Small business cybersecurity guide
A version of this article was originally published in November 2020.
It feels like barely a week goes by without news of another high-profile cyber-attack or data breach, affecting millions or even billions of people. Attacks happen so often that we may be desensitised to the numbers, but the cost to individuals and businesses is staggering, with cyber attacks costing the UK economy approximately £27 billion every year.
We all hear about it when big businesses are hit — Disney, British Airways and the NHS are prime examples — and it's easy to think that start-ups and small businesses are less of a target.
But no business, big or small, is 100% safe in this era of cyber warfare. Statistics from Salford University show that 43% of cyber-attacks target SME businesses and of those victims, 60% go out of business within six months.
We're often asked by founders of small businesses why they should be concerned about cybersecurity. Sometimes they believe their operations are either too small or their data is not theft-worthy. Unfortunately, this couldn't be further from the truth.
What makes your business vulnerable?
You're busy — and hackers know it
Running a startup or small business can be stressful. With long days and sleepless nights, who has time to think about data security? Let's face it, you have a lot on your plate and maybe you haven't spent much time making sure you're protected.
Lack of cybersecurity expertise
Small businesses often don't allocate enough resources to deploy strong firewalls and keep security patches up to date. If you're attacked, this can result in the loss of information your business relies on to keep running.
Cybersecurity is a complex issue that requires the right technology and the right policies and processes in place.
Lack of specialist legal expertise
Unlike large organisations, which have the budget to hire an entire legal and compliance department, you probably don't have any dedicated internal expertise. As a result, you may be overlooking your responsibilities around handling data.
Your data grows with you
It can be easy to lose track of the amount of data you've generated over time. Your customer database may be small in the early stages but it can grow to a thousand or more pretty quickly.
Mishandling this data could leave you exposed to attacks and fines from the Information Commissioner's Office (ICO).
Unsecured internet connections
Many startups and small businesses have freelancers or remote workers accessing their systems from local coffee shops or coworking spaces. Hackers can easily infiltrate your systems through unsecured Wi-Fi connections.
Your data is an entry point to the big guys
It's a common misconception that hackers won't be interested in attacking a business with little money or data. And while they may not care about the £80 order you took yesterday, your unprotected systems could give them a 'back door' into larger clients or suppliers — which is exactly what they're after.
What are the biggest cyber threats for small businesses?
Cyber-attacks and data breaches are often lumped together, when in fact there are various culprits that access and attack your systems in different ways.
What's more, they're constantly evolving, so it's important to stay vigilant to new threats.
In the spirit of knowing your enemy, here's a rundown of some of the major cyber risks facing startups and small businesses:
Phishing, spear-phishing and whaling
One of the most common modes of attack, phishing involves the attacker sending out emails to multiple recipients, posing as a reputable company.
The email will either contain malware in a link or attachment or will prompt the recipient to enter sensitive account or password details, enabling cyber criminals to hack into their computers or accounts.
While many of these emails look suspicious, some are surprisingly convincing and, when sent en masse, will usually catch someone unawares eventually.
Variants of phishing include spear-phishing, where attackers target a specific company or individual, and whaling, where senior executives are specifically targeted. Both can be hugely damaging if successful.
Ransomware
As the name suggests, ransomware infects your computer and holds your data for ransom, demanding significant sums for its release.
Ransomware usually accesses your computer through a phishing email sent to unsuspecting employees, although attackers have also hijacked adverts on popular news sites to deliver it, with the New York Times, BBC and AOL hit in the past.
One click on an infected link or attachment and it's in your system. Without paying up it can be almost impossible to get rid of.
The crime rings that perpetrate these attacks are growing more intelligent and sophisticated by the minute and small businesses are often a soft target, with less protection and cyber awareness than larger companies.
Worms
A type of malware, worms have been around for many years, with the first one famously created in 1988 as an innocent way of testing computer networks. They have since been used to devastating effect, penetrating vulnerable computers, before replicating and spreading within a network.
One of the most famous worm attacks was on MySpace in 2005, which spread to over one million computers in 20 hours.
Worms are often used to steal confidential information or turn computers into remote-controlled 'zombies' or 'bots', which are then used to attack more systems. It's estimated that at any moment there are several million 'zombie' computers on the internet.
New types of worms are emerging all the time, including 'headless worms', which target so-called 'headless' devices like smartphones, smartwatches and medical hardware.
Machine-to-machine attacks
With smart devices like speakers, TVs, fridges, cameras and even cars, the Internet of Things (IoT) is growing bigger and more complex. Yet these devices are often overlooked when it comes to cybersecurity.
This can leave them especially vulnerable to attack and to being used as part of a botnet to attack other systems.
As the IoT grows more prolific, these devices are a potential back-door route to valuable data, and whole networks could be compromised this way.
Ghostware
As spooky as it sounds, ghostware is a type of malware designed to penetrate networks without detection. It will steal confidential data, then cover its tracks before it leaves.
This means you may not realise your business has been compromised until it's too late and it's often impossible to find the source of the breach.
Blastware
Similar to ghostware, but this time the malware completes its task and then destroys the system it has infected.
It can potentially be much more damaging for this reason; however, you will at least know that your system has been compromised.
DDoS attacks
This type of attack has taken down some major websites in the past, including Twitter, Netflix, Reddit, and Airbnb.
DDoS (Distributed Denial of Service) attacks are on the rise, with DDoS-for-hire services making it easier and cheaper for cybercriminals to strike, bringing down websites and affecting businesses across the world.
They work by flooding a company's servers with requests, so they are unable to cope and shut down. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts.
And it's not just big businesses that are affected — small firms are often more vulnerable due to their website architecture.
Trojan virus
Again, the clue's in the name, as this type of malware is like a Trojan Horse which enters your system under the guise of a legitimate piece of software.
Once there, it can perform a number of functions, including deleting, modifying or stealing data. Unlike worms and viruses, they cannot replicate themselves — but they can be just as damaging.
Human error
Malicious or not, human error is the most common reason for cyber-attacks and data breaches, with one Stanford study showing it's responsible for as many as 88% of incidents.
A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email address, losing their company smartphone or using default passwords, to, occasionally, acting with criminal intent.
Yet despite the risks, many small companies don't have the necessary controls, training and communication in place to mitigate breaches of this kind.
How to keep your business cyber-safe
Carry out a risk assessment
First things first, a cyber risk assessment helps you understand the areas you need to protect and those where you could be most vulnerable.
Start by auditing the data and information you hold that is most valuable. This will give you a good idea of where you need protection.
Then look at how you store this data, who has access to it and how it's protected, to understand where you could be most at risk. If you're not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Implement strong network and workstation controls
Once you've identified your most valuable data assets, cover all bases to secure them with the appropriate technology. This includes adding firewalls, anti-malware and anti-virus software to all your computers and devices.
Here are some of the controls that can make a big difference to your cybersecurity:
- Install security software on your company website and keep all its scripts up to date
- Implement a properly configured firewall through a dedicated resource
- Apply current and up-to-date patches on everything, including the gadgets owned by employees
- Implement SaaS-based security services, which are often less expensive than traditional software
- Use secure cloud-based applications
- Implement solutions like VPN (Virtual Private Network) so remote access is secure
- Implement a disaster recovery site that can take over in case of a DDoS attack
- Have a static page to keep your customers informed if your order page goes offline
- Implement access controls, so that employees only have access to the information they need
If you don't have any dedicated IT expertise in-house, it's probably best to consult a cybersecurity expert.
Communication and training
The right technology is of course important, but getting your people and processes up to speed can be even more important. Yet this is an area that is often overlooked.
Your communication should begin with a cybersecurity framework. This outlines your key processes and procedures, what staff should and shouldn't do and the potential repercussions if the guidelines aren't followed.
The exact issues covered will vary from business to business but potential topics could include:
- Guidance on handling sensitive information
- Stipulations regarding password security
- A policy covering remote working and the use of personal devices
- How to look out for, report and respond to a security issue
- Required checks on suppliers to ensure they are complying with security best practice
You should ensure your cyber policy is easily accessible to all employees, is updated regularly and that staff are also given training around the issues at least every 12 months.
Build a security-centric culture
It's easy to overlook the fact that sensitive information follows your employees inside and outside your business premises on laptops or other devices. But this information should be protected at all times.
Here are some mandatory rules that will keep your data safe when your employees are on the move:
- Make employees use complex passwords — see top five cybersecurity tips
- Introduce passwords that automatically expire and need to be renewed
- Block access to certain websites that pose risks to the security of your data
- Encrypt all smartphones used for business purposes
Monitor your vendors
Many small businesses aren't aware of the amount of information that their vendors have access to and this can also pose a serious security risk. Checking third-party security controls should form part of the vetting and onboarding process.
Things to look for include:
- How your data will be stored
- Access controls for the vendor's employees
- Frequency of vendor risk assessment
- Compliance with the General Data Protection Regulation (GDPR)
Employee monitoring
An insider threat can be a current or former employee, service provider, supplier, contractor or anybody else who may be able to gain access to your confidential data.
These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can't be trusted.
We've outlined some simple steps your business can take to prevent employee misuse of data.
Periodic assessment of vulnerabilities
Finally, periodic testing should be carried out to identify emerging security risks to your network. Third parties can be hired to do this stress testing and identify any loopholes in the system, so they can be plugged before it's too late.
What happens if you're hit by a cyber attack?
Even with the best technology and security measures, sometimes you're powerless to stop a breach. This is where an effective response plan comes in, enabling you to control the situation as quickly as possible with minimum impact on you and your customers.
Yet, despite its importance, only 19% of SMEs have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
- Your legal response: You need to outline how you'll handle the legal aspects of the breach, for example informing the Information Commissioner's Office (ICO) of the issue and defending your business against any claims of negligence
- Handling media queries: Your business could be the focus of media attention following a breach, so be ready to handle all external communications about what happened and how you're handling it. You're likely to need professional PR expertise to do this effectively
- Finding out what happened: You'll also probably need to have IT forensics experts on hand to find out what caused the breach, with a view to rectifying the problem quickly and ensuring it doesn't happen again
- Informing customers: Depending on your customer base and the scale of the breach, you could have a lot of unpleasant phone calls to make. You'll need to be ready with a way to handle this communication efficiently
How can cyber insurance help?
If the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight cyber insurance policy.
Cyber insurance is designed to cover any business that operates online or is exposed to the internet, along with the risks that come with storing and handling data when running a business.
It can cover you for breach of data protection laws (where they're legally insurable) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.
Some key aspects to look out for include:
GDPR fines
The Information Commissioner's Office can impose two distinct levels of fines for breaches of the General Data Protection Regulation (GDPR).
The first is up to £8.7 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to £17.5 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The potential fines are substantial and a good reason for companies to ensure compliance.
Expenses
Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
When shipping giant Maersk's systems were infiltrated by the devastating cyberweapon NotPetya in 2017, it cost the company between $250 and $300 million to return to normal operations. The incident brought the company to a grinding halt for two weeks.
Trademarks
Cover for your website, blogs and social media against copyright or trademark infringement, defamation and similar claims.
If your business needs professional indemnity insurance (PI), it's a good idea to make sure it comes from the same insurer as your cyber liability insurance. The two covers are linked and have some crossover.
When choosing your provider, make sure they have a good technical understanding of how they work together. At Superscript, we keep our PI and cyber liability covers together to make sure they both work for you and avoid any confusion.
Some final thoughts
With cybercrime and data leaks on the rise, it's not a case of 'if' your business will be hit, but more a case of 'when'.
Getting up to speed on the scale of the threat and how best to protect your systems can prepare you and keep your business out of the cyber spotlight.
For more cybersecurity and insurance advice, check out our cyber insurance guide.
You can also drop us a line at hello@gosuperscript.com or give us a call on 0333 772 0759 or +31 10 8080 889 to discuss how cyber insurance can help your business.