Small businesses must be able to operate online if they are to prosper and grow – but they must be able to do so safely. In 2019, FSB’s business crime survey showed that one in five small businesses in England and Wales had been affected by cyber-crime during the previous two years.
Of those businesses, 51 per cent were hit after employees clicked on links in phishing emails, while 36 per cent were infected by malware and 25 per cent had seen systems and/or data locked by ransomware. Some 29 per cent had suffered online payment fraud and 22 per cent had been hit by online invoice fraud. On average, cyber-crime had cost the affected businesses £7,093 in the previous two years, and the aggregate costs to all the small businesses affected were almost £3.75 billion per year.
Cyber risks increased during 2020, in part because millions of people switched suddenly to working remotely rather than in their usual workplaces. Some were doing so for the first time, often using their own PCs, laptops, tablets or phones. Few employers had time to consider whether employees were accessing systems or data securely.
“We saw huge numbers of people hitting our support desks for help setting up virtual private networks and remote connections,” recalls Mark Lomas, IT solutions architect at technology and services provider Probrand. “Configuration changes were being made to allow people to have remote access, and sometimes there was some loosening of security rules to allow that, because this was being done in a rush.”
Research published by Malwarebytes in August 2020 suggested that factors linked to remote working had caused security breaches in 20 per cent of 200 organisations surveyed – but 45 per cent said no additional security checks or audits had been conducted following the shift to home working, while 44 per cent had not provided any extra cybersecurity training for staff linked to home working risks.
Any business could be affected by phishing or ransomware, but you might be forgiven for thinking a small business would be less likely to be targeted deliberately. In fact, any poorly defended IT infrastructure or data can attract opportunistic attackers, and small businesses may also be attacked because they can be used as stepping stones towards other targets, such as organisations to which they supply goods or services.
Greater connectivity with customers can also create risk. Many large organisations’ supply chains now rely on digital processes, with companies sometimes enabling other firms in the supply chain to access their systems in order to track and control the movement of goods through it. “Criminals may see that as an interesting way to get into networks,” warns Guy Lloyd, director of security solutions provider and consultancy CySure.
Using cloud technologies and services usually helps to improve IT and data security – cloud providers use state-of-the-art security – but badly configured cloud services and poor employee security habits can create additional security risks. “People assume that if you put your data into Google, Microsoft or Amazon cloud services it will be secure, but of course the weak link is people,” says Mr Lomas. “The vast majority of data breaches reported to the Information Commissioner’s Office (ICO) are down to human error.”
One major source of security and data breaches, of cloud or on-premise systems, is weak passwords, or use of the same password for multiple purposes. In May 2020, research from software marketplace Capterra suggested that during the first few weeks of lockdown 30 per cent of staff working for small and medium-sized businesses fell victim to phishing emails designed to harvest log-in credentials.
“Password theft is one of the easiest routes for hackers,” says Mr Lomas. “They just set up a website that looks like a log-in portal, then send out lots of emails. They don’t need many people to fall for it.” Stolen log-in credentials can then be used to access business or customer data, or to construct fake emails that appear to have come from the smaller business and can be used to conduct payment or invoice fraud.
Budgetary flexibility to improve security is limited at present, but there are many effective yet inexpensive steps small businesses can take to start to reduce cyber risks (see below). One of the most important is use of multi-factor authentication to access business and cloud services, instead of relying on passwords alone, using additional authentication factors such as biometrics or mobile device management software to validate employees’ devices.
Some small businesses may need (and be able to afford) specialist information security support, but there are also many useful sources of free guidance and information, including the National Cyber Security Centre (NCSC) and the regional Cyber Resilience Centres being established across the UK, which can act as a source of advice, guidance and a way to access networks of trusted cybersecurity providers (see below).
Small businesses will also benefit from certification for the Government’s Cyber Essentials scheme.
“Cyber Essentials is the first level of cyber security certification, but it’s extremely effective,” says Chris Pinder, Chief Operations Officer at security solutions provider the IASME Consortium, the NCSC’s official partner for delivery of the scheme. Certification is also now a requirement for small businesses seeking to work with a growing number of public sector organisations and businesses, and is cited in ICO guidance as a means of demonstrating compliance with data protection regulation and legislation.
One business that has completed Cyber Essentials certification is Achieving the Difference, an aerospace consultancy. “Filling out the audit was a significant learning process that took a couple of months, but it was worth it,” says managing partner Clive Lewis. “Everything that we learned improved our cyber resilience. I would recommend it – you won’t realise how vulnerable you are until you try.”
Security solutions and services designed for use by small businesses include CySure’s Virtual Online Security Officer, which can be used to secure business processes and help to deliver employee training, as well as Security Foundry’s cyber threat scanning service Infinisight, which conducts weekly vulnerability assessments identifying risks such as devices within a distributed IT environment that have not yet downloaded recent software and security updates.
Above all, businesses must address the human element. “You may have the best technical security in place, but if an attacker has tricked someone into giving away their password, they’re in,” says Mr Lloyd. “User awareness and training is absolutely vital.” FSB’s 2019 research showed that only 26 per cent of small businesses had trained most staff to follow good security practices.
Employees must be trained to access and use data securely – not just to avoid the operational, financial and reputational damage associated with a data breach, but because in the event of a breach the ICO will require proof that the business has done everything possible to comply with data protection legislation and regulation.
Effective security strategies and policies should also be complemented with regularly tested incident management and business continuity plans.
FSB’s 2019 research revealed that 41 per cent of businesses surveyed did not regularly back up data and IT systems, and only 9 per cent had a written plan for managing a large-scale IT failure or cyber security incident. FSB has published a guide to creating a business continuity plan (see below).
As a minimum, businesses should have effective back-up processes in place, says Karl Hargrave, director of Security Foundry. “If you’ve not built a good plan to recover, you’ll be unable to,” he warns. Helen Barge, Managing Director at the consultancy Risk Evolves, recommends businesses consider using the free Exercise in a Box online tool developed by the NCSC, which allows organisations to test their resilience to cyber risks and attacks.
Insurance also helps protect businesses against the financial consequences of security incidents or data breaches. Every FSB member business is protected by a data and cyber liability insurance policy as a standard benefit, including cover of up to £5,000 to restore the business’s systems and up to £10,000 to meet costs of disruption suffered by its customers or suppliers.
If a member firm requires additional insurance cover, FSB Insurance Service can arrange this with insurers, offering FSB members discounted premiums. Tim Lazenby, Sales Director at FSB Insurance Service, cites the example of an optician with four outlets that upgraded its insurance cover after being forced to recover from a previous data breach.
“It got compromised, because somebody didn’t read an email properly, and then they had to act quickly and that can be expensive,” he explains. The business now has cover worth £250,000 to protect it against a similar incident in future.
FSB members also have access to a data and cyber advice telephone service provided by security specialist NCC Group, which can offer information, guidance and support. Laura Holmes, Client Engagement Director at NCC Group, says there was a “significant increase” in call-backs it made to FSB members in need of immediate assistance during 2020. While in 2019, 42 per cent were cyber service calls (as opposed to cyber ‘health checks’), in 2020 service calls accounted for 65 per cent of call-backs.
“The most common incidents included phishing, malicious emails and data loss,” says Ms Holmes.
Cyber risks are real and dangerous, but with the right technology, processes, training and support in place they can be managed effectively. One possible silver lining to the events of 2020, Mr Pinder suggests, is that awareness of the dangers may have increased. He hopes this will encourage more businesses to work towards best practice. “All businesses should be making a start on that journey,” he says.
“For everything they put in place, they’re reducing their chances of becoming a victim.”
Top tips on how to stay safe
1 Take ownership of the issue: don’t ignore it or assume that outsourcing IT functions means security is not your problem any more. It is still your responsibility
2 Review your current security position. In particular, review controls on remote access to business/client systems or data
3 Do the basics: install firewalls, anti-virus and anti-malware software and keep them updated. Ensure that other software used by the business is also kept up to date with security patches installed. When people leave the company, remove their remote access privileges
4 Encrypt data, and implement controls over which employees can access it and what they can do with it (no moving it onto removable devices or other cloud platforms, no sending it via private emails, etc)
5 It may be appropriate to ban employees from storing business data on their own devices, so they can only access it remotely from business systems. If they do store it on their own devices, install remote wipe software to be used if the device is lost or stolen
6 Remote access to business systems and data (on-premise or in the cloud) should only be possible via a virtual private network, ideally protected by multi-factor authentication and/or mobile device management software. Passwords should be strong, changed regularly and not used for multiple log-ins
7 Work towards certification for the Government’s Cyber Essentials scheme
8 Provide cyber/data security awareness training, then test employees’ knowledge with phishing simulation exercises provided via solutions like Piranha
9 Effective security policies should be complemented by regular back-ups stored separately, and regularly tested and revised incident/crisis management and business continuity plans. The NCSC’s Exercise in a Box tool lets organisations test resilience to cyber risks and attacks
10 Review insurance requirements. FSB members have some data and cyber liability insurance as standard, with the option to upgrade to a higher level of cover if necessary
National Cyber Security Centre advice for small and medium-sized businesses: ncsc.gov.uk/section/information-for/small-medium-sized-organisations
Regional Cyber Resilience Centres. Search online – at the time of writing CRCs have been established in north-east England, Greater Manchester, the East Midlands, the West Midlands, south-east England, Scotland and Northern Ireland. Others are planned for eastern England, south-west England and Wales
FSB guidance on cyber security:
Cyber Essentials: ncsc.gov.uk/cyberessentials/overview
IASME Consortium: iasme.co.uk/cyber-essentials/
Non-profit organisation the Global Cyber Alliance has a useful list of free cyber security tools: globalcyberalliance.org
NCSC Exercise in a Box, for testing resilience to cyber-attacks: ncsc.gov.uk/information/exercise-in-a-box
FSB Insurance Service: fsb-insurance-service.com
FSB guide to creating a business continuity plan: fsb.org.uk/resources-page/how-to-create-a-business-continuity-plan.html
Scottish Business Resilience Centre: sbrcentre.co.uk/prevent-protect/cyber-services
Information Commissioner’s Office (ICO) guide to help assess compliance with data protection law: ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-traders/