When Steven Mitchell, founder of funeral price comparison site CompareTheCoffin.com, received an email placing an order for six coffins, he wasn’t initially surprised. “We’ve had large orders before so this wasn’t unusual,” he says. “I sent an invoice and said I’d take payment by bank transfer or credit card.”
The next day, a cheque payment for £64,000 arrived in his account, and he became suspicious. “The customer was supposedly in Dubai, but it had been paid in at a bank in west London. I called the shipping agent, and it turned out the ‘customer’ was operating under more than 20 different names. I offered to deliver a coffin to him personally, with his name on it, to his home address. I never heard anything again.”
Mr Mitchell discovered this is a fairly common type of email or invoice fraud, where a fraudster ‘overpays’ for a product and requests a refund of the overpayment, during which time the cheque is cancelled and the business is left out of pocket.
In larger businesses, where there are separate purchasing and credit control departments, this can go unnoticed. But Mr Mitchell oversees all business payments himself, so he reported the suspicious activity straight away to his bank. He’s now more careful about verifying customers’ identities.
Cyber-crime is a growing issue for small firms. In the Government’s 2017 Cyber Security Breaches Survey, 45 per cent of micro businesses identified a cybersecurity breach in the previous 12 months. In 2016, FSB’s own research found 66 per cent of small businesses had been a victim of cyber-crime, and on average a small business is a victim of four cyber-crimes every two years.
Aside from the financial risk, the introduction of the General Data Protection Regulation (GDPR), which came into force in the UK in May, has also reminded all businesses of the need to continue to be accountable for the security of their data.
Steve Kuncewicz, a privacy and data lawyer at BLM, says: “GDPR has turned up the volume on businesses’ need to protect data against unauthorised loss or destruction – to have appropriate technical protection in place. Your level of risk will depend a lot on what you do with data. For example, if you process credit card details, you need to have more sophisticated controls in place.”
Increasingly, too, Government contracts and some private sector tenders require businesses to be Cyber Essentials accredited, so protecting your company against a technical or data breach could also safeguard future projects.
Adam Bradley, Regional Vice President for the UK and Ireland for security firm Sophos, says the landscape for cyber-crime has changed. “It used to be about disruption or looking for fame, but it’s now more financially motivated,” he says.
“But when attacks are financially motivated, they are more professional and better organised. Hackers learn how to navigate between systems to get the maximum benefit. They will target anyone and everyone; and with small businesses it’s not whether they are going to get in but when.” He adds that the volume of attacks is not necessarily increasing, but their sophistication is – which makes them more difficult to defend against.
A common example of what firms are dealing with is ransomware, where malicious software takes over a computer or system and encrypts data so that it cannot be accessed. The hacker subsequently demands money to decrypt the data and restore access. “Companies often pay but find they’ve lost important data, and end up on a list of targets because they’ve paid up,” says Jamie Randall, Chief Technology Officer at IASME, a cybersecurity accreditation body and a member of the FSB’s home affairs expert reference panel.
Another popular approach is targeted phishing, says Mr Randall. “An employee receives what looks like an email from the CEO asking for a transfer while they’re on holiday. The hackers give context so it looks real – a nickname or the fact they know the boss is away – so the employee hands over the money.”
And despite companies investing in anti-virus software, hackers still come up with ways to get around it, as Colin Tankard, Managing Director of security consultancy Digital Pathways, explains. “File-less attacks are increasingly common,” he says.
“Malware attacks tend to include something to download, but this is a new form of attack. Anti-virus programmes often can’t see it’s there.” Once it has a foothold on a computer or network, an attack of this kind runs the legitimate applications that are already installed and uses them to manipulate external systems, gather data, or even turn your systems into a launch point for a much broader attack on a larger organisation.
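Because nothing is written to disk, a file-less intrusion is spotted by watching which legitimate program starts which other one, and with what command line, rather than by scanning files. The following is an added illustration of that kind of check; it is not code from the article or from Digital Pathways. The key=value log format, the host names and every record in the sample are constructed (a simplified Sysmon/EDR-style process-creation event), and the application and flag lists are assumptions about what counts as unusual in a small office.

```python
"""Triage of process-creation logs for 'file-less' activity.

Added illustration, not code from the article or from Digital Pathways. With
nothing written to disk there is no file for anti-virus to scan, so this check
looks instead at which legitimate program started which other one, and with
what command line. The log format, host names and every record below are
constructed (a simplified Sysmon/EDR-style event).
"""
from __future__ import annotations

import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that are rare in routine administration (assumed list).
SUSPICIOUS_ARGS = [
    (re.compile(r"(^|\s)-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory evaluation"),
    (re.compile(r"downloadstring|net\.webclient", re.I), "in-memory download"),
]

# key=value fields; a value containing spaces is double-quoted.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict[str, str]:
    """Turn one constructed log record into a dict of its fields."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(record: dict[str, str]) -> list[str]:
    """Return the reasons a single record deserves a look (empty if none)."""
    parent = basename(record.get("parent", ""))
    image = basename(record.get("image", ""))
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"{parent} launched {image}")
    if image in SCRIPT_HOSTS:
        cmd = record.get("cmdline", "")
        findings.extend(label for pattern, label in SUSPICIOUS_ARGS if pattern.search(cmd))
    return findings


def triage(log: str) -> list[tuple[str, list[str]]]:
    """(host, findings) for every record that trips at least one rule."""
    hits = []
    for line in log.strip().splitlines():
        record = parse_line(line)
        findings = assess(record)
        if findings:
            hits.append((record.get("host", "?"), findings))
    return hits


# Constructed sample: a document opened normally, a script host spawned by the
# word processor with an obscured command line, and a routine admin script.
SAMPLE_LOG = r'''
ts=2018-06-04T09:01:12 host=WS-07 user=jane parent=C:\Windows\explorer.exe image="C:\Program Files\Microsoft Office\WINWORD.EXE" cmdline="WINWORD.EXE /n quote.docx"
ts=2018-06-04T09:01:40 host=WS-07 user=jane parent="C:\Program Files\Microsoft Office\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoP -w hidden -enc QUJD"
ts=2018-06-04T09:15:05 host=SRV-01 user=admin parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\backup.ps1"
'''

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_LOG):
        print(host, "->", "; ".join(findings))
```

Only the second record is flagged: the word processor started a script host, and the command line asks for a hidden window and an encoded command. The administrator's backup script on the third line uses the same interpreter but trips none of the rules, which is the point of looking at parent process and arguments rather than at the program name alone.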
This is precisely why small businesses should never assume ‘this won’t happen to us’, argues Mark Lomas, Technical Architect at technology company Probrand. “Small businesses are a prime target for ‘stepping stone’ attacks,” he says. “Hackers target small companies as they are aware that the data they hold may lead them to a much bigger and more profitable organisation, which will have a more secure system that an attacker can’t access as easily.”
“There are two main threats to business security: technical and human, and they’re usually inter-related,” adds Paul Mason, Head of Education at ethical hacking company Secarma, which tests companies’ networks to gauge their resilience. A high proportion of cyber-attacks are a form of social engineering, playing on people’s trust – an ‘order confirmed’ email sent near Christmas, for example, or using a copied logo from an official source.
“These types of attack are difficult to stop,” says Mr Randall. “You have all the technical protection you can afford, but you also need to make staff aware of what could happen, and empower them to delete anything that doesn’t look right.”
He advises that anything that looks “unexpected and urgent” should ring alarm bells and be checked via another source, such as ringing the public number for the bank, rather than the one in an email.
Educating staff to be aware of these ‘wolves in sheep’s clothing’ is crucial. Regularly training staff on these issues can help to embed a culture of cyber-safety. This culture should include, according to Ben Rose, Cyber Director at insurance company Digital Risks, “always verifying the identity of anybody by calling up and asking for information; checking the origin of any suspicious emails, links and attachments; and always making call-backs to a known and pre-designated number to confirm payment instructions and check authenticity”.
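The targeted-phishing pattern described earlier (an executive's name on an outside address, a pretext that creates urgency, a request to move money) can be turned into a triage check that holds a message for the call-back verification the advice above recommends. What follows is an added example, not code from the article or from any of the firms quoted: the company domain, the executive directory, the keyword lists, the scoring weights and both sample messages are constructed.

```python
"""Heuristic triage for CEO-fraud style emails.

Added illustration, not code from the article. It scores an inbound message on
the signals the article describes (an executive's name on an external address,
urgency, a request to move money) so it can be held for a call-back check on a
pre-designated number. Names, domains, weights and messages are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smb.co.uk"                       # hypothetical company
EXECUTIVES = {"pat doyle": "pat.doyle@example-smb.co.uk"}  # hypothetical directory

URGENCY = re.compile(r"\b(urgent|urgently|asap|immediately|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|bank details|invoice|gift cards?)\b", re.I)
HOLD_THRESHOLD = 4  # assumed cut-off


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons). At or above HOLD_THRESHOLD the message is not
    acted on until confirmed by phone on a known, pre-designated number."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", addr))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    score, reasons = 0, []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        score += 3
        reasons.append(f"display name '{name}' is an executive but address is {addr}")
    if from_dom and from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        score += 2
        reasons.append(f"look-alike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if PAYMENT.search(text):
        score += 1
        reasons.append("asks to move money or change bank details")
    return score, reasons


def should_hold(raw: str) -> bool:
    return score_message(raw)[0] >= HOLD_THRESHOLD


# Constructed samples: a fraudulent 'boss is away' request and a routine message.
FRAUD = """From: Pat Doyle <pat.doyle@example-srnb.co.uk>
Reply-To: Pat Doyle <pd.ceo@webmail-example.net>
Subject: Urgent - need a transfer done today

Hi, I'm away at the conference and can't take calls. Please make a payment
to the supplier below before end of day and send me the confirmation. P.
"""

LEGIT = """From: Pat Doyle <pat.doyle@example-smb.co.uk>
Subject: Minutes from Tuesday

Attached are the minutes. Nothing needed from you this week. Pat
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("legit", LEGIT)):
        score, why = score_message(raw)
        print(label, score, "HOLD" if score >= HOLD_THRESHOLD else "ok", why)
```

The fraudulent sample scores on every rule (the "srnb" for "smb" look-alike domain is two edits away from the real one, and the Reply-To points somewhere else entirely), while the routine message scores nothing. A check like this is a prompt for the phone call, not a substitute for it: the advice to ring a known number still applies to anything that is held.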
With education and technical protection in place, however, small businesses are in some ways better placed to protect themselves against cyber criminals than larger ones, says Mr Randall. “Small firms often use cloud applications which, as long as they are configured securely and regularly patched, can make it easier to comply with standards,” he says.
Mr Mason adds that if you make it part of your culture now to be security-aware, it becomes easier as you grow. “Embed security and turn it into an opportunity,” he says. “It may feel like it costs more in the first place, but a cyber breach could damage your reputation, and ultimately your customers will vote with their feet.”
Get an audit carried out
“When it comes to cyber-protection, it’s not a case of one size fits all,” advises Adam Bradley, Regional Vice President for the UK and Ireland at security software company Sophos.
“All organisations will have different sets of requirements, so it helps to get someone in who can evaluate your security approach and build a risk profile based on your business model,” says Mr Bradley.
Many cybersecurity companies offer an audit service, but a complimentary cyber-check is now included with FSB membership. Subscribers to the FSB Cyber Protection scheme can also access a data and cyber advice line, and up to £10,000 in insurance cover for third-party claims.
Visit fsb.org.uk/benefits for more information.
Communicate your policy
Ben Rose, Cyber Director at insurance company Digital Risks, argues that the do’s and don’ts on handling sensitive information, good password management and dealing with suspicious emails should be set out in a policy that is communicated widely.
“Companies should be proactive about communication and training on the biggest risks, what different attacks look like – particularly social engineering – and how to respond in the event of a breach,” says Mr Rose.
Secure networks and devices
Businesses should establish a “robust system for login authentication and ensure passwords are strong and inscrutable”, advises Greig Schofield, Technical Director at cloud network firm Netmetix.
Two-factor authentication – which requires users to pass two ‘tests’, such as a password plus a PIN – is a good idea, he says.
Encryption on laptops and other devices should be strong enough that they remain secure when used outside the office.
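The two ‘tests’ at login can be shown end to end in code. The following is an added example, not code from the article or from Netmetix: the first test is a password checked against a salted, slow hash rather than stored in clear, and the second is a time-based one-time code (RFC 6238 TOTP) of the kind an authenticator app produces. The user names, passwords, timestamps and the in-memory user store are constructed; the iteration count and drift window are assumptions.

```python
"""Two 'tests' at login: a password check plus a one-time code.

Added illustration, not code from the article or from Netmetix. The second
test is a time-based one-time code (RFC 6238 TOTP) as generated by an
authenticator app; the password is stored as a salted, slow hash rather than
in clear. User names, passwords and timestamps are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor
STEP = 30                # TOTP time step in seconds

# Hypothetical in-memory user store.
_USERS: dict[str, dict] = {}


def register(username: str, password: str) -> str:
    """Create a user and return the base32 TOTP secret to enrol in an authenticator app."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    totp_secret = secrets.token_bytes(20)
    _USERS[username] = {"salt": salt, "pw_hash": pw_hash,
                        "totp_secret": totp_secret, "last_counter": -1}
    return base64.b32encode(totp_secret).decode()


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to `digits` digits."""
    counter = at // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticator_code(username: str, at: int | None = None) -> str:
    """What the user's authenticator app would show (stand-in for the phone)."""
    at = int(time.time()) if at is None else at
    return totp(_USERS[username]["totp_secret"], at)


def verify_login(username: str, password: str, code: str, now: int | None = None) -> bool:
    """Both tests must pass. Compares in constant time, tolerates one step of clock
    drift either way, and never accepts a code for a time step already used."""
    now = int(time.time()) if now is None else now
    user = _USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), bytes(16), PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    for drift in (0, -1, 1):
        counter = now // STEP + drift
        if counter <= user["last_counter"]:
            continue  # that step was already accepted once: treat as replay
        if hmac.compare_digest(totp(user["totp_secret"], counter * STEP), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    enrol = register("alice", "correct horse battery staple")  # constructed credentials
    print("enrol this secret in the app:", enrol)
    now = int(time.time())
    code = authenticator_code("alice", now)
    print("first use:", verify_login("alice", "correct horse battery staple", code, now))
    print("replay:   ", verify_login("alice", "correct horse battery staple", code, now))
```

The password check runs even for an unknown user so that timing does not reveal which names exist, and a code is only honoured once per time step, so a captured code cannot simply be replayed. Note that a code of this kind is something the user has (the enrolled device), which is what makes it a genuinely separate test from the password.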
Keep software up to date
Up-to-date computer systems are the best protected against attack by cybercriminals. Last year, the WannaCry ransomware attack crippled NHS systems, but those with an updated version of Windows weren’t affected.
“All businesses talk about patching or keeping their operating systems up to date but still struggle to make it a priority, so the bad guys find these vulnerabilities,” warns Mr Bradley from Sophos.
The National Cyber Security Centre has produced a guide dedicated to small businesses. For more information, visit: ncsc.gov.uk/smallbusiness