Using addresses and URLs that are similar to legitimate ones is a favourite fraudster trick.
Your procedures should require that requests for large and/or urgent payments are queried and verified before any money moves.
Always be wary of emails from addresses you don’t recognise. Also be cautious if the subject line or the content is alarmist: for example, the company website has crashed, emails aren’t being received or there’s an issue with Microsoft licenses. Fake emails are designed to encourage you to open attachments or click on links that will infect your computer and your network.
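The advice above to check sender addresses carefully can be turned into a routine check rather than left to each person’s eye. The following is an added example, not code from the original article: it compares the domain of an inbound sender address against a hypothetical list of domains the business actually deals with, and flags addresses that differ only by a character or two, or by characters that merely look alike (such as “rn” standing in for “m”). The trusted domains and sample addresses are constructed for illustration.

```python
"""Sender-domain lookalike check (constructed example for this article)."""
import re

# Hypothetical list of domains this business trusts; replace with your own.
TRUSTED_DOMAINS = {"example.com", "example-supplier.co.uk"}

# Characters and digraphs fraudsters commonly swap for visually similar ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"      # exact match or a genuine subdomain
    for good in trusted:
        if normalise(domain) == normalise(good):
            return "lookalike"    # differs only by confusable characters
        if edit_distance(domain, good) <= 2:
            return "lookalike"    # a character or two added, dropped or swapped
        if good in domain:
            return "lookalike"    # trusted name embedded, e.g. example.com-billing.net
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, not real mail.
    for addr in ["Accounts <accounts@example.com>", "pay@exarnple.com",
                 "ceo@example.co", "someone@totally-different.org"]:
        print(f"{addr:40} -> {classify_sender(addr)}")
```

A “lookalike” verdict is the one worth routing to a human for a phone call on a known number; “unknown” senders are simply treated with the ordinary caution the article describes. The confusable list and the two-edit threshold are deliberately small so the check errs towards flagging.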
Making sure everyone in your team knows what they should be looking out for isn’t enough. They need to have permission to challenge and query things that raise their suspicions. You want to have potential threats dealt with speedily.
You don’t want to wait until you come under a cyber attack to evaluate the effectiveness of your team’s training. That’s where simulated phishing threats are useful. Regular, controlled attacks can identify which parts of your processes need a boost.
Protect your network
There are a variety of ways you can boost your network protection:
Robust hardware firewalls are essential. These should have intrusion prevention capabilities. Update your firewall if it’s a few years old. Sophos is an example of a good provider of such devices.
Operating system providers regularly publish security updates to protect against the latest cyber threats. Do not ignore these. Keep your PCs fully patched. If you don’t, you risk exposure. Yes, it’s irritating when you lose 15 minutes while patches are installed, but recovering from a cyber attack can take much longer than a quarter of an hour.
Microsoft stops supporting Windows 7 on 14 January 2020, and your network and your business will be at serious risk if you are still running Windows 7 after this date. Upgrade to Windows 10. Upgrading your hardware is also strongly recommended – you’ll benefit from performance enhancements in addition to increasing your computers’ physical security.
Vulnerability and Penetration Testing
Vulnerability scanning is the intelligence-driven deployment of scanning engines that are kept up to date with the latest threat intelligence feeds. Its purpose is to check the security of your systems, services and applications and so protect you from common attack vectors. Ideally, vulnerability scanning should run continuously, and at the very least monthly.
A penetration test is an authorised simulated cyber attack on your computer system, which is performed by a suitably qualified third party. It is designed to identify security vulnerabilities. Recommended frequency of penetration tests is at least once every twelve months.
These tests also help keep you on the right side of GDPR. You’ll be showing you’re protecting the Personally Identifiable Information (PII) you hold on your customers and staff. Remember, if a breach does happen, you’ll need to prove you’ve taken reasonable steps to avoid it. The Information Commissioner’s Office (ICO) can fine you up to 4% of annual global turnover.
Email gateways are a great way to reduce the opportunity for people to make mistakes. By passing all your email through a gateway, such as Cyren’s email security (https://www.cyren.com/products/email-security-gateway), you block the malware, phishing and spam emails that threaten your network.
APIs and Web Applications
If you use multiple web applications and APIs to streamline productivity, check whether they have been tested for intrusion prevention. If not, they could easily become a back door to your network.
Multi-factor authentication (MFA) uses more than one proof of identity, typically on separate devices, to protect your network. Your phone can act as confirmation that you are who you say you are when you log into your laptop or into an application. Using multiple layers of security, you make it harder for unauthorised users to get into your network.
Insure your business against cyber threats – it can help you more quickly recover if you’re the victim of an attack. As with all insurance, it’s recommended that you take advice on what best suits your business. And read the small print carefully.