Cybersecurity is big news - no surprise when cyber-attacks cost businesses in the UK £15,300 per victim on average.
Data loss and cyber breaches leave companies needing to fix their websites, their systems and, most damaging of all, their reputations. If customer data is stolen, firms may face significant financial penalties.
Ransomware attackers can shut down operations entirely, while demanding payment from their victims. This can seriously disrupt trade, lead to customer loss and ultimately destroy your businesses.
Cyberattackers will take advantages of the weak points in your systems. That could be anything from devices and software to people and passwords.
Not every cyber threat is down to an anonymous hacker remotely accessing your computers. Your employees can leak information – accidentally or maliciously – or your suppliers could pass on information about you and your working practices to a competitor.
Here are some of the key steps that every small business can take to protect their data and operations from cyber criminals.
It’s important to ensure that all your accounts have different passwords. For instance, the password you use for social media must be separate to your email password. Any financial passwords should also be unique. Otherwise, a criminal who has access to one account, will also be able to access all the others.
It's particularly important to keep email passwords secure. If a hacker gets access to your email, they can access private business information that could be used in a scam. They may also be able to change the passwords on your other accounts by using the ‘forgot my password’ option. They can email people inside and outside your organisation, including your clients.
To keep your accounts secure, you should use strong passwords made up of three random words. Hackers find it more difficult to break passwords such as ‘dogbrightsquare’ than single words. Adding symbols, capital letters, and numbers to a password can make them even more secure. For instance Fairy!Saucepan?Jogging11 would be a very strong password.
You should never use any of the following in passwords:
If you have employees, you should make sure that you require strong email passwords from everyone, as your security is only as good as the weakest link.
If you or your employees struggle to remember lots of different passwords, try using password-managing tools. These remember passwords for you, and you access them using a two-step verification process, like the systems used by banks. You can also consider saving your passwords to your browser.
Many password managers allow you to synchronise your passwords across different devices, help spot fake websites, let you know if you’re re-using a password across multiple accounts, and even notify you if your password is used in a breach.
Two factor authentication is when you must have to prove your identity via a second method after entering your password. For instance, you might be sent a code, or need to login into an authenticator app that provides one. When you enter the code, it proves you’re logging in, rather than someone who’s stolen your password.
Online banking typically has two-factor authentication turned on by default, but you can usually switch it on for emails and social media accounts. Two-factor authentication only takes minutes to set up, but can protect you from password breaches.
Backing up important data helps your company to bounce back quickly in the event of a cyber-attack. Think about what data is essential to the running of your business and make sure it is regularly backed up. This could be documents, photos, emails, contacts and calendars.
Backing up everything to the cloud, and ensuring that your cloud storage has two-factor authentication switched on, is a great way to protect yourself from cybercriminals. Switch on automatic backups wherever possible, as this protects you from human error.
One of the most important steps to keep phones, laptops, computers and tablets safe is to immediately download software updates when they become available. When software developers find security weaknesses, they build fixes into their updates. Downloading them helps to ensure that you have most up-to-date protection against hackers and viruses.
Eventually, manufacturers will stop providing updates for older devices or operating systems. If this happens, you should consider upgrading your systems and software to make sure you’re protected.
Check the Which? guide to anti-virus software to find out more about what’s available. The most effective software is not always the most well-known.
When you get new devices you should:
If your business has employees, ensure that everyone has these security devices installed and working.
You must only ever download software and apps from official stores, such as Google Play or Apple App Store. They scan software for viruses before making it available, which can help keep your devices safe.
If you need to download software from elsewhere, you should ensure it is legit. Things that can help include:
For more information on applying updates, refer to the NCSC's guidance on Vulnerability Management.
Phishing is a tactic widely used by hackers that allows them to insert viruses on to your systems, so they can access information more easily.
Typically, scammers send fake emails to thousands of people, asking for sensitive information or with links to bad websites. These emails are getting more sophisticated and harder to spot, meaning every business is at risk.
To avoid phishing attacks, you must ensure that you and your employees:
You can also use the National Protective Security Authority’s Digital Footprint Campaign to educate your employees about the information they share online.
If you have employees, training them around cyber security and good password hygiene is really important for keeping your business safe.
Ensure bank details or company information is password protected and restricted to those who need to have access.
You should also:
The UK government provides free online training courses to help you and your staff protect against cyber threats.
Start with the Cyber Essentials scheme, which teaches you to increase and maintain cyber security throughout your business.
Other helpful resources include:
Cyber Essentials teaches you the technical measures you need to have in place to protect your business against the most common internet threats. A Cyber Essentials certificate shows customers you take security seriously and is a must when applying for government contracts.
For more courses and education, visit the government’s cyber security training for businesses page. This has a handy list of free e-learning courses that can help.
The introduction to Cyber Security course was developed with the Open University and FutureLearn. It gives businesses a comprehensive introduction to cyber security. Study is around three hours per week and the course is eight weeks long.
Imagine your IT systems went down – how would you be able to process orders, communicate with customers, issue invoices or carry on the rest of your working processes? If you had a data breach, who would you need to inform? Who would you call to get your IT working again? Thinking about these issues in advance will provide a valuable starting point if you are faced with a cyber breach.
The government has issued specific guidance on cyber security risk management for small businesses which can help with your planning.
The UK Data Protection Act requires you to protect data you hold and process about your customers, suppliers and staff. This includes all personal information – names, addresses, salaries, bank details and any other information that could be used to identify individuals.
Your business can be fined if you fail to comply with these basic principles. For more information, the Information Commissioner’s Office has a guide for small businesses.
UK government figures show that around a third of businesses (32%) report having experienced any kind of cyber security breach or attack in the last 12 months. This accounts for approximately 462,000 businesses.
The single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960.
However, smaller businesses are just as vulnerable as larger companies – sometimes more so, as they won’t necessarily have the same level of resources dedicated to cyber security.
Several traders have already found this out the hard way. A 47-year old builder was horrified to discover that criminals had stolen his details to set up a bogus company and steal £50,000 from the Covid bail out scheme. Read the story here.
Richard Parris, Which? head of computing comments: ‘As a customer, it's hugely important to feel confident with the online security used by the companies you deal with by email or on their websites. Ultimately, you're giving them your business, and that means all the right protections need to be in place to ensure your personal and financial details will be taken care of securely. Traders that are victims of hackers and fail to respond swiftly and communicate well with their customer may find that their reputation is severely damaged and they ultimately lose business to competitors.’
Even the best-prepared organisation can be the victim of a cyber breach, particularly as hackers get more sophisticated.
If you are being attacked, the first thing you need to do is identify the breach.
The NCSC says the following are signs that you are or have been attacked:
It adds that companies should answer the following ten questions to work out exactly what has happened. This will help you give the right information to your IT team who are trying to resolve the issue, and help you put measures in place to prevent an incident from reoccurring.
Next run your antivirus software, to try and find out more information about the attack. If the programme finds nothing, consider using an alternative.
Once you have gathered any information, look for advice online from Action Fraud, police websites, and the government. If it’s a common problem, there may be guides on how to resolve it.
If your IT is managed externally, get in touch with your providers as quickly as possible. If you manage your IT internally, activate your incident plans.
This could involve things like:
You may wish to consult a cybersecurity specialist.
Communication is a crucial element in responding to any cyber-attack.
Depending on the nature of the incident, you may have a legal requirement to inform the Information Commissioner’s Office You can check the ICO website to see which incidents they require you to report.
You should also report the incident to the police via Action Fraud.
You must also communicate with all internal and external stakeholders – including your staff and customers. If customer data has been compromised, they need to know. Being transparent and communicative can make the difference between recovering your reputation and losing valued customers.
You may also want to seek legal advice, particularly if there is a significant impact on your customers.
If you have a cyber insurance policy, you should get in touch with your insurers quickly, so that you can get started on a claim.
Finally, after the incident, you should review everything that’s happened, learn from any mistakes made, and put policies in place to try and prevent the same thing from happening again. This should include a review of any actions taken during the incident.
Strengthen your defences where possible, for instance with better antivirus protections, or a new and more secure password policy.