Ransomware: Free Ways To Help Protect Your Small Business
- emilybevan6
- Apr 7
- 6 min read
At the end of 2024, ransomware was highlighted as the most significant cyber threat to UK organisations. Notable incidents, such as the attack on Synnovis, a key NHS supplier, show the human and financial consequences of such cyber incidents, so it is more important than ever to ensure your organisation is maximising its cyber resilience against these threats.
If you are not sure where to begin, you are in the right place. This blog will explore what ransomware is, and the simple steps small businesses can take to stay safe.

What is Ransomware?
Ransomware is a type of malicious software (malware), which blocks access to your computer systems or encrypts your files. Once your device has been infected, attackers demand a ransom payment in order to restore access.
The impacts of ransomware can be particularly harmful. Businesses lose access to critical data, experience long periods of downtime, which incur additional costs, and often face significant reputational damage. What is particularly distressing is that paying the ransom offers you no guarantee that you will get your data back. Statistics actually suggest that being the victim of a ransomware attack greatly increases the likelihood of being targeted again, particularly if you have paid the ransom.
This places many businesses in an uncomfortable position. They may be forced to weigh up the ethical and financial considerations of paying money to criminals, for a chance to restore business as usual, or refuse to pay and face a long and difficult process, that may be impossible to recover from. In short, it is not a situation any business wants to end up in.
According to the National Cyber Security Centre (NCSC) common vectors for ransomware include:
- Phishing emails containing malicious attachments or links
- Exploiting software vulnerabilities
- Compromised security, through poor password hygiene or lack of multi-factor authentication (MFA)
Given the destructive potential of ransomware, the best advice is to prevent, prepare, and educate yourself and your staff about this form of attack. Fortunately, there are a multitude of free and easy ways to make your business a much harder target.
What can I do to stay protected?
Keep Software and Devices Updated
One of the easiest and most important cyber resilience tips is to keep all software, apps and devices updated. Software developers frequently release security updates, or ‘patches’, that fix vulnerabilities. Criminals often exploit known vulnerabilities so ensuring that updates are installed as soon as they become available helps reduce your risk profile.
- Turn on automatic updates where possible
- Regularly update not just computers, but phones, routers and any device that is connected to the internet
Backup Your Data
Backing up your business’s important data is one of the best protections against ransomware. If your data is backed up, you have copies to access if your business gets hit with ransomware. This means you will not have to pay a ransom to retrieve your files because you have other places to access them.
- Use the 3-2-1 rule. Keep three copies of your data, on two different forms of media, with one copy stored offsite.
- Ensure backups are offline or off your business network, to prevent them from becoming encrypted in the event of an attack.
- Test your backups regularly to ensure you can access them when needed.
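The following is an added example, not code from the ECRC or the NCSC, showing one practical way to "test your backups": record a SHA-256 manifest of the live data at backup time, then compare the backup copy against that manifest before you ever need to restore. The `demo()` function builds a small constructed dataset in a temporary directory, takes a backup, verifies it, and then simulates a reachable backup file being overwritten and another deleted (the scenario the offline-copy rule exists to prevent) to show that the check catches both.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest.
    Store this manifest alongside the offline copy, not only on the live system."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest taken when it was made.
    A file that ransomware has encrypted shows up as 'modified'; one it has
    deleted shows up as 'missing'."""
    current = build_manifest(backup_root)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (missing or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed end-to-end run on sample data (not real business files)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (live / "readme.txt").write_text("constructed sample data\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)
        before = verify_backup(manifest, backup)

        # Simulate what happens to a backup that stayed reachable from the
        # network during an attack: one file overwritten, one deleted.
        (backup / "accounts" / "invoices.csv").write_bytes(b"\x00unreadable")
        (backup / "readme.txt").unlink()
        after = verify_backup(manifest, backup)

        return {"before": before, "after": after, "file_count": len(manifest)}


if __name__ == "__main__":
    result = demo()
    print("fresh backup ok:", result["before"]["ok"])
    print("after tampering:", result["after"])
```

Run this on a schedule against each of the three copies in the 3-2-1 rule; a verification that passes on the live copy but fails on the offsite copy tells you the offsite copy is the one that needs attention before an incident, not after.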
Use Strong Passwords and Multi-Factor Authentication
Poor password hygiene offers a common entry point for attackers. Brute force attacks involve criminals using common passwords, and known passwords from previous data breaches, to attempt to gain access to your accounts. Making sure that strong, unique passwords are used for each account across your business greatly reduces your risk.
- Use the NCSC’s three random words technique to create strong passwords. Password length increases strength, so meshing three random words together creates a random and strong password, particularly when used in conjunction with numbers and special characters.
- Turn on MFA. Ensuring MFA is used on every account where it is available means that even if a password is compromised, criminals still cannot access your accounts. This is particularly important for email, finance and cloud storage accounts.
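As an added illustration of why the three random words approach works (this is not NCSC or ECRC code), the script below generates a three-word passphrase from a wordlist using the operating system's secure random source and estimates its strength in bits. The wordlist embedded here is a short constructed sample so the script runs on its own; a real generator should draw from a dictionary of thousands of words, which is what the `passphrase_entropy_bits` figures with a 7776-word list (the size of a typical diceware list) assume.

```python
import math
import secrets

# Constructed sample wordlist, only so the example is self-contained.
# A real generator needs a large dictionary: strength comes from the
# number of words the attacker must guess between, not from the words themselves.
SAMPLE_WORDLIST = [
    "apple", "river", "candle", "orbit", "marble", "pepper", "tunnel", "velvet",
    "glacier", "lantern", "meadow", "copper", "saddle", "thunder", "walnut", "zephyr",
]


def three_random_words(wordlist=SAMPLE_WORDLIST, count=3, separator="-", suffix_digits=2):
    """Build a passphrase in the 'three random words' style.
    secrets.choice uses the OS CSPRNG; random.choice is not suitable for secrets."""
    if len(set(wordlist)) < 2:
        raise ValueError("wordlist is too small to produce a random passphrase")
    words = [secrets.choice(wordlist) for _ in range(count)]
    phrase = separator.join(words)
    # Optional trailing digits, as the text suggests combining words with numbers.
    phrase += "".join(str(secrets.randbelow(10)) for _ in range(suffix_digits))
    return phrase


def passphrase_entropy_bits(word_count, wordlist_size, suffix_digits=0):
    """Bits of entropy when each word is chosen uniformly from wordlist_size words
    and each extra digit uniformly from 0-9."""
    return word_count * math.log2(wordlist_size) + suffix_digits * math.log2(10)


def password_entropy_bits(length, alphabet_size):
    """Bits of entropy of a password whose every character is chosen uniformly
    from an alphabet of alphabet_size symbols. Shows why length matters most."""
    return length * math.log2(alphabet_size)


def is_three_words_style(candidate, wordlist, separator="-", count=3):
    """Check that a passphrase is made of `count` words from wordlist
    (trailing digits are ignored)."""
    core = candidate.rstrip("0123456789")
    parts = core.split(separator)
    return len(parts) == count and all(p in wordlist for p in parts)


if __name__ == "__main__":
    print("example passphrase:", three_random_words())
    for n in (2, 3, 4):
        print(f"{n} words from a 7776-word list: "
              f"{passphrase_entropy_bits(n, 7776):.1f} bits")
    print("8 random chars from a 26-letter alphabet:",
          f"{password_entropy_bits(8, 26):.1f} bits")
```

The entropy figures make the trade-off concrete: adding a fourth word to a passphrase adds about 13 bits against a 7776-word list, roughly the same gain as adding three random lowercase letters to a character password, and the passphrase is far easier for a person to remember. The figures describe truly random choices only; a human picking "favourite" words or predictable digits lowers them, which is why the generator draws from `secrets` rather than asking the user.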
Educate Yourself and Your Staff
Staff can be your biggest vulnerability or one of your greatest defences when it comes to cyber security. One successful phishing email can compromise your whole network; however, if your workforce is well versed in cyber resilience, phishing attempts can be spotted and reported, mitigating the threat.
Offering basic cyber security training can help staff spot phishing emails and suspicious activity. The ECRC can offer Security Awareness Training at very little cost to your business. Additionally, Police Cyber Protect Officers can also deliver training for free to businesses.
The NCSC also offer several free resources to educate businesses. Their website is full of easily readable guides and blogs, and their Exercise in a Box offers training resources small businesses can explore together.
Secure Remote Working
With many businesses offering remote or hybrid working, businesses must ensure they are implementing secure working practices. This is particularly important for micro businesses and sole traders, who may not consider cybersecurity as a critical priority in these early stages of business.
If employees are using their own devices for work purposes, ensure the device is secure. Personal use of devices can leave you vulnerable to other types of compromise, so ensure devices are updated, with reputable antivirus protection, strong password hygiene, and MFA.
Encourage staff to connect using a Virtual Private Network (VPN) if accessing company resources remotely.
Related to this, avoid using public Wi-Fi networks in general. Public Wi-Fi networks are often unsecured, meaning it is easier for somebody to intercept data from your device. Additionally, attackers often establish fake Wi-Fi networks with believable names (e.g. CoffeeShopWiFi) to lull you into a false sense of security.
Prepare for An Attack
Finally, total cyber resilience involves being prepared for if the worst was to happen. Incidents can occur even with the best defences, so having a plan in place helps you to respond quickly and minimise damage to your organisation.
Creating an incident response plan means you will not waste time working out what to do if something happens. The ECRC have an incident response plan template you can use to get started.
Include key contact details for your IT company if you use one, insurance if you have it, and Action Fraud which is where you report it.
The bottom line is that cybercrime is not reserved for large corporations: whilst small businesses may not have the assets of a national or international company, they can be seen as easy targets by cybercriminals.
Whilst ransomware is a daunting topic, taking these free, practical steps is a fantastic way to improve your cyber resilience and greatly reduce your chances of becoming a victim of cybercrime.
The ECRC offers a wealth of guidance for SMEs, schools and charities, and the NCSC and Action Fraud are a great resource for accessing free, in-depth, up-to-date information about all things cybercrime. Investing just a few hours into learning about cybercrime and improving your cyber resilience today could save your business thousands of pounds tomorrow.
How can the ECRC support?
By joining the ECRC as a free member, your organisation will be supported in making the small changes that make the biggest difference when it comes to cyber resilience. Becoming a free member means you will receive the latest cyber resilience guidance via email, which will drip feed you ways in which you can improve your cyber resilience without costing any money.
The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up-to-date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful in terms of identifying areas where you could improve your cybersecurity. They also have many informative guides that are sector specific, which will give you useful and detailed information.
If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today!
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)
