Fraud is now classified as the fastest growing crime in the UK, with around 3 million victims in England and Wales last year alone. Rewind the clock 25 years and you might think of a fraudster as somebody who’d organised a ‘Ponzi’ scheme, a confidence trickster, or somebody cold calling the elderly selling ropey goods. But today it’s much more likely it’ll be a person sitting behind a computer connected to the Internet.
It’s no surprise to hear that small businesses are well represented in those fraud figures, and why wouldn’t they? Small firms lack the big budgets of their larger counterparts who have deep pockets to spend on sophisticated IT systems, robust accounting procedures, and HR systems that are more geared up to instil a culture of cyber awareness across the business.
According to the co-authors of a new book, the appropriately named Cyber Security: Law & Guidance, it’s this latter point that is all too often overlooked by smaller businesses. Manchester-based FSB members Justin and Mark Blackhurst set up digital marketing firm Digital Next in 2009 and have seen first-hand the explosion in cyber crime targeted at businesses. They were recently asked to write a chapter for the book by its author, Manchester lawyer Helen Wong.
Says Mark: “We were delighted when Helen asked us to contribute. She knows how we view cyber security here at Digital Next, and felt we could offer some useful insights as a business involved in designing and maintaining websites for our clients.
“When we build a website, in-built cyber security is something that we treat as a major priority, not just in the design stage, but as an ongoing process. You can’t just hand over the website and say to the client: ‘there you go, job done!’ That’s just the beginning – that website needs to change as part of a developmental process, and too many business owners still don’t get that.
“You can build your own website now for next to nothing, but it won’t be secure. The coding of each site is a big part of its security, and if that’s not done well it leaves them exposed. I tell clients, especially if the website is their business, then they have to look after it like it’s the crown jewels, because if it goes down then they haven’t got a business.”
Mark recounts a recent case in which a fellow business that runs from the Sharp Project, where they are based, was hacked. “The owner approached us one morning in utter despair,” he recalls. “They’d been hacked and lost control of their website overnight – which is usually when these things happen because nothing’s being monitored.
“So they’d lost their website and obviously all their sales. At that point their business was not trading. It was a real mess but we quickly worked out the problems and got them back online, and in time gave them a strategy to improve their company’s cyber security culture, and integrated it with their marketing plan.
“That’s not an uncommon story, but there are hundreds of thousands of online businesses out there who don’t take a full 360 degree approach to their website,” continues Mark. “They want minimal set up costs, pay next to nothing for a cheap website build and the ongoing maintenance and upkeep costs.
“We urgently need a change of culture in the UK to the way people, especially smaller businesses, approach the subject, but that is going to take time.”
Recent FSB research published earlier this year paints a similarly alarming picture.
Small businesses are collectively subject to almost 10,000 cyber-attacks a day, and as many as one in five small firms say a cyber-attack has been committed against their business in the two years to January 2019. More than seven million individual attacks are reported over the same period, equating to 9,741 incidents a day.
The annual cost of such attacks to the small business community is estimated to be £4.5 billion, with the average cost of an individual attack put at £1,300.
“We’ve seen cyber-crime grow alongside the explosion of digital markets. It is now such a massive issue for businesses, but it’s still not getting the priority it deserves, even in this day and age when we’re never far from a headline or news story on the subject. In my experience it’s all too often down to money. Businesses will and have always sought to cut their costs wherever possible, but it should never be their cyber security. It’s the Wild West out there, and there are criminals lining up to do them harm – which can ultimately cost them a lot more in the long run to put right,” added Mark.
But it’s too easy to think of a cyber-crook as a lone wolf hacker. The culprits can sometimes be closer to home. Staff are an often overlooked problem. Mark’s brother and co-owner of Digital Next, Justin, said bosses often failed to realise the weak point, in many cases, was poor internal security – although he warned it was not necessarily always deliberately malicious. “There’s an increasing trend for remote working, or working from home, but with that change comes new dangers,” he says.
“Public wi-fi systems are quite often poorly protected, with some not even demanding a password. Unsecured sites are a nightmare and should be avoided at all costs by anyone on your staff using a company machine. That should be on the first page of the employee handbook in my view,” he adds.
“It’s a fact of life that employees sometimes lose or have their laptop or phone stolen. So if your devices have biometric security included, make it company policy that staff use it, this can add another layer of security which is useful because people are fallible.”
But bosses should also be mindful that workers, in some cases, can be the problem, especially disgruntled staff – while some staff will often apply for a job just to get through security: “Employees can also be the biggest threat, and it’s not easy to spot. It’s easy enough for anyone to plug a memory stick in and walk off with years of customer data, but it’s actually more likely they will allow a 3rd party with hostile intentions access to your system unwittingly, perhaps because they’ve used their laptop in their favourite café.
“That’s the biggest danger, and why it’s essential all staff are kept aware of cyber best practice. That might mean training and operating a robust cyber aware culture in the workplace. This can also help tackle the more obvious threat from contractors working in the building and with unfettered access to systems. Staff need to be vigilant – again that’s a culture thing.”
In 2018, a survey by the consumer body Which? revealed 82% of respondents believed the local police station was the right place to contact having fallen victim to a cyber fraud. It isn’t. It is in fact Action Fraud, which is run by the police, but it’s unlikely you’ll get through to a person straight away. No wonder – last year the number was contacted by 800,000 individuals – equivalent to 2,200 calls a day.
In the event of a cyber attack, quite often businesses will need to seek the help of other professionals rather than relying on Action Fraud: getting IT systems back up and running for starters, and dealing with other unforeseen fallout. FSB members will be pleased to know that they get automatic cover under the FSB Data and Cyber Advice Line, manned by cyber security experts on hand to advise, not just after, but before an attack.
Members can access guides and templates to help make their business more resilient to an attack, and there’s up to £10,000 cover for third party claims for damages and costs following a claim brought against you for a cyber attack or data breach. There’s also up to £5,000 for first party claims covering members against their own losses following a cyber attack or data breach.
Mark, who runs his business from the Manchester-based Sharp Project – perhaps the spiritual home of Manchester’s burgeoning tech scene – neatly sums the issue up: “The online economy is a fantastic place to do business. It poses a limitless place for those ready to explore it, and it’s become a way of life for most of us. But it brings with it real and genuine risks and responsibilities. We all need to start seeing cyber security as an everyday essential, not something we address with a half-hearted approach.”