Posted on 26 July, 2018 | 6 mins
While the news tends to cover stories of hackers attacking giant corporations, the truth is small businesses are often at greater risk of a cybersecurity incident.
In fact, 42% of micro and small businesses in the UK have been on the wrong end of a cyberattack over the past 12 months [1].
That’s because SMEs are easy targets. An attack on your business can result in reputation damage, loss of assets and damage to equipment that most small businesses don’t have the money to replace. The worst cyberattack the average SME will be hit with over 12 months directly costs them a mean of £12,100 [1]. Plus, there are the legal implications of GDPR to consider.
The General Data Protection Regulation, or GDPR for short, requires that all businesses take extra care when gathering and storing customer data—or face hefty fines. Wondering what this has to do with cybersecurity? With GDPR in effect, more business owners are thinking about privacy and security. The reality is that GDPR requires businesses to manage risks, and SME owners especially need to be thinking about ways to make their business safer—both for their customers and for themselves. Think of GDPR as a great excuse to improve your SME security.
So, where to start? We’ve done the research and put together five simple steps you can take to make your small business more secure (and bonus: they’ll help you comply with GDPR, too).
1. Understand the risks
Learning about the potential risks is the first step towards building not just cybersecurity but cyber-resilience. Cyber-resilience is the ability to stay safe as well as the capacity to bounce back should the unforeseen occur.
Let's take a look at some of the main cybercrimes that plague small businesses:
- Phishing: The most common cybercrime to affect SMEs [1]. These email scams help hackers obtain sensitive information. A phishing email looks like it’s from a well-known organisation or person, and usually asks for personal information or encourages you to click on a link or open a malicious attachment. Remember, most businesses won’t cold email you if you haven’t signed up to their communications (with GDPR, it’s becoming harder for them to do so legally). So be cautious of any email from a company you’re not subscribed to, check the sender’s email address to see if it at least looks like it’s from the right company and, if in doubt, get in touch through the company’s official website to check authenticity.
- Spear phishing: Related to phishing, but a lot more personal. Cybercriminals impersonate someone you know or a very familiar service provider to extract secure personal and financial information from you and your business.
- Malware: Ever had a ‘virus’ on your computer? Most people are familiar with this kind of attack. Malware infects your computer and collects your sensitive data, or just wreaks havoc on your systems and your life.
- Card-not-present fraud: When a criminal uses the card of a person or business over fax, phone or the internet—basically any non-physical way of transacting without the cardholder having to use a PIN. Imagine someone going on Amazon and buying a boat with your credit card number. No face, no ID, but once they have your information, they will maliciously use it. By the time you notice, they're out to sea.
2. Identify what needs protecting
Ask yourself: "what do I need to protect?" Obviously, there's your financial information, but this could also be an idea kept in a Word document or other intellectual property. Take this opportunity to look at the bigger picture of your business and identify what needs protecting. What do you store on your computers? What is behind your passwords? Do you even have passwords? The next step towards cybersecurity is performing a risk assessment.
There’s a good chance that your customer data also sits behind your passwords. In today’s post-GDPR world, protecting that data is more than just about protecting your reputation, it's the law.
If this feels overwhelming, start by grouping data and information into categories and then prioritise their protection based on the level of potential impact on your business. Consider information like your bank login, parts of your business that would be hard to replicate if your systems went blank, and personal information about your staff. Recognise where that information lives and then you can start to take more definite actions towards protecting your valuable assets.
3. Build resiliency by reducing your exposure to possible attacks
Small business owners are famously strapped for time. Let’s face it: no one has the extra hours to deal with a cyberattack. Setting up a multi-faceted approach to cybersecurity is vital, but luckily, it’s also easy. Just check some of these ideas off your list!
Let's start with passwords. Put everything you value behind a password. Don’t use default credentials that come with your software, your home address or any other information that could be guessed if someone had a small amount of information about you. For a next-level approach, use a password manager app that works by generating super strong passwords and then securely storing them because they’re too long to remember.
For your most important accounts and data, activate two-step authentication whenever possible. This means that even if someone got their hands on your password, they’d need access to your mobile phone to get into your accounts.
To protect yourself from malware, install reputable anti-virus software. Always update your operating systems and firewalls, and install new versions of that anti-virus software. Malware often gets in through outdated software versions, so it’s worth installing the updates that are available.
When you need to dispose of old computers, do you do it safely? Are staff using personal computers on your network that don't have the same security protections? Both are hardware considerations secure businesses think about and mitigate.
Another approach to protect your most valuable assets is to have a separate computer where only you have access. From this computer, you can do your accounting and protect your intellectual property. Think of this separate computer like a bank. At a bank, there’s usually just one door. Everyone comes in and out of it, and it’s easier to keep an eye on it.
One more thing: run continual backups of your entire system. We recommend storing backups in two places: one on an external hard drive and the other in the cloud. Set up automated backups so you can ensure you never lose your most important data.
4. Educate your staff
Your staff are amazing. They help you get the work done and keep the lights on. We love our people, too, but…
The biggest security risk for a business of any size is staff. Some of the biggest hacks in history have been inside jobs, and even the most loyal, well-meaning staff can fall prey to a spear phishing scam. Security training needs to be a business priority from day one. So, develop an overall cybersecurity policy and hold all staff accountable for abiding by its terms. This should include training on how to spot obvious signs of phishing attempts, who has access to what files and systems, and how often passwords are changed.
You can accomplish huge SME cybersecurity wins by focussing on controls, access and monitoring. Keep your business safe by keeping your data and accounts secure internally as well as externally. As a rule, keep access to your financial accounts and passwords limited. Also, apply restrictions that prevent your staff from downloading programmes and software before an IT expert has cleared them for use.
5. Get apps that do the security work for you
No one expects you to build all-new security systems from the ground up. One of the best ways to ensure your data is safe is to entrust experts to guard it for you. Introducing business apps into your workflow does more than just streamline your systems, it also makes your business processes more secure.
Software companies continually invest in the security capabilities of their servers and software—it’s part of what you pay for, and saves you from having to do it yourself with proprietary tools. Whether it’s keeping track of your inventory, managing expenses or selling to customers online, top accredited business apps help keep your and your customers’ data safe, while also helping you comply with GDPR. This is especially true of customer-facing apps. As a small business, it’s essential to demonstrate that you treat your customers’ data with care. Point-of-sale and online store apps provide SSL encryption and are continually working to figure out ways to help safeguard your customer data. As with your other accounts, ensure that access to these apps is managed and that your passwords are strong.
If you’re thinking of getting on board, think of security as a “must have” when comparing business apps and keep it top of mind when doing your research.
Making your SME more secure
For any business today, being a victim of a cyberattack is no longer a case of “if” but “when”. All any enterprise can do is be prepared. Remember, it’s a lot more expensive and time-consuming to clean up a cybermess than to be proactive now and build a cyber-resilient business.
If the average cyberattack costs you almost £10,000 [1], imagine how many attacks you can avoid (and the money you can save) by investing at least that into staff training and IT security. Think about cybersecurity as a long-term investment in business continuity, sustainability, reputation and survival, and it’s easier to take action.