All SMEs, no matter how small, are vulnerable to a cyber attack

Detective Inspector Fiona Bail is Head of Cyber and Innovation at the Eastern Cyber Resilience Centre (ECRC), which supports and strengthens SMEs, supply chain businesses and third sector organisations against cyber crime. Here, she guides us through what we need to know.

When an SME comes to you for advice, what are the first things you tell them? How aware are SMEs of the dangers of cyber criminals?

The very first thing is a reassurance that even if they don’t have any technical expertise there are some simple free steps that they can take to drastically increase their cyber resilience. We try to use real world examples to make the ethereal digital world mean something more. For example, businesses wouldn’t dream of leaving their physical premises unlocked; in fact they probably have secure door locks, window locks, CCTV and maybe a safe for important items. The ECRC aims to do the same with their digital premises, making sure that only those allowed can get access to the private side of the business. I think businesses have become more aware over the past couple of years about cyber crime, mainly due to the reporting in the news of large organisations being victims, however I don’t think many understand why these attacks are successful. And, unless the why and how is explained, smaller businesses may struggle to see comparisons between these large companies and themselves, but at the heart of it all businesses are at risk.

If an SME says to you that they are too small for a cyber criminal to bother with, what do you tell them?

Every business with an online presence is at risk. Most cyber criminals target vulnerabilities rather than specific companies, so size is not a safety feature. In the same way that a burglar would prefer to steal from a house which isn’t overlooked, has been left unlocked and has no CCTV, cyber criminals will go for the easiest targets, and that is frequently smaller companies with limited or no technical controls. Smaller companies may actually be more attractive in some situations as they will be more likely to pay a ransom if their data gets encrypted due to them not having backups or the technical help to recover in a way that doesn’t shut down their business.

How have the threats of the cyber criminal changed in recent years?

Cyber crime has become a business, with organised crime groups having affiliate schemes and bug bounties and being able to buy services from other criminals to launch or escalate attacks. This means that phishing emails have become more sophisticated and harder to spot and that new hooks are created as soon as a news event occurs. It also makes law enforcement more complicated as attributing attacks to a particular group becomes harder. Criminals no longer need to have technical expertise; they just hire it.

Criminals using ransomware have also started to steal data before encrypting it. This is known as double extortion. If companies can recover from the encryption through backups, then the criminals will threaten to release the data they have stolen if they are not paid. Depending on what data they have managed to take, this is an effective threat and emphasises the need to prevent this from happening. Companies really need to think about whether they could survive, both financially and reputationally, if this did happen. But paying isn’t the answer. Cybereason found that 80 per cent of companies that paid a ransom were hit a second time, with 40 per cent paying again, and 70 per cent of these paid a higher amount the second time round!

And as these criminal groups continue to explore what is going to make them the most money, they are likely going to target IoT devices, some of which are inherently insecure. If companies use IoT, they need to assess the risk this poses to their business.

Has the increasing popularity of working from home led to an increase in cyber security threats? If so, how?

Yes, it has. Companies had to adapt very quickly during the pandemic so they could keep functioning, and consequently cyber security may not have been prioritised. Along with the fact that it is harder to monitor and secure devices outside of a set network, many businesses have allowed remote workers to use their personal devices without additional training or technical controls. This has increased the risk of unauthorised access via the personal devices as well as the introduction of malware onto systems through shared use of devices within families.

How can companies ensure their passwords are strong and safe?

Passwords should be unique and complex. Unique meaning that they are not reused across different systems and aren’t going to be used by anyone else, such as Liverpool1 or Password123!, and complex meaning over 12 characters with a mixture of upper case, lower case, numbers and special characters. You can generate super strong passwords by following the National Cyber Security Centre’s guidance of using three random words and adding some numbers/symbols, e.g. Horse4Spider8Millipede1000! The added challenge is remembering them all, as most people now have over 100 passwords. Password managers are great at this, so you remember one super strong password and your manager remembers the rest.
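As an added, runnable illustration of the password advice above (example code written for this page, not the ECRC’s or the NCSC’s own material): a small Python script that builds a passphrase in the three-random-words style and checks any password against the criteria given here (not a known common password, over 12 characters, all four character classes, not reused across systems). The word list and the common-password denylist are constructed samples standing in for a real dictionary and a breached-password feed.

```python
import secrets
import string

# Constructed sample word list; a real generator would draw from a large dictionary.
WORDS = [
    "horse", "spider", "millipede", "otter", "lantern", "granite",
    "velvet", "harbour", "meadow", "copper", "thimble", "walnut",
]

# Constructed denylist standing in for a common/breached-password feed (lower case).
COMMON_PASSWORDS = {"password", "password123!", "liverpool1", "qwerty123", "123456"}

MIN_LENGTH = 13  # the interview asks for "over 12 characters"


def three_random_words(words=WORDS, n_words=3):
    """Build a passphrase in the three-random-words style, e.g. Horse4Spider8Millipede1000!

    secrets.SystemRandom is used so the choice is unpredictable; random.choice is not.
    """
    rng = secrets.SystemRandom()
    chosen = rng.sample(words, n_words)  # n_words distinct words
    parts = [w.capitalize() + str(rng.randrange(10)) for w in chosen]
    tail = str(rng.randrange(100, 10000)) + rng.choice("!?#%")
    return "".join(parts) + tail


def check_password(pw, denylist=COMMON_PASSWORDS):
    """Return the list of criteria from the interview that pw fails (empty list means OK)."""
    problems = []
    if pw.lower() in denylist:
        problems.append("common password")
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(classes):
        problems.append("missing character class")
    return problems


def find_reused(credentials):
    """Given {system: password}, return the systems whose password is also used elsewhere."""
    by_password = {}
    for system, pw in credentials.items():
        by_password.setdefault(pw, []).append(system)
    return {s for systems in by_password.values() if len(systems) > 1 for s in systems}
```

The reuse check is what a password manager does for you across hundreds of logins; here it runs over a small dictionary so the idea is visible.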

What kind of training do you provide for SMEs?

Our free membership includes a series of weekly emails built around the key considerations in cyber resilience. It is a great starting place for companies who aren’t sure what they need. We also signpost to free resources such as the online training available from the National Cyber Security Centre and the free staff awareness session that local police protect officers can deliver to small businesses. The ECRC also delivers bespoke affordable security awareness training through local university students who are trained and mentored by senior ethical hackers. The students get really good work experience for when they leave university and customers get a quality service at an affordable rate.

You are involved in something called Cyber Essentials and Cyber Essentials Plus. Can you tell us about that and how it works?

Cyber Essentials is a government-backed scheme to try and raise the standard of cyber resilience within small and medium businesses. It concentrates on five fundamental control areas which, if implemented, can fully or partially protect businesses from 99 per cent of common cyber-attacks. It is a great way to demonstrate to customers and supply chains that cyber resilience is being taken seriously. There is also cyber insurance which comes with the scheme, which smaller businesses might find very reassuring if the worst does happen.

To sum up, what would be your top tips to build resilience against the cyber criminals?

Firstly, cyber isn’t as scary as you might think; a non-technical person can do a lot without any help to improve their resilience. Help is available for free, such as the ECRC’s membership, and is a great place to start building that resilience with support and guidance when required.

The one thing I would get everyone to do, would be to enable Two Factor/Multi-Factor Authentication wherever possible, especially on email accounts and social media. This could be the difference between a criminal logging on to a business network through stolen/leaked credentials and them not being able to access the system at all. There are some excellent “how to” videos online about setting up 2FA for almost every system imaginable and it will only take a few minutes to do.

Eastern Cyber Resilience Centre