Author: Hannah Khoo, Customer Relationship Manager at the Cyber Resilience Centre for London
You cannot protect yourself from cyber-attacks if you do not know what you are protecting yourself from. So, let’s break down some of the dangers you can face and summarise how you can avoid them.
Common forms of cyber-attacks
Ransomware is malware that locks you out of a device or encrypts its files and demands money for their release. Paying the ransom does not guarantee your data will be returned or that the malware will be removed, so consider alternative solutions. Seek professional advice and visit No More Ransom, which provides free decryption tools for many common ransomware strains.
Phishing is the use of fraudulent emails that manipulate a victim into actioning a request, such as clicking on links, opening attachments, paying an invoice to the criminals and more. Responding to the request can lead to large-scale cyber-attacks and financial loss. In the latest Department for Digital, Culture, Media and Sport Cyber Security Breaches Survey, 83% of attacks started with phishing. It is the most common attack you will face, so remain vigilant.
A data breach includes lost or stolen devices or hard copy documents, unauthorised access or extraction of data from the network. You must inform the ICO within 72 hours of identifying a data breach – you can take the self-assessment to determine if this applies to you.
Denial of Service (DoS) is typically a flood of traffic taking down a website, but it can also apply to phone lines, other web-facing systems and in some cases internal systems. This attack can cause significant disruption to business.
An insider threat is a malicious or accidental action from within the organisation that causes a security incident. An accidental example would be falling victim to a phishing email; an intentional example would be someone leaking data to a competitor.
A targeted attack is aimed specifically at your business, usually by a sophisticated attacker. Phishing emails are personalised to make you more likely to fall victim; this is known as spear phishing, or whaling when the target is a big fish such as the CEO or the executive team.
Unauthorised access includes access to systems, accounts and data by an unauthorised person, whether they are internal or external to the business. It is common for small businesses to have their social media account taken over after falling victim to fraud.
A brute-force attack uses computing power to try many password combinations against a single account until the attacker gains access.
A zero-day vulnerability is when criminals exploit security flaws in software that are yet to be fixed by the manufacturer.
The list can go on but these summarise some of the most common and disruptive attacks businesses can face.
Now you know the dangers, you can be prepared to face them with your Incident Response Plan: your playbook to help you identify, contain and remove a threat, remind you of who will action your plan, who you will notify of a threat, when you have legal obligations and more. Being prepared to face an adversary will minimise disruption to your business.
How to avoid becoming a victim
However, you do want to avoid being a victim of cybercrime in the first instance, and getting a basic layer of security in place will greatly reduce your risk of attack. Here are 10 easy-to-implement solutions for you to try out:
- Automatically update software and operating systems to reduce the window of opportunity criminals have to attack security flaws.
- Educate staff to spot fraud and reduce the likelihood of them falling victim.
- Have long and complex passwords to protect online accounts against brute-force attacks. A Password Manager will create different, strong passwords for every online account you have.
- Use 2-Step Verification (2SV) to prevent unauthorised access to your online account when your password is compromised in a data breach or you fall victim to fraud. 2SV is a one-time passcode sent to your phone or generated by an authenticator app that is required during login and unknown to the criminal.
- Install and run antivirus to block and remove malware.
- Enable a firewall that monitors connections travelling across the network and blocks any connections that are unauthorised – firewalls are often built into operating systems or packaged with antivirus.
- Avoid connecting to public Wi-Fi, to prevent criminals capturing your information. Use a Virtual Private Network (VPN) when on the move and when connecting to public Wi-Fi is unavoidable, to obscure your information from view.
- Screen lock all your devices with a password, passcode, fingerprint or facial recognition to protect your information should the device become lost or stolen.
- Review who has access to information within your organisation and set permissions based on their need. This can reduce the likelihood of a data breach. You should also consider creating a separate admin account, used by a limited number of people, that carries the additional permissions needed to carry out software updates.
- Back up your data so you can recover quickly after a cyber-attack or accidental damage.
For step-by-step guides on how to action these tips visit the Cyber Resilience Centre for London and follow their “Getting the Basics Right” programme as a Community Member.
What to do in the event of a cyber-attack
If you are suffering from a cyber-attack contact Action Fraud on 0300 123 2040. Further advice on reporting cybercrime can be found here.
If an attack has a financial risk, contact your bank immediately.
Report cybercrime and fraud to Action Fraud, even if the threat has been removed, so they can identify criminal trends and provide guidance so others avoid falling victim to the same threat.
*We strive to do our best when supporting small businesses and their growth. Our business databases can give you information and data that can help you with advertising, market research, company information and industry factsheets. If you have already taken the plunge, we would love for you to join us at a seminar; our workshops cover digital marketing, business model canvas and planning, demystifying taxes and intellectual property, to name a few. Visit our events page or website for more information.