You can’t assume that your small business is not a target for hackers. As many as three-quarters of smaller businesses are at risk, according to the latest Government Security Breaches Survey, with the worst breaches costing up to £300,000.
Small companies face attack from multiple angles. “Like [larger] enterprises, they face targeted attackers who are interested in intellectual property and other confidential data, as well as using smaller organisations as a way into larger ones,” says David Emm, principal security researcher at Kaspersky Lab. “And like consumers, they face random, speculative attacks that make up the bulk of the threat landscape and are distributed indiscriminately by cybercriminals.”
That’s problematic for SMEs, which are less likely to have a dedicated IT department staffed with security professionals. “SMEs typically don’t allocate resources to cyber security, and they allocate very few resources to IT,” says Andy Patel, senior manager for technology outreach at F-Secure. “This leaves them open to attack in a variety of ways. A cyber security incident is likely to cost an SME proportionally more to recover from than a well-prepared company.”
Improving the security situation at your small business doesn’t need to be expensive, and it could well save you money in the long run. We asked experts across the security industry for their tips on how small businesses can stay secure without breaking the bank.
Adopt two-factor authentication
Take security into your own hands and enable two-factor authentication on any service or device used by the company for email accounts, social media feeds or more sensitive systems. Anyone using these accounts will need an extra credential to gain access from a new device, or to change profile settings, which stops hackers from breaking in even if passwords are leaked.
“Multi-factor authentication reduces the risk of a compromise, since a password alone is not enough to gain access to an online account,” says Mr Emm. “At the very least, multi-factor authentication should be mandatory for changes to account settings.” He adds that it’s essential for companies to shut down accounts, or change login credentials, when someone leaves employment.
Two-factor authentication does add steps to employees’ login procedures, so avoid frustrating them by taking it one step at a time. “Start with the critical accounts and scale up from there as it becomes a habit,” advises F-Secure security advisor Sean Sullivan.
Get smart with email
Email is a weak point for smaller enterprises, with criminals targeting companies with malware via phishing attacks. This is where an email is crafted to look like it’s coming from a trusted source, such as a supplier or bank, but is loaded with dodgy attachments or links to malicious pages, says Trustwave’s threat intelligence manager, Karl Sigler. “Our research has found that the vast majority of companies have been targeted with a phishing attack at least once over the past year, and the number is set to increase over the next 18 to 24 months.”
Phishing messages can be sent to any email address at random, but clever hackers can also use information gleaned online – from social networks, data breaches, or even your company website – to make attacks more effective (a trick called spear phishing).
To avoid becoming a victim, Mr Patel says staff should be trained to pay attention when reading an unexpected email. “Check the sender address carefully. Don’t open attachments you weren’t expecting. If you’re unsure, ask the sender. Be suspicious of certain file types – most people don’t use zip files nowadays. If you are asked to ‘enable content’ on an office document, don’t.”
Mr Sullivan takes a different approach. “Almost everybody can spot phishing during training,” he says. “Phishing works when people are distracted – and people are distracted by tools they don’t use well. Pay for productivity training and you will end up with better email hygiene.”
Avoid ransomware threats – and don’t pay up
Ransomware is where hackers gain control of your data, encrypt it and demand a payment to hand over the key. Research by Kaspersky Lab found that 49pc of SMEs believed such “crypto-malware” was one of the most serious threats they faced , with two-thirds of SMEs reporting complete or partial data loss from such attacks.
To mitigate the threat, follow the the email security tips above, as malicious messages are a common delivery method for crypto-malware, says Mr Emm. And, ensure your company has up-to-date, secure backups, so you aren’t forced to pay criminals to get your data back.
Beyond these steps, control access to files to those who need them, to help limit the spread of malware, and ensure staff don’t have administrator rights, as that makes it easier for malware to spread more widely across your network.
If you don’t have a backup, should you pay the demand? Mr Sigler says: “We would advise against paying the ransom as there’s no reason for the attacker to keep their promise and restore the system. Communicating with cyber criminals also provides them with more information, such as IP or email addresses, which can be used in future attacks – very likely if a company is willing to pay up.”
Undertake regular assessments
It’s an industry cliché, but the weakest link in any network is the people – and this applies to company leaders, as well as the IT department. “Security assessments should not be treated as a one-time event. It’s vital to perform regular testing to keep track of the fast-moving security landscape, especially if the business expands or implements new technology,” notes Mr Sigler, adding that Trustwave research revealed that one in five companies hadn’t done any testing in the past six months, “leaving them blind to new vulnerabilities and threats”.
So, what new threats are looming on the horizon? Kaspersky’s Mr Emm warns SMEs to keep an eye on the Internet of Things (IoT), which includes everything from smart CCTV cameras to connected children’s toys. “The IoT is bringing not only risks to privacy, but also the danger that connected devices will be used as a weak link to gain access to other systems,” he warns. Perhaps think twice before buying that web-connected coffee machine for the office kitchen.