As a business owner you have many responsibilities. One of these is to protect your business and staff from day to day cyber security threats. If you make use of or rely on IT systems or data for the success of your business, then cyber security should be high up on your agenda.
SME cyber security has never been so important as cyber criminals are increasingly active and looking to take advantage of all situations in order to target vulnerabilities. The rapid shift to remote and home-based working in response to COVID-19 lockdown which may have led to a change in practice for many businesses is a good example of a situation which can offer opportunities to cyber criminals. Evidence suggests that cyber-attacks have increased during the coronavirus pandemic.
Is your SME taking cyber security seriously?
It can be easy to think that cyber criminals only target big companies. And that as an SME you wouldn’t be on a cyber criminal’s radar. But this is far from true. In fact, some studies suggest SME’s are just at, if not more at risk of cyber-attack. This may be due to a perception that smaller businesses do not have the resources to invest in cyber defences or that they even need to defend themselves.
As an SME it is vital that you recognise the risk cybercrime can present to your business and that it should be a part of your risk management strategies.
One way to protect your business from the impact of a cyber-attack is through cyber insurance. Yet figures suggest that only 11% of businesses have a specific cyber insurance policy in place. Despite 99% of claims made on ABI member cyber insurance policies being paid out in 2018.
Cyber liability insurance offers a range of protection not just against financial losses caused by a cyber-attack but also in helping you investigate the cause, rectify any damage to your systems caused by hackers, help contain and conduct crisis management, provide cyber business interruption cover and provide support.
Suffering a cyber-attack can be just as devastating to your business as suffering a fire or flood at your business premises or being the victim of vandalism or theft. And most businesses insure against these types of risks. At Anthony Jones we always ask, if you rely on data or systems to run your business, why are you not thinking about protecting your business with cyber insurance? The risk is real, and it is not going away. We strongly advise you to consider protecting your online business in the same way that you would your tangible assets.
What cyber security actions can your SME take?
SME cyber security will involve taking a range of actions and a risk management approach.
Areas you should look to consider include:
It is vital that your staff are trained on what a cyber security threat is, the different types of cyber-attack they may encounter and what to do in response. This can empower staff to take responsibility for maintaining cyber security across your business.
Figures suggest that as many as 95% of cyber security breaches are due to human error. Giving your staff the knowledge and information to enable them to avoid falling victim to a scam is therefore vital.
Backing Up Data Securely
Backing up your data securely is another key step for SME cyber security defences.
Data is valuable to your business. And therefore, it is valuable to cyber criminals.
Ransomware attacks are on the rise. If you are targeted by a ransomware attack then typically your computer will become locked and/or your data could be stolen, deleted or encrypted. You will then be sent an anonymous request for money in return for regaining access to your data. Having full and secure data back-ups can help you recover from a ransomware attack and limit data loss.
You also have a responsibility as a business owner and data processor to protect the personal data that you hold. Suffering a data breach can have significant consequences under GDPR and leave your business open to fines and other penalties.
Avoiding Phishing Attacks and Hackers
Phishing attacks are a common method employed by cyber attackers and they have been around for many years now. They typically use email as a way to get users to disclose access information or sensitive business information by getting a user to click a malicious link for example.
Phishing attacks are ever evolving and becoming more sophisticated over time making them harder to spot.
Given the prevalence of phishing attacks, your business should take actions to prevent becoming a victim. The National Cyber Security Centre (NCSC) suggest taking a multi layered approach when it comes to defending your business against phishing attacks, with 4 main principles:
- Make it difficult for attackers to reach your users – it is possible to filter and block incoming phishing emails, so they rarely get to your staff as a first line of defence
- Help your users identify and report suspected phishing emails – create a culture that encourages users to report things which don’t seem right, train staff to recognise techniques a phishing attack may use so that they are in the best position to recognise fraudulent requests
- Protect your organisation from the impact of an undetected phishing attack – security systems when correctly configured can help protect your devices from malware and prevent malicious websites opening. Also ensure you are using strong password and authentication techniques.
- Respond quickly to any incidences – this can help limit the amount of harm caused
Having up to date staff policies should also be a feature of your cyber security defences. User education will form an integral part of your ability to defend against cyber-attack.
As well as implementing an overall user security policy, which staff are trained on and is part of the induction process, it is also worth thinking about specific areas including:
Working from home
Working from home can present additional cyber security risks.
Some of the cyber security vulnerabilities linked with working from home include:
- Home wi-fi networks may not be as secure as those in a work environment
- Staff may make use of personal devices which are not configured to the same security standard as business issued equipment
- Being outside of the office environment may make users less vigilant or more susceptible to attack
- There may be increased use of software not approved by your business – e.g. using a personal email address to send work related emails
- Privacy of an employee’s home
Put a home working or remote working policy in place which details how users should access your systems, which technology they can make use of and the need to protect data. This is of particular importance in the current climate where working from home has seen rapid growth increasing the need for cyber security for remote workers.
Use of personal devices and removable media
It is important to have a clearly defined policy when it comes to staff using their own personal devices in the workplace. This should include removable media such as USB sticks given the security risks related to such devices.
Best practice would be to only allow staff to connect work devices to your network. Not personal devices. Personal devices are unlikely to be set up and have the same level of security as business equipment so connecting personal devices to your corporate infrastructure can lead to inadvertently importing malware or compromising sensitive information.
How to report incidences
Have a clear policy on the steps your staff need to take if they do think they have fallen victim to a cyber-attack. And make sure your culture encourages staff to speak up if they think something is wrong. Identifying any breaches at an early point can help minimise the potential harm.
If you have any questions about cyber insurance or SME cyber security risk management then do get in touch with use today. Our team of experts will be ready to help. You can call us on 0208 290 9080 or email us at firstname.lastname@example.org.