Should My Small Retail Business Invest in an FSWA?

For any organisation, maintaining a presence online is increasingly important for success in today’s digital economy. Whether it is used for making sales, advertising products, or explaining who you are and where to find you, having a website of some description allows a company to be accessible around the world. However, with 32% of SMEs becoming the victim of a cybercrime in 2022, websites also provide another potential vulnerability for criminals to exploit. Whether you are a market-dominating multinational company or a local sole trader, having a secure and protected website is very important for your cyber resilience.

Many small business owners do not see themselves as being at risk of a cyber-attack, either not understanding how they could be targeted, or seeing their business as having less to offer a criminal than those of a bigger size. However, in many cases it is not the individual nor the organisation that is being targeted, rather the vulnerability that has been identified. Like an opportunistic thief walking down the road and trying to open car door handles, if a criminal can see a way in, they will take it regardless of the business size.

Cyber criminals tend to have two main targets when committing a cyber-attack: sensitive data and financial gain. Considering that both money and data are found in almost every organisation across the world, nobody is exempt from being targeted. A retail business, regardless of what it sells, is likely to hold some form of sensitive information, such as financial records, billing addresses and purchase histories. This can be stolen for use in its own right, to commit further offences, or to help craft a convincing and sophisticated attack against the business. Additionally, if there is a physical shop as well as a website, it is likely that the two are linked in some way. For most retail businesses, the physical shop is as dependent on its IT and systems as the website is, and the data from both likely feed into the same place.

For smaller businesses and sole traders in particular, the topic of cyber security may not have been considered in detail. However, with the average direct cost of a cyber-attack being around £1000, a figure that grows alongside the size of the company, it is definitely a necessary consideration.

How can I protect my business from cybercrime?

One of the most important steps in building cyber resilience is increasing awareness around phishing. Phishing is a common way for cyber criminals to install malware or access systems, and it works by tricking the victim into clicking or downloading disguised malware, or into revealing sensitive information. This is often done via email, and can range from obvious and poorly executed to well disguised and highly sophisticated. For business owners interacting with a network of customers and suppliers, phishing can often go unspotted, particularly by those who do not know what to look for.

Common features of a phishing attempt include urgency, mimicry, and errors, meaning that when receiving an email or request, it is important to take the time to consider what is in front of you. Instead of taking the display name at face value, look at the specific email address that sent the message and check whether it really belongs to the person it claims to be from. For any message requiring immediate action, think about what you are being asked to do, and contact the person or organisation it claims to be from directly to check its legitimacy. Additionally, do not click any links or attachments that you are unsure of. Finally, read the message thoroughly and consider its spelling, grammar, and tone. Think about whether it reads as you would expect, and look for any spelling or grammar mistakes that indicate it has come from elsewhere. For more advice on phishing, you can visit the NCSC’s website here.

What about my website?

To help prevent a cyber-attack, it is also important to keep your website secure from exploitation. For sole traders, micro businesses, and small enterprises, using a service like the ECRC’s First Step Web Assessment (FSWA) is a valuable investment in securing your website. It is a fixed-cost service, and a £30 discount is available to charities and micro-organisations.

The first action a threat actor would take before targeting a business is reconnaissance: looking for any markers of vulnerabilities they could exploit. The FSWA uses passive and active techniques to examine your website as a criminal would, searching for these vulnerabilities. The passive techniques gain information about the website without actively engaging with it, whereas the active techniques use automated scans to identify vulnerabilities at a high-level overview.

What FSWA assesses:

• Domain and DNS records

• SSL Certificates

• Email protections

• Security Headers

• Outdated components

• Directory discovery

• Sensitive data exposure

• Vulnerabilities shown through automated scan

At the end of the assessment, you receive a short, non-technical report showing you the risks to the site, as well as mitigation measures you can take to reduce them. This allows you to improve your security and encourages further discussion on additional steps you can take to keep your business secure.

For SMEs, the FSWA is a good option because it keeps the cost to a minimum and is the perfect starting point for those who have not considered their cyber security in detail. It is one of several affordable services provided by the ECRC, the others including Security Awareness Training, Internal Vulnerability Assessments, Corporate Internet Investigations and Security Policy Reviews.

The cost of these services is kept to a minimum in order to be accessible to SMEs, which is made possible by the fact that they are delivered by students employed by Cyber Path. Through Cyber Path, university students are trained and mentored by senior ethical hackers to deliver selected services and work with staff to build their cyber awareness. This not only benefits the organisations they are helping, but also supports the cyber talent pipeline, giving future industry leaders invaluable hands-on experience.

What should I do now?

Becoming a free member of the Eastern Cyber Resilience Centre is a great first step for those wishing to improve their cyber resilience and bolster their knowledge. As part of your free membership, you are enrolled onto our ‘Little Steps’ programme: a weekly email series giving you actions that improve your cyber resilience, delivered in a way that is digestible and accessible to a non-technical audience.

Additionally, there are many free resources that can be accessed on our website. For example, ‘Exercise in a Box’ was created by the NCSC as a preparation tool for businesses, enabling organisations to find out how resilient they currently are to attacks and to pilot their response to various threat scenarios in a safe environment. The NCSC also has other free resources and frameworks, such as its ‘Cyber Action Plan’ and ‘Small Business Guide’, all of which deliver up-to-date, accessible guidance on staying safe and informed against cyber-crime.

If you are interested in finding out more about how an FSWA could help you, or simply want to know more about cyber resilience and what we do at the ECRC, why don’t you book a chat with us today?

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which is not ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).
