Protecting your smaller business from cyber attacks

Protecting your business from hackers, cyber criminals, and malware is as important as physically safeguarding your premises.

According to the Cyber Security Breaches Survey, 39% of UK businesses were subject to a cyber attack in 2022, with an average cost per attack from loss of money or data of £4,200 for all businesses reporting an attack.

Putting measures in place to stop cyber criminals in their tracks can help protect valuable customer data, commercial intellectual property, and demonstrate to customers and investors that your business has robust systems to protect digital assets and data.

Failing to protect data can open the door to significant penalties.

The Information Commissioner's Office (ICO) can issue fines of up to £175 million or 4% of global annual turnover in the event of a severe data breach.

The Cyber Security Breaches Survey found that just over half (54%) of businesses had actively identified cyber security risks in the previous 12 months, yet only 17% of all UK businesses had carried out any form of staff cyber security training.

What is a cyber attack?

A cyber attack is any offensive or invasive action targeting computer systems, networks, or personal digital devices.

Depending on its purpose, a cyber attack can take many forms and common types include:

Phishing

This is the most common type of cyber attack reported by UK businesses – accounting for 83% of all cyber attacks in 2022.

Phishing involves tricking business employee into sharing security information, such as passwords and usernames, that allow criminals to access computer systems and networks.

Phishing often takes the form of a fake email asking users to visit a phoney website that steals the data entered.

Malware

Malware is an umbrella term for malicious software.

It often is deployed as a software program hidden within an email attachment or downloaded from a compromised website.

It can enable hackers to bypass security networks and steal data.

Denial of Service (DoS)

A DoS cyber attack usually has no direct benefit to the perpetrator and is often socially or politically motivated.

A DoS attack floods a website server with more traffic than it can handle, preventing legitimate website users from accessing your company website, for example.

Ransomware

According to research by Hiscox, criminals are increasingly using ransomware to target businesses.

Criminals illegally hack into a company's IT systems, then encrypt files and other data, which prevents genuine users from accessing them.

Hackers usually demand a ransom – which can run into millions of pounds – to decrypt the data and allow a business access to its files.

How to reduce the risk of cyber attacks

Create a Cyber Action Plan

A Cyber Action Plan is a free service provided by the National Security Cyber Centre to help individuals and small businesses improve their cybersecurity.

After taking a short quiz, the NSCC will create a tailored list of actions that will help bolster your cybersecurity.

Provide staff training

Most cyber attacks rely on tricking employees into sharing passwords or inadvertently installing malware.

Social engineering tricks are deployed, such as fake company emails, which means training staff in how to spot security breaches and what to do may help reduce the risk of a successful cyber attack.

The UK's National Cyber Security Centre (NSCC) has free online training for employees.

Have a clear security policy

Another possible way to respond to the threat of cyber attacks is to coach your employees on how they should behave and what they should do in relation to data security.

This can cover policies such as visiting websites, connecting their own devices to company networks, and transferring data with third parties such as suppliers.

You could make employees aware of these policies and regularly review their effectiveness.

Flag potential attacks

By encouraging employees to report suspicious emails or websites you can create a cyber secure culture where employees check first before clicking on a suspicious link.

If they do fall victim to a phishing scam, for example, you could provide a way for them to report it without fear of disciplinary action.

Store back up data separately

It can be a good idea to routinely back up data separately from computers, ideally offsite and in remote locations to minimise physical damage and cyber attacks.

Online data storage services, such as Amazon Web Services and Google Cloud, store business data on demand in different locations worldwide, along with disaster recovery tools.

Stay up-to-date

Ensure vital security software is up-to-date.

This includes computer operating systems, anti-virus software, anti-malware software, and firewalls.

Out-of-date software can have security holes that hackers can exploit to gain access to your network.

What else can you do?

Besides the above actions, you may wish to consider joining the Cyber Essential Certification Scheme.

This government-backed initiative helps businesses of all sizes protect themselves against the most common cyber attacks.

Implementing an ISO 27001-certified information security management system is another way to ensure, and demonstrate, best practice in keeping digital data assets secure.