A Guide To Cyber Security For Small Businesses
Cyber security is one of the most discussed topics in the world of technology, yet it’s still not seen as a priority for small businesses.
According to the Cyber Security Breaches Survey 2022, 39% of UK businesses experienced a cyber breach or attack in the last 12 months. With cyber attacks on the rise, it may no longer be a matter of ‘if’ your business is attacked, but ‘when’.
In this guide we look at:
What is cyber security?
Types of cyber attacks
Steps to take to prevent cyber attacks
1. What Is Cyber Security?
Would you be comfortable living in a house where all the doors are open for anyone to enter? What if someone had access to a hidden pathway to the house – does that make you feel secure? Now, think of that house as your business’ internal systems and the hazards surrounding it as cyber threats.
You use a lot of devices each day – computers, phones, and tablets – and they are all connected to the internet. Data can be found on all these devices, usually stored on servers and websites such as banking websites and email servers.
Cyber security is a broad term that encompasses the protection of all of these forms of data storage from attacks, and related cyber events. Your data is valuable, and if it isn’t protected, hackers could steal it and sell it. Cyber security uses techniques to help secure various digital components such as:
Networks
Data
Mobile devices
Applications
Computer systems
Just as locks, doors and house alarm systems provide security and protect your house, network security protects your IT systems and data.
2. Types of cyber attacks
For all the convenience the internet provides, it can also be a very dangerous place. If you’re not protecting yourself and your data, you’re leaving your business open to many types of cyber attacks. Small businesses in the UK are victims of repeated cyber attacks, with around 27% attacked at least once a week in 2021.
Small businesses are often prime targets for cyber attacks because they aren’t protected by the same level of security as larger companies, yet they still have valuable data to offer.
Let’s look at the common types of cyber attacks.
Malware is the root of most cyber attacks
Malware is short for malicious software – it is harmful software designed to disrupt, disable, or take control of your computer system. Malware comes in many forms, usually hidden away in a file or disguised as a harmless app. It works by taking advantage of technical flaws or vulnerabilities in your hardware and software. For most malware attacks to work, they need a key ingredient – people. Cyber attackers find ways to trick people into running a malicious file, opening an infected file, or clicking an unsafe web link.
SEO spam
Hackers can use your site to infect visitors with SEO spam (a type of malware attack). This is where hackers fill legitimate websites with irrelevant keywords and links in order to redirect visitors to their own malicious sites.
If your business is subject to this type of attack, your website is likely to receive an SEO penalty, which makes it difficult for your company to reach new customers.
In other words, it creates a sudden drop in Google rankings, making it difficult for visitors to find your business and even purchase from your site.
Furthermore, your website can be blacklisted – this is where a search engine removes a site from its list.
When a site is blacklisted, it loses almost 95% of its organic traffic, which can rapidly affect revenue – the costs of cyber attacks for some businesses are simply too much to handle.
Encrypting files, demanding a ransom, and network vulnerability
A ransomware attack is one of the most dangerous forms of malware today. This type of attack threatens to publish a victim’s data, unless a ransom is paid. Ransomware has increased in usage because more businesses are willing to pay a ransom to get their data back. In 2021, 82% of UK businesses who suffered this type of attack reportedly paid the ransom.
Don’t fall for the bait – malicious email attachment, suspicious activity, and legitimate requests
Phishing, as the name suggests, is like a fisherman dropping bait into the water. Phishing attacks try to lure unsuspecting people into revealing personal information. This is done by sending an email that tries to deceive the recipient into clicking on a malicious link, or following certain instructions that may appear to have come from a legitimate source. Reports have found that May 2021 was a record month, with a 440% increase representing the largest spike in phishing attacks in a single month.
All phishing attacks have something in common, they exploit human nature rather than technology.
Many phishing emails trigger your emotions by telling you something is wrong, or that bad things will happen if you don’t respond.
Phishing emails often want you to act with urgency, and most phishing emails try to build trust by impersonating a brand or person you know.
DoS (Denial of Service Attack) and DDoS (Distributed Denial of Service Attack)
A DoS (Denial of Service) attack targets the website or its backend database, flooding it with fake traffic until the website crashes or becomes unavailable to real users.
A more sophisticated attack is a DDoS (Distributed Denial of Service) attack, which sends traffic not from one single source but from multiple sources all at the same time, in the hope of overloading the system.
Here’s a useful analogy: Imagine if your competitors sent 100 fake customers to crash your store by blocking the entrance for your real customers to enter. That’s exactly how DoS attacks work. They flood your website with fake traffic and block access for legitimate traffic.
Overloading the system, Structured Query Language (SQL) injection explained
SQL injections are one of the common cyber attacks, in part because of how simple they are to perform.
Databases are containers that hold all your company’s data. SQL is a type of computer language used to access, update, create and delete that data.
If you’re running an online store, you or the employees maintaining the website will usually issue commands using SQL such as “create new customer” or “delete this product”.
Now, imagine if someone, a hacker, could add statements to your intended requests.
The hacker could say: “Create new customer…AND export all customer data”
The hacker carries out this attack by typing SQL into an input field that the website passes straight to its database, such as the username box on a login screen, and uses it to retrieve sensitive customer data. Login screens are where this attack is most commonly seen.
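As an added illustration (example code written for this guide, not part of the original text), the Python snippet below builds a small in-memory SQLite customer table and shows two versions of the same login lookup. The first pastes the visitor’s input into the SQL text, so input can extend the intended request in the way described above; the second passes the input as a parameter, so the database only ever treats it as data. The table, names and inputs are all constructed for the example.

```python
import sqlite3

def build_db():
    """Create a constructed in-memory customer table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice", "hash-of-alice-password", "alice@example.com"),
            ("bob", "hash-of-bob-password", "bob@example.com"),
        ],
    )
    return conn

def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text by string concatenation.

    Whatever the visitor types becomes part of the statement itself, so a
    quote character or a comment marker in the input changes what the query
    asks for instead of being compared as plain data.
    """
    query = (
        "SELECT username FROM customers WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, username, password_hash):
    """Uses a parameterised query.

    The statement and the values travel to the database separately, so the
    input is only ever compared as data and cannot add clauses of its own.
    """
    query = "SELECT username FROM customers WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]

if __name__ == "__main__":
    db = build_db()
    # Legitimate request: both versions behave the same way.
    print(login_safe(db, "alice", "hash-of-alice-password"))   # ['alice']
    # Input that extends the intended request (the "...AND export all customer
    # data" idea from the text): the concatenated version now matches every
    # row in the table, the parameterised version matches none.
    tampered = "' OR 1=1 --"
    print(login_vulnerable(db, tampered, "anything"))          # ['alice', 'bob']
    print(login_safe(db, tampered, "anything"))                # []
```

The fix is the parameterised form, not filtering quote characters out of the input: every mainstream database library and ORM supports placeholders, and a code review or a static checker looking for SQL built with `+` or string formatting is a quick way to find the risky spots in an existing site.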
The strength of passwords matters, as do cyber security controls
For hackers, cracking passwords is one of the easiest ways to gain access to a system, as no prior knowledge about the victim is needed to start an attack.
There is a risk of hackers gaining full user access and causing a data breach, impacting not only business owners, but also customers that may have logins to the business’ website.
Attackers let computers do the work, by using automated software to try different combinations of usernames, default passwords and common passwords until they find the one that works (known as password guessing or ‘brute-forcing’). Because this is repeated trial and error, the strength of passwords matters a great deal.
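Because password guessing is repeated trial and error, it leaves a recognisable trace in a website’s login records: many failures from one source in a short time. The Python example below (added here; it is not code from the original guide) runs a simple sliding-window check over a constructed sample of login events and raises an alert when one client IP fails five logins inside a minute, recording how many different accounts it tried. The log format, IP addresses, usernames and thresholds are all invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events from a web application (invented for this
# example, not taken from any real system).
# Columns: timestamp, client IP, username tried, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.5 alice FAIL
2024-03-01T09:00:02 203.0.113.5 alice FAIL
2024-03-01T09:00:03 203.0.113.5 alice FAIL
2024-03-01T09:00:04 203.0.113.5 alice FAIL
2024-03-01T09:00:05 203.0.113.5 alice FAIL
2024-03-01T09:00:06 203.0.113.5 alice FAIL
2024-03-01T09:05:10 198.51.100.7 bob FAIL
2024-03-01T09:05:40 198.51.100.7 bob OK
2024-03-01T09:10:00 203.0.113.5 carol FAIL
2024-03-01T09:10:01 203.0.113.5 dave FAIL
2024-03-01T09:10:02 203.0.113.5 erin FAIL
2024-03-01T09:10:03 203.0.113.5 frank FAIL
2024-03-01T09:10:04 203.0.113.5 grace FAIL
"""

def parse_log(text):
    """Turn the text log into (timestamp, ip, username, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(stamp), ip, user, outcome))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any client IP that fails `threshold` logins inside `window`.

    A deque per IP holds the failures still inside the window.  When it
    reaches the threshold, one alert is raised for that burst; the alert lists
    the distinct accounts tried, which separates "one account, many guesses"
    from "many accounts, one common password".
    """
    recent = defaultdict(deque)   # ip -> failures inside the current window
    reported = set()              # ips already alerted for the ongoing burst
    alerts = []
    for stamp, ip, user, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        failures = recent[ip]
        failures.append((stamp, user))
        while stamp - failures[0][0] > window:   # drop failures that aged out
            failures.popleft()
        if len(failures) >= threshold:
            if ip not in reported:
                reported.add(ip)
                alerts.append({
                    "ip": ip,
                    "first": failures[0][0],
                    "last": stamp,
                    "failures": len(failures),
                    "accounts": sorted({u for _, u in failures}),
                })
        else:
            reported.discard(ip)   # burst is over; a later one gets its own alert
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data this produces two alerts for the same address: one for six guesses against a single account, and one for one guess each against five different accounts. The second pattern is easy to miss with a per-account lockout alone, which is why counting failures per source as well as per account is worthwhile; the same logic is what a rate limiter or lockout rule in the website’s login code would act on.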
Insider threats
Your business can be attacked from within – security threats are everywhere, and you may have internal security flaws.
Insider threats are malicious attacks caused by people that already have access to your business or your IT systems, often an employee, business associate, contractor, or another person with access to the organisation’s sensitive information.
An insider threat is one of the most challenging security risks because it involves individuals who know your systems and processes and who are more likely to bypass security measures. These attackers know how the business’ system is configured and know its weaknesses. Security measures and constant monitoring are key for business safety.
So why do insiders become malicious? Employees might act out for many reasons: financial pressures, job dissatisfaction, workplace hostility and interpersonal disputes are a few of the factors that might contribute to the malicious intent behind these attacks. While some may deliver these attacks on the job, others do so after hours or even on weekends or holidays. This makes it tough to detect when someone might be contemplating a threat to the business.
3. Steps to take to prevent cyber attacks
To reduce the risk of cyber attacks, there are several things you can do, including investing in security tools, such as antivirus software, and introducing internal compliance standards and regulations that employees must follow. In addition to these steps, here are some other ways you can minimise security flaws and protect your business from cyber attacks.
Use secure HTTPS
HTTPS is the secure form of HTTP.
Without getting too technical, the difference between HTTP and HTTPS is that HTTPS uses an SSL/TLS certificate to set up an encrypted connection, so the data sent to and from your website cannot be read or altered by cyber criminals intercepting it on the way.
A cyber breach can give hackers access to sensitive customer information – without HTTPS, any sensitive data that customers enter into the site (such as their username, password, bank details, or any other form submission data) will be sent in plaintext and is therefore more easily accessible, hence more likely to be hacked.
Top tip: The first step to converting from HTTP to HTTPS is to buy an SSL certificate. You can purchase this certificate from your web hosting provider.
Keep your website updated
This is the simplest step, yet many businesses ignore it.
It’s great if your website is up and running, but to keep your business secure, it’s crucial to keep your entire website, including plugins, updated to minimise the risk of a cyber attack.
Software developers continuously update systems to manage security vulnerabilities, so updating your website should be an ongoing process for your business.
If you don’t update your site, it can cost you in the long run and result in your site being susceptible to many different types of cyber security attacks.
Regularly updating your site in terms of content, design and SEO improves performance and keeps features up to date. Most importantly though, updates contain online security features and vulnerability repairs, which help to fix any security issues in your website.
Top tip: If you haven’t already, add an update notification plugin to stay on top of updating your website.
Use secure passwords
Many e-commerce websites require customers to create personal accounts to purchase products and use their services – these individual customer accounts are a prime target for hackers.
A staggering 56% of people in the UK use the same password for their online shopping accounts, posing serious potential security risks.
Not all customers will be fully aware of the dangers of cyber security, and though you can’t bring everyone up to speed on best practice, you can apply security procedures when users set up an account on your website. For instance, you can put in place additional authentication factors and password strength meters.
Top tip: Employees who use the content management system of your website can generate a strong password by making it long, using a mix of special characters, numbers and letters.
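To make the two tips above concrete, here is an added Python example (written for this guide, not code from the original) of the kind of check a website can run when a user sets a password, alongside a generator that produces the long, mixed-character passwords the tip recommends. The minimum length, the rule of three character types and the tiny common-password list are assumptions chosen for the example; a real site would use a much larger list of known-breached passwords.

```python
import secrets
import string

# Constructed stand-in for a list of known-breached or common passwords.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1", "admin123",
}

def check_password(password, minimum_length=12):
    """Return (ok, problems) for a candidate password.

    The rules are deliberately simple: long enough, at least three of the four
    character types, not a common password with digits or '!' tacked on the
    end, and not made of just a few repeated characters.
    """
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    classes = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("uses fewer than three character types (missing: "
                        + ", ".join(missing) + ")")
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!")   # 'Password1!' is still 'password'
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(password)) < 4:
        problems.append("made of too few distinct characters")
    return (not problems, problems)

def generate_password(length=20):
    """Generate a random password with at least one of each character type.

    `secrets` uses the operating system's cryptographic random source; the
    `random` module is not suitable for this job.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    chars = [
        secrets.choice(string.ascii_lowercase),
        secrets.choice(string.ascii_uppercase),
        secrets.choice(string.digits),
        secrets.choice(string.punctuation),
    ]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    for candidate in ["Password1!", "Tr0ub4dor&3", "correct-Horse-battery-9"]:
        print(candidate, check_password(candidate))
    fresh = generate_password()
    print(fresh, check_password(fresh))
```

Feeding back the list of problems, rather than a bare "rejected", is what a password strength meter on the sign-up form does for the customer. For staff accounts on the content management system, a generated password stored in a password manager is a simpler answer than asking people to invent one.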
Regular backups
A website backup can help you recover your website when your IT systems are compromised, or any files are overwritten, encrypted or deleted by hackers.
The location of your backup is equally important. Storing your backup on the same server as your website may seem like the easy and convenient option, yet, this leaves the website vulnerable to attacks. Consider backing up your data to a secure cloud service to protect it from these cyber risks.
Top tip: To ensure your data is always at your fingertips, follow the 3-2-1 backup rule:
3 – Create three backups (one primary backup and two copies of your data).
2 – Save your backups to two different types of media.
1 – Keep at least one backup file offsite.
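The 3-2-1 rule is easy to state and easy to drift away from, and a backup that exists but cannot be restored is the most common way it fails. The Python example below (added for this guide, not code from the original) audits a set of backup copies against the rule and also verifies each copy against the live data by comparing hashes, so a truncated or corrupted copy is not counted. The file names, media labels and sample data are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_backups(live, backups):
    """Check backups against the 3-2-1 rule and verify each copy's content.

    live:    {"path": ..., "media": ...}                    the working data
    backups: [{"path": ..., "media": ..., "offsite": bool}, ...]
    Returns (ok, findings).  A copy that is missing or whose hash differs from
    the live data is not counted, because a backup you cannot restore from is
    not a backup.
    """
    findings = []
    reference = sha256_of(live["path"])
    usable = []
    for b in backups:
        if not os.path.exists(b["path"]):
            findings.append("missing backup: " + b["path"])
        elif sha256_of(b["path"]) != reference:
            findings.append("backup does not match the live data: " + b["path"])
        else:
            usable.append(b)
    copies = 1 + len(usable)                       # the live data is one copy
    media = {live["media"]} | {b["media"] for b in usable}
    offsite = [b for b in usable if b["offsite"]]
    if copies < 3:
        findings.append(f"3: only {copies} usable copies of the data (need 3)")
    if len(media) < 2:
        findings.append("2: all copies are on the same kind of media (need 2)")
    if not offsite:
        findings.append("1: no usable copy is kept offsite (need 1)")
    return (not findings, findings)

def build_demo(root, corrupt_cloud_copy=False):
    """Write constructed sample files under root and return (live, backups)."""
    data = b"customer,email\nalice@example.com\nbob@example.com\n"
    paths = {}
    for name in ("live", "external_disk", "cloud_bucket"):
        folder = os.path.join(root, name)
        os.makedirs(folder, exist_ok=True)
        paths[name] = os.path.join(folder, "customers.csv")
        content = data
        if name == "cloud_bucket" and corrupt_cloud_copy:
            content = data[:-10]                   # simulate a truncated upload
        with open(paths[name], "wb") as f:
            f.write(content)
    live = {"path": paths["live"], "media": "web-server disk"}
    backups = [
        {"path": paths["external_disk"], "media": "external drive", "offsite": False},
        {"path": paths["cloud_bucket"], "media": "cloud storage", "offsite": True},
    ]
    return live, backups

def run_demo(corrupt_cloud_copy=False):
    """Build the sample files in a temporary folder and audit them."""
    with tempfile.TemporaryDirectory() as root:
        return audit_backups(*build_demo(root, corrupt_cloud_copy))

if __name__ == "__main__":
    print(run_demo())                          # (True, [])
    print(run_demo(corrupt_cloud_copy=True))   # cloud copy is rejected, two findings follow
```

With the cloud copy truncated, the audit reports the mismatch and then shows the knock-on effect: only two usable copies remain and none of them is offsite, so a single server incident would still take everything with it. Running a check like this on a schedule, rather than only when a restore is needed, is the point of the exercise.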
Invest in cyber insurance
Cyber insurance policies are designed to protect small businesses from the risks posed by cyber attacks. These attacks cost small businesses money. A cyber breach costs the average small business £25,700.
In addition to the financial cost, your reputation, your customers and suppliers, your data, IT equipment and your services are all at risk if you suffer a cyber incident. As a small business owner, you should know that cyber insurance costs much less than the cost of recovering from a cyber attack.
If a hacker damages your business’ computer systems, websites or data files, cyber insurance will reimburse the costs of repairing, replacing or restoring such items. It can also cover the cost of lost business due to disruption or cover the cost of fees in the event of legal action against you.
A reminder that cyber insurance doesn’t stop cyber attacks from happening. However, it can provide you with the peace of mind that your small business won’t be ruined financially if you experience a cyber attack.
Training your staff
Cyber security knowledge is essential to stopping sophisticated cyber-attacks. Cyber security experts study the behaviour of hacker communities to stay a step ahead of malicious attacks, and they develop defences against common forms of attack.
Training your employees needs to be taken into consideration, because no breach or attack can be prevented without recognising potential threats. This may seem obvious, but it is often overlooked. The most common threat is caused by human error, which is why training exists.
Top tip: Make cyber security an ongoing conversation. Use different approaches to cyber security education, such as regular announcements or newsletter updates.
Take control of your security
Cyber attacks and threats are roaming the internet, looking for any available way to sneak into systems. To reduce your risk of being hacked, keep your software up-to-date, limit the number of people who have access to sensitive data, and keep backups of important information.
Working diligently to put best practices in place and providing your people with the tools and training they need will go a long way in protecting your small business.