Have Questions About This Guide?
Book a 30-minute call with one of our experts. You’re in safe, experienced hands.
25 years ago, people didn’t even know what a firewall was, yet today everyone has them by default on their computers and to some extent on phones as well.
Since then, awareness of cyber risk has definitely increased, especially since the ‘bad guys’ have picked up on the wealth of available opportunities presented to them as technology evolves.
But we can’t afford to be complacent, and we still have much to do to get ahead of cyber risks.
If you own a physical retail store there are risks, but these are largely localised to people who are present at the store.
The risk of damage to that store is generally limited to people physically coming to the store and perhaps breaking a window or stealing goods.
However, if we think about opening the same kind of retail store online, all of a sudden you’re opening up that store to anybody connected to the internet.
Not to mention, cyber-attacks can actually be driven by people who are anonymised and hiding behind various technologies.
But whilst the scale of the risk is certainly much greater, the opportunities for businesses are also much greater as you’re open to the world and not just limited to customers within travelling distance.
Obviously the most secure system is one that isn’t connected to anything, but that won’t make the system very useful or profitable.
So, it’s a question of striking the right balance between the business risks in the digital world vs. the opportunity that is out there for businesses to really grow.
The risks depend on the type of business you own and it’s important to consider that cyber risk can manifest in multiple ways.
Business interruption
Some of the key considerations and impacts relate to business disruption.
For example, if your systems are unavailable as a result of a cyber-attack, customers won’t be able to access your website or get hold of you via telephone and that can impact the core of the business.
There’s a quote by Warren Buffett – that it takes years to build a reputation and only minutes to ruin it.
This is especially true nowadays when you have people reviewing and leaving comments on the service they’ve received from companies and businesses.
We want to get feedback from customers all the time.
However, if customer information is lost, or the business can’t get access to its suppliers, that can certainly cause big problems and damage the business’s reputation.
Data protection and privacy concerns
Ultimately, the owners of a business are responsible for the data they are processing if they are holding personal information about individuals and businesses.
If someone is looking to start a business and will be processing large volumes of data, then the whole area of data protection and privacy risk is really important.
Intellectual property
Organisations are consistently building their own intellectual property, whether as part of a manufacturing process, a book, source code or an app that someone is developing.
Any of this intellectual property can be easily lost or stolen and ultimately this could rip the heart out of the business that you’re trying to build.
This applies beyond things being produced.
For example, an importer looking to build connections with suppliers might have spent money travelling overseas to strike up good relationships with business partners.
The information collected via these ventures is really key to your business’s success.
However, if that information were to be leaked to a competitor trying to build the same business as you, all of a sudden the viability of your business might disappear overnight.
So, being able to protect the information that’s close to the heart of your business is key and the cyber world poses some real risks here.
Sending an email to the wrong person or leaving a laptop on the train which has valuable information on it can easily happen by mistake rather than by design.
The ‘availability’ of information
Another key business risk relates to the availability of information.
For example, suppose an architectural business is hit by a devastating ransomware attack.
It has 10 years of drawings and designs stored on its computers.
Overnight, these are locked away and the business is unable to access them or recreate those designs.
Such attacks can set businesses back years.
The moral here is that without the right protection things can be lost really quickly.
Financial loss
Cyber-attacks can directly result in financial losses for businesses.
For example, an organisation that has been the subject of a phishing attack may end up paying a phony supplier or a fake invoice.
This money goes straight out of the business and into the hands of fraudsters.
This is something that cyber criminals have been extremely successful at, and it can have a devastating effect on businesses.
There are examples of small businesses transferring as much as €100k to €400k to fraudsters.
This money often can’t be recovered, whilst the business still has an obligation to pay its genuine supplier.
Cyber criminals have so many opportunities!
Cyber criminals have many different ways to harm businesses.
This could involve fraudsters convincing you to take an action that allows them to extract funds from you, or that gives them access to company business systems, which in turn opens up further ways to extract money, e.g. by stealing information.
Cyber criminals predominantly used to go after the infrastructure, i.e. the IT systems which were vulnerable to attack.
However, as we’ve gradually started to improve those systems, cyber criminals have shifted their approach to targeting users and individuals who have access to information, e.g. through company email systems, to perpetrate attacks.
Are individuals the weakest link in the security chain?
It’s a bit of a double-edged sword; it’s easy to receive an email and click on a link or a pop-up on Facebook or Twitter that can download something onto your computer that you aren’t aware of.
But while humans are viewed as the weakest link in the security chain by cyber criminals, they can actually be the strongest link!
Simply by being more cyber savvy and street smart we can deflect and reduce the opportunities for these attacks to take place.
If people become hyper-aware of these attacks, they can block them and recognise when they’re being manipulated into supporting the objectives of cyber criminals.
Using personal devices to carry out business activities
Social media
There’s a real vulnerability if businesses enable staff to use their own devices, for example a link on a social media feed that is actually ransomware in disguise.
To put it into perspective, corporate companies spend a lot of money on security and most people’s own home PCs or laptops will not be able to reach that level of protection.
Password cross-over
Some people do tend to use the same passwords for their social media and e-mail as they do for corporate systems.
Individuals have been seen using their corporate IDs as passwords to access social media platforms.
People often find that not only their account name but also their password for that system has been published online.
That could lead to a big vulnerability where the attackers effectively shift their attack from the individual to the company that the individual works for.
We recommend a website called ‘Have I Been Pwned?’, where you can input your email address and it will tell you if that email address has been compromised on any systems or websites.
‘Cyber hygiene’ and password safety
An exercise in cyber hygiene can help to clean up credentials that have been exposed on the internet.
The best practice is not sharing or repeating passwords.
Secure password generator and manager apps, like ‘1Password’, can be helpful to people, but ultimately passwords on their own are no longer considered to be very secure.
The issue of ‘dictionary attacks’, where attackers try lists of popular words against accounts whose owners have used those words as passwords, highlights the problem when a password is the only thing that lets you into an account or system.
Businesses need to move to a place where they don’t just rely on passwords to access critical information.
Although it still isn’t very cost effective for individuals or companies, ‘multi-factor authentication’ technology can change this dynamic and offer protection.
This is the idea that a password alone isn’t enough to access a system; there should be an extra step, such as a code sent to a mobile phone, a fingerprint or face authentication.
The system should be secure enough that when the bank calls and asks for a name and a password, this information alone is no longer good enough, especially since this ‘memorable data’ is often information which is already on the internet and/or on a Facebook profile.
In practice, if you log into your business system in the morning and then don’t have to log in again for the rest of the month, and your system is then hit by a malware attack, the hackers will have gained access to your computer and with it access to everything.
Two-factor authentication means that the cyber criminals have more hoops to jump through: one hoop to get onto the system, but more hoops to get into email or social media accounts.
There are two useful programmes: one is called ‘Google Authenticator’ and the other is called ‘Microsoft Authenticator’.
These allow users of free email systems to add two-factor authentication to their sign-in processes.
Whilst these programmes aren’t foolproof (and hackers can find ways around them), they definitely change the game by putting more barriers between hackers and your personal information.
Should we be saving passwords?
It’s a fine balance between practicality vs security.
What businesses can do is set up the system so that if you access the email from a different device than usual, it’ll force you to re-authenticate.
Whilst employees might be a bit distracted by having to log in and out a bit more, it’s a worthwhile practice to have some kind of timeout feature on business systems.
The analogy of airports is useful here.
You can’t just go to an airport and get onto an airplane; there are multiple layers beforehand – tickets, departures, check-in, security etc.
The idea is to create layers of security by adding additional protections.
This is the kind of model we should aim to implement into the digital world.
Remote working is becoming an increasingly challenging area as more employees are working from home and businesses want to provide an easy way for employees to log into the systems they need to do their jobs.
However, because Covid-19 pushed the rise of home working, companies have had to stand up the ability to function remotely without necessarily putting all the right safety measures in place.
Many companies have had to quickly harness old systems or use outdated software which was originally put in place for a small number of users, not a whole organisation.
This happens a lot in day-to-day business where cyber security is often an afterthought and we’re constantly playing catch-up.
Botnets
‘Botnets’ are automated systems which scan the internet ‘knocking on doors’ to see whether they can get in.
From a remote access point of view, once they get in, they take the access credentials (the username and password) and sell that online so that other cyber criminals can perpetrate ransomware and other attacks.
How do the cyber criminals get in?
1. Vulnerable software: the software used to enable remote working often has security holes in it. Those holes are often patched or fixed with updates, but companies fail to use the latest version of that software which leads to weaknesses.
2. Passwords: guessing people’s passwords, for example with ‘dictionary attacks’, or finding other ways to get in.
3. Levels of access: implementing additional levels of access and controls is key. Companies need to make a choice on how to best protect themselves – once employees are logged in, do they get to see everything? Alternatively, can employees only access particular servers if they’re a member of a particular team? Should employees be prevented from accessing servers relevant to other teams?
The cyber world has been said to be suffering from a ‘ransomware pandemic’ which continues to devastate organisations, impacting businesses both small and large – even hospitals!
The modus operandi involves convincing a user to click on a link which downloads a piece of software that runs on their computers or cyber criminals buying access to vulnerable company systems.
Often this attack has come through a remote working vulnerability where the ‘bad guys’ get in and manage to install software on your computer.
That software then encrypts the data on your system, and you receive a ransom note which says that if you pay a certain amount of bitcoin, they will give you the decryption key that will enable you to unlock the files you’ve lost access to.
For some businesses who haven’t got backups or haven’t been prepared for this type of attack, it can be extremely debilitating.
Perpetrators are now even threatening to take that data and publish it online.
For those organisations who hold sensitive data, this can have potential legal and reputational ramifications.
Ultimately, ransomware is highly profitable for criminals and devastating for organisations hit by it.
Firstly, when deciding whether to pay a ransom, businesses need to realise that they’re dealing with criminals.
But it isn’t good for cyber criminals if they receive a ransom and then don’t deliver, so in a lot of cases, they will come through with the goods and help the organisation to recover.
However, that doesn’t always happen and in some circumstances, it’s against the law to pay the funds.
If cyber criminals don’t carry out their end of the ‘deal’, you could just be fuelling an illegal activity.
The cyber insurance industry is playing into this decision because a lot of businesses that have cyber insurance will have ransomware cover which acts as a fall-back for businesses.
However, caution needs to be taken so that cyber insurance doesn’t end up enabling ransomware attacks rather than encouraging taking preventative steps to stop them.
Before deciding to pay, businesses should ascertain whether it’s possible to recover those assets.
If they can, then that’s probably the better course of action.
Fundamentally though, businesses should proactively try to avoid ransomware attacks in the first place by maintaining their cyber security practices and having back-ups in place, so they’re not put in the position where such a decision needs to be made.
N.B. In the past, the attitude instilled by law enforcement was that businesses absolutely shouldn’t pay as cyber criminals can’t be trusted to not simply return and re-offend.
However, that tone has changed, and the decision has now fallen into hands of businesses who must live with the consequences if they pay.
Cyber security is something that needs constant attention to keep up with the ‘changing game’.
It’s not just a tick box for businesses to say that they’ve done their security checks this year and that’s the end of it.
As with airport security, sometimes it is effective and other times, unfortunately, it is not.
And, when certain people have wanted to, they’ve managed to find a way around the measures that were in place and in response new measures and layers of security are added.
It’s like this in the cyber-security market too, as technology is ever evolving; criminals get smarter and more inventive, so we need to make sure we keep pace to avoid destruction of our businesses.
Antivirus protection
We recommend everyone has anti-virus protection but it’s not enough on its own and can often give a false sense of security.
The reality is that, because of the nature of cyber threats and the way that viruses, malware and ransomware evolve and change, it’s almost impossible for one anti-virus vendor to have the answers to every possible issue.
We recommend that businesses look into other software too and make sure that firewalls are in place.
Look at additional malware protection in addition to anti-virus software.
For example, the anti-virus on your email system should be different to the protection on your laptop or mobile phones.
There may be different ways of catching the same thing.
This is important because often, as soon as ransomware gets in, it immediately turns off the anti-virus, and this is relatively easy to do with many of the free, simple anti-virus systems which are less sophisticated.
Businesses must be vigilant to recognise when their antivirus has been turned off as this can be an indication of an incoming ransomware infection.
Virtual Private Networks (VPNs)
VPNs add to those layers of protection discussed earlier.
Web proxies or ‘scrubbers’ strip malicious content out of web pages and downloads before they reach you.
This means that if you’re covered on the web with a VPN and then have a separate protection system for emails and something else for your computer, then you’re providing a variety of different options to combat bad bugs before they get to you.
This is important because your web anti-virus might pick up malware when it’s downloaded after visiting a rogue website.
However, if you have scrubber technology, it’s not even going to allow it to be downloaded and get into your machine at all.
So, having this combination to catch everything is important.
Ransomware
With ransomware, the cyber criminals want to tell you you’ve been attacked so you can pay the ransom.
But, before the ransomware is launched it’ll operate in ‘stealth mode’ to gather information, turn off your anti-virus or destroy backups before launching the attack.
For the user, there are so many opportunities to spot attackers, but we must be aware and monitor changes for unusual patterns.
Smaller businesses might not have this capability unless they use specialists from outsourced providers.
Alternatively, there are always new technologies coming out that use artificial intelligence to assist with spotting abnormal behaviour and detecting attacks.
Phishing
Fraudsters can get onto your systems and send emails on behalf of employees to business partners or suppliers.
However, if you look at the logs, it should raise a flag if you suddenly have employees accessing email from another country.
It should stand out, but only if someone is looking for it.
Warning signs
Warning signs to be aware of:
Attacks might start with a call from a phony service provider, for example a broadband provider saying that the company or person’s internet isn’t working very well.
Users will then be directed to a website and prompted to install software, which is actually malware, in order to ‘test the broadband’.
Employees can be trained to pick up on these warning signs and deal with them faster and earlier.
Awareness is crucial: if an unexpected caller asks you to visit a website, don’t do it.
You can always double check a phone number through the actual site of the supplier and call them back directly if you aren’t sure.
Solutions
Solution providers are often clear about what they will protect and what is your responsibility; for example, they might promise to protect your cloud storage but not your data itself.
As with physical security guards, depending on what you need to protect, you might need to outsource to someone to monitor systems for you.
This doesn’t necessarily have to be a person; an automated AI assistant can provide this extra support to detect and deal with issues.
Microsoft are also working on producing ‘impossible travel reports’.
The idea being that if you’re accessing your email from Ireland one minute and from China or Russia an hour later, the system will detect and alert you as you couldn’t have been in those two places at once.
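As an added illustration of the ‘impossible travel’ idea described above, and of spotting sign-ins from another country in the logs, the following is not the guide’s own or Microsoft’s code: it runs a simple speed check over a constructed sign-in log, where the users, timestamps, coordinates and thresholds are all made-up assumptions.

```python
# Added example (not from the original guide, not Microsoft's implementation):
# flag consecutive sign-ins by one user whose implied travel speed is physically impossible.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample log: (user, UTC timestamp, country, latitude, longitude).
# Coordinates are approximate city centres; the users and events are made up.
SAMPLE_LOG = [
    ("alice", "2024-03-04T08:02:00Z", "IE", 53.35, -6.26),   # Dublin
    ("alice", "2024-03-04T09:10:00Z", "CN", 39.90, 116.40),  # Beijing, 68 minutes later
    ("bob",   "2024-03-04T08:30:00Z", "IE", 53.35, -6.26),   # Dublin
    ("bob",   "2024-03-04T18:45:00Z", "GB", 51.51, -0.13),   # London, plausible same-day trip
    ("carol", "2024-03-04T07:55:00Z", "IE", 52.66, -8.63),   # Limerick
    ("carol", "2024-03-04T08:00:00Z", "IE", 53.35, -6.26),   # Dublin, 5 minutes later
    ("dave",  "2024-03-04T09:00:00Z", "IE", 53.35, -6.26),   # two sessions, same place and time
    ("dave",  "2024-03-04T09:00:00Z", "IE", 53.36, -6.25),   # (geolocation jitter, not travel)
]
MAX_SPEED_KMH = 900.0   # roughly airliner cruise speed; anything faster is implausible
MIN_DISTANCE_KM = 50.0  # ignore small hops: IP geolocation is only city-accurate at best

@dataclass
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float

@dataclass
class Alert:
    user: str
    from_country: str
    to_country: str
    km: float
    hours: float
    kmh: float

def parse_log(rows):
    """Turn raw log tuples into SignIn records with timezone-aware UTC timestamps."""
    return [SignIn(u, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), c, la, lo)
            for u, ts, c, la, lo in rows]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """One Alert per consecutive pair of sign-ins by the same user that is too far apart for
    the time elapsed. Pairs with identical timestamps but real distance count as infinitely fast."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:
                continue  # within geolocation error: no evidence of travel at all
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                alerts.append(Alert(user, prev.country, cur.country, km, hours, kmh))
    return alerts

if __name__ == "__main__":
    for a in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: {a.from_country}->{a.to_country}, {a.km:.0f} km in {a.hours:.2f} h ({a.kmh:.0f} km/h)")
```

On the constructed log, alice (Dublin to Beijing in 68 minutes) and carol (Limerick to Dublin in 5 minutes) are flagged, while bob’s same-day Dublin to London trip and dave’s two near-identical Dublin sessions are not.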
1. Information sharing
If more people are aware of the attacks, we can do something about them and learn the lessons of those who have suffered losses.
2. Awareness
Be aware of the different types of fraud happening in the industry and take note of them.
3. Human firewalls
Turn humans from the weakest link in your system to the strongest by providing training to look out for the warning signs, see patterns and pick up on unusual behaviours.
It’s helpful to stay aware of any cyber incidents in the news to see how other organisations have been affected.
If we then find that there is a new flavour of ransomware or a new attack taking place on websites, that information should be fed back to the organisation to reflect on whether that particular risk might be relevant to you.
We can learn the lessons that others have been unfortunate to experience to ensure the same attacks don’t happen to us as well.
It’s important to follow good cyber hygiene and how far you go will depend on the level of risk.
Businesses will need to establish a hygiene regime that provides regular assessments and reviews.
Things like bringing in a new data-handling technology, a new supplier or establishing a new business relationship with a foreign organisation can all be triggers which have cyber-risk implications.
It is important that cyber security becomes part of the due diligence exercise to ensure that businesses are as strong as possible, especially if you’re looking to sell your business or buy a new business.
Like all insurance, cyber insurance enables you to transfer some of the risk from your business to your insurer.
If you take out insurance for your home, it seems natural, and a no-brainer, to do the same for your data, especially since the likelihood of having a cyber-attack is much higher today.
Businesses have a responsibility towards their stakeholders, investors and customers to ensure appropriate measures are in play.
Cyber insurance can support accountability for organisations that hold onto people’s data.
Insurance doesn’t completely absolve responsibility and accountability though.
It’s fundamentally there to provide cover in emergencies and support in the event that something really bad happens.
Cyber-security is a constantly evolving landscape and a bit of a cat and mouse game.
On the one hand, we’re seeing greater sophistication in attacks and the speed with which attacks are taking place.
On the other, the use of advanced technology such as AI means that on the defence side, we can apply similar technologies to keep up.
We’ve also been seeing a trend towards targeting individuals and using their access to company systems to perpetrate further attacks.
These commonly start with phishing attacks via email.
Since it’s free to send an email, phishing attacks are a very cost-efficient process for hackers who can send millions of emails and benefit greatly from one click.
Often, the attackers will then go on to perform further attacks from each click.
There’s also been a wide adoption of cloud-based services due to the proliferation of remote working.
Hackers have taken advantage of this to perpetrate their crimes since this shift to the cloud has not necessarily been accompanied by security.
People often have a perception that third-party applications and services will handle security, but that’s not the reality.
There’s a huge misunderstanding of how cloud security works because it’s still fairly new technology, and hackers are homing in on this.
In particular, businesses need to pay special attention when it comes to remote working and remote access.
There are a few technical controls we can implement to better protect businesses.
As people work from home, they will continue to access business systems from non-trusted personal devices and third-party systems.
Businesses must adapt accordingly and get the right level of protection.
You can’t simply put up a firewall to be fully protected, you need multiple layers of security.