Cyber attacks like the one that affected PageUp in June can heighten businesses' awareness of their virtual vulnerabilities.
Even though a recent report suggested small businesses could be at significant risk of cyber attacks, there's an ongoing perception that it's the big banks, global corporates and high-profile tech companies that are at the greatest risk.
Paul Byrne, co-founder and chief executive of Amplify Intelligence, a startup providing tools for small businesses to protect themselves against cyber attacks, says there's a knowledge gap among small businesses, and too few cyber security experts, who are snapped up by big banks and corporates.
However, it's the smaller businesses, without the big budgets, that are more vulnerable.
"Criminals have realised that actually it's really hard to steal money from a big enterprise," says Byrne.
Corporates have sophisticated defences in place, while "small businesses are still at anti-virus and firewalls", he says, which means "they're trying to use 10-year-old tech against new attacks".
Startups are at risk as well. Being tech savvy doesn't necessarily mean being security savvy, Byrne says.
As a startup founder himself, Byrne knows first hand that security might not be at the forefront of entrepreneurs' minds. If nothing else, you have to be "blindly optimistic" to launch a startup in the first place, he says.
"We're so focused on building the vision of what we want to build, it's about what's most important. Security might not come up if we don't have an awareness," says Byrne.
However, tech startups are some of the most vulnerable to these kinds of risks.
"The more and more we're leveraging data, and our business models are based on that," the more susceptible they are, Byrne says. And "they're much higher value" to hackers.
It can be easy to become overwhelmed by the number of "little fixes" around cybersecurity, such as enabling the HTTPS protocol, which simply prevents tampering in communications between a website and its users. That is just "turning on encryption with communications" and is "one of thousands of settings you should use to protect yourself", says Byrne.
However, under the mandatory data breach reporting amendments to the Privacy Act, which have been in place since February, businesses need to maintain basic cyber hygiene more than ever before. And that's not as difficult as it may first appear.
We asked Byrne and Jason Murrell, who runs Defend Wise, a business helping small businesses bolster their cyber resilience, to share five relatively easy ways startups and small businesses can get their security on track.
1. Know what's valuable
There's a common misconception that small businesses would not be a target for hackers because they're too small-fry, but Byrne says no business is "too small to get noticed".
In fact, things like ransomware are hitting small businesses harder than others. And attackers are not necessarily trying to access money.
Startups and small businesses should consider "what assets you have that can be monetised in ways you don't realise", says Byrne. For example, personal information about customers or employees can "actually be really valuable to criminals", he says, even if they just sell it on.
Byrne sets out the example of a healthcare company. The business may protect its clients' health data to a sufficient standard, but to criminals, staff data could actually be more lucrative as it can open up a door for identity fraud.
2. Train your staff
Big corporates have people entirely dedicated to cyber security. For the most part, small businesses just don't have the budget for that.
Murrell says businesses with fewer than 30 employees, particularly in the legal, financial and health space, are vulnerable to phishing attacks, whereby criminals will send a fraudulent email including a link, in a bid to get people to enter their email details. They're also susceptible to what Murrell calls spear phishing attacks that target one person in particular.
In one example, employees of a small law firm received an email purporting to be from Office 365, saying their email inboxes were full. One employee typed her credentials into the replica Microsoft page the email linked to, and as a result, gave her details to the hackers.
After monitoring the account for a while, the hackers stopped outgoing invoices and changed the bank details, redirecting the funds. In this case, by the time the staff member followed up the invoices, the money had been transferred far away.
"From there, you can't really go to the police," Murrell says.
"It's almost like leaving your house unlocked," he adds; criminals will always take the easiest option.
The only way to avoid this kind of situation is through training, whether that's through videos, external consultants or running simulation scams.
Either way, it's important to get staff on board and engaged, Murrell says, and that can come through making them think about their personal risks, as well.
"We want them to think not just about protecting business, but also protecting them at home," he says.
Equally, there's no point in naming and shaming those who fall for an attack. Rather, the focus should be on celebrating those who spot them.
3. Two-factor authentication
In the case of the employee at the law firm, that breach would have been avoided entirely if the employee in question had had two-factor authentication on changes to her Office 365 account.
Two-factor authentication simply requires an additional piece of information that only the user would know before they can log into something, whether that's an app, client management system or email account. Typically, before the user can log in, a code will be sent to a different device – usually a mobile phone – which is required for access.
According to Murrell, if a platform has the option of two-factor authentication, "it's a key thing you should be looking at".
Byrne also names this as an easy way to "get yourself up to the next step" of security.
4. Know where your data is
When using online storage or cloud providers, such as Dropbox or Google Docs, it's important to be aware of where that data is hosted, what that means for the business, and whether it increases the risk.
However, Byrne says he worries less about cloud-based storage options, and more about people storing critical information on their email.
He has seen small companies keeping things like contracts and client details on their email accounts, where "that's the only copy they have".
"That's less safe than putting it on Dropbox," he says.
Emails are one of the easiest parts of a business to hack. And, if a business is compromised, the first question customers are going to ask is what is being done to protect that client information.
The reputational damage could be significant, but the measures taken to protect such data will also have a bearing on the penalties imposed.
"The governance and regulatory bodies are saying that as long as you've taken as many measures as you can ... that would be okay," Byrne says.
"If you haven't really done anything, they're going to come down a lot harder."
5. Be aware
Simply raising awareness of cyber risks within the business can make a big difference.
“A lot of people don’t consider cyber security to be an issue until they get a breach,” Murrell says.
"It's not if, it's when. You either have [been attacked] or you're going to be," he adds.
It's essential to have policies in place around things like responsible use of equipment, in addition to general good practices, which should also extend to contractors.
Equally, any third-party suppliers should be vetted to make sure they have good cyber hygiene themselves.
Eventually, Murrell predicts that businesses will be benchmarked for cyber safety, gaining accreditation depending on how secure their systems are. With this visible to clients and collaborators alike, the issue will quickly become more important to any business.
But that’s a means to an end, Murrell says. Ultimately, business owners should be motivated to be cyber secure for themselves.
“It’s just one less thing to worry about,” he says.