According to Louisa Murphy from Lancashire Police’s Digital Investigations Unit, 50% of crime is cyber or internet related nowadays. That’s a lot. But what sorts of things count as ‘internet related crime’? Well, the biggest threat to SMEs at the moment is a data breach, meaning someone gains access to your company’s systems and steals your data, whether that’s financials, account details, customer records, supplier information or any number of other things.
Under GDPR you now have to report a breach, as you have a duty of care to your customers: a personal data breach that is likely to put people at risk must be reported to the ICO within 72 hours of your becoming aware of it, and the affected individuals must be told if the risk to them is high. If you don’t report a breach in time you could be looking at a GDPR fine, which can run to 4% of your annual global turnover, so although it might be embarrassing, it is better to come clean. Of course, keeping on top of your security can limit the chances of a breach occurring in the first place. Louisa has given us the acronym ‘PUPS’ as an overview of what you can do to keep your business safe online.
PUPS: Passwords – Updates – Protection – Security
People tell you not to use the same password for everything and although we know it makes sense, it’s not something everyone does. The reason it matters is that when one website you use is breached, criminals try the leaked email and password on every other service, so a reused password hands them all of your accounts at once. Realistically, it can be difficult to remember passwords for everything, and when you only get three attempts before being locked out, the risk of a wrong guess can feel too great. There is, however, a simple way of creating a decent password:
- 12-26 characters
- 2 or 3 random words (e.g. Tribe + gingerbread)
- Mix up the words (Tr1begiingrbre@d)
To make it more memorable, the first word can be less random – for instance, if you need a new Spotify password, keep it musical. Perhaps the first concert you went to. Then mix up the letters and add in some numbers to keep it obscured.
If keeping all your passwords in your head seems too complicated, you can use a password manager, which stores the passwords for all your accounts in an encrypted vault. You only need to remember the one master password, but if that one leaks every account in the vault is exposed, so make it long, never reuse it elsewhere, and protect the manager with a second factor where it offers one. Similarly, if you need to let other people use your network, they don’t need to see everything. Your sales team don’t need to see your payslips and HR don’t need to see customer information, so give each role access only to the areas it actually needs.
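As an added example, not code from the article or from Lancashire Police, the following Python performs the ‘random words’ step of the recipe above and shows what a word-based password is actually worth. It goes beyond the text in two ways: it picks the words with the operating system’s cryptographic random source rather than from memory, and it works out how many guesses an attacker who knows the word list would need. The 32-word list, the function names and the hyphen separator are assumptions made for the example; the letter-swapping step the article describes is left to the reader.

```python
import math
import secrets

# Constructed sample word list for this example only (assumption); a real
# generator should draw from a published list such as the EFF long list of
# 7776 words, because the list size is what sets the password's strength.
WORDS = (
    "tribe", "gingerbread", "lantern", "orbit", "velvet", "compass",
    "meadow", "anchor", "pepper", "glacier", "tunnel", "harvest",
    "ribbon", "saddle", "quartz", "feather", "marble", "cactus",
    "thunder", "walnut", "pillow", "canyon", "sprocket", "ember",
    "falcon", "iceberg", "jungle", "kettle", "lobster", "magnet",
    "nickel", "otter",
)


def generate_passphrase(count=3, words=WORDS, separator="-"):
    """Join `count` words chosen uniformly at random.

    secrets.choice uses the OS cryptographic random source; random.choice
    is seeded predictably and must not be used for passwords.
    """
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Guessing entropy of `count` independent draws from a `list_size` list.

    An attacker who knows the list and the word count has 2**bits
    candidates to try in the worst case.
    """
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches `target_bits` from a given list."""
    return math.ceil(target_bits / math.log2(list_size))


def within_length_rule(passphrase, low=12, high=26):
    """The article's 12-26 character rule, applied to the joined result."""
    return low <= len(passphrase) <= high


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "fits length rule:", within_length_rule(phrase))
    # 3 words from 32 is only 15 bits; 3 from 7776 is about 38.8, 4 about 51.7
    for size, count in ((32, 3), (7776, 3), (7776, 4)):
        print(size, "words, pick", count, "->", round(entropy_bits(size, count), 1), "bits")
```

The arithmetic is the point: three words from a tiny list are easy to guess, three from a 7776-word list give roughly 38.8 bits, and a fourth word adds about 13 more. Words chosen from memory come from a far smaller effective list than any published one, which is why the random source matters more than the letter substitutions.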
When you get a new update, do you click ‘yes’ immediately or put it off until your system practically forces you to? You might think waiting until the bugs in a new update are fixed is no big deal, but many updates exist to close a security hole that attackers are already exploiting, so every day you wait is a day you are exposed to a known weakness. Always keep your systems updated, and turn on automatic updates where you can.
Relatedly, make sure you have a computer backup too. If you use cloud storage you might assume your data is always retrievable, but you are relying on someone else’s server: if your account is compromised or the provider loses the data, you may not be able to get it back. Keep a separate copy of your own on an external hard drive or USB stick, and disconnect it once the backup has finished, because ransomware that encrypts your computer will also encrypt any backup drive that is still plugged in. Check from time to time that you can actually restore files from the copy.
Think before you click.
One of the main threats to your system comes through email. Do you trust the sender? Is the email address in the right format, and does the part after the @ actually belong to the organisation the message claims to be from? Is there anything ‘off’ about the wording? Are logos missing? If you aren’t sure about a link, don’t click it: open a new tab and type the website address yourself, or log in to your account separately. Hovering over a link shows where it really goes, which is often a different address from the one written in the message.
When entering personal details or making a payment on a website, look for the padlock in the address bar and make sure the address starts with https:// rather than http://. The padlock only tells you that the connection to the site is encrypted, not that the site is genuine: phishing sites use https:// too, so check that the domain name is the one you expect as well.
If you take payments through your own company website, you need a TLS certificate for your domain, which your host then installs so that the site is served over https://. Certificates are issued by certificate authorities, and some, such as Let’s Encrypt, issue them free of charge.
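The sender and link checks in the email and https:// paragraphs above can be scripted. The following Python is an added example, not code from the article, and runs those checks over two constructed messages: it compares the From and Reply-To domains, flags sender and link domains that reuse a trusted brand name on a different domain, flags http:// links, and catches a link whose visible text names one site while its href points at another. The trusted-domain list, the sample messages and the helper names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical business treats as genuine senders (assumption).
TRUSTED_DOMAINS = {"examplebank.co.uk", "ourcompany.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, ignoring any user@ prefix and port."""
    netloc = urlparse(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain whose brand name `domain` reuses while being neither
    that domain nor a subdomain of it (examplebank-login.com vs examplebank.co.uk)."""
    for t in trusted:
        brand = t.split(".")[0]
        if domain != t and not domain.endswith("." + t) and brand in domain:
            return t
    return None


def _html_body(msg):
    """First text/html part of the message, decoded to str ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def check_email(raw):
    """Apply the article's sender and link checks to one raw message and
    return the findings; an empty list means nothing looked off, which is
    not the same as the message being genuine."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", from_domain):
        findings.append(f"From address is malformed: {from_addr!r}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} imitates {imitated}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To points at a different domain: {reply_addr}")
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        host = host_of(href)
        if urlparse(href).scheme == "http":
            findings.append(f"Link uses http:// rather than https://: {href}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"Link host {host} imitates {imitated}")
        shown = URL_RE.search(text)  # a URL written in the link's visible text
        if shown and host_of(shown.group(0)) != host:
            findings.append(f"Link text shows {host_of(shown.group(0))} but goes to {host}")
    return findings


# Constructed sample messages for the example (not real mail).
SAMPLE_PHISH = (
    'From: "Example Bank" <security@examplebank-login.com>\n'
    "Reply-To: recover@mail-reset.net\n"
    "To: owner@ourcompany.co.uk\n"
    "Subject: Urgent: verify your account\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body><p>Your account will be suspended. Please "
    '<a href="http://examplebank-login.com/verify">log in at '
    "https://examplebank.co.uk</a> now.</p></body></html>\n"
)
SAMPLE_CLEAN = (
    'From: "Accounts" <accounts@ourcompany.co.uk>\n'
    "To: owner@ourcompany.co.uk\n"
    "Subject: March invoice\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<html><body><p>Portal: <a href="https://ourcompany.co.uk/portal">'
    "https://ourcompany.co.uk/portal</a></p></body></html>\n"
)
```

Run `check_email(SAMPLE_PHISH)` and it reports five problems with the constructed message (lookalike sender domain, mismatched Reply-To, an http:// link, a lookalike link host, and link text that names the real bank while the link goes elsewhere); `check_email(SAMPLE_CLEAN)` reports none. A script like this is a helper for a mail filter or a staff training exercise, not a substitute for the judgement described above.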
Even something as simple as free antivirus can help protect your business. Although there are more comprehensive packages that focus on specific threats, a mainstream antivirus or anti-malware product that is kept up to date will stop common, known malware before it can infect your system.
Different Types of Threats
Threats can come from all sorts of places. Some sound like conspiracy theories, but external threats from competitors, investigative journalists, hacktivists and even intelligence services do happen to small businesses and they can have a devastating impact. There are also internal threats such as viruses on visitors’ USB sticks, ex-employees who still have access to the system (their accounts should be disabled on the day they leave), and even simple ignorance of cyber security procedures.
Malware is malicious software that can be used to spy on your company and to steal, change or encrypt your data; ransomware, the kind that encrypts it, is then used to hold your company to ransom. Even when reported to Action Fraud there may be little that can be done to recover the data, and it is ultimately up to the company themselves whether they want to pay. On the one hand you could lose your livelihood, but on the other there is no guarantee that the criminals will hand your data back, or that it will come back uncorrupted. Having an IT disaster contingency plan, with backups kept offline and tested, can be vital in such situations, allowing you to restore your data and continue operating the next day.
Pre-paid Business Cards
If you apply for funding and are asked to provide proof that you can match it, be wary. Usually you need to show that you can put forward some of the funds yourself, but this doesn’t mean you have to hand any money over. There is a recent trend of asking people to pay money into a bank account so that it can then be ‘matched’. In all likelihood the company will run off with your money, so check that any offer is genuine before paying anything. If you have any doubts whatsoever, contact Action Fraud.
Loss of Data
For systems not owned by your own company there are other vulnerabilities. If your data sits on a server in Ireland and that data centre catches fire, that’s your data under threat. If your cloud storage is kept abroad, the laws may differ from those in the UK, and moving personal data outside the UK without appropriate safeguards in place can put you in breach of GDPR. If you interact with other organisations, how secure is their access to your systems? Making sure everyone is aware of your standard operating procedures is a step in the right direction, and it is important for staff to understand how they are responsible for the company’s protection.
Protecting Yourself from Staff
Protecting your business isn’t just about data threats; it’s also about reputation. Employees can damage your reputation without even realising it: where’s the line between being an individual and a company representative, after all? Although we don’t think you should be policing your employees, it is important to keep an eye out for potential scandals. Consider writing a clause into staff contracts stating that behaviour which affects the company’s reputation may lead to disciplinary action.
You may also want staff to be discreet about where they work and what their role involves, because people who handle sensitive information become targets for social engineers: people who befriend an employee, learn about their life and use that relationship to gain access to your company.
What to Do If You Notice a Threat
If you suspect fraudulent activity, stolen data, a malware attack or a DDoS (a distributed denial of service attack, where your online services are deliberately knocked offline), contact Action Fraud on 0300 123 2040. They can help you identify the problem, investigate the threat and try to resolve it. If an attack is happening in real time you can also call 999, explaining the severity of the attack on your business.
For what seemed like a dry topic, the first October networking event was engaging and interactive. Louisa brought a team with her to help answer business owners’ specific questions about their own online security, and everyone left with a more comprehensive understanding of the issues businesses face online.
Let’s hope tonight’s networking event on IPO is just as engaging!