We sat down with Paul Maddison, Director of National Resilience and Strategy at the National Cyber Security Centre (NCSC), to talk about the importance of online security for small businesses.
Paul believes there are five actions all businesses can take to protect their most important assets from cyber-crime. Watch our short film above to discover what they are. And if you’re looking for more information on how you can improve cyber-security within your organisation, read on…
Cyber-crime is on the rise. And small businesses are increasingly becoming a target, with 38% identifying a cyber-security breach or attack in the last 12 months.*
The coronavirus pandemic introduced even greater challenges for cyber-security, with more employees working from home and using their own devices, making it harder for businesses to secure and manage their networks.
It can take businesses weeks, if not longer, to recover from a cyber-attack. “The average cost of a cyber-incident for a small business is £8,000, but it could be much worse than that,” says Paul. It’s not just the financial implications a small business has to deal with, like retrieving lost data and repairing affected systems, networks and devices, but also the impact on their staff, client relationships, customer loyalty and brand reputation.
The good news is that business leaders are recognising the importance of cyber-security, with 77% of micro and small businesses saying it's a high priority for their directors. However, only three in 10 have cyber-security policies in place.*
So what steps should small businesses take to improve their online security?
“Password attacks are one of the most common ways that criminals will access a network,” says Paul. If a hacker successfully gets into your email, they could reset the passwords for all your other accounts and access information you have saved about yourself and your business. So creating a strong and separate password that you don’t use for any other services is very important.
“We recognise that it’s really difficult to memorise complex passwords, so we advise you to use three random words,” says Paul. “Choose three words that have a meaning to you but to nobody else, and make sure you use a different password for each of the accounts you use.”
Don’t use words that can easily be guessed (like your pet’s name), and try to include numbers or symbols. You can save your passwords in your browser, or use a password manager, which offers a secure way to store, share and manage passwords in a single location.
Two-step authentication is also one of the best ways to protect your online business accounts. By adding a second step in your usual log-in process to prove your identity, it makes it harder for criminals to gain access to your data.
All businesses, regardless of size, should regularly back up their important data. “If you have an offline backup, you’ll be able to restore your services quickly and can’t be blackmailed by ransomware attacks,” says Paul.
Keep at least three copies of your data and make sure you store them in at least two different formats, like a USB stick or external hard drive, that aren’t permanently connected (either physically or over a local network) to the device holding the original copy.
Cloud backups are an excellent, cost-effective option for giving your business additional security. Your data is encrypted and physically separate from your location, allowing you to retrieve any file or folder you need from any computer or mobile device – wherever and whenever you want.
Put simply, if you don’t keep your software and devices updated, you’re leaving the door to your business open for cyber-criminals. Operating systems, mobile devices, laptop software, and apps should all be set to ‘automatically update’ where possible. And make sure your staff know how important it is to install these updates promptly, as soon as they’re notified.
“If you allow people to connect to your network using their own devices,” says Paul, “it’s important you also ensure they’re updated. Otherwise you may have to restrict access to corporate data.”
Malware accounts for 29% of reported cyber-crime and is one of the biggest and most widespread threats facing small businesses.** It’s malicious software installed inadvertently, usually by visiting a malware-infected (but otherwise genuine) website, or by opening an attachment from a phishing email, that criminals then use to access and control your networks.
The best way to safeguard your business is to take a multi-layered approach to security. That means using more than one security tool. Antivirus software offers an extra layer of security when you download something, protecting your company data, and is often included free with the majority of operating systems.
A firewall is another effective solution to take your security to the next level. It monitors inbound and outbound traffic in real time, protecting your systems from advanced threats before they reach your network. Education is also key. Advise your staff never to download files or software from untrusted websites, and never to open attachments or click links in suspicious emails.
Phishing attacks are a big problem for small businesses. They occur when cyber-criminals pretend to be a trusted contact, tricking employees into doing the ‘wrong thing’, like clicking a link that installs malware, downloading a malicious file, or giving them access to sensitive or financial information. And unfortunately, they’ve grown a lot more sophisticated in recent years, making them harder to spot – targeting users over the phone, through social media, via text message, and most typically, by email.
One of the most effective forms of defence against phishing is to educate your employees on the different types of attack and what they should do if they receive a suspicious email, through online training, like our Skills for Tomorrow programme.
But Paul believes you shouldn’t solely rely on your staff to stop phishing attacks. “They’re often very sophisticated and credible. So you need the technical controls in place in order to reduce the likelihood of a phishing attack being successful.” For example, configure your staff accounts so they have the lowest level of user rights required to perform their jobs. This means that if they do fall victim to a phishing attack, the potential damage is greatly reduced.
We believe that working together is one of the most effective ways of stopping cyber-crime. That’s why we’re working closely with the NCSC to keep people safe from cyber-attacks, while making it increasingly difficult for cyber-criminals to target the UK.
As a business, we protect ourselves from over 6,500 potential attacks a day. We’re also one of the first telecommunications providers in the world to share malware information with other Internet Service Providers, so they can do the same.
“By raising the cyber-security bar, we’re making it more difficult for cyber-criminals to make gains,” says Dave Harcourt, our Chief Security Advisor at BT. “We’re never going to eradicate cyber-crime, but by continuing to collaboratively share threat intelligence, we can try to stay one step ahead of them and protect our customers, whether they’re individuals or multinational organisations.”***