A practical guide to cyber security for small businesses
Because small business owners often have fewer cyber security controls in place, they are just as likely to be targeted by cyber criminals as their multinational counterparts.
This guide (first published by FreeAgent) aims to help you understand the world of cyber security and how it can affect your small business. We’ll provide practical steps that you can take and some useful advice on how to maintain good security practice.
Let's have a look at the various types of attacks small businesses face on an almost daily basis:
Phishing emails: Cybercriminals use phishing emails to pose as genuine organisations with the hope of tricking users into giving away information such as passwords. These mass emails will often urge users to sign in or click through to a fake webpage that looks perfectly normal when in reality, it’s attempting to steal information.
A favourite approach of scammers is to pose as HMRC, and target small and medium-sized businesses with seemingly urgent messages about important topics like tax and more recently the COVID support grants.
It’s estimated that 91% of cyber attacks start with a phishing email, so the need to protect yourself can’t be overstated.
Spear phishing emails: With spear phishing, attackers are looking to achieve the same objectives as standard phishing; however, their methods are sometimes trickier to spot. While standard phishing scams use mass emails to target large numbers of email addresses, spear phishers will focus their communication selectively on specific targets. They may research their target in advance and pretend to be someone who their target trusts.
For example, a spear phisher could pretend to be someone you deal with at an outsourced IT company. They may ask you to click on a link and sign in to a fake system, which they then use to steal your information. Security specialists often refer to manipulative tactics such as these as social engineering.
DDoS: DDoS (or Distributed Denial of Service) is a method of attack in which criminals attempt to take down your system or website by flooding it with traffic. DDoS attacks are carried out by hackers with ‘BotNets’: armies of devices and computers that they’ve previously compromised. Hackers use BotNets to send large volumes of traffic to a business’s system or website, which can overload its servers and disrupt critical business operations.
The motivations behind DDoS attacks vary considerably, from demanding ransoms from victims to taking down business competitors. A recent example of the latter was when a British hacker built a BotNet powerful enough to take down some of Liberia’s communication infrastructure.
Malware: Malware is short for “malicious software”, and you’ve guessed it, it’s software with malicious intent! Those intentions could be to steal personal information like bank account details or to secretly track your internet browsing history. Cybercriminals trick users into accidentally downloading malware via untrustworthy links online or from compromised USB devices. Once downloaded, the malware communicates information it finds on the user’s computer, such as bank details, back to the attacker.
Ransomware: With ransomware, cybercriminals prevent access to your systems, encrypting all files unless a ransom is paid. In previous attacks, cybercriminals have locked computers down, extorting ransom payments as time goes on and deleting files later if the ransom isn’t paid. Many of these attacks also use the digital currency Bitcoin in an attempt to remain anonymous and transfer money quickly online.
FreeAgent’s Head of Information Security, Richard Grey, also adds “it’s doubtful whether many of the attackers are able to decrypt your files even if you do pay a ransom!”.
A ransomware attack on the NHS in 2018 cost the organisation £92m and resulted in 19,000 medical appointments being cancelled.
Insider threats: While many common threats to cyber security come from outside a business, some threats can come from within, such as rogue employees maliciously leaking data. A famous case of this occurred when a senior auditor at supermarket chain Morrisons leaked bank details, names and salaries of roughly 100,000 employees.
It’s not just big businesses that are at risk of insider threats. If you’re self-employed, anyone who has permission to access your systems and data could present an insider threat, so it’s vital that you choose your contractors, agencies and other third-party service providers wisely - and give careful consideration to the level of access you want to grant them.
Five cyber security best practices for small businesses
1. Be vigilant with emails
Check email addresses carefully: if an address doesn’t match with the corresponding organisation’s website address, there’s a high chance it’s not legitimate. Look out for spelling mistakes as well, as these can often be a red flag in an email that’s purporting to be an official communication from an organisation.
If the email encourages you to click a link, hover over it with your mouse to reveal the link’s address. If the address isn’t what you’d expect it to be, don’t click it.
Lastly, consider other ways you can verify the information provided in the email — this might include calling the organisation or looking the sender up on Google or LinkedIn.
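The three checks above (sender domain, the real destination behind a link, and the text shown for it) can be applied to an HTML email automatically. This is an added example, not code from the FreeAgent guide; the sender address, the link domains (.invalid is a reserved, never-resolving TLD) and the email body are all constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; a bare domain from link text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else ""


def suspicious_links(sender, html):
    """Return (href, reason) for links outside the sender's domain, or whose visible
    text names a different site than the real destination (the 'hover' check)."""
    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and relative links are out of scope here
        href_host = host_of(href)
        if href_host != sender_domain and not href_host.endswith("." + sender_domain):
            findings.append((href, f"destination {href_host} is not under {sender_domain}"))
        elif "." in text and " " not in text and host_of(text) != href_host:
            findings.append((href, f"text shows {host_of(text)} but destination is {href_host}"))
    return findings


# Constructed sample: one genuine link and one look-alike domain (.invalid is reserved).
SAMPLE_SENDER = "Accounts Team <accounts@example.com>"
SAMPLE_HTML = ('<p>Please <a href="https://portal.example.com/login">sign in</a> to view '
               'your invoice, or use <a href="https://example-com.invalid/login">'
               'portal.example.com</a>.</p>')
FINDINGS = suspicious_links(SAMPLE_SENDER, SAMPLE_HTML)
```

A matching sender domain is not proof of legitimacy (the From header itself can be forged), so this is a first filter to feed into the manual verification steps above, not a replacement for them.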
2. Diversify your passwords
Using the same password across different services leaves you vulnerable to being caught out by cybercriminals. Knowing that people will often reuse passwords across services, scammers are able to sell databases of hacked passwords to other cybercriminals for huge profits.
It’s best practice to use different passwords across different services. This will stop your account being compromised for multiple services if there is a security breach. You can check if a password is known to have been breached here.
Passwords should be long, difficult to guess and should contain a mixture of uppercase and lowercase letters, special characters and numbers. A good approach would be to construct your password out of a seemingly random phrase with a meaning that’s easy for you to remember — this is known as a passphrase.
Password managers are nifty online tools that store all your usernames and passwords in an encrypted database. As well as storing passwords, these tools also generate unique and random passwords, so you don’t have to create new ones for every service you use. The number of passwords you have to remember also reduces drastically: the master password for the password manager is the only one you need to memorise.
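Breach-checking services of the kind mentioned above do not need to see your password. The widely used range (k-anonymity) design, which Have I Been Pwned's Pwned Passwords API follows, hashes the password locally with SHA-1, sends only the first five hex characters of the hash, and matches the rest against the returned list on your own machine. This is an added example, not code from the FreeAgent guide; the range response below is a constructed stand-in so it runs offline, and its counts are made up.

```python
import hashlib
from typing import Callable, Dict


def split_hash(password: str):
    """SHA-1 the password, then split into the 5-hex-char prefix that is sent to the
    service and the 35-char suffix that never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found).
    `fetch_range(prefix)` returns the service's 'SUFFIX:COUNT' lines for that prefix."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for the range lookup so this example runs offline. The real
# Pwned Passwords service answers GET https://api.pwnedpasswords.com/range/<prefix>
# in the same line format; the suffixes other than "password"'s and all counts here
# are made up.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1 suffix of "password"
        "FFEEDDCCBBAA99887766554433221100ABC:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call; unknown prefixes return an empty range."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "plum-kettle-orbit-47"]:
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in sample corpus'}")
```

Swapping `fake_fetch_range` for a function that performs the HTTP GET gives the live check; the password and its full hash still never leave the machine.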
3. Enable 2-Step Verification
2-Step Verification (sometimes referred to as 2SV) is a method of proving your identity with two separate pieces of evidence before you can access an account. Alongside your password, you prove it’s you by supplying an additional piece of information linked to your account. This could be a number generated by an authenticator app like Duo or Google Authenticator, or a code that is texted to a phone you’ve linked to the account.
Even the strongest passwords can be cracked or exposed in a data breach. Having 2-Step Verification enabled gives you and your business an extra level of security against cybercriminals.
Many of the services you use are likely to include 2-Step Verification as a feature.
In FreeAgent, you can activate 2-Step Verification easily in your account settings. You will then be given a QR code, which you can scan with an authenticator app.
If 2-Step Verification is available on any of the other systems you use, it’s a good idea to use it! Other services may refer to the feature as ‘2-Factor Authentication’ or ‘2FA’.
4. Install trusted anti-virus software
While Windows 10 now comes with its own built-in protection, Windows Defender, anti-virus software is still essential to protect against the latest strains of viruses and malware.
Traditionally, Macs have been considered less vulnerable to viruses than Windows PCs. However, this doesn’t mean that Macs are completely safe from malware. Even if you’ve got a Mac, it’s best practice to install anti-virus software. To find a trusted product, try using this comparison guide.
5. Avoid using public Wi-Fi where possible
Cybersecurity professionals often warn about the dangers of public Wi-Fi. Public Wi-Fi networks are those available to the public in places like coffee shops, airports, malls and on public transport. They differ from private Wi-Fi networks, which are most commonly found in homes and offices and are likely to be more secure.
Because public Wi-Fi is often unprotected by a password and open to far more people, there’s a far greater risk that your browsing and personal or sensitive information can be intercepted by hackers. It’s not uncommon for cybercriminals to set up a network that imitates a nearby coffee shop’s Wi-Fi in the hope that people will connect to it.
With so many small business owners spending much of their time on the move, it can be a challenge to avoid public Wi-Fi altogether. However, try to be cautious whenever you are using public Wi-Fi: don’t access confidential documents or your online bank account when you’re on public Wi-Fi.
If you regularly work from public Wi-Fi, it may be worth investing in a Virtual Private Network (VPN) - a service you connect to that keeps your connection private while still letting you use public Wi-Fi.
Putting all of this advice into action - and remaining vigilant against potential attacks - should help you keep your small business cyber secure.