In this article we’ll discuss the growing cyber security risk faced by small businesses and I’ll walk you through a set of cyber security tools you can implement in your small business that will help to protect you against some of the most common and potentially devastating cyber threats.
A case study in Small Business Cyber Threats
Bob* is an Operations Manager at a small B2B professional services firm in Sydney that experienced a potentially crippling ransomware attack in November last year.
One morning in early November, the receptionist at Bob’s firm was going about her morning routine, processing invoices received via email from the firm’s various suppliers, when she opened an email purporting to be from the firm’s mail carrier with an attached PDF document labelled ‘invoice’.
When the receptionist double clicked the PDF attachment, something strange happened. Rather than opening an invoice she received an on-screen message notifying her that her PC had been infected with a virus, her files had been encrypted and the only way to decrypt them was to deposit approximately $500 AUD worth of Bitcoin using a link provided in the message. The message promised that once this deposit had been made she would be provided with a key to access her encrypted files.
The ‘invoice’ was not a PDF at all: the receptionist had unwittingly executed a file containing a variant of the Cryptolocker ransomware. Unfortunately, this piece of malicious software did not only affect the receptionist’s computer. Bob’s firm had what it considered strong cyber security controls, including virus scanning on all networked computers and drives along with scanning of inbound email attachments, but signature-based scanning only catches variants already in the vendor’s database, so a fresh variant can walk straight past an up-to-date scanner. Once running, the ransomware encrypted not just the receptionist’s local files but every file on the network shares her PC had write access to.
Over the course of the next hour or so the ransomware worked its way through every document on the firm’s shared drives, locking staff out of critical customer files and essentially bringing the business to a grinding halt.
Thankfully, Bob had prepared for this type of scenario and had recently implemented daily offsite backups of all networked files. Crucially, those backups were held offsite rather than on a share the infected PC could write to, so the ransomware never reached them. Within 24 hours he was able to restore the company’s key files and business resumed, albeit with a significant task to reprocess file updates and tasks that were in progress on the day of the attack.
Cyber Risk doesn’t just affect big businesses
When we think about cyber security risks faced by the business community today, it’s easy to focus on some of the more headline grabbing attacks that have occurred on big name companies over the last few years. Examples of significant compromises to corporate and customer security such as the Sony Hack in November last year or the ‘epic’ Target credit card data compromise in 2013 highlight just how serious a targeted cyber attack can be. But, as demonstrated by Bob’s experience above, it’s not just large corporations that need to be prepared to deal with these threats.
According to Symantec’s 2014 Internet Security Threat Report two out of three small to medium sized businesses reported some type of cyber threat event during the 2013 calendar year. Now before you freak out, toss your computer in the trash and go back to a cash box and abacus, it’s important to note that these threats included attempted cyber attacks (such as companies receiving phishing or virus laden emails), along with successful ones, which helps account for this somewhat alarming statistic.
What this statistic does highlight however is that small and medium sized businesses are absolutely being targeted by cyber criminals and those without the right cyber risk management controls in place are leaving themselves exposed to a very real and active threat which has potentially disastrous consequences.
The Small Business Cyber Risk Toolkit
The best way to protect your small business from the broadest spectrum of cyber threats is to employ a cyber risk strategy that covers three key areas:
- Digital Perimeter Security
- Physical Security and Internal Controls
- Recovery
Investing in these three areas doesn’t need to cost the earth, doesn’t require any special skills and doesn’t need to take up a lot of time (hell, you can probably cover all three for under $100 in a few hours). The detail below assumes you are probably running a Windows operating system in your business, however the basic principles for addressing the three areas above apply to almost any environment.
Digital Perimeter Security – Keeping the bad guys out
Keeping your digital perimeter security strong ensures your business is best placed to deal with external threats. Follow these tips to keep the nasty stuff (think viruses, trojans, ransomware) off your computers and networks:
- Make sure you install antivirus software if you are running anything earlier than Windows 8 on your computers (think Symantec/Norton, AVG or Microsoft’s free Security Essentials). Windows 8 and later ship with Windows Defender built in, which covers the basics.
- Keep your antivirus databases up to date! Antivirus providers are constantly updating their databases with new viruses and virus variants. If you install your software and then never bother to update the database, don’t fool yourself into thinking you are protected. Turn on automatic updates so the database refreshes without you having to remember.
- Keep your Operating System patched with the latest updates. Microsoft regularly releases patches for its supported operating systems. These include bug and error fixes, but they also close security holes, some of which are exactly what malware uses to get in. Microsoft notifies you whenever a new patch becomes available via an irritating little popup in the bottom right corner of your desktop. Don’t ignore it, or better still, turn on automatic updates so you don’t have to. Note that Windows XP stopped receiving security patches in April 2014, so if you are still running it no amount of diligence will keep it patched; plan to move off it.
- Every version of Windows since XP Service Pack 2 has shipped with a pretty solid built-in firewall that blocks unsolicited inbound connections, preventing unauthorised individuals from remotely accessing your computer whilst it is connected to the Internet. Make sure it is switched on. Only if you are running something older than that should you need to install a third party firewall.
- If you use publicly accessible web based services to run your business (think Internet Banking, Gmail, Dropbox, Evernote) keep your login credentials smart and safe. This means ensuring passwords (and forgotten-password answers) aren’t easy to guess, aren’t reused across services and are changed regularly. Reuse is the big one: a password leaked from one breached site is routinely tried against every other service. Password management tools like LastPass can generate a strong, unique password for each site and autofill it in your browser when you visit (so you don’t have to remember them all) and will prompt you to set new passwords periodically. Where a service offers two-step verification (Gmail and Dropbox both do), turn it on, so that a stolen password alone isn’t enough to log in.
Physical Security and Internal Control
Once you’ve addressed external threats to your business it’s time to turn your attention inward:
- Ensure any devices that are used to access or store sensitive data are kept physically secure. For PCs and laptops invest in a desk lock or laptop cable lock and get into the habit of locking your screen whenever you step away from your device (Windows key + L does it instantly).
- If you have employees, practice strong access hygiene. This means limiting access to devices, programs and files to what each employee actually needs to perform their job, so that one compromised account (like the receptionist’s in Bob’s case) can only reach the files that role needs. Ensure your employees follow the same safe and smart password practices mentioned earlier, and remember to remove access and change any shared passwords on the day an employee leaves your business.
- Be especially mindful of protecting your devices when travelling. Pack your laptop cable lock (and don’t forget to use it) and avoid logging in to sensitive sites and web services (banking, company email) whilst connected to public WiFi networks. If you travel regularly for work and rely on public and hotel WiFi whilst on the road, consider investing in a Virtual Private Network service like NordVPN, which encrypts your traffic between your laptop and the VPN provider so that others on the same hotspot can’t read it.
Recovery – Bouncing back when the worst happens
Recovery measures are really your last line of defence when dealing with cyber threats. If the worst happens and you suffer some form of cyber catastrophe you need to be prepared if you want your business to bounce back quickly and minimise the impact on your customers and employees:
- Back up critical files on site regularly. The approach you take will depend on the size of your business, the sensitivity of your data and the amount of money you want to spend. The simplest on-site solution is a thumb drive or portable hard drive plus either File History (for Windows 8 users) or free backup software like SyncBackFree to copy your files across. One caveat that Bob’s story makes obvious: ransomware encrypts everything the infected PC can write to, and a backup drive that is permanently plugged in or mapped as a network share is just another drive to it. Unplug the drive between backups (or rotate two of them), and prefer a tool that keeps dated versions rather than overwriting a single copy.
- If your business can afford it, consider investing in an offsite backup solution in addition to your local backup. Cloud backup providers like Carbonite offer the security of an offsite copy that updates throughout the day as files and folders are modified. Make sure whatever service you pick retains previous versions of your files for a reasonable period: a continuous backup will dutifully upload the encrypted copies too, and it’s the version from before the attack that you’ll need.
- If you hold a lot of sensitive customer data, consider purchasing Cyber Insurance for your business. Cyber Insurance policies provide an additional layer of protection for your business by covering the costs associated with a customer data breach (including customer notification and any resulting financial loss).
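To make the versioning point concrete, here is a small Python script that implements the backup approach described above in miniature. It is an added example written for this article, not code from the article itself or from File History, SyncBackFree or Carbonite. Each run copies the source folder into a new dated snapshot and records a SHA-256 manifest alongside it; before pruning old snapshots it compares the new manifest with the previous one, and if most files changed at once (the pattern Cryptolocker produced on Bob’s shares) it keeps every older snapshot so the last clean copy survives. The retention of seven snapshots, the 50% change threshold, the snapshot labels and the sample ‘invoice’ files in the demo are all assumptions constructed for the example.

```python
"""Versioned backups with an integrity manifest and a mass-change check.

Added example for this article; not code from the article or from any
backup product it mentions. Retention and threshold values are assumed.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Tuple

KEEP_SNAPSHOTS = 7           # assumption: keep a week of daily snapshots
MASS_CHANGE_THRESHOLD = 0.5  # assumption: half the files changing in one run is suspicious


def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root (forward slashes for portability)."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(snapshot: Path, manifest: Dict[str, str]) -> None:
    lines = [f"{digest}  {rel}" for rel, digest in sorted(manifest.items())]
    (snapshot / "MANIFEST.sha256").write_text("\n".join(lines) + "\n", encoding="utf-8")


def read_manifest(snapshot: Path) -> Dict[str, str]:
    text = (snapshot / "MANIFEST.sha256").read_text(encoding="utf-8")
    return {rel: digest for digest, rel in
            (line.split("  ", 1) for line in text.splitlines() if line)}


def changed_fraction(old: Dict[str, str], new: Dict[str, str]) -> float:
    """Share of files in the previous snapshot that were altered or have disappeared."""
    if not old:
        return 0.0
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old)


def list_snapshots(backup_root: Path) -> List[Path]:
    """Completed snapshots, oldest first. A snapshot with no manifest was interrupted and is ignored."""
    return sorted(p for p in backup_root.iterdir()
                  if p.is_dir() and (p / "MANIFEST.sha256").exists())


def take_snapshot(source: Path, backup_root: Path, label: Optional[str] = None,
                  keep: int = KEEP_SNAPSHOTS) -> Tuple[Path, bool]:
    """Copy source into a new snapshot. Returns (snapshot_path, suspicious)."""
    backup_root.mkdir(parents=True, exist_ok=True)
    previous = list_snapshots(backup_root)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot = backup_root / label
    shutil.copytree(source, snapshot / "data")
    manifest = build_manifest(snapshot / "data")
    write_manifest(snapshot, manifest)   # written last, so its presence marks the snapshot complete
    suspicious = bool(previous) and (
        changed_fraction(read_manifest(previous[-1]), manifest) >= MASS_CHANGE_THRESHOLD)
    if not suspicious:                   # never discard older snapshots right after a mass change
        for old in list_snapshots(backup_root)[:-keep]:
            shutil.rmtree(old)
    return snapshot, suspicious


def verify_snapshot(snapshot: Path) -> List[str]:
    """Paths whose stored copy no longer matches the manifest (tampered, corrupted or missing)."""
    expected = read_manifest(snapshot)
    actual = build_manifest(snapshot / "data")
    return sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)


def demo() -> dict:
    """Constructed scenario: two normal days, then a day when every document is encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backups = Path(tmp) / "shared_drive", Path(tmp) / "backups"
        (source / "clients").mkdir(parents=True)
        for i in range(4):  # constructed sample documents
            (source / "clients" / f"invoice_{i}.txt").write_text(f"Invoice {i}: 100.00 AUD\n")
        _, day1 = take_snapshot(source, backups, "day01", keep=2)
        (source / "clients" / "invoice_0.txt").write_text("Invoice 0: 120.00 AUD (amended)\n")
        _, day2 = take_snapshot(source, backups, "day02", keep=2)
        for p in list((source / "clients").iterdir()):  # ransomware-style rewrite and rename
            p.write_bytes(b"\x00ENCRYPTED\x00" * 8)
            p.rename(p.with_name(p.name + ".encrypted"))
        _, day3 = take_snapshot(source, backups, "day03", keep=2)
        return {"day1": day1, "day2": day2, "day3": day3,
                "snapshots": [p.name for p in list_snapshots(backups)],
                "day02_intact": verify_snapshot(backups / "day02") == []}
```

In the demo the first two runs look like ordinary days (one invoice amended, so a quarter of the files changed) and the retention of two snapshots is honoured. On the third run every file has been rewritten and renamed, the change fraction hits 100%, and the script refuses to prune, so day01, day02 and day03 all remain and `verify_snapshot` confirms the day02 copy is untouched. The check is a heuristic: a legitimate bulk operation such as moving a whole folder will also trip it, in which case you clear old snapshots by hand once you have confirmed the data is fine. The backup root should still live on a drive that is unplugged between runs, otherwise the snapshots themselves are within the ransomware’s reach.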
I hope you enjoyed this article and found some practical applications to your own business. If you liked the article please don’t forget to hit that like button or drop me a comment below.
For more insights on how your organisation can be more efficient, make better decisions and avoid costly mistakes using risk management you can subscribe to The Risk Guy here. Subscribing takes less than 1 minute and as always I promise no spam – just useful, exclusive content and practical tools straight to your inbox.
*Bob’s name is totally not Bob in real life.