Cyber security is incredibly important for small businesses. Cyber breaches are often caused by employees inadvertently creating an entry-point into systems and networks, leaving confidential information vulnerable to hackers. A cyber-security breach could be detrimental to the future of your organisation due to potentially devastating fines for data protection breaches introduced by the GDPR in 2018, not to mention the knock-on effect that lax cyber-security could have on your organisation’s reputation and its standing within the business community.

It is important to remember that maintaining strong cyber security involves creating a compliance culture, where behaviours aligned with your regulatory obligations are not only encouraged but nurtured and regularly reinforced. Investing in cyber-security awareness training means your staff will be empowered to spot and report suspicious activity, and your organisation can build on its reputation as a trustworthy business that invests in its customers’ right to privacy.

Far from being just an issue for large corporations (although the media does tend to sensationalise large-scale data breaches), there’s around a 50% chance that a UK SME will experience a cyber-security breach of some kind. In fact, because start-ups and SMEs often do not invest enough in cyber security training or top-of-the-range security software, these types of organisations make for easy targets. That’s right: hackers are aware that smaller businesses are less likely to have an up-to-date cyber-security training programme in place, and because your staff are the weakest link in the chain, this means they are more vulnerable to common security threats.

Common Security Threats for Small Businesses:

Keeping your systems safe doesn’t need to be confusing or even especially costly. With a few simple steps, you can strengthen your cyber-security efforts and help mitigate the risk of your business falling foul of common types of cyber-crime.

Using Email and the Internet Securely

It may seem obvious to you, but basic internet/email awareness training shouldn’t be ignored or accepted as ‘common knowledge’ – something everyone automatically knows prior to employment. Remember, most malware is introduced to its host computer by the user clicking on a download link or email attachment, or by visiting an insecure website.

Malware may take many forms, e.g. ransomware, viruses, Trojan horses, spyware, and so on, but it almost always finds its way onto business networks through gaps in employee knowledge about the safe use of email and/or the internet. When it comes to computer literacy and its effect on cyber-security, the value of regular refresher training should never be underestimated.

Social Media

There are reports that, on average, people use eight different social media accounts at any one time! Given this information, it’s highly likely that most of your employees will access at least one form of social media on a daily basis, and that’s why it’s so important for small businesses to define their terms of acceptable social media use early on, and to highlight (and therefore mitigate) cyber-security risks on these platforms.

Social hackers exploit both the proliferation of social media in recent years and the ease of access to new victims afforded by these sites (e.g. through users’ friends lists). Because we don’t generally see the information we post on social media as ‘valuable’, or even as confidential, users tend to let their guard down whilst using these platforms, and this makes them easy prey for hackers. You are, for example, far more likely to click on a malware download disguised as a fun link, or fall for a phishing attempt asking for confidential information, whilst using social media.

Remember, it only takes one unsuspecting employee to unwittingly click on a malware download for your entire network to be infected. Social media awareness training has never been so important.

Software Updates:

Ignoring software updates puts your business at risk. Although it seems convenient to keep clicking the ‘remind me later’ option, out-of-date or unpatched software doesn’t just slow down your operating system; it invites known threats to infiltrate your system. As well as removing outdated features and fixing bugs, software updates fill in newly discovered holes in security, blocking hackers’ chances to exploit those gaps and plant spyware, for example, on your machine.

Remember, updates are important for all digital media devices, not just network PCs and laptops in the office. So, if your team uses or shares mobile internet devices, e.g. tablets and mobile phones, it is the responsibility of everyone to ensure updates are installed. This kind of accountability and responsibility for cyber-security is known as:

A Compliance Culture

If you expect your employees to take cyber-security seriously, it’s important for small businesses to embed compliance firmly within the organisation’s culture, as part of its core business model, and led firmly (and positively) from the top.

By fostering a culture in which employees are regularly trained, updated, and reminded about compliance procedures in an empowering, uplifting way (i.e. not just as a box-ticking exercise), small business owners can set foundations, lay out their expectations, and even influence employee behaviours in ways that ensure their cyber security training goes well beyond what is simply mandated by law.

Law firms hold reams of sensitive data and must therefore put safeguards in place to protect information from unauthorised access and processing. The term cyber-attack is broad and encompasses all deliberate attempts to exploit a computer system or network. This can result in data being compromised, which facilitates cybercrimes like information and identity theft. Following the introduction of the General Data Protection Regulation (GDPR) on 25th May 2018, law firms are expected to do more than ever to protect the data they hold. To give you an idea of the magnitude of cyber breaches, in 2015 62% of law firms reported a security incident. So if your approach is to gamble on the chance that you won’t be targeted, sadly the odds aren’t in your favour.

Who Is Behind Cyber Attacks?

In cyber security breaches, individuals and organisations gain illegal access to sensitive data. Information is an incredibly powerful tool and the harm its misuse can cause should not be underestimated. Some groups of people who often try to compromise law firm cyber security are:

  • International governments
  • Organised criminals
  • Terrorist organisations
  • Disgruntled employees

The Nature of Attacks

Cyber-attacks can come in many different forms so it is important to stay vigilant. Staff training will help employees spot when things start to go wrong. Some of the common types of attack are outlined below.

  • Phishing emails are sent by hackers attempting to trick you into divulging your personal data, often bank details and passwords. The best way to protect against phishing scams is to thoroughly train your staff in how to identify these scams and what to do to overcome them.
  • Malware is software designed to disrupt, damage or gain access to a computer. If hackers get hold of your customers’ and/or employees’ email addresses, they can send them emails (often from accounts mimicking your firm’s email domains) with links to this malware. Criminals then gain access to any computer on which the attachment is opened. The prestigious London law firm Anthony Gold became the victim of cyber-crime in December 2017. Hackers gained access to a legitimate email account and sent out 16,000 emails with a seemingly important attachment. Those who fell into the hackers’ trap and opened the attachment were subsequently infected with malware.
  • Ransomware is malicious software that blocks a company’s access to its files (e.g. by encrypting them) until a sum of money is paid to the cyber criminals. The cyber criminals behind ransomware are indiscriminate about whom they attack: they simply identify systems that are poorly patched and vulnerable.
  • Disgruntled employees occasionally leak data to publicly disgrace the firm.

Why Should Cyber Security Be Important To Our Firm?

Poor cyber security enables cyber criminals to infiltrate and damage your systems and networks. This exploitation often results in a data breach. As breaches gain publicity, it is becoming routine to see a new household name splashed across the headlines each day, its reputation irreversibly tarnished. In order to retain a commercial advantage, it is important that your firm’s name is not littered with bad publicity. As well as the devastating reputational blow, breaches can result in firms being fined up to €20 million or 4% of their annual turnover, whichever is greater, by the Information Commissioner’s Office (ICO). Good cyber security training and the creation of a security culture will help to protect you, your firm and your customers against the crippling effects of cyber-crime.

Financial Services play a critical part in our economy and, thus, in the daily lives of consumers. Their importance to the functioning of business, insurance, pension systems, and banking means that the systems and networks of Financial Services Institutions store information about pretty much everyone in society, most of it digitalised. Should cyber security for a Financial Services Institution fail for any reason, the consequences could be immediate and substantial. That’s why it’s important that Financial Service Providers educate their employees on their responsibilities as data processors, and offer them regular cyber-security awareness training.

The prominence of the Financial Services sector and the demands of modern consumers for digital infrastructure (e.g. online/telephone banking accounts) mean that financial institutions face a dilemma: how to streamline business processes and meet their customers’ requirement for convenience on the one hand whilst avoiding data and security risks on the other.

Information Security Chiefs in the sector stress the importance of cyber security first and foremost, calling for it to move away from IT teams and security software alone (although these are still important factors) and into the boardroom, where a unified approach to cyber security ought to be developed. The focus is very much on adding awareness training and education into the mix, with a culture of compliance made clear and communicated from the top.

In other words, improving cyber security for Financial Service Providers involves influencing the behaviour of the people who own and work at them.

What does the Financial Conduct Authority (FCA) say?

The FCA is a regulatory body in the UK that ensures Financial Service Providers meet (and continue to meet) certain standards in the interest of their customers. Members of the FCA must ensure that they conduct their business with fairness and integrity, abiding by the Authority’s rules and principles at all times. It is in the interest of customers to do business with Financial Service Providers that are members of the FCA, as they can expect to receive a good, transparent service as standard.

The FCA expressed concerns over the cyber-security of its members following the instance of a well-known, supermarket-owned bank losing £2.5M of customer money through fraudulent transactions in 2016. Their report highlighted how traditional approaches to security are failing to work, and suggested that banks and other financial institutions may not be taking the threat of cyber-crime and hacking seriously enough.

Perhaps counter-intuitively, the FCA criticised the complexity of the banks’ digital systems, arguing that the more complex these networks become, the more points of entry are available for criminals to take advantage of.

One response from the FCA was to develop its ‘Scam Smart’ campaign; an initiative that targets investment fraud by educating organisations on the importance of awareness training and employee/customer empowerment rather than relying exclusively on security-software and other digital acrobatics to get the job done.

Improving Education within the Workplace

Chief Information Security Officers (CISOs) in the Financial Sector have reiterated the same message: that frequent communication between leadership teams, board members, and other employees can help strengthen and maintain firms’ cyber-security practices. The idea is that, if employees are trained to serve as the first line of defence for organisations, they will no longer be just another weak link in the cyber-security chain for hackers to exploit.

It’s true, offering even basic awareness training can significantly improve the cyber-security of Financial Services companies, and help prevent the monetary and reputational losses that go hand-in-hand with unauthorised access to devices, networks, and databases.

By spreading the message that everyone is accountable and responsible for cyber security, and by offering regular awareness training that’s both up-to-date and engaging, Financial Services organisations have the chance to generate self-governing cultures of compliance that go above and beyond the minimum requirements for cyber-security under laws such as the GDPR and the Data Protection Act 2018.

Cyber security is the responsibility of everyone in the organisation, but it’s down to the leadership team to start the ball rolling and set the correct tone from the top. Entrepreneurs, managers, and their executive teams play a crucial part within a business, due in no small part to their influence on corporate culture and the way that behaviour is shared and learnt inside work environments.

It’s true that a lack of employee understanding around the subject of cyber security is usually how an issue or breach occurs in the first place. When this happens, cyber-security threats, e.g. malware, can quickly get out of control and infect the entire office/workplace network – but these risks can be controlled and mitigated through the actions of the workforce.

Remember, gaps in employee knowledge and consequent low confidence levels mean that mistakes do get made, however unknowingly. Seemingly simple things, such as creating inadequate passwords or failing to secure personal storage devices, leave valuable information exposed for hackers to take advantage of.

A Compliance Culture

Management and executive teams can and do impact the culture of the organisations they work for. The way employees observe other employees behaving has a huge effect on the behaviour and attitude of the whole team, and the same is true for compliance behaviour around the topic of cyber security.

Whilst education and awareness training are an extremely important aspect of cyber security and should never be ignored, it is equally vital to lead by example when it comes to creating cultures of accountability that encourage all employees to take personal responsibility for their own actions. For example, new employees should not observe executives neglecting to install system updates, opening unsolicited email attachments, leaving desktop PCs unlocked, and so on. These behaviours indicate a lack of accountability, responsibility, and general cyber-security awareness, and could lead to serious security breaches if permitted to continue through learned behaviour.

Good practice is to nurture an environment in which employees are regularly trained, updated, and included in discussions about the part they play in compliance activity. The key here is communication across the board, no matter how large the business is, to ensure that standards of conduct are not only maintained but encouraged and commended. When it comes to cyber security, standards of practice should not be discussed only behind closed doors in boardrooms and amongst IT professionals; all employees play a part in risk management, often as the first line of defence.

Common Security Threats to Businesses:

Cyber-attacks exploit basic vulnerabilities in IT systems, software, and employee awareness. Even the most basic security practices, like ensuring system updates are completed in a timely manner and training employees on how to create secure passwords, can have a big impact on deterring cyber-criminals from targeting your organisation – after all, there’s always somewhere else that will have neglected these activities and, thus, made gaining access that much simpler.

Common security threats to businesses include:

  • Internet and email misuse
  • Neglecting software updates
  • Phishing scams
  • Malware / ransomware
  • Insecure/unlocked digital storage devices
  • Social engineering / social media attacks

Small Businesses and Start-Ups

Not just an issue for large corporations to worry about, start-ups and SMEs have around a 50% chance of encountering a cyber-security breach in the UK, largely down to time and budget constraints affecting their cyber security training, software, and awareness programmes. Make no mistake, hackers are aware that smaller businesses are less likely to have put measures in place to protect against cyber-criminals, and use this to their advantage when targeting organisations that may process and store valuable personal data, e.g. credit card numbers.

With worrying statistics for security breaches and increased fines for failing to meet data security responsibilities under the General Data Protection Regulation (GDPR), even entrepreneurs can’t afford for their business to fall short when it comes to matters of compliance. Whether there is one or one hundred employees working at your organisation, a culture of compliance should set the standard for the future.

Cyber security is the protection of systems, networks and data from attack. Cyber security audits examine the threats, vulnerabilities and risks facing your organisation and address how to mitigate these risks. When assessing your cyber security there are three key areas to take into account: people, processes and technology. Thorough audits should be performed regularly, not only to protect your organisation but also to comply with legislation regarding the protection of personal data.

Incident Response

Within a cyber security audit it is necessary to assess the availability and strength of plans for when things go wrong. Your response policy must be tested to see how it performs under pressure. An effective crisis management plan helps to ensure business continuity in the midst of security breakdown and also to quickly mitigate repercussions. Some such repercussions are loss of reputation, legal action and damage to those whose data is affected. A crucial foundation of incident response is rapid detection. Automated detection tools should be in place to facilitate early discovery.

Users as the Biggest Security Risk

Users are more often than not the cause of cyber security breaches, whether accidentally, through lack of education, or deliberately, in the case of a disgruntled employee. Despite there being little we can do about the latter, there is much to be done about lack of education and knowledge. Thorough cyber security education and regular refreshers help to ensure your staff remain vigilant to potential breaches, e.g. phishing emails, malware attachments and suspicious activity. Cyber security training is the silver bullet of cyber security.

Cyber Security Evolution

Cyber security is a rapidly evolving field with criminals working relentlessly to overcome new technology safeguards and find innovative ways to infiltrate our systems. For this reason, a stagnant approach to cyber security is incredibly dangerous. You must make sure that you are keeping up-to-date with recent security advancements and not leaving your business vulnerable to attack. Frequent audits are vital in identifying and addressing new risks. Immediately updating software to the newest versions safeguards your systems, but this alone is nowhere near enough. Patches are a set of changes made to a computer program with the intention of updating, fixing or improving it. Some patches fix security vulnerabilities and are crucial in protecting your program from attackers. Some vulnerabilities discovered in audits can be addressed by patch usage.

Why are Cyber Security Audits Important?

Cyber security audits are essential in allowing you to identify vulnerabilities in your organisation before they are exploited. Were these vulnerabilities to be exploited by cyber criminals, you may find yourself the victim of cyber-crime. Individuals’ personal data is often unlawfully obtained in cyber security breaches. Not only can this have frightful effects on the individual affected, such as identity theft, but it can also damage your business.

Since the General Data Protection Regulation (GDPR) was introduced on 25th May 2018, the Information Commissioner’s Office (ICO) has been able to issue fines of up to €20 million or 4% of your annual turnover, whichever is greater, for a serious data breach. Some security breaches seek to disrupt your system’s processing, demanding that you pay before functions are restored. For example, they may encrypt files. This type of attack is called ransomware. In 2017 the NHS suffered a “WannaCry” ransomware attack in which files were corrupted. Employees received phishing emails that released the malware into their system. The attack had staff resorting to pen and paper and turning patients away. Thorough staff training to identify phishing scams could have prevented this harmful breach. In order to protect your business against this plethora of adverse effects, you must perform regular cyber security audits to identify any vulnerabilities.

The evolution of cybercrime coincides with the evolution of the internet, and with that came the invention of email. The first serious wave of cybercrime came with email in the late 80s. Its accessibility meant that hackers could target their victims directly by sending harmful files straight to an inbox.

The WannaCry case is a perfect example of how emails can be dangerous. This ransomware attack infected over 200,000 computers, and it all started with an email. It was sent at around 8am, and by lunchtime that day, employees all over the world were being locked out of their devices, highlighting how fast and widespread an email virus can be.

It may seem tedious, but email awareness training shouldn’t be dismissed as ‘common knowledge’ because any gaps in knowledge within a workplace are seen as vulnerabilities that hackers can exploit. When it comes to computer literacy and its effect upon cyber-security, the effects of regular refresher training should never be underestimated.

The Dangers in Emails

With 59% of UK business leaders seeing email as their biggest threat, the dangers that can come into your inbox cannot be ignored. Hackers are growing in skill and technique, reflected in the fact that they are constantly developing new ways to use email for cybercrime.

Emails can often include attachments that, once opened, create an entry point for malware to get into the system. Disguised as a document, voicemail or PDF, they are designed to launch an attack as soon as they are opened.

Links to malicious webpages are another popular example. These can appear in an attachment or in the main body of the email, and can look like a fun link sent from a friend, a trap that the unsuspecting recipient clicks on without a second thought. Dangerous links account for a significant number of data breaches within organisations.

Not only are the hacking techniques varied when it comes to email, but the types of malware that appear also differ, and as a result the impact varies. When you hear names like Trojan horses, spyware, ransomware, viruses, and so on, what you’re really hearing about are types of malware. The different names refer to the different ways hackers get into a system, with Trojan horses disguising themselves as harmless in order to gain entry to a network and infect it.

Ransomware works by encrypting a victim’s data and demanding a fee to restore it. In other words, the hackers convert the data on the device into a code that is illegible for the user, and as a result the recipient is forced to pay for the data to be restored.

Phishing works by people gaining the victim’s trust through pretending to be a legitimate source, and as a result the victim hands over sensitive data that the criminals can make a profit from. By the phisher claiming to be a reliable source, the victim unknowingly clicks on a link or opens an attachment, exactly what the hackers want.

Man-in-the-Middle attacks are anything but a game. This is when the attacker puts themselves between the user and the organisation in order to intercept and impersonate the user. This way the attacker can read and manipulate email conversations and steal information as they go, all without the victim being any the wiser.

Spam remains a mainstream term when it comes to unwanted email. With servers now having a dedicated filter for spam to go into automatically, it would be easy to think that we are protected. Think again. Spam remains a significant challenge for everyone, and when it contains malware, it not only wastes your time but also becomes a headache for your cyber security.

How to Stay Safe

Being vigilant with emails means that you have more chance of keeping the hackers out through knowing what to look out for, and as a result you can keep your data protected. Following a few simple steps means that you can help prevent yourself from becoming the next victim to cybercrime.

  • Never share sensitive information such as passwords or credit card numbers, no matter how real the email looks. No bank will ever ask you to disclose sensitive details over email, text or phone. Never give away any personal information.
  • Think twice before you open anything: If you receive an email with a link or attachment, make sure you are 100% sure it is legitimate before you open it. If you don’t know the sender, ignore it.
  • Don’t assume anyone who’s sent you an email is who they say they are; it is better to be paranoid than to become a victim of cybercrime.
  • Use your spam folder: This will do a lot of the hard work for you, but if you ever see suspicious emails, mark them as spam for future reference to maintain a consistent level of protection.
  • If you’re ever in doubt, get in touch with the company through their own website (never follow links/phone numbers they provide you with).
Ask yourself:

  • How it looks – If there are faults in spelling and grammar, or the logo seems a bit fuzzy, mark it as spam straight away.
  • How they address you – If they don’t use your name, chances are they are trying to win you over with what little information they have. Remember, this really is personal.
  • The website address or email – Businesses and organisations don’t use web-based addresses such as Gmail, so if there is a long URL that looks unsophisticated to you, step away quickly.
  • Your bank accounts – Regularly check your accounts for suspicious activity. If there is anything you can’t remember spending, get in touch with your bank immediately.
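The checklist above can be turned into a simple triage aid that a help desk or security champion could run over a reported email before deciding whether to mark it as spam or verify it through the organisation’s own website. The following is an added example, not code from this article or from any product it mentions: it scores a message against the checks the article lists (free webmail sender, generic greeting, requests for sensitive details, links whose host is not the claimed organisation, unusually long or deeply nested URLs). The free-webmail list, greeting phrases, sensitive-term list, scoring weights and thresholds are all assumptions chosen for illustration, and the sample emails (with `.example` domains) are constructed. Spelling and grammar checks are deliberately left to the human reader.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed lists for this example; a real deployment would tune them to the organisation.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")
SENSITIVE_RE = re.compile(r"\b(password|pin|card number|security code|sort code)\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Email:
    sender: str       # address in the From: header
    claimed_org: str  # domain of the organisation the mail claims to come from
    body: str


def _belongs_to(host: str, org: str) -> bool:
    """True only if host is org itself or a subdomain of org (not a look-alike)."""
    host, org = host.lower(), org.lower()
    return host == org or host.endswith("." + org)


def check_email(mail: Email) -> dict:
    """Score an email against the article's checklist; a higher score is more suspicious."""
    reasons = []
    score = 0
    body = mail.body.lower()

    # "Businesses and organisations don't use web-based addresses such as Gmail"
    sender_domain = mail.sender.rsplit("@", 1)[-1].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        score += 2
        reasons.append(f"sender uses a free webmail domain ({sender_domain})")
    elif not _belongs_to(sender_domain, mail.claimed_org):
        score += 2
        reasons.append(f"sender domain {sender_domain} is not {mail.claimed_org}")

    # "How they address you": a generic greeting means they do not know your name
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        score += 1
        reasons.append("generic greeting instead of your name")

    # "Never share sensitive information": the mail asks for it outright
    hits = SENSITIVE_RE.findall(body)
    if hits:
        score += 2
        reasons.append("asks for sensitive details: " + ", ".join(sorted(set(hits))))

    # "A long URL that looks unsophisticated": links to other hosts, or very long/nested ones
    for url in URL_RE.findall(mail.body):
        host = urlparse(url).hostname or ""
        if not _belongs_to(host, mail.claimed_org):
            score += 2
            reasons.append(f"link points at {host}, not {mail.claimed_org}")
        elif len(url) > 80 or host.count(".") >= 4:
            score += 1
            reasons.append(f"unusually long or nested link: {url[:40]}...")

    if score >= 4:
        verdict = "treat as phishing: do not click, mark as spam and report"
    elif score >= 2:
        verdict = "verify via the organisation's own website or phone number before acting"
    else:
        verdict = "no checklist flags; remain cautious"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real organisations; .example is a reserved TLD).
PHISH = Email(
    sender="examplebank.security@gmail.com",
    claimed_org="examplebank.co.uk",
    body=("Dear Customer,\n\nWe detected unusual activity. Confirm your password and card number at\n"
          "http://examplebank.co.uk.verify-account.example/login?session=8f3a2c\n\nExample Bank"),
)
LEGIT = Email(
    sender="statements@examplebank.co.uk",
    claimed_org="examplebank.co.uk",
    body="Dear Ms Patel,\n\nYour March statement is ready to view in online banking.\n"
         "https://www.examplebank.co.uk/statements\n",
)

if __name__ == "__main__":
    for name, mail in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = check_email(mail)
        print(f"{name}: score={result['score']} -> {result['verdict']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The look-alike host in the constructed phishing sample (`examplebank.co.uk.verify-account.example`) shows why the check compares the registered domain as a suffix with a leading dot rather than simply searching for the bank’s name in the URL: the bank’s domain appears in the link, but the host belongs to someone else.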

Breaches in cyber security can cause considerable financial and reputational damage to organisations of any size and industry. Hackers have the aim of gaining unauthorised access to your networks in order to steal or damage the data they find. From there, they can sell it on the ever-growing cybercrime ‘black market’ to make a profit from the valuable information.

The cybercrime scene has earned an impressive reputation, with profits now bringing in more than the illegal drugs trade. This tempting outcome, combined with the accessibility afforded by online ‘how-to’ guides, means that the dark web can attract as many as 80,000 users at the same time, highlighting that it isn’t a case of if a hacker will target you, but more a question of when.

This isn’t to scare you, but more to stress the importance of having an effective protocol in place should a breach occur. By acting fast and efficiently, you’re not only reducing the impact it has on your organisation, but also abiding by the new regulations brought in by the GDPR in 2018 to avoid hefty fines that could make or break your business.

The Effects of a Data Breach

Data breaches can happen daily to any business, and with our dependence on technology growing, they aren’t set to fade any time soon. One recent example was in the form of Edmodo, the popular learning site used by schools up and down the country.

The breach occurred in May 2017, when it was revealed that 77 million user account details had been stolen and sold on the dark web. Believed to be the largest breach of children’s data ever recorded, it exposed the usernames and email addresses of both children and their teachers. The site became aware of the breach on 10th May and notified users two days later, showing how timing is everything in these sorts of situations.

Act Fast

The EU’s GDPR and the UK’s third-generation Data Protection Act 2018 (DPA 2018) both aim to modernise data protection law by recognising the increased need for strong levels of cyber security in the face of a growing field of crime.

The GDPR stipulates that all parties involved must take the necessary measures to guard against unlawful and unauthorised data processing practices, one prominent example being data breaches. Organisations that process their data digitally, as more and more companies do nowadays, have to carry out risk assessments to evaluate and mitigate the risk of a cyber security breach. Examples of the measures they’re expected to take are encryption (converting data into codes), cyber security training so that all employees know what to look out for and how to respond, and up-to-date antivirus software; above all, they need an effective protocol on standby so that everyone knows what to do if a breach should occur. By doing so, the company is more likely to limit the impact of a breach, whether financial or reputational.

The GDPR distinguishes between two parties: controllers and processors. Controllers deal with customers, such as a high-street service, and processors are external IT companies hired by controllers to handle the data first hand. The controller has to make sure the processors comply with data protection law by receiving up-to-date records from them.

If processors fail to comply with the GDPR, they must let their controller know straight away in order to maintain a strong level of communication from both sides. The controller is then up against a 72-hour limit to let the supervisory authority know what is going on. In doing so, the problems can be dealt with quickly and efficiently to try to limit the damage done, as well as avoiding the potential fines you could receive.

Efficient Breach Protocol

The regulations require that the organisation notifies the authorities within the 72-hour deadline, supplying the following information:

  • The nature of the breach – What has been lost, how much has been lost and where it has been lost from
  • A contact point – Maintain strong lines of communication by passing on the contact details of the data protection officer
  • Consequences – What could be the result of the breach
  • What happens next – How you feel you can address the breach to limit the effects

Once this is done, customers need to be informed if the breach is “likely to result in a high risk to their rights and freedoms”. By combating the problem and contacting the authorities, you are dealing with the problem well, but by actually keeping your customers in the loop, you are going the extra mile in facing the problem.

Notifying the customer should involve:

  • Include a contact point, most likely the data protection officer, should they want more information
  • Explain how the breach could affect them personally
  • Explain how you are planning to deal with the breach

As you can see, an effective protocol is all about communication. By gaining all of the information needed as fast as possible, and contacting the right people about it within the time limit, you are not only following regulations to avoid fines, but effectively dealing with the problem head on so as to reduce the impact it has on the company in the long term.