11 cyber security tips for SMEs from an ethical hacker
From ecommerce to remote working, more and more SMEs are running their businesses online. But has this left them vulnerable to cyberattack? Rob Shapland, an ethical hacker at Falanx Cyber, reveals how to improve SME cyber security.
Rob gets paid to hack into businesses, both online and, in some cases, in person. "I dress up in different outfits," says Rob, "I go and hide in a meeting room and hack them from the inside." It might sound extreme, but almost half of businesses experienced cybercrime in 2020, and more sophisticated methods are appearing every day. Ethical hackers like Rob are having to find inventive ways to expose the risk to businesses big and small, so they can learn to protect themselves better.
Rather than send Rob undercover, we've asked him to share his top SME cyber security tips that will help keep your business safe.
Tip 1: Understand you are a target
You might think that cybercriminals aren't interested in your business, especially if you're small or just starting out. But you'd be mistaken.
"Criminals look for low-hanging fruit, easy targets they can pick off," says Rob. The reward for hacking a giant corporation might be higher, but it is harder to do, and SMEs usually can't afford the same level of information security.
Rob adds: "If they can send an email to a company convincing them to do a money transfer and that company has had no cyber training, they're more likely to fall for it."
It's worth remembering that the legal protections for commercial bank accounts aren't as strong as those for personal accounts, so banks won't always reimburse a business for a fraudulent transfer.
Money is usually the motivation, but hackers, whether working for organised crime, foreign governments or even rival organisations, don't just try to con you out of your bank details. They may be using you as a stepping stone to your clients' data.
Rob explains: "Say a large company outsources all of their HR to a small company. They're going to be handling all their sensitive information, but with an IT security budget that might be a thousandth of the size. As a hacker, you're going to think what's easier for me to break into, this multinational bank or the small HR business they're giving all their data to?"
The good news is that you don't need a huge budget or a dedicated cyber security centre to tackle cybercrime. In most cases even the most basic IT security can be enough to put a hacker off. "Most will just move on to another business if you've got some basic security controls in place," says Rob.
Tip 2: Keep everything up to date
Malware is the umbrella term for viruses, ransomware, spyware and any other malicious software that can end up on your computers or devices. It can be used to damage your systems, steal your data or your identity, and more. It spreads through links in emails, fake software downloads and even text messages, and very often through known flaws in out-of-date software. Keeping every piece of software you use for business up to date, ideally with automatic updates switched on, closes those flaws before criminals can use them, and anti-virus software adds a further layer of defence. The cyber security market is huge, so finding a solution that fits your business shouldn't be hard.
Tip 3: Scrutinise every email – even if they look familiar
We all know spam emails are a security risk, whether it's a prince offering to share their fortune if you hand over your bank details, or a hilarious video you have to watch by clicking a link or downloading an attachment.
The technical term for this is phishing. A cybercriminal sends the same email to thousands of people in the hope that even a small fraction will act on it, handing over bank details or access to business files that can be turned into quick cash.
"They often have spelling and grammar mistakes," says Rob.
Then there's spear-phishing, which is much more targeted. Rob says: "They'll tailor this directly to you – or something in your life – to massively increase the chances that you'll do it." For instance: "A hacker might look at your holiday photos online to see where you stayed and send an email pretending you left something at the hotel." They'll encourage you to open the attached photos, which actually contain malware.
Cybercriminals don't just rely on their coding skills to scam you out of your money. They also use psychological techniques. For instance, Rob says: "I'll send someone in a company's finance team an email claiming I'm the [Chief Financial Officer]. I'll tell them I'm at the airport about to get on my flight. And I need a money transfer to be made to my bank account by the time I land."
That may not sound very Derren Brown, but it actually combines a number of persuasive tricks. Posing as an authority figure, the Chief Financial Officer, is one way to compel people to do as you say. Saying you need the funds urgently motivates them to act fast and not think about the consequences, while saying you'll be airborne for several hours makes them less likely to try to ring the CFO to verify.
"I've seen this done lots of times," says Rob. "Companies sending £15-20,000 at a time. There was a company, in January last year, that fell for it and transferred half a million pounds. Then the following week, the hackers tried again – and the company paid out again. They did this for 36 weeks, costing the company £18 million in total."
The solution to all these scams is to double-check every email. Does the sender's address look right, down to the last letter of the domain? Where do the links actually point (hover over them before clicking)? Is the greeting impersonal, as if the sender doesn't really know you? Are they trying to rush you? If there's any doubt, contact the person or company the email claims to be from, using a phone number you already have rather than one given in the email, and ask them to confirm it's genuine. For payments and changes to bank details, make that call a fixed rule, however senior the sender appears to be.
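The checks above can be written down as a small screening script. The Python below is an added example, not code from the article or from Falanx Cyber: it parses a raw email and flags a look-alike sender domain, a Reply-To that leads somewhere else, links whose visible text doesn't match their real destination, pressure words and an impersonal greeting. The company domain example-ltd.co.uk, the word lists and both sample emails are constructed for the demonstration.

```python
"""Flag common phishing indicators in a raw email message (standard library only)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the company's own email and web domain. Change this for your organisation.
TRUSTED_DOMAINS = {"example-ltd.co.uk"}
# Phrases that pressure the reader into acting before thinking.
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before i land")
IMPERSONAL_GREETINGS = ("dear customer", "dear colleague", "dear user", "hello,", "hi,")
# Characters criminals swap into domain names so they still look right at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
LINK_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain):
    """Lower-case, undo digit-for-letter swaps and collapse 'rn' -> 'm', 'vv' -> 'w'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain):
    """True if domain is not one of ours but is within one edit of one after normalisation."""
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalise_domain(domain)
    return any(edit_distance(norm, normalise_domain(t)) <= 1 for t in TRUSTED_DOMAINS)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg):
    """Concatenate the text parts of the message, whether or not it is multipart."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def phishing_indicators(raw_email):
    """Return human-readable warnings for the message; an empty list means no check fired."""
    msg = message_from_string(raw_email)
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if is_lookalike(from_domain):
        warnings.append(f"sender domain '{from_domain}' imitates one of ours")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies go to '{reply_domain}', not to the sender's domain '{from_domain}'")
    body = body_text(msg)
    for href, text in LINK_RE.findall(body):
        href_domain = (urlparse(href).hostname or "").lower()
        text_domain = (urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname or "").lower()
        if text_domain and text_domain != href_domain:
            warnings.append(f"link text shows '{text_domain}' but points to '{href_domain}'")
        elif href_domain and href_domain not in TRUSTED_DOMAINS:
            warnings.append(f"link points to external site '{href_domain}'")
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    subject = msg.get("Subject", "").lower()
    pressure = [w for w in URGENCY_WORDS if w in plain or w in subject]
    if pressure:
        warnings.append("pressure to act quickly: " + ", ".join(pressure))
    if plain.strip().startswith(IMPERSONAL_GREETINGS):
        warnings.append("impersonal greeting")
    return warnings


# Constructed sample: the "CFO at the airport" email described in the tip above.
PHISH = """\
From: "Jane Smith (CFO)" <jane.smith@examp1e-ltd.co.uk>
Reply-To: jane.smith.cfo@example.net
To: accounts@example-ltd.co.uk
Subject: Urgent - transfer needed before I land
Content-Type: text/html; charset="utf-8"

<p>Dear colleague,</p>
<p>I'm at the airport about to board. Please send GBP 18,500 immediately to the account on this
invoice: <a href="http://payments-verify.example.net/invoice">https://example-ltd.co.uk/invoice</a></p>
"""

# Constructed sample: a routine internal email, for comparison.
GENUINE = """\
From: "Jane Smith" <jane.smith@example-ltd.co.uk>
To: accounts@example-ltd.co.uk
Subject: Q3 supplier invoices
Content-Type: text/html; charset="utf-8"

<p>Hi Tom,</p>
<p>The Q3 invoices are in the shared folder: <a href="https://example-ltd.co.uk/finance/q3">Finance / Q3</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", PHISH), ("genuine", GENUINE)):
        found = phishing_indicators(raw)
        print(f"{label}: {len(found)} indicator(s)", *found, sep="\n  ")
```

Run it and the constructed scam email trips all five checks while the routine one trips none. A script like this is a teaching aid and a first filter, not a replacement for the phone call: a well-crafted spear-phish from a compromised genuine mailbox will pass every test here.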
Tip 4: Forget pet names. Make passwords long – but more memorable.
We've all been there, trying to remember our passwords. Some of us reuse the same one over and over, but if that password leaks from one website, criminals will try it on every other account you own.
The most secure passwords are long and made up of random characters. However, this means you either need a razor-sharp memory or a password vault (a password manager) to remember them for you. A password vault is like an online safe for things like usernames, passwords and credit card details. That way you only need to remember a master password to unlock the vault and access all your log-in details when you need them.
Alternatively, you could use a passphrase: a string of several unrelated words that is far easier to recall and, provided it is long enough and the words aren't predictable, just as tough for criminals to crack. Rob's example went like this: "At the moment I can see a cat, chicken, map and a chair. So I make my password cat, chicken, map, chair." To help him remember it, Rob uses a simple visualisation technique. "I imagine that the chicken is sat on the map, and the cat is sat on the chair looking at it. The chicken is also dressed in a suit, so I know it's my work password," he says.
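To put numbers on "just as tough to crack", here is an added example (not code from the article) that compares the strength of passphrases and random-character passwords in bits of entropy, and estimates how long an attacker would need to guess them. The strength of a passphrase depends entirely on how many words were chosen at random and how big the list they came from was; the figures assume the attacker knows the scheme and the list. The ten-billion-guesses-per-second rate and the 5,000-word "common noun" vocabulary are assumptions for the comparison, and the sixteen-word list is constructed for the demo and far too small for real use.

```python
"""Compare passphrase and random-character password strength in bits of entropy."""
import math
import secrets

# Constructed mini wordlist for the demo only. A real diceware list such as the
# EFF large list has 7,776 words; 16 words give just 4 bits per word.
SAMPLE_WORDS = ["cat", "chicken", "map", "chair", "river", "candle", "window", "pencil",
                "orange", "cloud", "basket", "ladder", "helmet", "garden", "button", "rocket"]


def entropy_bits(choices, positions):
    """Entropy of `positions` independent uniform picks from `choices` options: positions * log2(choices)."""
    return positions * math.log2(choices)


def generate_passphrase(wordlist, n_words, separator=" "):
    """Pick n_words with the OS cryptographic RNG (secrets), never with random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def seconds_to_crack(bits, guesses_per_second=1e10):
    """Expected time to search half the keyspace. 1e10 guesses/s is an assumed rate for a
    well-resourced offline attack on a fast hash; slow hashes (bcrypt, Argon2) cut it sharply."""
    return 2 ** (bits - 1) / guesses_per_second


def words_needed(list_size, target_bits):
    """Smallest number of random words from a list of list_size that gives at least target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def strength_table():
    """Candidate schemes and their entropy in bits, as (label, bits) tuples."""
    return [
        ("8 random printable ASCII characters (95 symbols)", entropy_bits(95, 8)),
        ("4 words, attacker assumes a 5,000 common-noun vocabulary", entropy_bits(5000, 4)),
        ("4 words drawn at random from a 7,776-word diceware list", entropy_bits(7776, 4)),
        ("6 words drawn at random from a 7,776-word diceware list", entropy_bits(7776, 6)),
        ("16 random printable ASCII characters", entropy_bits(95, 16)),
    ]


def human_time(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for label, bits in strength_table():
        print(f"{bits:6.1f} bits  {human_time(seconds_to_crack(bits)):>22}  {label}")
    print("Words needed for 80 bits from a 7,776-word list:", words_needed(7776, 80))
```

The table shows the point the tip glosses over: four everyday nouns that an attacker can guess from a few thousand common words come in under 50 bits, weaker than eight random printable characters, whereas six words picked at random from a diceware list exceed 77 bits and are out of reach of brute force. Length and genuine randomness in the choice of words are what make a passphrase strong, and it still needs to be unique to the account.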
Tip 5: Remember to back up your data
A growing threat is ransomware. This is malware that encrypts your files, or locks you out of your systems, until you pay the criminals for the key. Some variants spread by themselves from computer to computer: WannaCry, the attack that hit the NHS in 2017, infected around 230,000 computers in 150 countries. Since then, ransomware attacks have only increased, and SMEs now account for 60% of victims.
A simple way to take the sting out of a ransomware attack is to back up your business data regularly, for example to a cloud service. Two caveats: the backup must not be reachable with the same credentials as your everyday systems, or the ransomware will encrypt it too, so keep versioned or offline copies; and practise restoring from it, because a backup you have never tested is only a hope. Bear in mind too that many gangs now steal data before encrypting it, so a backup protects your operations but not the confidentiality of what was taken. With those in place you can restore your data and regain control without a hefty payout.
Tip 6: Give your homeworkers business security
Coronavirus forced SMEs to adapt fast to home working and start selling online. But in our haste to get up and running in cyberspace, have we forgotten the home network security basics?
There are a couple of ways you can extend office-grade security to your home and the homes of the people who work for you. The first is to use cloud software: Microsoft's Office 365, Google Drive or similar cloud services for your email, your files and your business and customer data. You're putting the security of the underlying infrastructure in the hands of the big tech companies, which is reassuring for you and your customers, but the accounts are still yours to protect: turn on multi-factor authentication for everyone and be sparing about who can access what.
If you need to work from home but your files are stuck on a computer in the office, a VPN is a good option. "A VPN creates an encrypted tunnel from you to your office," says Rob. "Nothing can get in the way or intercept the information passed over it because it turns it into random rubbish you can't read."
"A VPN is the best way to connect to your office network from outside."
It's worth remembering that you can be fined for mishandling personal data if you don't have appropriate controls in place. Taking the time now to get computer, network and business security right can save a lot of time and money in the long run.
Tip 7: Make online shoppers feel safe
It's not just where SMEs work that has changed. In some cases entire business models have moved online. This might be the first time you've had to manage online transactions, and where there are bank details involved there's always risk. "A sensible way to do it is to outsource your checkout page to a third party provider like PayPal or Sage Pay," says Rob. "That way you're outsourcing that responsibility, so you don't have to worry so much about being hacked." A hosted checkout also means card numbers never pass through your own website or servers, which shrinks the amount of PCI DSS compliance work you have to do yourself.
Tip 8: Don't let a birthday Facebook post become a gift for hackers
You'd be amazed at how much information cybercriminals can glean from your social media profile. "Let's say you've been on Instagram for years," says Rob. "I go through your Instagram page looking for a photo of a gathering of people, click into the photo and look for messages saying ‘happy birthday'. I'll even count the candles on your cake. Or perhaps there's a picture of your dog, and your secret answer is your dog's name. I can build up enough of a profile to control your bank account or mobile phone account."
The quick fix is to set your personal social media to private, so only people you allow can see your posts. And encourage everyone in your team to do the same. When it comes to having a business page on Facebook or LinkedIn, the whole point is to be public so you can reach new customers. So just think twice about what you post and how it could be used against you.
Tip 9: Invest in guest wi-fi
Today, free wi-fi is a must-have, whether you're serving it with a coffee or making it easier for visiting clients to connect with your team. But be careful: giving a customer your wi-fi password is like giving them the key to your whole network. If you don't take proper steps, an attacker on your wi-fi could reach your files, printers and every other device on it. Rob says: "As a criminal, I could break onto your own devices and take control of those and do whatever I want with them." Even a well-meaning customer could accidentally download malware onto your system while browsing the web.
"There's also a slight reputational risk if your wi-fi network was found to be the cause of someone being hacked," adds Rob.
You can protect yourself by setting up a separate guest wi-fi network, which most business routers and many home routers support. It keeps customers' traffic isolated from your own devices, so customers can surf away while your files stay out of reach. Check that the guest network really is isolated (it should be able to reach the internet and nothing on your office network) and change its password from time to time.
Tip 10: Get your people cyber-savvy
What is cyber security? Not everyone knows, so it's important to provide the right training. There are plenty of online courses available, but Rob says that if you want to really grab their attention, you should hire an instructor. "You'll get a lot more buy-in from it," Rob explains. "Rather than saying don't click on this link here, they'll explain the thinking behind it, why the criminals have done it that way, and what they're looking to achieve...it's a lot more interesting."
Tip 11: Prepare for the unexpected
Cybercrime isn't going away, but how we tackle it is getting better each day. Our Cyber Insurance can't protect you from an attack, but it can help you deal with the fallout, covering the cost of fixing your systems and your reputation.