How to avoid being the next cybercrime victim


By Alex Martin, cyber services director at Reliance Cyber 

Official government statistics found that just over four in 10 UK businesses (43%) experienced a cyber security breach or attack in the last 12 months, equating to approximately 612,000 firms. You might think that only larger businesses are in the cross hairs of criminals, but unfortunately that is not the case: 35% of micro businesses and 42% of small businesses experienced phishing attacks in the same period.

Make it difficult for criminals and they will likely move on to the next target

These figures may seem daunting but it’s important to remember that in most cases cyber criminals are highly opportunistic. Just as most burglars target homes that leave a door or window open, cyber criminals also look for easy targets first.

Unfortunately, AI is making the situation worse, since attackers can now use tools that scan thousands of organisations for weaknesses and quickly single out potential victims. Yet the principle still holds: make it difficult for a criminal and in most cases they'll move on to the next target. There are several relatively simple steps that any SME can take to make itself safer. Where to start?

Mandate multifactor authentication (MFA) everywhere

For an SME this is the single most effective control: it means a criminal needs more than just a password to log in to a company system. MFA is relatively simple to deploy, since an employee only needs to install an authenticator app on their phone to get the codes used at login.

One-time passcodes can also be delivered via SMS. While this is less secure (SMS codes can be intercepted or captured through SIM-swap fraud), it is still better than not using MFA at all; where a system supports them, phishing-resistant methods such as FIDO2 security keys or passkeys are stronger still. Enforce MFA on all employee email, remote access (VPN), cloud platforms, and any financial or administrative systems, since passwords alone are highly vulnerable and MFA makes those systems far harder for criminals to access.

Implement strict credential hygiene

Passwords are an inherent weakness. Employees often choose weak, easy-to-guess combinations, and there are reportedly some 16 billion breached username and password combinations freely available on the dark web that criminals can use to try to break into accounts.

Many employees will have used their company email address as a login on other services, and possibly the same password. That makes it easy for criminals to break in using automated 'credential stuffing' tools, which replay leaked username and password pairs against many services at scale. Instead, ensure employees use a password manager so that they have a strong, unique password for every service, and deactivate their accounts promptly when they leave the business.
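As an added illustration (this is example code, not from the original article or from Reliance Cyber), the Python below shows how a password manager or an onboarding script can check whether a password appears in a breached-credential list without ever sending the password itself. It hashes the password with SHA-1 and looks up only the first five hex characters of the hash, which is the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>). The breach list, the range response and the staff accounts here are all constructed so the example runs offline; fake_range_lookup stands in for the HTTP call and is an assumption of this example, not part of any real library.

```python
import hashlib

# Constructed stand-in for a leaked-credential corpus: passwords we pretend
# were exposed in breaches, with how many times each was seen. Made up here
# so the example runs offline.
LEAKED = {"Password123": 5_400_000, "Summer2024!": 12_300, "letmein": 810_000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix5: str) -> list[str]:
    """Stand-in for GET /range/<prefix5>.

    The real service returns every known hash that starts with the 5-hex
    prefix, as 'SUFFIX:COUNT' lines (35 hex chars each side of the colon).
    The client never reveals which of those hashes it actually holds.
    This version builds the lines from the constructed LEAKED table.
    """
    lines = []
    for pw, count in LEAKED.items():
        h = sha1_hex(pw)
        if h[:5] == prefix5:
            lines.append(f"{h[5:]}:{count}")
    # Pad with an unrelated suffix, as a real response would contain many.
    lines.append("0" * 34 + "F:3")
    return lines


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Return how often the password was seen in breaches (0 if never).

    Only the 5-character hash prefix leaves the client; the suffix match
    is done locally against the returned range.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def audit(credentials: dict[str, str]) -> dict[str, str]:
    """Classify each account as 'breached', 'reused' or 'ok'.

    'breached' means the password appears in the leaked corpus;
    'reused' means two or more accounts share the same password.
    A password that is both breached and reused reports 'breached'.
    """
    users_by_password: dict[str, list[str]] = {}
    for user, pw in credentials.items():
        users_by_password.setdefault(pw, []).append(user)

    result = {}
    for user, pw in credentials.items():
        if breach_count(pw) > 0:
            result[user] = "breached"
        elif len(users_by_password[pw]) > 1:
            result[user] = "reused"
        else:
            result[user] = "ok"
    return result


if __name__ == "__main__":
    # Constructed staff accounts (not real people or passwords).
    staff = {
        "alice@example.com": "Password123",
        "bob@example.com": "Tr0ub4dor&3",
        "carol@example.com": "Tr0ub4dor&3",
        "dan@example.com": "xK9#vQ2pL!mZ8wRt",
    }
    for user, verdict in audit(staff).items():
        print(f"{user}: {verdict}")
```

In practice a password manager runs the same check against the live range API before accepting a new password, and the 'reused' test is exactly why a manager that generates a unique password per service removes the credential-stuffing risk described above.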

Keep software updated

Regularly update all software, including operating systems and applications, to protect against known vulnerabilities. When a software supplier advises you to update, do it without delay. The highest profile UK breach last year was at Jaguar Land Rover (JLR), through a failure to patch a known, critical SAP vulnerability.

For months this left a door wide open for attackers. It’s therefore vital to have a robust and timely process for identifying and patching critical vulnerabilities, especially in internet-facing enterprise systems.

Map your 'crown jewels'

Create a register of your business-critical systems and data and ensure they are backed up, with the backups tested so you know they can be restored. Identify which tools are on the 'critical path' to protecting those assets. Every new tool or service adds complexity to a network, so instead of buying something new, consider working with your internal subject matter experts or vendors to tune the tools you already have to protect those specific areas.

Train for cyber-attacks – particularly phishing and vishing

Employees are often the weakest link, and social engineering via phishing is a primary route in for criminals. Training them in what to look out for is vital. Messages flagged as coming from outside the organisation should be treated with particular care, and anything prompting urgent action is a huge red flag. Staff must also be specifically trained to recognise voice phishing (vishing) calls, where attackers try to trick them into revealing client information or credentials over the phone; a simple rule is to hang up and call back on a number from the company directory before acting on any such request.

Have cyber insurance coverage

View insurance as a vital safety net, not a substitute for security. The JLR incident highlighted the massive financial risk when coverage is inadequate. Read your policy's fine print: insurers are now routinely denying claims if the policyholder failed to implement basic, required security measures such as MFA or regular, tested backups. Make sure you comply with your policy's requirements.

Create a one page incident plan

Don’t wait for a crisis. Have a simple, one-page checklist that answers: Who is the first person we call (e.g., your external IT support or legal counsel)? What is our insurer’s breach hotline number? What is the first technical step (e.g., disconnect the affected machine)? Store this plan offline where it can be accessed if the network is down.

There are some excellent incident response resources available at no cost from the National Cyber Security Centre (NCSC) which help SMEs with planning.

Remember that incident response plans should be a living resource, which is re-visited regularly to take account of changes in an organisation.

Get certified with Cyber Essentials

Developed by the NCSC, the certification scheme is built around five technical controls (firewalls, secure configuration, security update management, user access control and malware protection) designed to prevent the most common internet-based cyber security threats. It serves as an excellent starting point for an organisation to understand its baseline cyber security, and over 35,000 organisations hold the certification. Remember, though, that as with other security accreditations it is a point-in-time snapshot of security posture, often with narrow scope. Holding the certificate is therefore no substitute for keeping those controls in place, available and working day to day.

Taking these steps won't guarantee your business stays safe, but it will stop the majority of attacks, and do so cost effectively.