Cyber-crime continues to increase throughout the world and is approaching 50% of all recorded crimes in the United Kingdom. According to the Federation of Small Businesses, two thirds of small UK businesses were attacked by hackers over a recent two-year period. Each incident can cost thousands of pounds and consume substantial employee time to put right, so it’s crucial that small businesses mitigate this risk. Every start-up needs to take some steps to prevent cyber-crime. Some areas to prepare for are:
- Phishing. Everyone now knows not to click on strange links in strange emails. But the real risks come from more sophisticated attacks: emails that imitate those sent by regular business contacts, companies or institutions you have dealt with in the past. Employees need a healthy scepticism towards every email they receive. Key “tells” that an email is phish-bait and needs further investigation are:
a) The display name does not match the email address: a display name is trivially set by the sender, whereas the address itself cannot simply be copied.
b) The address it is sent from contains an additional letter or character in the user name or domain: e.g. firstname.lastname@example.org might be imitated, with an additional letter “s”, as firstname.lastname@examples.org.
c) Spelling errors: if a corporate email is automatically generated, it will have been carefully checked for errors. Phishers often have less time for this.
d) The email unexpectedly asks you to open a link or attachment. Don’t.
e) Strange or impersonal salutation: “Valued Customer” is an obvious one but anything out of the ordinary should be checked.
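Tells a), b) and e) are mechanical enough to check automatically before a message reaches an inbox. The Python below is an added example, not part of the original article; the trusted contact domains, generic salutations and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed (hypothetical) list of domains this business regularly deals with.
TRUSTED_DOMAINS = {"example.org", "bank-example.co.uk"}

# Constructed list of impersonal salutations (tell e).
GENERIC_SALUTATIONS = ("valued customer", "dear customer", "dear user",
                       "dear account holder")


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or substituted character."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage_from_header(from_header: str, body: str) -> list[str]:
    """Return the list of phishing tells triggered by a From header and body text."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    tells = []

    # Tell a): the display name carries an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != domain:
        tells.append("display name address does not match sender address")

    # Tell b): sender domain is one character away from a domain we trust (e.g. an extra "s").
    if domain not in TRUSTED_DOMAINS and any(edit_distance_one(t, domain) for t in TRUSTED_DOMAINS):
        tells.append(f"sender domain {domain!r} is a near-match for a trusted domain")

    # Tell e): the opening line uses an impersonal salutation.
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if any(s in first_line for s in GENERIC_SALUTATIONS):
        tells.append("impersonal salutation")
    return tells


if __name__ == "__main__":
    # Constructed sample: a lookalike domain, a mismatched display name and a generic greeting.
    suspicious = '"jane.smith@example.org" <jane.smith@examples.org>'
    for tell in triage_from_header(suspicious, "Dear Valued Customer,\nPlease open the attachment."):
        print("flag:", tell)
```

A message that trips several tells at once is a strong candidate for the "further investigation" the list above calls for, rather than an automatic block.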
- Updates. Security and general software updates are crucial, because sophisticated cyber attacks are constantly changing and exploiting newly identified vulnerabilities. The WannaCry ransomware targeted systems that had not been updated with the latest Microsoft patches. The NHS had cut its spending on IT systems over the preceding years and was crippled for weeks: a small business that neglects such a basic business function is likely to pay dearly in the long run.
- WiFi. You may be surprised to learn that WiFi routers straight out of the box are not always secure, and traffic from the router can be monitored remotely by an attacker with the right equipment. Ensure the WiFi is secured and encrypted with WPA2, using a strong password known only to IT administrators. Similarly, be selective about the Internet-of-Things devices you connect to that WiFi: in some cases these devices have been found to store the WiFi password unencrypted!
- BYOD. In a nutshell, bring-your-own-device (BYOD) is extremely difficult to monitor and increases the need for cybersecurity training. The problem with BYOD is that the employee must also avoid infecting the device out of hours, so it’s best to keep some firewalls or limits between what is and is not a work device. Consider whether to restrict how employees use their devices, and whether you can afford to have the company pay for and monitor a device instead. Once again, it may pay off in the long run.
- Encryption. It’s a technical word, but encryption may be crucial for sensitive files and is not as hard to implement as you may think. Fortunately the internet provides a plethora of introductions and tutorials; for starters, look at Microsoft BitLocker or Apple FileVault and decide whether it would be worthwhile for your business to implement.
- Contingency. All of the above steps are fairly sensible. But protection is never guaranteed, and cyber-crime needs to be viewed as a business cost to be controlled rather than eradicated entirely. That is why the most important thing is to know what you will do when an attack gets through. Think about how problems should be reported, who takes charge, how you can cut off your internet exposure at short notice, and what sources of external help you can reach out to.