It feels like barely a week goes by without news of another high profile cyber-attack or data breach, affecting millions or even billions of people. Attacks happen so often that we've become almost desensitised to the numbers, but the cost to individuals and businesses is staggering, with a report by Grant Thornton putting it at around $280 billion globally in 2016.
We all hear about it when big businesses are hit - Tesco Bank, Talk Talk, and Three Mobile are prime examples - and it's easy to think that start-ups and small businesses are less of a target. But no business, big or small, is 100% safe in this era of cyber warfare. In fact, IDC found that 71% of data breaches are now targeted at small businesses - so it's time to sit up and take notice.
There's a lot of information and advice out there, and it can be hard to work out what's most relevant to you as a small business. That's why, in this e-book, we take you through everything you need to know about cyber-attacks, data breaches and cyber security, including why your business could be at risk, what those risks are and how to ensure your systems are as safe as possible.
Why should small businesses care about cyber security?
Digital Risks is often challenged by founders of small businesses as to why they should be concerned about cyber security, assuming their operations are either too small or their data is not theft-worthy. Unfortunately, that couldn't be more wrong.
So, what exactly makes you a target?
You're too busy and hackers know it
Running a start-up or small business can be stressful. With long days and sleepless nights, who has time to think about data security? Let's face it, you have a lot on your plate and you haven't spent much time making sure you're protected.
Lack of security expertise
Small businesses often don't allocate enough resources to deploy strong firewalls and updated security patches, resulting in loss of important information if faced with an attack. Cyber security is a complex and multi-faceted issue, that requires the right technology and the right policies and processes in place.
Lack of specialist legal expertise
Unlike large organisations who have the budget to hire an entire law and compliance department, you probably don't have any dedicated expertise internally. As a result, you may be overlooking your responsibilities around handling data.
Your data grows with you
It can be easy to lose track of the amount of data you've generated over time. Your customer database may be small in the early stages but it can grow to a thousand or more pretty quickly. Mishandling this data could leave you exposed to attacks and fines from the Information Commissioner's Office (ICO).
Many start-ups and small businesses have freelancers or remote workers accessing their systems from local coffee shops or co-working spaces. If that's the case and there's no secure Wi-Fi connection, hackers can easily steal your data.
Your data is an entry point to the big guys
It's a common misconception that hackers won't be interested in attacking a business with little money or data. And while they probably don't care about the £80 order you took yesterday, your unprotected systems could give them a 'back door' into larger clients or suppliers, which is exactly what they're after.
Every website is a target
Hackers have a lot of time on their hands to spend trawling the internet in search of websites with vulnerabilities. If your VPS (Virtual Private Server) is compromised it can be used to fire out thousands of spam emails, potentially blacklisting your IP address and costing thousands to repair. Check out this real-time hacking map to give you an idea of the number of attacks happening right now.
What are the biggest threats?
Cyber-attacks and data breaches are often clumped together, when in fact there are various culprits, that access and attack your systems in different ways. What's more, they're constantly evolving, so it's important to stay vigilant to new threats.
In the spirit of 'knowing your enemy', here's a rundown of some of the major cyber risks facing start-ups and small businesses in 2017:
Phishing, Spear-phishing and whaling
One of the most common modes of attack, phishing involves the attacker sending out emails to multiple recipients, posing as a reputable company. The email will either contain malware in a link or attachment, or will prompt the recipient to enter sensitive account or password details, enabling cyber criminals to hack into their PC or accounts. While many of these emails may look and seem suspicious, some are surprisingly convincing, and when sent on mass, usually catch someone unawares eventually.
Varieties on phishing include spear-phishing, whereby attackers target a specific company or individual, and whaling, where senior executives are specifically targeted. Both can be hugely damaging if successful.
As the name suggests, ransomware infects your computer and holds your data to ransom, demanding significant sums for its release. Attacks of this kind are growing exponentially, with SonicWall reporting 638 million worldwide in 2016, 167 times the number of attacks in 2015!
Ransomware usually accesses your computer through a phishing email sent to unsuspecting employees, although new tactics have seen ransomware hijack adverts on popular news sites, with the New York Times, BBC and AOL hit last year. One click on an infected link or attachment and it's in your system, almost impossible to get rid of it without paying up.
The crime rings that perpetrate these attacks are growing more intelligent and sophisticated by the minute and small businesses are often a soft target, with less protection and cyber awareness than larger companies.
A type of malware, worms have been around for a many years, with the first one famously created in 1988 as an innocent way of testing computer networks. They have since been used to devastating effect, penetrating vulnerable computers, before replicating and spreading within a network. One of the most famous worm attacks was on MySpace in 2005, which spread to over one million computers in 20 hours.
Worms are often used to steal confidential information or turn computers into remote-controlled 'zombies' or 'bots', which are then used to attack more systems. It's estimated that at any moment there are several million 'zombie' computers on the internet.
New types of worms are emerging all the time, including 'headless worms', which target so-called 'headless' devices like smartphones, smart watches and medical hardware.
With driverless cars, smart entertainment systems and connected cameras, the Internet of Things, or IoT, is growing bigger and more complex. Yet these devices are often overlooked when it comes to cyber security, leaving them especially vulnerable to attacks and being used as a part of a botnet to attack other systems. As the Internet of Things grows more prolific, this is a potential 'back door' route to accessing valuable data deeper in the system, and whole networks could be affected this way in the future.
As scary as it sounds, ghostware is a type of malware designed to penetrate networks without detection, steal confidential data, then cover its tracks before it leaves. That means you may not realise your business has been compromised until it's too late, and it's impossible to find the source of the breach.
Similar to ghostware, but this time the malware completes its task and then destroys the system it has infected. It can potentially be much more damaging for this reason, however you will at least know that your system has been compromised.
The type of attack that took down various major websites last year, including Twitter, Netflix, Reddit, and Airbnb, DDOS (Denial of Service) attacks are on the rise, with DDoS for hire services making it easier and cheaper for cyber criminals to strike, bringing down websites and affecting businesses across the world. They work by flooding a company's servers with requests, so they are unable to cope and shut down. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. And it's not just big businesses that are affected - small firms are often more vulnerable due to their website architecture.
Again, the clue's in the name, as this type of malware is like a Trojan Horse which enters your system under the guise of a legitimate piece of software. Once there, it can perform a number of functions, including deleting, modifying or stealing data. Unlike worms and viruses, they cannot replicate themselves, but they can be just as damaging.
Malicious or not, human error is the most common reason for cyber-attacks and data breaches, with studies showing it's responsible for as many as 95 per cent of incidents. A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email, losing their company smartphone, using default passwords or occasionally with criminal intent. Yet despite the risks, many small companies don't have the necessary controls, training and communication in place to mitigate against breaches of this kind.
How to keep your business safe
The 2016 Global Threat Intelligence Report from NTT Com found that roughly 77 per cent of organisations are unprepared for cyber security incidents. With that in mind, here's our step-by-step guide to keeping your business safe:
First things first, a cyber risk assessment helps you understand the areas you need to protect and those where you could be most vulnerable. Start by auditing the data and information you hold that is most valuable. This will give you a good idea of where you need protection. Then look at how you store this data, who has access to it and how it's protected, to understand where you could be most at risk.
If you're not confident carrying out a risk assessment, then you might want to consider hiring an expert to do this for you.
Implementing strong network and workstation controls
Once you've identified your most valuable data assets, cover all the bases to secure it with the appropriate technology, including firewalls, anti-malware and anti-virus software on all your computers and devices.
Here are some of the controls that will make a big difference to your cyber security:
Install security software on your company website and keep all its scripts up to date
Implementing a properly configured firewall through a dedicated resource
Applying current and up-to-date patches on everything, including the gadgets owned by employees
Implementing SaaS-based security services, which are often less expensive than traditional software
Using secure cloud-based applications
Implementing solutions like VPN (virtual private network) so remote access is secure
Implementing a disaster recovery site that can take over in case of a DDoS attack
Having a static page to keep customers informed if your order page goes offline
Access controls so employees only have access to information they need
If you don't have any dedicated IT expertise in house, it's probably best to consult an expert on the best approach for your needs.
Communication and training
The right technology is of course hugely important, but getting your people and processes up to speed perhaps even more so. Yet this is an area that is often overlooked – a recent Government survey found that only 17 per cent of businesses have given staff some kind of cyber security training in the last 12 months.
Your communication should begin with a cyber security policy, outlining key processes and procedures, what staff should and shouldn't do, and the potential repercussions if the guidelines aren't followed. The exact issues covered will vary from business to business but potential topics could include:
Guidance on handling sensitive information
Stipulations regarding password security
A policy covering remote working and the use of personal devices
How to look out for, report and respond to a security issue
Required checks on suppliers to ensure they are complying with security best practice
You should ensure the cyber policy is easily accessible to all employees, is updated regularly, and that staff are also given training around the issues at least every 12 months.
Build a security centric mobile culture
It's easy to overlook the fact that sensitive information accompanies your employees inside and outside the office premises, and that it needs to be protected at all times. Here's some mandatory rules that will keep your data safe when your employees are on the move:
Make employees use complex passwords – see 5 password tips for better SME security
Introduce passwords that automatically expire and need to be renewed
Block access to certain websites that pose risks to the security of your data.
Encrypt all smartphones used for business purposes.
Most small businesses aren't aware of the amount of information that their vendors have access to and this can also pose a serious security risk. Checking a vendor's security controls should form part of the vetting and onboarding process. Things to look for include:
How your data will be stored
Access controls for the vendor's employees
Frequency of vendor risk assessment
Compliance with General Data Protection Regulations
An insider threat can be a current or former employee, service provider, supplier, contractor, or anybody else that may be able to gain access to your confidential data. These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can't be trusted. We've outlined some simple steps your business can take to prevent employee misuse of data here[.]
Periodic assessment of vulnerabilities
Finally, periodic testing should be carried out to identify impending security risks to your network. In this scenario, third parties can be hired to do the stress testing to identify any loopholes in the system, so they can be plugged before it's too late.
What happens if you're hit?
Even with the best technology and security measures, sometimes you're powerless to stop a breach. This is where an effective response plan comes in, enabling you to control the situation as quickly as possible, with minimum impact to you and your customers.
Yet, despite its importance, only 30 per cent of organisations have a breach response plan in place, potentially leaving them floundering in the event of an attack.
An effective response plan should include the following elements:
Your legal response: You need to outline how you'll handle the legal aspects of the breach, for example informing the Information Commissioners Office (ICO) of the issue and defending your business against any claims of negligence.
Handling media queries: Your business could be the focus of media attention following a breach, so be ready to handle all external communications about what happened and how you're handling it. You are likely to need professional PR expertise to do this effectively.
Finding out what happened: You'll also need to have IT forensics experts on hand to find out what caused the breach, with a view to rectifying the problem quickly and ensure it doesn't happen again.
Informing customers: Depending on your customer-base and the scale of the breach, you could have a lot of unpleasant phone calls to make! You'll need to be ready with a way to handle this communication efficiently.
How can cyber insurance help?
If the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight and specialist cyber insurance policy. Covering you for breach of data protection laws (where insurable by law) and your liability for handling data, it can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime.
Some key aspects to look out for include:
The Information Commissioners Office (ICO) can impose two distinct levels of fines based on breaches of the General Data Protection Regulations (GDPR). The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation. The Digital Risks cyber insurance policy will cover notification costs, legal fees defending regulatory action, and in some cases the penalty itself (where this can legally be insured).
Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
Cover for your website, blogs and social media, for copyright or trademark infringement, or defamation etc.
With cyber-crime and data leaks on the rise, it's not a case of 'if' your business will be hit, but more a case of 'when'. Getting up to speed on the scale of the threat and how best to protect your systems, will put you into "prepared mode" and keep your business out of the cyber spotlight.
We made buying insurance simple. Get started.
- 04 March 20201 minute read
From court costs and employee disputes to tax enquiries and VAT mistakes, commercial legal protection is essential for many businesses. Read our guide to get to grips with specialist support. Start today.
- 28 February 20201 minute read
Digital agency insurance keeps you protected, but are you prepared for the risks that come with online marketing, from GDPR and data protection to new social media regulations? Read our top five risks and build an action plan. Start today.