As digital technology creates opportunities for independent merchants to do business more effectively, it also brings significant risks to companies without a well thought out cyber security strategy – NMBS chief executive officer Chris Hayward discusses.
The increased use of digital technology, particularly since the pandemic, makes it hard to imagine a business that isn’t in some way dependent on it. But the opportunities this technology creates also present risks for the sector, and without the proper expertise and training in place a company can be in the firing line of malicious actors whose primary goal is to disrupt, steal, or even bring a company to a complete standstill.
Research in 2019 by the National Federation of Self Employed and Small Businesses revealed small businesses are collectively subject to almost 10,000 cyber-attacks a day, while a study by the Department for Digital, Culture, Media and Sport last year suggested that 38% of UK small businesses have suffered a cyber breach or attack in the past 12 months.
The risk to companies without a cyber security policy in place is significant. But small and medium-sized merchants can take steps to protect themselves, their business, and their clientele, even without introducing substantial IT infrastructure and resources devoted to fighting cybercrime.
On many occasions companies have suffered attacks from malicious hackers who created disruption simply by sending an email that looked legitimate but was anything but. Nevertheless, with the right processes in place attacks like these can be caught, monitored, and reported.
Risks and threats
But what are the threats and real-world risks for a company that doesn’t have sufficient measures in place to protect against cyber-attacks?
As we’ve already discussed, the major threat is not about the tools cyber criminals use; it’s about their end goal. The tools include malware – software created to cause damage or disruption, or to give criminals access to a computer system – and ransomware – a type of software created to blackmail an organisation by blocking access to a computer system until a ransom is paid, such as the ‘WannaCry’ virus which hit multiple companies worldwide in the spring of 2017 and included an attack on the UK’s National Health Service. Then there’s phishing – the attempt to trick a company’s biggest asset, the employee. The perpetrator researches the company carefully, finds out who works there, obtains their contact details, looks them up on social media and then uses all this information to try to obtain sensitive data they can turn to their financial advantage – which is their end goal.
Many of our SME NMBS members report difficulty in resourcing cyber security expertise. But a range of basic safeguards is necessary to ward against data breaches and financial loss, as well as the associated clean-up costs. After all, an attack can be much more costly, resulting in lost productivity and business disruption. Longer-term, this can cause reputational damage, harm to a company’s customer base, and potential regulatory action and financial penalties in the event of a data breach.
At NMBS, cyber security has long been a high priority. Currently, we’re working towards the government-backed National Cyber Security Centre’s Cyber Essentials accreditation – demonstrating the highest level of commitment to cyber safety through systems, policies, and procedures.
The protection we put in place also passes on to our members and our commitment to cyber security means we’re also supporting them in taking their own steps to make improvements wherever needed.
What can merchants do?
Within cyber security, we have what’s called the Cyber Kill Chain, which is the seven steps that make up a cyber-attack: reconnaissance (scanning of networks, researching the company, looking up employees on social media); weaponization (creating the virus, finding a route to deliver it); delivery (such as via emails with dangerous links); exploitation (exploiting gaps in software or operating systems); installation (installing the virus or malware on the asset); command & control (controlling a computer system remotely); and finally actions on objectives, where the attacker, having taken control of a system, completes their overall goal.
The National Cyber Security Centre (NCSC) has advice and guidance for businesses, but merchants can also start by taking the following essential steps to protect against cybercrime:
Staff training – recent reports have indicated that 95% of cyber security threats have been caused by some form of human error. Making sure all staff understand the risks, the basics of cyber safety, and what they need to do if they suspect a cyber-attack has occurred is vital. This will stop the reconnaissance and the delivery elements of the Cyber Kill Chain.
Keeping software up to date – keeping operating systems, third-party software, and infrastructure up to date will protect against the exploitation element of the kill chain. These updates contain vital patches with security updates.
Employing good password practice – it seems obvious, but many cyber-attacks have taken advantage of overly simple and easily-guessed passwords. A random passphrase rather than a single word, combining several unrelated words into a phrase, provides much stronger protection. Ensuring password policy is up to scratch and that passwords are regularly changed will prevent an attacker from completing the exploitation and installation stages of the kill chain.
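As an added illustration of the passphrase point above (this code is not from the article or from NMBS), the arithmetic behind it: each extra word chosen at random from a word list adds the same number of bits, so a four-word passphrase is not four times harder to guess than one word but billions of times harder. The word list here is a constructed stand-in for a real diceware-style list, and the 7,776-word size and guess rate used in the comparison are assumed example figures.

```python
import math
import secrets

# Constructed stand-in word list; real diceware-style lists hold 7,776 words.
WORDLIST = [
    "anchor", "basket", "copper", "dahlia", "ember", "fossil",
    "garnet", "hammer", "ivory", "jigsaw", "kettle", "lantern",
    "marble", "nectar", "orchid", "pebble", "quiver", "ripple",
    "saddle", "timber", "umbrella", "velvet", "walnut", "zipper",
]


def entropy_bits(dictionary_size: int, words_in_phrase: int) -> float:
    """Entropy of a passphrase of k words, each picked uniformly from N.

    One word: log2(N) bits. k independent words: k * log2(N) bits.
    """
    return words_in_phrase * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who tries, on average, half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(wordlist, word_count: int = 4, separator: str = "-") -> str:
    """Pick words with secrets.choice (a CSPRNG), never random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(dictionary_size: int = 7776, words: int = 4,
            guesses_per_second: float = 1e9) -> dict:
    """Single dictionary word versus an N-word passphrase from the same list."""
    single = entropy_bits(dictionary_size, 1)
    phrase = entropy_bits(dictionary_size, words)
    return {
        "single_word_bits": single,
        "passphrase_bits": phrase,
        "single_word_seconds": expected_crack_seconds(single, guesses_per_second),
        "passphrase_seconds": expected_crack_seconds(phrase, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_passphrase(WORDLIST))
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
```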
Investing in anti-virus and firewall software – although at a cost, this will help protect company systems against many of the risks identified, with automatic updates to take account of new threats as they emerge. Firewalls will block out unwanted traffic from attack vectors, protect against Distributed Denial of Service (DDoS) attacks and prevent attackers from completing the first stage of the kill chain – reconnaissance.
Backing up data – to protect against reputational damage and financial loss, it is imperative to keep an up-to-date backup of a company’s entire system off-site. This will ensure that, should the worst happen, the company’s processes and functionality remain intact.
If your business has been the victim of a cybercrime or online fraud, you can report it to the police using the Action Fraud website or by calling 0300 123 2040.
As published by Builders Merchants News.