When the employee of a small e-commerce company downloaded an email attachment one evening two years ago, he inadvertently infected the firm’s network with malware (malicious software) that locked down all of its files. Criminals held the data to ransom until, helped by security experts, the enterprise got up and running the following day.
So-called ransomware is part of the “new normal” and businesses must think and act accordingly, says Andy Portlock, group operations director of Ignite, the technology company that helped to overcome the attack.
But they often “throw money at the problem” without oversight or analysis, adds Tom Martin Ball of standards and certification firm, Alcumus ISOQAR. “One enterprise recently spent a large amount on putting fingerprint identification entry in place, but failed to realise that the fire exit at the back of the office wasn’t locked.”
Cybercriminals take advantage of such sloppiness, but small businesses don’t help themselves in other ways, explains Edward Whittingham, a former police officer and solicitor who now heads The Defence Works, a cybersecurity training company. He says that it’s largely a problem of culture. Human error is behind the large majority of cyberattacks, yet security still sits too far down the agenda. “It’s not exciting and there’s a tendency to stick heads in the sand or think that it costs too much, but it doesn’t.”
So what can businesses do? Basic defences include firewalls (included with most operating systems) and antivirus software, but both must be kept up to date.
Ensuring that your workforce is savvy about threats is also key. “Companies don’t realise how vulnerable they make themselves,” states Whittingham. “Employee social media use is a particular risk, as they might reveal working relationships that can be exploited.”
Phishing attacks are one way such information is exploited. These fraudulent emails are disguised as coming from trusted partners or colleagues and can be so convincing that experts admit that not all will be stopped. They’re used to trick colleagues into paying fake invoices or passing on banking details and other confidential information.
One protection against phishing is to hover your mouse cursor over email links in your browser, which will reveal their true destination addresses. Otherwise, look out for low-quality versions of recognisable logos, typos, extra hyphens and so on, advises Whittingham.
Portable devices can also make an enterprise vulnerable, so impose policies around them. Use of memory sticks should also be limited.
It’s important to be cautious with phones, tablets and laptops anyway, says Adam Philpott, EMEA president at McAfee. Tell staff to avoid interacting with texts from unknown sources, he says. Employees should also use privacy settings across social media, accounts for which should require two-factor authentication. Devices can be configured so that they can be tracked, remotely locked or even wiped if compromised.
While employees are encouraged to update passwords frequently, this can be unworkable for overstretched memories, so only change them following a hack, advises the Government’s National Cyber Security Centre (NCSC). Passwords made up of three words are strong, says Whittingham.
Important data should also be backed up to the cloud or a separate device that isn’t connected virtually or physically to the main system, suggests the NCSC. Certification with its Cyber Essentials scheme can also reassure current and potential customers that a small business takes cybersecurity seriously.
Firms shouldn’t be intimidated by cybercrime, adds Whittingham. “It’s just the evolution of crime and not that different to what I saw during my time with the police – combating it is just about locking the virtual doors and windows.”