In this blog, Neil Sinclair from the Police Digital Security Centre explains why it is important to make sure your business is digitally secure.
Small and medium-sized businesses (SMEs) generally do not think about cybersecurity, and if they do, they don’t think an attack will happen to them. A cyber-attack is more than just the loss of a few documents. Losing data can have a devastating impact on a company, big or small. In the 12 months to 1 July 2019, around 32% of businesses in the UK reported a cyber-attack, at an average cost of £4180.
While many companies claim they don’t protect themselves because they believe they are too small to be attacked, most of them do not want to spend the time or money on something they do not believe will happen. However, preventing an attack in the first place costs much less than repairing your company after one.
Although there are no figures for the number of SMEs being forced out of business, presumably because they’re not around to respond, these are the latest DCMS statistics:
- 32% needed to implement new measures to prevent further attacks.
- 27% had staff time taken up dealing with the breach.
- 19% had staff stopped from carrying out daily work.
- 48% reported at least one breach or attack a day.
The most common types of breaches faced by the 32% of businesses above are:
- Phishing attacks (identified by 80% of these businesses and 81%).
- Others impersonating an organisation in emails or online (28% of these businesses).
- Viruses, spyware or malware, including ransomware attacks (27% of these businesses).
It is nigh-on impossible to run a business without a digital footprint. The smallest, niche unit on the high street must, inevitably, use an online (usually Wi-Fi enabled) payment system, an online diary and email. Most owners also see a website as a key enabler to growing their business, whether it be a simple “this is who we are and how you contact us” or a payment platform, membership sign up and so forth, with several things going on behind the front page. And a business may well obtain these digital services for free or allocate a considerable amount of time and money to making sure they are “just right”.
If businesses don’t routinely consider the security implications of this digital footprint it is more likely that those businesses will suffer financial or reputational damage. UK businesses face one cyber-attack every 50 seconds according to Beaming.
There are several reasons why businesses allow themselves to be susceptible to a cyber-attack. These can include:
- A lack of knowledge, about both the threat and the solutions.
- A lack of funds.
- The (mistaken) belief that investment in cybersecurity has no benefit for “the bottom line”.
- Because everything is stored “in the cloud”, security is taken care of.
- A frequent response is “someone else (the website designer) looks after all that”.
So here is the quick-fire response to those five reasons:
- You don’t have to be technically adept to get a handle on cybersecurity.
- Making your business more resilient to a cyber threat does not have to cost you a lot of money.
- Equate cybersecurity to car insurance – it won’t improve the value of what you have but it will mitigate against a total loss, should the worst happen.
- The cloud is the biggest target for the cybercriminal.
- Does that someone know they are responsible for the cybersecurity of your business? 90% of the time the answer will be “no”.
How can we make sure, then, that it is not our business that falls foul of a cyber-attack? The first step is to put cybersecurity up there with every other item of business resilience. Just as you have smoke detectors, first aid kits and burglar alarms, you should also have cybersecurity.
What would happen to your business if you lost access to the diary or the company bank account details were altered or that business plan was suddenly for sale on the dark web? What would you and your staff do if a piece of ransomware popped up when one of the team logs on tomorrow morning? These are questions to which every business owner should have the answer the moment they start to use a company email, an online payment portal or anything via a computer, laptop or smartphone. And then think a little further along the line: what would be the effect on my supply chain if someone attacked my business?
It may take a little while to accurately answer these questions. You may never find the precise answer, although you will do if something goes wrong! The average cost of a cyber-attack on a small UK business is £4180, rising to £9740 for charities according to DCMS Cyber Security Breaches Survey 2019.
So, what can you do to protect yourself and your business? There is no golden bullet because it is a very fast-moving landscape. Every new idea seems to bring with it a new vulnerability, and even some tried and trusted ones can be exposed by new technology. It is an ongoing requirement to monitor and upgrade your cybersecurity measures, and this is where it differs from physical security. That door or safe that was installed with the office will last for years, even if it is kicked a few times; not so for the stuff you keep online. However, there is plenty of very good advice out there, and plenty that you can do if you devote a little time, for minuscule financial outlay.
The National Cyber Security Centre (NCSC) provides plenty of free advice. The NCSC Guide for SME gives advice on password use, anti-virus and other simple cost-free steps to protect your business. The Global Cyber Alliance (GCA) has a toolkit and several other free to use solutions that will help to improve the security of your online presence.
On a wider level, you should have regular meetings with all your employees. You almost certainly have regular fire drills; your cybersecurity drills (for want of a better term) should be every bit as frequent. And it is more than likely that important pieces of the knowledge bank will come from unlikely places: the mail room may well have an avid gamer or coder who is a lot more savvy than the Financial Director about password security for example, so throw it open to all your employees. And it is very important that you discuss the resilience plan regularly and that you continue to update new people on the security protocols and remove access rights from leavers. It is vital that everyone knows the password protocols, that everyone installs updates as soon as they become available, that no one is plugging random USB sticks and personal devices into your office PCs. Whatever protocols you do put in place, they are only ever as strong as the weakest link. That is a well-meaning employee, as often as not.
The Police Digital Security Centre can give you additional advice and put your business on the path to a valid certification that will enable you to go to bed at night knowing your business is as safe as it needs to be in this digital age.
Remember, it is never too late to protect yourself against cyber-attacks, but it is best not to wait until you’re affected by one.