A Guide To Protecting Your SME From Cyber Crime
Reported cyber attacks cost the UK economy an estimated £29 billion per year, and unreported crimes could amount to far more. Fortunately, the effort that criminals invest in cyber crime is more than matched by individuals and organisations fighting back.
Whilst combating cyber crime remains a burden for SMEs, it need not be excessively expensive. Employing sensible habits and “best practices” goes a long way to protecting small companies from attacks.
The Importance Of Cyber Security For SMEs
Technology has redefined the way we communicate and do business. Nowadays, companies of all sizes heavily depend on the smooth running of their IT systems. So it’s imperative that business leaders assess the impact cyber crime could have on their organisation, take measures to prevent falling victim to it, and learn how to recover.
The majority of cyber attacks exploit basic vulnerabilities in IT systems and software. DDoS attacks, ransomware, phishing scams and data dumping are among the best-known examples. While there may be no obvious motive for targeting your SME, cyber attacks aren’t necessarily directed at specific victims. Rather, an attacker might target tens, hundreds or even thousands of people or organisations at once, in the hope of maximising the chance of ‘success’. The risk is therefore much the same for any organisation.
It’s estimated that small and medium-sized enterprises have a 1 in 2 chance of experiencing a cyber security breach of some kind. On average, this costs SMEs £1,400 and, in the worst case, the company closes down as a result of the losses, disruption and downtime incurred.
As a result of cyber crime, the government is tightening up on data protection requirements for SMEs. From May 2018, the Information Commissioner’s Office will issue fines to companies failing to comply with the General Data Protection Regulation (GDPR). This means SMEs may be punished for not protecting data on customers, suppliers and staff.
Essentially, the responsibility is on small-business leaders to invest shrewdly in both cyber security and staff education. Through the remainder of this guide we aim to make it easier for you to assess the controls and risks within your small organisation, and to encourage you to take preventative measures going forward.
Cyber Crime Prevention — Where To Begin
There are simple, effective steps you can take to reduce the likelihood of a cyber attack within your SME:
- Activate firewalls on all computers and devices connected to the internet
- Use a reputable anti-virus service and ensure it automatically updates on a regular basis
- Maintain strong passwords, and enforce strict rules where possible
- Activate two-factor authentication for hosted services
- Remove unused user accounts (previous staff members, for example).
- Ensure only administrators are granted full administrative access to computers/systems
- Regularly update the software on all systems
These steps won’t protect your business against every attack, but they will close the most common security gaps.
Keep in mind that all IT systems become more vulnerable with age. Yesterday’s technology isn’t as efficient or secure as it once might have been. Be sure to regularly update your systems.
Assess The Needs of Your Business
If you have the basics covered, then you should look to protect your business against more specific cyber attacks and security vulnerabilities. The first step is to identify the potential threats, and learn what solutions are at your disposal. Your business will have very different needs from other SMEs; it depends on your line of work, and what role technology plays in it.
We recommend SMEs refrain from spending a fortune on tightening their security, and first use the government’s Cyber Essentials questionnaire, which was launched in 2014. This highlights ways you may have undermined your own security without realising. It helps to guard against the most common cyber threats, and also demonstrates your organisation’s commitment to cyber security.
In the next section we provide advice for preventing the most common cyber threats.
Preventing Common Cyber Threats Within Your SME
Whilst there can be no such thing as security perfection, with the right tools and mindset, you can defend against the majority of cyber crimes. So what exactly are the most common cyber threats to SMEs, and how can they be dealt with without loss of productivity?
Malware (Spyware, Adware, Worms, etc)
Malware — short for malicious software — is software created with the intention of infiltrating, damaging or disabling computers. It is commonly referred to as a “virus”, as it can often spread through a host computer and across a network. Malware can be planted on a computer through email attachments, downloads or file transfers.
There are two main types of malware:
- Software viruses: executable files installed on your computer with or without your knowledge.
- Macro viruses: use facilities found in existing software (e.g. office applications) to execute themselves.
Some malware aims to steal information about your activity (e.g. your bank details) — this is known as “spyware”. Other types of malware produce screen popups with adverts, and are referred to as “adware”. Malware that spreads or replicates itself is colloquially known as a “worm”. You could easily have one or more forms of malware without even realising — it’s not always obvious.
Malicious software attacks aren’t anything new. They have existed for decades, and according to the Department for Business, Innovation and Skills, more than 25% of UK SMEs suffered a virus or other malicious software attack in 2013.
- Be self-disciplined and diligent. Always exercise caution before clicking on links in emails, opening attachments, or visiting unfamiliar websites.
- Use antivirus software to detect when an infection is about to take place and prevent it before it spreads.
- Ensure your system software (e.g. the operating system) is up to date with all the latest security patches. Malware is designed to exploit known flaws — updates address those vulnerabilities.
Cyber Fraud & Scams
The same scams in everyday life take place online. Cyber fraud often starts in the form of spam emails or messages, sent to a large volume of recipients in the hope that some people will respond and fall victim. These are commonly known as “phishing scams”.
Most scammers claim to provide a product or service. They’ll often pose as an official source (e.g. a bank, insurance company, financial service, or individual person). Cyber fraudsters’ aim is to trick victims into buying a non-existent product or service from them, or to obtain their payment details.
Some types of fraud are particularly suited to cyber attackers:
- Fraudulent payments: ordering goods or services with someone else’s personal or business payment details, false payment details, or stolen details.
- Impersonation: illegally and deceitfully posing as someone else to benefit from another individual or organisation.
- Social engineering: gathering confidential information, either to give credibility to a conventional fraud attempt, to discredit your business, or to sell details on to others.
- When trading online, use the same protocols you would when placing or accepting orders offline.
- Know your customers or clients – it will prevent trickery. Use the URL, email address, telephone number, physical address and other details to investigate third parties. Remain wary of customers or suppliers whose details you cannot verify.
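The checks above (does the sender really belong to the organisation they claim, and do the contact details hold up) can be partly automated on incoming mail. The following is an added example written for this guide, not code from any product or from the guide’s author. It applies three heuristics to a raw message with the standard library: a display name that claims a known organisation while the sending domain differs, a Reply-To that diverts replies elsewhere, and a link whose visible text names a trusted site while its target does not. TRUSTED_DOMAINS and both sample messages are constructed for the example.

```python
"""Added example: flag common phishing indicators in a received e-mail."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the (hypothetical) business has verified for its bank and a supplier.
TRUSTED_DOMAINS = ("examplebank.co.uk", "supplier.example")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted_host(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def claimed_domain(text):
    """Trusted domain whose organisation name appears in text, if any."""
    text = text.lower()
    for d in TRUSTED_DOMAINS:
        if d.split(".")[0] in text:
            return d
    return None


def check_message(raw):
    """Return the list of indicator names found in the raw message text."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name (or mailbox name) claims a trusted organisation, but the
    #    message was not sent from that organisation's domain.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    claimed = claimed_domain(from_name) or claimed_domain(from_addr.split("@", 1)[0])
    if claimed and not is_trusted_host(from_dom):
        findings.append("sender-domain-mismatch")

    # 2. Replies are diverted to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Link text names a trusted site while the href points somewhere else.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname or ""
        if claimed_domain(text) and not is_trusted_host(host):
            findings.append("link-mismatch")
    return findings


# Constructed sample messages (not real mail). The first imitates the bank from
# a lookalike domain; the second is what genuine mail from the bank looks like.
PHISHING_SAMPLE = """From: "ExampleBank Security" <alerts@examplebank-secure.com>
Reply-To: recover@mail-verify.example
To: accounts@smallbiz.example
Subject: Urgent: confirm your account details
Content-Type: text/html

<p>Please <a href="http://login.mail-verify.example/confirm">sign in at examplebank.co.uk</a> today.</p>
"""

GENUINE_SAMPLE = """From: "ExampleBank" <statements@examplebank.co.uk>
To: accounts@smallbiz.example
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is ready at <a href="https://online.examplebank.co.uk/statements">examplebank.co.uk</a>.</p>
"""

if __name__ == "__main__":
    print("suspect:", check_message(PHISHING_SAMPLE))
    print("genuine:", check_message(GENUINE_SAMPLE))
```

These are indicators, not proof: a mailing-list or help-desk system can legitimately set a different Reply-To, so a hit should prompt the verification the guide describes (ring the organisation on a number you already hold) rather than automatic rejection.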
Encryption
Encryption is the process of encoding data in order to hide information and prevent its unauthorised use.
Most SMEs already use encryption to some degree. Mobile telephone transmissions are encrypted, as are most modern wireless network transmissions. Some tablet computers and laptops also incorporate data encryption as a standard feature.
In theory, encryption is a great way to go. But basic mistakes can render it useless: if an attacker can easily find or guess the encryption key, the data is no longer concealed at all.
- Always keep all encryption capabilities turned on. Follow the recommended configuration settings outlined by the supplier of your software.
- Don’t attempt to modify encryption software, or protect your SME using your own encryption method. It’s highly complex, and best left to the experts (software providers, for example).
- For devices without built-in encryption, consider installing a third-party encryption product to protect important data — such as financial records.
Access Control
Unfortunately, you can’t assume that everyone surrounding your business will be honest and well intentioned. Trust remains an issue in an organisation of any size.
Unauthorised users must be prevented from using IT equipment and gaining access to privileged or confidential data. This applies to current staff, those that have left the company, and especially those outside of the company.
Most small-business security breaches are caused by failure to control access.
- System users must be required to identify and authenticate themselves with usernames and passwords.
- Ensure passwords are regularly changed. This can be enforced every 3 months, for example.
- Prevent low-level users from using unnecessary system functions and data. Reserve those rights for privileged administrative accounts.
- Use two-factor authentication where necessary. For example, passcode generators (popular with internet banking).
- Regularly backup important data to a separate location. It might be necessary to restore your system if your data is deleted or modified without authorisation. Having a backup copy is crucial for the recovery process.
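Several of the steps above (removing unused accounts, rotating passwords every three months, limiting administrative rights to administrators, and using two-factor authentication for privileged access) can be checked in one pass over an export of your user accounts. The script below is an added example for this guide, not code from any product; the export format, the Account fields (including the hypothetical HR “role” field) and the sample accounts are all constructed for the example.

```python
"""Added example: audit an account export against the access rules in this guide."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 90  # the "every 3 months" rotation period from the guide
MAX_INACTIVE_DAYS = 90      # longer than this without a login counts as unused
ADMIN_GROUP = "Administrators"


@dataclass
class Account:
    username: str
    role: str                 # "admin" or "user": the job role HR records (hypothetical field)
    groups: Tuple[str, ...]   # groups actually granted on the system
    last_login: Optional[date]
    password_changed: date
    mfa_enabled: bool


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs, in account order."""
    findings = []
    for a in accounts:
        # Leavers and dormant accounts: never logged in, or idle for too long.
        if a.last_login is None or (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append((a.username, "unused-account"))
        # Password rotation: strictly older than the period is overdue.
        if (today - a.password_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "password-overdue"))
        is_admin_on_system = ADMIN_GROUP in a.groups
        # Only administrators should hold full administrative access.
        if is_admin_on_system and a.role != "admin":
            findings.append((a.username, "excess-privilege"))
        # Privileged accounts are where two-factor authentication matters most.
        if is_admin_on_system and not a.mfa_enabled:
            findings.append((a.username, "admin-without-2fa"))
    return findings


# Constructed sample export for a fictitious small business, audited on 1 March 2018.
AUDIT_DATE = date(2018, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", ("Administrators", "Staff"), date(2018, 2, 28), date(2018, 1, 15), True),
    Account("bob", "user", ("Staff",), date(2017, 10, 1), date(2017, 9, 1), False),
    Account("carol", "user", ("Administrators", "Staff"), date(2018, 2, 20), date(2018, 2, 1), False),
    # dave left the company but his account was never removed.
    Account("dave", "user", ("Staff",), None, date(2017, 12, 1), False),
]


def run_sample_audit() -> List[Tuple[str, str]]:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user}: {finding}")
```

Note the boundary: dave’s password was changed exactly 90 days before the audit date, so it is not yet overdue, while bob’s 181-day-old password is. Run the audit on a schedule and treat every finding as a ticket to close, especially “unused-account” for leavers.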
Physical Theft & Vandalism
Computer theft or vandalism is highly disruptive to any business reliant on IT. Replacing expensive stolen or damaged equipment is one matter; crucial data falling into the wrong hands is another.
The Office for National Statistics reveals that computers are now the most commonly stolen item in UK burglaries. This comes as no surprise, as most modern devices are small, portable and have a relatively high resale value.
Worth noting is that more sophisticated criminals who get hold of a device can plant electronic ‘back doors’ on it, giving them unauthorised remote access to data without anyone realising. So not every data security breach is carried out purely electronically; physical factors still play their part in some cyber crimes.
- Treat IT equipment as you would any other physical asset owned by your business. Install robust locks on all doors and windows. Secure PCs to desks and the floor.
- Control visitors that enter your premises. Access cards, security cameras, and a check-in/check-out log book all help.
- Encrypt data on all devices so that if equipment is stolen it’s difficult to extract private information.
- Store valuable portable devices in a secure, fixed cupboard or drawer. Take them home with you if it’s safer to do so.
Security On Remote Devices
Around 90% of UK SMEs allow their staff to connect remotely to their IT systems, and many rely on staff using privately owned devices, such as smartphones or tablets. Whilst this makes the business more flexible and less tied to one location, remote access technology brings additional security issues.
Unlike office computers, physically fixed to the desk within a building, portable devices are small, easily transported — attractive to thieves. They’re often used to connect to various networks, and to interact with other devices. The chance of infection or data interception, compared with wired systems, is much higher.
Despite this, an estimated one in five SMEs do not protect remote devices used by employees.
- Educate staff on the risks involved in using their portable device. If possible, control how they configure their devices before connecting to networks.
- To make infection more difficult, SMEs should enforce a company policy on connectivity and the applications that can be installed on portable devices.
- To take security one step further, install malware protection on all portable devices.
Wireless Networks
Traditional wired networks are difficult to connect to without anyone knowing. A wireless network, however, is a more attractive proposition to an attacker. An outsider may be able to connect to the WiFi, beat the encryption, and gain sensitive information — such as the details of your clients.
Wireless networks are typically protected by encryption and strong user authentication. The WPA2 protocol is the modern standard. Using it should be a priority for SMEs and individuals alike.
- Ensure that WPA2 is in use. Outdated WEP encryption protocols or unencrypted networks need to be replaced or reconfigured — they’re insecure and leave your wireless network open to attacks.
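Checking that WPA2 is in use does not need special tools: a scan from any laptop lists each network’s security flags, and the script below turns that list into a short to-do list. It is an added example for this guide, not code from the guide’s author or any product. The input format is modelled on the terse output of `nmcli -t -f SSID,SECURITY device wifi list` (SSID and security flags separated by a colon), but SAMPLE_SCAN and OWN_SSIDS are constructed for the example, not captured from a real site.

```python
"""Added example: flag the business's own wireless networks that are open or use WEP."""

# SSIDs belonging to the (hypothetical) business; anything else is a neighbour's.
OWN_SSIDS = {"SmallBiz-Office", "SmallBiz-Guest", "SmallBiz-Printer"}

# Constructed scan output: network name, then the security flags the scanner reported.
SAMPLE_SCAN = """SmallBiz-Office:WPA2
SmallBiz-Guest:
SmallBiz-Printer:WEP
Neighbour-Net:WPA1 WPA2
Cafe-Free:
"""


def parse_scan(text):
    """Yield (ssid, security) pairs. The security field never contains a colon, so
    splitting on the last colon keeps SSIDs that contain (escaped) colons intact."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")
        yield ssid, security.strip()


def classify(security):
    """Map scanner flags to a verdict the guide's advice can act on."""
    flags = security.upper().split()
    if not flags:
        return "open"          # no encryption at all
    if "WEP" in flags:
        return "wep"           # broken; replace or reconfigure
    if "WPA2" in flags or "WPA3" in flags:
        # Mixed mode still admits WPA1 clients, so it deserves a review.
        return "wpa2-mixed" if "WPA1" in flags else "wpa2-or-better"
    if "WPA1" in flags or "WPA" in flags:
        return "wpa1-only"
    return "unknown"


ACCEPTABLE = {"wpa2-or-better"}


def audit_wireless(scan_text, own_ssids):
    """Return (ssid, verdict) for the business's own networks that need attention."""
    return [(ssid, classify(sec)) for ssid, sec in parse_scan(scan_text)
            if ssid in own_ssids and classify(sec) not in ACCEPTABLE]


if __name__ == "__main__":
    for ssid, verdict in audit_wireless(SAMPLE_SCAN, OWN_SSIDS):
        print(f"{ssid}: {verdict}")
```

Neighbouring networks are deliberately ignored: you can only fix your own. WPA3, which succeeded WPA2 after this guide was written, passes the check as well; a “wpa2-mixed” verdict means the access point still accepts the older WPA1 mode and should be reviewed.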
Cloud Computing
Cloud computing involves the online delivery of IT services through the internet. It brings many benefits to SMEs including scalability and data loss protection.
There are three main forms of cloud computing:
- Software-as-a-service (SaaS): software accessed online. For example, office applications.
- Infrastructure-as-a-service (IaaS): computing resources (servers, storage, networking) in a remote data centre, accessed over the internet. For example, website hosting.
- Platform-as-a-service (PaaS): a remote platform used to develop and deploy new software applications.
Cloud service providers usually share their resources between many customers. Their physical locations may vary, too. Therefore the downside to using them is that they reduce transparency, control and protection within your SME.
Note that businesses are still responsible for data protection whether or not it’s stored in the cloud.
- Follow the Information Commissioner’s Office guidelines on cloud computing. This helps to ensure that personal data held in the cloud complies with the Data Protection Act.
Firewalls & Secure Networks
Firewalls regulate information that flows between networks. They examine data and decide if it should be permitted to pass on to its destination. Many of the routers provided by Internet Service Providers (ISPs) for broadband connections have built-in firewalls.
Any business with an internet connection is susceptible to network intrusions. Thus a firewall is a must-have.
- Block services you do not require using a network or personal firewall.
- Block unauthorised access to the programs you do need to use. Most PC security packages have an Intrusion Prevention System (IPS) capability to do this.
- Follow the government’s cyber security advice for businesses.
Additional Cyber Security Resources For SMEs
The Data Protection Act
By law you are required to protect data you hold and process about your customers, suppliers and staff. For advice on how to keep personal information secure read the
Cyber Security Training
Staff managers and business owners can utilise the free online cyber security resources from the government: Cyber security Training for Business
Victims of Cyber Crime
The Take Five Stop Fraud website provides advice on how to prevent and deal with cyber fraud. It elaborates on several of the topics we’ve touched on in this post.
You can report cyber crimes to the police via Action Fraud.