
Small businesses are three times more likely to be targeted by cybercrime than large companies!

Drawing on her own industry experiences as well as those of the small businesses she's seen as part of the CRC for London, Fiona Wickramasinghe from our Community Outreach Team has put together this fantastic guide for SMEs just getting started on their cyber resilience journeys.

I worked in the IT industry, in the easy breezy days before cybercrime was a common thing. It’s a different ball game now - IT and cybersecurity are two different things altogether. You can maintain your IT systems, but this doesn’t guarantee that your business is automatically protected from cybercrime. The astonishing fact is that an attack could come from a criminal on your premises or located on the other side of the planet. It’s akin to a criminal having a remote control for your business! I am quite sure that you don’t want this to happen. My point here is that many people think of cybercrime as very complex, yet it is often forgetting the basics of cyber hygiene that leaves us vulnerable to attack.

I’ll explain… many of the small and micro businesses I recently visited and spoke with in London were absolutely lovely people who visibly care very deeply about the services they provide. I observed that the business owners’ time is precious; after all, time is money, and many small businesses have been hit in succession by the impact of COVID-19 and the crisis of rising costs. For some businesses, their trade is transactional: it’s a roaring trade all day, without breaks for them to breathe and think “What if?”, and they don’t have the headspace to plan for the unthinkable. I love having the opportunity to help guide them towards becoming more resilient and safe.

Some do worry about cyber threats, yet still don’t know what on earth they would do if they suddenly came under attack whilst trading. On the flip side, some other businesses don’t worry at all, because they find it hard to believe that an attacker would want to target them - as though there is no perceived way for an attacker to possibly reach them. Both of these circumstances are, in themselves, actual vulnerabilities in my personal opinion and it’s quite a concern if this is typical of small businesses. A lack of awareness of the many different routes of attack forms part of this reactive, rather than proactive approach. If small business owners cannot imagine or recognise how they could fall victim to an attack, how can they take the necessary steps to protect themselves? Our team enjoys a good chat with them and having thought-provoking discussions!

Well, I’m delighted to tell you some good news - it’s mostly the basics that let us down when falling victim, and we absolutely can do something to strengthen ourselves against those who prey on us when our backs are turned or when we accidentally drop the baton. It’s not about spending a crazy amount of money on protection. It’s about self-awareness, being vigilant and careful. It’s about your whole business team being trained in the basics and getting them to buy into the principle that prevention is always better than cure. We frequently read in the news about larger companies being brought to their knees due to not following cybersecurity basics. So, what I want to tell you is that it’s about the importance of all members of staff coming together, building a strong front line and not skipping these business-critical steps. Here are some great tips for small businesses:

Use 2-step verification.

If a criminal finds out your password, they will be unable to get into your account, as they don’t have access to the device that generates the One-time Passcode (OTP) for verification.

Use strong passwords, and consider using a password manager.

A password manager generates strong passwords and stores them for you, so you don’t have to remember them. 

Do frequent software updates.

Applying software updates promptly is important because hackers are always finding new ways of gaining access. Software updates offer you the latest version which makes your software more secure. Also consider using the automatic updates option.

Do regular backups of your data.

This means that in the event of anything disrupting your business (e.g. a cyber-attack, loss or theft of devices), you can restore your files and data back onto devices.

Don’t share your main Wi-Fi password with customers.

Speak to your internet provider about how to create a guest password, to keep your business devices and network separate and secure. Also, use a strong password that can't be guessed easily.

Use antivirus.

Getting infected by malicious software (malware) can result in data theft and disruption to business operations. Ransomware is a form of malware that “locks” your data and files, and demands a ransom to unlock it.

Know your vulnerabilities - formulate your Incident Response Plan and have it ready for a cyber-attack.

Further on in this article, I have given an example Incident Response Plan for the typical micro business in the high street, so you can get some ideas of how to write one that would work well for you.

I would encourage businesses that have IT support to have regular conversations with their IT professionals, to make sure they are meeting the business's security needs and expectations. There is often a misconception that by having IT support, you are automatically cyber resilient, but they could be doing very little to protect you unless you have explicitly asked them to.

Now let’s paint a picture everyone can relate to, to highlight some common risks:

Didn’t repair a minor hole in the roof - a storm eventually came that the roof couldn’t cope with and destroyed the inside of the house.


Didn’t do my software updates - a hacker emailed me an unexpected attachment, which I opened. Malware found my laptop vulnerable and quickly spread. Now my files are destroyed and I can no longer use my device.

I left my key in the lock - an opportunist burgled me.


I wrote my password down - someone accessed my email account, my bank account, and my social media account.

Be prepared to face a cyber-attack with an incident response plan and review it regularly. Did you ever wonder how a small business like a hairdressing salon or a cafe should respond to a cyber incident? Here are some tips we often mention during our business visits:

I’ve been hit by a cyber-attack, who should I contact to report it?

Call Action Fraud on 0300 123 2040 if the cyber-attack is currently happening. Report online if the cyber-attack has been resolved:

Should I pay a ransom? 

Ideally no, if you can help it. You cannot guarantee you will get your access back, and you can make yourself more of a target for the hacker if they believe you will pay. Contact Action Fraud for further guidance. You could try, which can remove many types of ransomware so you don’t have to pay.

Someone is on the phone pretending to be my bank.

Hang up and dial 159 to contact your bank and report the incident.

I think I’ve clicked a dodgy link/attachment.

Run your antivirus and look out for unusual activity on your device - crashing, repeated error messages, lots of pop-ups, and inappropriate ads are examples of red flags.

I was tricked into giving out bank details.

Contact your bank with a trusted number.

I was tricked into logging into a fake site.

Change passwords to all accounts at risk - remember the golden rule - ensure your email password is strong and different (i.e. not used for any of your other accounts).

You can report a scam website to the National Cyber Security Centre:

Where do I go for additional victim support?

The Cyber Helpline is available for free, expert help for victims of cybercrime, digital fraud and online harm:

If in doubt, always go to Action Fraud. They are our national reporting service for all cybercrime and fraud:

Sometimes we worry about things that might happen, but we just choose to hope for the best. But that’s a conscious choice and it’s better to be prepared and in control - you’ll be less worried, more informed, stronger, and able to minimise the damage or loss that comes with cybercrime. 

If you found my article helpful, please share it with anyone you think could benefit from it!

Written by: Fiona Wickramasinghe

Cyber Resilience Centre for London

From the Community Outreach Team

"Small businesses are three times more likely to be targeted by cybercrime than large companies" - Source:

Written by:
Fiona Wickramasinghe
05 April 2024