Securing small businesses against cyber threats
Whether your business is in furniture manufacturing or retail, it is under threat from cyber attacks. According to Redsquid’s Mike Ianiri, 43% of these are carried out on small businesses – so it pays to be prepared, no matter the size of your enterprise …
Consumers and micro businesses may have some protection from the new agreement the banks are signing up to, but some have yet to commit to the voluntary agreement around payment scams. The message is clear – we all need to do as much as possible to protect ourselves and our businesses.
Let’s review what steps you can take in your business:
The weak link
Unfortunately, it is still the case that the weakest link in any cyber security protection plan is human. In a busy working day, most people simply do what they believe is right at the time.
Impersonation emails are one of the biggest cyber threats aimed at small businesses, and most people will respond by doing what the email asks. Examples of this appear daily. We know of companies losing £100,000 because a supplier, supposedly, emailed them with new bank details.
The training need
To reduce the threat, training is essential for manufacturing, retail and office staff. By training your team what to look out for, you can help them to help you protect the business. To avoid falling for a scam people should:
• Check email addresses carefully. The fraudsters use addresses and URLs that are very similar to the legitimate person.
• Question requests for urgent or large payments. Emails that appear to come from a finance director and demand that an immediate payment be made are a common form of cyber attack.
• Don’t open emails you don’t recognise, or whose subject line is designed to worry you. Cyber criminals want to scare you into acting. They’ll present fake problems (warning that your website is about to crash, for example) aimed at getting you to open attachments or click on links designed to infect your machine and your network.
• Be watchful of new contractors. Some cyber criminals will simply walk into your showroom or office and try to infect your machines. If a visit is unexpected, don’t hesitate to check. Most contractors will be legitimate, but it is better to be safe than sorry.
These are just some examples of the threats you face in your business. A good way to check how much your staff have learned from the training is to introduce simulated phishing attacks. Regular simulations identify who is following the training and who needs a refresher. We’ve used this at Redsquid, and clickthroughs dropped from 54% to 4% in just three months.
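The first check in the list above, comparing a sender’s address against the suppliers you actually deal with, is something a mail filter or a training exercise can automate. The script below is an added example written for this page, not code from the article or from Redsquid; the trusted domain list, the look-alike character swaps and the 0.8 similarity threshold are all constructed assumptions. It flags three tricks the text describes: swapped characters (rn for m, 0 for o), a genuine name buried inside a different domain, and near-miss spellings.

```python
import re
from difflib import SequenceMatcher

# Constructed list of domains this business legitimately exchanges email with
# (hypothetical names, not taken from the article).
TRUSTED_DOMAINS = ["acme-timber.co.uk", "fabricsupply.com"]

# Character substitutions that look alike in many fonts; an assumption for this example.
LOOKALIKE_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"), ("7", "t")]

SIMILARITY_THRESHOLD = 0.8  # tuning choice for this example, not a standard value


def extract_domain(from_header):
    """Return the lower-cased domain from a From: header value.

    Handles both 'Display Name <user@domain>' and bare 'user@domain' forms.
    """
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def normalise(domain):
    """Collapse common character tricks so look-alike domains compare equal."""
    collapsed = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        collapsed = collapsed.replace(fake, real)
    return collapsed.replace("-", "").replace(".", "")


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a sender domain as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, reason) so the reason can be shown to the recipient
    as part of their training rather than silently dropped.
    """
    domain = extract_domain(from_header)
    for good in trusted:
        # Exact match, or a genuine subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return "trusted", f"matches {good}"
    for good in trusted:
        # Trusted name buried inside a different registered domain,
        # e.g. acme-timber.co.uk.invoice-portal.com
        if good in domain:
            return "lookalike", f"'{good}' embedded in a different domain"
        # Identical once digit/letter swaps and punctuation are removed.
        if normalise(domain) == normalise(good):
            return "lookalike", f"character substitution imitating {good}"
        # Close but not identical: transposed or dropped letters.
        ratio = SequenceMatcher(None, normalise(domain), normalise(good)).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{ratio:.0%} similar to {good}"
    return "unknown", "not a domain this business normally deals with"


if __name__ == "__main__":
    # Constructed sample From: headers, one per trick the article describes.
    samples = [
        "Acme Timber Accounts <accounts@acme-timber.co.uk>",
        "accounts@acme-tirnber.co.uk",
        "Acme Timber <accounts@acme-timber.co.uk.invoice-portal.com>",
        "accounts@acme-timbre.co.uk",
        "newsletter@furniture-news.example",
    ]
    for header in samples:
        verdict, reason = classify_sender(header)
        print(f"{verdict:9} {header}  ({reason})")
```

A verdict of "unknown" is not a verdict of "safe": the same check that catches look-alikes will pass a free webmail address with a convincing display name, which is why the payment-request and urgency checks in the list still apply.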
You need a range of network protection measures:
1. Firewall
A robust hardware firewall with intrusion prevention capabilities needs to be in place. If your firewall is a few years old, we recommend you update it: the threats to your network will have increased, so its ability to protect the network needs to keep pace. Sophos is an example of a good provider of such devices.
2. Patching
Keep your PCs fully patched. Your operating system provider regularly publishes security updates to protect against the latest cyber threats. An unpatched machine stays exposed to weaknesses for which a fix already exists.
3. Windows 7
Microsoft stops supporting Windows 7 on 14th January 2020. If you are still running Windows 7 after that date, you are seriously risking your network and your business. You must upgrade to Windows 10. If you upgrade your hardware too, you’ll benefit from the physical security and performance enhancements built into new machines.
4. Vulnerability and penetration testing
There are many different ways to get into your network and the data it contains. Vulnerability scanning is the intelligence-driven deployment of scanning engines, updated with information from the latest threat intelligence feeds. These help to ensure the security of your systems, services and applications from a number of common attack vectors, exploited by both automated and manual attackers. Vulnerability testing should ideally be done continuously, but at least every month.
A penetration test is an authorised simulated cyber attack on a computer system, performed by a suitably qualified third party. It is designed to evaluate and ultimately fortify the security of a target system through the identification of security vulnerabilities. We recommend these are done at least once a year. The investment, in an independent body (not your IT provider), is worth it for the peace of mind it provides.
These tests also mean you are properly ticking the GDPR box. You need to be able to show you are protecting the Personally Identifiable Information (PII) you hold on your customers and staff. If a breach does happen and you cannot prove you have taken reasonable steps, the Information Commissioner’s Office (ICO) can fine you up to 4% of your annual global turnover.
5. Web applications and APIs
Most businesses are using multiple web applications and APIs to streamline productivity, but have you checked whether the ones you use have been tested for security vulnerabilities? They can easily become a back door into your network for cyber criminals.
6. Email gateways
Email gateways are a great way to reduce the opportunity for people to make mistakes. By passing all your email through a gateway, you block the malware, phishing and spam emails that threaten your network.
7. Multi-factor authentication
Multi-factor authentication (MFA) requires more than one proof of identity before access is granted, typically something you know (a password) plus something you have. Your phone, which isn’t more than a metre away from you right now, can act as confirmation you are who you say you are when you are logging into your laptop or an application. By using multiple layers of security, you make it harder for unauthorised users to get into your network.
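The phone-based confirmation described above is usually a time-based one-time password: the phone and the server share a secret, both derive a six-digit code from the current 30-second time slot, and the server checks that the code the user types matches. The following is an added example illustrating that exchange, not code from the article or from any MFA product. It uses the HOTP/TOTP construction from RFC 4226 and RFC 6238 with the RFC reference key (so the published test vectors can be checked); a real enrolment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference key, used only so the published test vectors
# can be checked. A real enrolment generates a random secret for each user.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """What the phone app shows: HOTP with the counter taken from the clock."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time, step=30, digits=6, window=1, used=None):
    """Server-side check of a submitted code.

    Accepts the current time step and `window` steps either side to tolerate
    clock drift between phone and server, compares in constant time, and when a
    `used` set is supplied refuses to accept the same step twice, so a code
    captured by a phishing page cannot be replayed after the victim has used it.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0 or (used is not None and candidate in used):
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted):
            if used is not None:
                used.add(candidate)
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET_B32, now)                        # phone side
    print("code shown on phone:", code)
    print("server accepts:     ", verify_totp(SECRET_B32, code, now))
    consumed = set()
    verify_totp(SECRET_B32, code, now, used=consumed)
    print("replay accepted:    ", verify_totp(SECRET_B32, code, now, used=consumed))
```

The `used` set is the part most small deployments forget: without it, a code phished from a user remains valid for up to three time steps, which is long enough for an attacker to log in alongside them.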
Protecting your network is always the first step, but we also recommend you insure your business against cyber threats. Whilst it cannot replace what is stolen, cyber insurance will help you recover. In the event of a ransomware attack, for example, the insurer may consider which is more beneficial – paying the ransom or paying the costs of getting you back up and running. Some may even pay any ICO fines. As with all insurance, we recommend you take advice on what you should have and you read the small print carefully.
Also, remember – if you find yourself caught up in a breach of cyber security, take the necessary steps to comply with GDPR and report the crime.
For all types of business in the furniture sector, training your people and putting network protections in place are essential for protecting your business from the threat of cyber crime.
Mike Ianiri is the sales director at Redsquid, an independent UK provider of business voice, data, ICT, cyber security and IoT solutions.