Cyber attacks like the one that affected PageUp in June can heighten businesses' awareness of their cyber vulnerabilities.
Even though a recent report suggested small businesses could be at significant risk of cyber attacks, there’s an ongoing perception that it’s the big banks, global corporates and high-profile tech companies that are at the greatest risk.
Paul Byrne, co-founder and chief executive of Amplify Intelligence, a startup providing tools for small businesses to protect themselves against cyber attacks, says there’s a knowledge gap among small businesses, and too few cyber security experts, who are snapped up by big banks and corporates.
However, it’s the smaller businesses, without the big budgets, that are more vulnerable.
“Criminals have realised that actually it’s really hard to steal money from a big enterprise,” says Byrne.
Corporates have sophisticated defences in place, while “small businesses are still at anti-virus and firewalls”, he says, which means “they’re trying to use 10-year-old tech against new attacks”.
Startups are at risk as well. Being tech savvy doesn’t necessarily mean being security savvy, Byrne says.
As a startup founder himself, Byrne knows first hand that security might not be at the forefront of entrepreneurs’ minds. If nothing else, you have to be “blindly optimistic” to launch a startup in the first place, he says.
“We’re so focused on building the vision of what we want to build, it’s about what’s most important. Security might not come up if we don’t have an awareness,” says Byrne.
However, tech startups are some of the most vulnerable to these kinds of risks.
“The more and more we’re leveraging data, and our business models are based on that,” the more susceptible they are, Byrne says. And “they’re much higher value” to hackers.
It can be easy to become overwhelmed by the number of ‘little fixes’ around cybersecurity. Enabling HTTPS, for example, simply prevents tampering with communications between a website and its users; it is just “turning on encryption with communications” and is “one of thousands of settings you should use to protect yourself”, says Byrne.
However, under the mandatory data breach reporting amendments to the Privacy Act, which have been in place since February, businesses need to maintain basic cyber hygiene more than ever before. And that’s not as difficult as it may first appear.
We asked Byrne and Jason Murrell, who runs Defend Wise, a business helping small businesses bolster their cyber resilience, to share five relatively easy ways startups and small businesses can get their security on track.
1. Know what’s valuable
There’s a common misconception that small businesses would not be a target for hackers because they’re too small-fry, but Byrne says no business is “too small to get noticed”.
In fact, things like ransomware are hitting small businesses harder than others. And attackers are not necessarily trying to access money.
Startups and small businesses should consider “what assets you have that can be monetised in ways you don’t realise”, says Byrne. For example, personal information about customers or employees can “actually be really valuable to criminals”, he says, even if they just sell it on.
Byrne sets out the example of a healthcare company. The business may protect its clients’ health data to a sufficient standard, but to criminals, staff data could actually be more lucrative as it can open up a door for identity fraud.
2. Train your staff
Big corporates have people entirely dedicated to cyber security. For the most part, small businesses just don’t have the budget for that.
Murrell says businesses with fewer than 30 employees, particularly in the legal, financial and health space, are vulnerable to phishing attacks, whereby criminals send a fraudulent email containing a link, in a bid to get people to enter their email login details. They’re also susceptible to what Murrell calls spear phishing attacks, which target one person in particular.
In one example, employees of a small law firm received an email purporting to be from Office365, saying their email inboxes were full. One employee typed her credentials into the replica Microsoft page the email linked to, and as a result, gave her details to the hackers.
After monitoring the account for a while, the hackers stopped outgoing invoices and changed the bank details, redirecting the funds. In this case, by the time the staff member followed up the invoices, the money had been transferred far away.
“From there, you can’t really go to the police,” Murrell says.
“It’s almost like leaving your house unlocked,” he adds; criminals will always take the easiest option.
The only way to avoid this kind of situation is through training, whether that’s through videos, external consultants or running simulation scams.
Either way, it’s important to get staff on board and engaged, Murrell says, and that can come through making them think about their personal risks, as well.
“We want them to think not just about protecting business, but also protecting them at home,” he says.
Equally, there’s no point in naming and shaming those who fall for an attack. Rather, the focus should be on celebrating those who spot them.
3. Two-factor authentication
In the case of the employee at the law firm, that breach would have been avoided entirely if the employee in question had had two-factor authentication enabled on her Office 365 account.
Two-factor authentication simply requires an additional proof of identity, beyond the password, before a user can log into something, whether that’s an app, client management system or email account. Typically, before the user can log in, a code is sent to a different device (usually a mobile phone) and must be entered to gain access.
According to Murrell, if a platform has the option of two-factor authentication, “it’s a key thing you should be looking at”.
Byrne also names this as an easy way to “get yourself up to the next step” of security.
4. Know where your data is
When using online storage or cloud providers, such as Dropbox or Google Docs, it’s important to be aware of where that data is hosted, what that means for the business, and whether it increases the risk.
However, Byrne says he worries less about cloud-based storage options, and more about people storing critical information on their email.
He has seen small companies keeping things like contracts and client details on their email accounts, where “that’s the only copy they have”.
“That’s less safe than putting it on Dropbox,” he says.
Email accounts are one of the easiest parts of a business to hack. And, if a business is compromised, the first question customers are going to ask is what is being done to protect that client information.
The reputational damage could be significant, but the measures taken to protect such data will also have a bearing on the penalties imposed.
“The governance and regulatory bodies are saying that as long as you’ve taken as many measures as you can … that would be okay,” Byrne says.
“If you haven’t really done anything, they’re going to come down a lot harder.”
5. Be aware
Simply raising awareness of cyber risks within the business can make a big difference.
“A lot of people don’t consider cyber security to be an issue until they get a breach,” Murrell says.
“It’s not if, it’s when. You either have [been attacked] or you’re going to be,” he adds.
It’s essential to have policies in place around things like responsible use of equipment, in addition to general good practices, and these should also extend to contractors.
Equally, any third-party suppliers should be vetted to make sure they have good cyber hygiene themselves.
Eventually, Murrell predicts that businesses will be benchmarked for cyber safety, gaining accreditation depending on how secure their systems are. With this visible to clients and collaborators alike, the issue will quickly become more important to any business.
But that’s a means to an end, Murrell says. Ultimately, business owners should be motivated to be cyber secure for themselves.
“It’s just one less thing to worry about,” he says.