“For SMEs, we see a high volume of quite basic, opportunistic attacks. The most common things we’re seeing are:
- Phishing attacks. These are scam emails sent en masse. They might ask for personal information like bank details, or encourage you to make a payment or visit a fake website via a malicious link. We’re still seeing high numbers of these attacks. To counter them, make sure you help your staff identify and report suspicious emails, and turn on two-factor authentication where possible. Lastly, if in doubt about an email, discuss it with a colleague or initiate a call-back to verify, using a number you trust.
- Ransomware. That’s malicious software that makes data or software unusable until the victim makes a payment.
- Insider threat. This is the potential damage that can be done either maliciously or accidentally by a legitimate user of your technology. To reduce this risk, we recommend using administrator privileges, so making sure that people only have the right level of access to systems they need to do their job.
“We’re finding that SMEs are vulnerable to untargeted attacks. Small businesses commonly don’t see themselves as at risk, and therefore they’re not implementing the basic controls. A key goal of ours is to raise awareness and to help businesses improve their resilience just by implementing the basics, so they can take themselves out of that easy target zone.”
What advice would you give to businesses looking to better protect themselves?
“As a starting point, follow the five simple steps which are set out in our Small Business Guide:
- Make sure you’re backing up your data. This should be to a physical hard drive that isn’t connected to a network. You can also consider backing up to the cloud.
- Protect your business against malware by using antivirus software and keeping it updated, and keeping your firewall turned on. Also, make sure you’re running all your software updates, as these contain fixes for identified vulnerabilities.
- Keep your tablets and smartphones safe. A lot of smaller businesses don’t necessarily have an office; they might be working on the move, perhaps in a coffee shop or on the train. So make sure you’ve got a password and a PIN on your device, and if you’re out and about using the internet, consider tethering instead of connecting to public wifi.
- Only use strong passwords. Cybercriminals use loads of different combinations of the most common passwords to break into accounts with weak password protection. We suggest creating passwords that are strings of three random words. This creates a long complex chain that’s hard to crack, but easy to remember.
- Build a culture of awareness. This is particularly important to combat phishing attacks. It’s about fostering an open culture within your organisation that says it’s OK to speak up if you think you’ve received a phishing email or clicked a suspicious link. The sooner people know, the better. It’s about training and awareness, making sure employees know the signs to look out for.
“It’s also important to make full use of the security options your bank provides to protect you online. If you’re a Bankline customer, for example, take the time to set dual user controls and payment limits. There are webinars and support pages to help you with this.”
If a business does fall victim to a cyber attack, how can they limit the damage?
“Sadly, sometimes it’s not a case of ‘if’, but ‘when’. The best way you can limit the impact of a cyber breach is to be prepared. Preparing your response and planning your recovery will help you react and recover quickly.
“We’ve recently produced a Response & Recovery guide to help with this. It covers things like how you identify a cyber incident and making sure you’ve got a business continuity and recovery plan. Depending on your business, this could be as simple as a sheet of paper with a list of people you’ll need to contact in a cyber incident.
“One key piece of advice. If you’re ever involved in a live cyber incident, call Action Fraud immediately. If you press 9 on your keypad, they’ll deal with your call as a priority and triage your incident over the phone. The number’s 0300 123 2040, and this could form part of everyone’s continuity plan.”
Where can businesses go for more support?
“On our website, there’s bespoke advice and resources for businesses of all sizes. If you’re looking to implement basic cyber-security controls, start with the Small Business Guide and the small business actions list. If you’re looking to take things further, you can seek certification under the Cyber Essentials scheme. And if you’re a larger business or you’re at greater risk of cybercrime, then we’d point you to our Ten Steps to Cyber Security.
“There’s also our free ‘Exercise in a Box’ product, which is designed to help you and your colleagues with incident and recovery planning. It’s full of scenarios to help you test your business’s preparedness, including an easy-to-use simulation exercise for more technical people. It gives you all the tools you need to run the exercises yourself, and you get a feedback report at the end.
“Lastly, I’d mention our Cyber Security Information Sharing Partnership (CiSP) platform, a live threat intelligence platform. You can join your regional or sector node, and people use it to share intelligence about recent threats and the latest mitigation techniques.”
Is there cause for optimism about cyber security?
“Absolutely! We understand cyber security is a fairly new concept for a lot of businesses, but protecting your organisation really doesn’t have to be daunting. Many cyber threats are preventable by implementing the basics. Most attackers are opportunistic – they’ll go for the easy target – so what you need to do is take yourself out of that easy-target zone.
“It’s about making cyber security part of business as usual, and not that extra task you need to worry about that’s going to take up loads of your time and money, because it really doesn’t have to.”