A business owner’s (brief) guide to cyber security

While the digital revolution has brought a range of benefits for business owners, it’s also brought a new era of risk online.  Government data from 2024 found that half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months.

In 2023, small businesses employing between 11 and 50 people showed the steepest rise in targeting among all companies surveyed, up 42% since 2019. However, much of the damage is avoidable.  Many of the vulnerabilities facing business owners can be mitigated with basic ‘cyber hygiene’ best-practices that close loopholes that could otherwise be exploited. Here we’ll cover the main threats facing SMEs and how to protect yourself and your customers online.

The Threats You Need To Know

Cybercrime comes in many forms, usually masquerading as mundane digital interactions. A key part of protecting yourself online is developing a mindset of thinking twice when something doesn’t feel right.

• Phishing: Phishing attacks are one of the most common forms of cybercrime, especially in the UK, affecting 96% of businesses that suffered an attack of some kind. Phishing involves bad actors impersonating trusted contacts to deceive recipients into clicking suspicious links or giving sensitive data.  These attacks can be sophisticated, faking sender email addresses to look like an existing correspondent for example.
  
  
• Data Breaches: With more and more data stored online, there are more chances than ever for unauthorised access to occur, with last year seeing a 17% increase in data security incidents in the UK. These breaches involve the unauthorised access to, or acquisition of, sensitive, protected, or confidential data. These can be as simple as sharing data via email with the wrong recipient, or an external party gaining access to your internal file storage and discovering customer financials.
  
  
• Ransomware: While rarer than other forms of cyberattack, threats from ransomware are growing, with  5.3 million people from over 700 organisations affected last year. In these incidents, cybercriminals access and lock access to key files or systems, demanding a ransom to restore access. These attacks can cripple operations, preventing access to crucial information and systems until the demanded payment is made or the issue is resolved through other means.
  
  
• Malware: A broad category that includes various forms of malicious software designed to infiltrate, damage, or disable computers and computer systems. Malware can steal, encrypt, or delete data, alter or hijack core computing functions, and spy on users' computer activity without their knowledge or consent.

How To Stay Safe Online

Your business is only as safe as your weakest link – it only takes one team member to click on the wrong link and your whole system may be vulnerable. Cybersecurity is very much a team effort, so staying safe starts with a consistent policy, documented, visible and followed by all team members.

Key elements to consider include:

Take Passwords Seriously

Strong, unique passwords are fundamental to good cybersecurity hygiene. While it can be a pain to regularly update unique, complex gibberish phrases for each app, using the same password across multiple accounts significantly increases the risk of a security breach.

• Password managers: Secure apps that use unique passwords or biometrics to store a range of logins – can make the task of managing multiple apps simpler.
• Implement two-factor authentication (2FA): This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile phone or other device.

Controlling Access and Profiles

Modern business software allows you to define access levels within your organisation, controlling the flow of information between stakeholders.

• Tailor user access based on roles: Limit access to sensitive information based on individual role requirements.
• Monitor sign-in activities: Watch for sign-ins from unusual locations or devices to detect potential security threats.
• Avoid using public Wi-Fi for work-related tasks: If necessary, use a Virtual Private Network (VPN) to secure your connection.

Keeping Software Up-to-Date

Software providers often release updates to address security loopholes once they’re discovered – when a popup appears telling you it’s time to update, it’s normally for a good reason.

• Regular updates: Ensure all software, including operating systems and applications, are updated regularly.
• Firewalls and anti-virus software: Use reliable firewalls and maintain updated anti-virus software to defend against malware, spyware, and ransomware attacks.

Data Hygiene

Minimising the data you store reduces the risk of a breach, so only collect and keep the data essential for your business operations.

• Data minimisation: Regularly review the information you request and hold from customers to ensure you’re not exposing data unnecessarily.
• GDPR compliance: Systematically delete outdated or unnecessary information to reduce the risk of compliance violations and data theft.
• Encrypted communication: Utilise encrypted communication to safeguard data at rest and in transit, making it unreadable to unauthorised individuals.

Building Your Cybersecurity Plan

Safeguarding your business data is not optional in today's digital landscape. But with a strategic approach and focused measures, you can significantly reduce your risk profile.

1. Identify Risks: Conduct an assessment of all sensitive information and processes within your organisation, including customer and financial records. Analyse potential risks associated with your hardware, software, and workflows to gain a clear understanding of your vulnerabilities.
2. Establish Consistent Policies: Where you find risks, implement steps to mitigate them This includes strong password protocols, guidelines for device usage (especially for remote work scenarios), and procedures for responding to and reporting anything suspicious. Consider these policies the foundation of your cybersecurity framework.
3. Implement Role-Based Access: Restrict access to sensitive data based on each employee's role and responsibilities. Not every employee requires access to all information. Implement strong, unique passwords and consider multi-factor authentication for an added layer of security.
4. Fortify Your Network: Protect your network with firewalls and intrusion detection systems. These act as essential safeguards against unauthorised access. Ensure all software and firmware are consistently updated to address known vulnerabilities and security patches.
5. Develop Backup and Recovery Strategies: Implement a regular data backup schedule and verify the effectiveness of your recovery plan to make sure your business can quickly recover from data loss or system failures.
6. Conduct Regular Audits and Assessments: Schedule periodic reviews of your cybersecurity measures to identify and address potential weaknesses.

Secure Your Finance Processes

Haines Watts work with businesses of all sizes to help them build value-driving, secure and scalable financial processes. We’ve tested the tools and run the risk scenarios from start to finish – to find out how you can safeguard your data in a changing world, why not reach out to one of our experts?