Small businesses have had a vast amount to contend with in recent years. On top of everything else, there is cyber security. How much should you worry?
I set out to find out and spoke to the wonderful James Bore of Bores Security Consultants. I asked him what had amplified the dangers of cyber security threats. James explained to me that with nearly everything connected now, it also means almost everything is subject to remote attacks. He tells me that, unfortunately, devices and software are also rarely manufactured with security as the highest priority. This problem is especially true of cutting-edge and commodity tech, where speed of delivery is all that concerns the marketplace.
Companies having to scramble to work remotely in the pandemic have been using online solutions they were unprepared for, which has only magnified the attack surface. Finally, of course, the impact of the pandemic globally has created the ideal economic circumstances for a surge in threats targeting organizations and individuals.
What sorts of cyber threats are there?
James explains that there are several different forms of criminal attack for SMEs to contend with and take steps to ensure cyber security. Ransomware and extortionware are designed to encrypt and hold to ransom data or steal it and threaten reputational damage. Many threat actors will carry out both. The remaining attacks tend to fall into the realm of social engineering, with Business Email Compromise, invoice fraud, return fraud, and whaling all being effective and successful vectors for criminals.
a. Business Email Compromise (BEC) – spoofing an email address associated with the company or a company with a relationship, usually someone senior, to encourage payments fraudulently. The classic example starts with a fake message from the CEO with something like, ‘Are you at work? Have something urgent I need you to do.’ It can develop and evolve. There have been cases of millions of pounds being transferred in one of these attacks.
b. Invoice fraud involves a spoofed email from a supplier asking for a change of bank details. While it would seem simple to prevent this by verifying any requests, a recent legal case in the US revealed that Google and Facebook were targeted and impacted by a long-term invoice fraud attack that netted 100 million dollars.
c. Return fraud has become far more common with the increase in online shopping through the pandemic, backed up by payment processors trusting customers more than vendors when it comes to refunds. There are various forms. Wardrobing involves buying items, using them for a short time, and returning them. Bricking involves purchasing expensive electronics, carefully stripping them for parts, and returning the worthless shell as ‘faulty”. Another is empty box fraud, claiming that an “empty box” has been received instead of the order. And there are many more.
d. Whaling is the targeted phishing of senior members of an organization and is similar to business email compromise. The difference is that this is often a much more personal attack, crafted to compromise someone senior in a business, usually for financial gain.
How worried should we be?
Many businesses are thinking of other priorities than cyber security right now, and I asked James much cyber security should worry us.
He says that a ransomware attack can render a company incapable of continuing to operate for months at a time and cost tens of thousands to pay for the return of data. It is an attack that can bankrupt a small or medium business in short order.
Other attacks can be just as damaging. The biggest problem James encounters with businesses in dealing with cyber security is a lack of awareness of basic precautions that can be taken together. There is also a feeling that it is a problem beyond the control of any small business.
James says that sadly the problem is made worse by many business organizations offering what he describes as “cookie-cutter cyber insurance together with audits by IT companies. These companies don’t always understand the individual threat profiles of a business, not take the time to work with them to improve things. Pay-out offered are too often around £10,000 when the actual cost of an incident can run to hundreds of thousands.
Putting cyber security into place
James advises that the best thing to do is to be open to the option of speaking with small cyber security businesses – they have less incentive to take a cookie-cutter approach.
But there are still risks involved. Unfortunately, too many individuals latch onto the cyber security topic as a way to make money. They may not have the understanding of the issues themselves or be willing to put in the work. Finding one that you can trust is challenging, James says.
Here are some basic steps that everyone can take in cyber security. Make sure your staff is trained and you have the right processes in place for financial transactions. Ensuring backups are available and up to date will help against ransomware, and many cloud storage providers are effective for basic attacks if set up correctly. Beyond that, ensuring systems are patched, up to date, and protected by antimalware tools will also help.
James says that most attacks against businesses (estimated around 90%) begin with a phishing email. Therefore, making sure staff know what to look for in genuine and phishing emails is vital. This point was something that had come up with other experts I have spoken to. Because the emails can look so similar to something or someone the recipient would expect to have an email from, it is incredibly easy for someone in a hurry to be taken in. Drumming the danger home to people could make a massive difference to your cyber security.
James also says that communicating with and working with other businesses locally or in the same sector on cyber security is hugely worthwhile. This is a great tip because a small business is unlikely to be able to afford a dedicated security team, but having one shared between multiple related companies is a better option than either having none or paying the premium that larger MSSPs used to working with large enterprises demand.
Passwords are critical, and password length is more important than almost anything else to do with them. I, for one, am so used to the automatically generated random eight numbers that I have been under the impression that this is safe. However, James says that instead of the random eight characters, it is vastly better to have a sentence with punctuation of 20 characters.
While it might seem an irritation in the short term, bear in mind the long-term threat and, wherever possible, turn on 2 factor or multifactor authentication, and use the option of an app for the second factor rather than text messages or emails.
James’ next piece of advice is that if you are using small business suites such as Office 365 or Google Suite, take the time to read through and understand the security options. The available tools are pretty effective, but many are not turned on by default and often never get switched on.
Several of the most significant worldwide cyber security attacks in the last year have been down to lack of security, not on the part of the companies directly affected, but their security or management software supplier. Choose carefully, and consider carefully. There are some advantages to the much larger suppliers, but they are also a much bigger target for profit-minded attackers as they allow thousands of companies to be attacked through one entry point.
Reverting to the concerns around insurance, James says that while cyber insurance may be worth considering, you need to be sure of what you need and what you are buying. It is still a developing field, and insurance companies have not yet got a handle on it.
I am hugely grateful to James. His tips for self-help on cyber security given here are highly actionable, and I hope they will save many a business from a possible threat.
If you want to read all our series on digital marketing, this is the first one here on how to achieve it on a budget.
