Half of small business owners experience at least one type of cyber-attack over a one-year period, research from Nationwide’s Small Business Indicator survey revealed.
The reality is poor cyber security awareness and a lack of dedicated IT professionals make startups and small businesses tempting targets to well-funded networks of cyber criminals. So what are the simple steps you can take to protect your business?
Unlike larger organisations, small businesses are poorly equipped to recover after a cyber attack. Ransomware, a variant of malware that locks computers and infrastructure, could cripple your business and force a five-figure pay-out.
If you fall victim to ransomware, you may be required to spend a small fortune on cyber security contractors. But even these experts can’t guarantee you’ll recover any critical data.
The good news is that there are simple ways to protect your business from a nightmare security scenario and even basic precautions can dramatically reduce the risk of your business being hacked.
1. Protect against insiders
It may seem counter-intuitive, but your own employees are your greatest cyber security risk – this is true for businesses of every size.
Any employee can cause a data breach or leak by mistake and you can’t watch everyone, but you should pay specific attention to privileged users, third parties and terminated employees.
Privileged users are usually the most trusted employees and will control the access to your critical infrastructure and data. You must keep track of the number of privileged users in your organisation and terminate their access when they leave, even if you’re on good terms.
Subcontractors and third-party vendors should also be treated as a potential security risk. Don’t give an IT contractor admin privileges to your critical data and systems – and if you have to, reset your passwords once they’ve finished.
To defend against insider threat, it’s key to restrict the number of employees with privileged access to your critical systems and software. Plus, when employees leave, be sure to deactivate their accounts.
2. Give your employees basic cyber security training
Any cyber security strategy or investment is redundant if your employees fail to grasp basic cyber security principles.
A well-targeted phishing email could convince an unaware employee to give up their password, bypassing any defences you’ve worked hard to establish. Whether you have dedicated IT support or not, you can’t monitor every employee.
That’s why education and training are essential to protect your startup from cyber crime. Some employees may not know (or care enough) to protect themselves online, and this will put your business directly at risk.
To solve this, hold training sessions to teach your employees cybercrime basics, including how to properly manage passwords and identify potential phishing attempts. Alternatively, consider motivating your employees to take some online cyber security training – like CompTIA’s Cybersecure course.
For impartial and free advice around defending against cyber security threats, take a look at the National Cyber Security Centre (NCSC).
Even a basic level of cyber security knowledge could mean the difference between being hacked or avoiding the risk altogether.
3. Assign responsibility to your employees
You now know that your cyber security strategy is only as strong as your weakest link (i.e. your most careless or uncaring employee).
Every employee must understand the basics of cyber security, but it shouldn’t end there – responsibility for cyber security should be given to your employees. Even in startups and small businesses, someone must be responsible for cyber security.
By assigning responsibility, you have someone to hold accountable to ensure your cyber security initiatives are completed.
Everyone knows not to click on a link in a suspicious email. But even with near-constant warnings from a frustrated cyber security industry, businesses still fall victim to phishing attacks every day.
Phishing continues to evolve and remains one of the most effective methods criminals use to introduce malware into businesses.
If an employee is tricked into clicking a malicious link within a phishing email, they may accidentally unleash malware onto their machine, which can then quickly infect the entire business network.
Spear phishing is an ultra-targeted form of phishing in which malicious emails are designed to mimic someone the recipient trusts, like senior management or a regular client.
Depending on the seniority or perceived value of the target, cyber criminals may even trawl social media and other online profiles to gain valuable insights that can be used to tailor a highly authentic spear phishing campaign.
To mitigate the danger posed by phishing, training and awareness are key. You must ensure your staff understand the dangers of phishing attacks and know how to spot a phishing email. Again, the NCSC has some great guidance on protecting against phishing attacks.
Ultimately, you can never prevent an employee from accidentally clicking a link in an email. To mitigate the risk, ensure your data is backed up outside of your business network in case it is locked up by a ransomware attack that gained access through a phishing email.
5. Secure your passwords
Factory-set passwords left unchanged are one of the most common security mistakes organisations make. All vendor-supplied passwords that come with any system or software must be changed before they’re deployed.
Pay particular attention to devices like routers; even your office printer can represent an easy target for criminals to gain access to your network.
You’ll likely be using dozens of different tools and services, each ideally requiring a unique, strong password – it can be hard to remember them all. Take advantage of free password management software, which can generate complex passwords for you and store them in encrypted form.
However, like any security software, they’re not impregnable and you’ll still need one “master” password to gain access – ensure this is never written or recorded anywhere.
Interestingly, the NCSC now advises against forcing employees to regularly change their passwords, going against a long-established security guideline.
Why? The more often your employees are forced to change their passwords, the greater the overall vulnerability to attack.
The new password may have been used elsewhere, and attackers can exploit this weakness – if they gain access to one account, they may be able to access others with the same or similar password.