Startups that regard themselves as too small to be targeted by cyber crime are putting their businesses at considerable risk. Two thirds of small UK businesses were attacked by hackers in the past two years.
This assumption, combined with a lack of cyber awareness and dedicated IT teams, makes startups tempting targets to well-funded networks of cyber criminals.
Unfortunately, the result of poor cyber security is only apparent after your startup has been hacked. When your sensitive data is leaked, your office locked down and your business at a standstill, it’s too late.
Cyber assaults could mean the difference between sinking and swimming, especially when considering the loss of trade, legal consequences and damage to your startup’s burgeoning reputation.
Plus, when new data protection laws are introduced next year, complacent businesses risk fines of up to £17 million, or 4% of annual turnover – whichever is greater.
But there are simple ways to protect your startup from a cyber crime crisis and even basic precautions can dramatically reduce the risk of your business being hacked.
Defend against phishing
Everyone knows that you shouldn’t click a link in a suspicious email but people still fall victim to phishing scams. The sophistication of these techniques has increased and malicious emails remain an effective way of introducing malware into startups.
Ransomware, which was only recently used in a global cyber attack targeting the NHS amongst others, is on the rise and typically gains access to businesses by phishing unsuspecting employees. Once access is gained, ransomware quickly locks down devices connected to your office WiFi.
Ransomware also encrypts data and files on your computers, rendering them unusable unless you get access to a cryptographic key. Of course, your attackers will gladly sell you the key - for a price. Without it, you’re out of luck. An average computer would take over six quadrillion years to crack the RSA 2048 encryption typically used in ransomware.
However, the risk can be mitigated. Ransomware relies on an end user, i.e. someone within your startup, to ‘let it in’. This is usually achieved by opening an infected (but legitimate in appearance) email attachment.
Because ransomware relies on an action from within your organisation, it’s down to you and your colleagues to prevent ransomware. You should educate your staff to have a healthy scepticism of every email they receive. Take a look at this Citizens Advice page to educate yourself and your colleagues.
You should also ensure you have backups of your data on an external hard drive or cloud service. As ransomware can render your files and data unusable, backups are a crucial safeguard.
Educate your colleagues in cyber security basics
Cyber security is only as good as your most uninformed employee. This means that, without a drive to educate colleagues in basic cyber security know-how, any security measure your startup implements is ultimately undermined by human error.
Employees are the first and sometimes only line of defence against a cyber attack, but it takes just one person to open your business to hackers. Through proper cyber security training you can quickly reduce the risk to your startup.
Consider making cyber security training part of every employee induction, ingraining the importance of security from the start. Even a basic level of cyber security knowledge can make the difference between security and your new starter flooding your startup with ransomware.
Alternatively, consider bringing in an expert to educate your business on cyber security basics, or to help you respond to an attack. Look for professionals with industry-standard qualifications, like GIAC’s GCIH certification.
Update your WiFi settings
WiFi routers straight out of the box are not secure, so if you don’t recall updating your settings, you’re vulnerable to hackers right now. To bolster your defences, make sure your WiFi is secure and encrypted.
Setting up your router to require a strong password for access will go most of the way to reducing the threat of brute force attacks, in which hacking programs attempt to guess your password by testing thousands of combinations in seconds.
You’ll also want to enable WPA2 (WiFi Protected Access 2) encryption and avoid the now-legacy WEP encryption.
With WPA2 enabled, cyber criminals might be able to detect your traffic, but it will be scrambled by the encryption and impossible to decipher. Every router will support WPA2 and with better security, there’s no reason not to use it.
Many employees take advantage of Bring Your Own Device (BYOD) policies and they’re vital for most startups. However, if left unmonitored they can be an awkward compromise for security.
No matter how many security controls you put in place for your office computers, you cannot control personal devices. You cannot stop a colleague from clicking a suspicious link outside of work hours. And without the right BYOD policies you cannot stop malware being brought inside the business, bypassing your firewall and other hard-earned security tech.
Startups should endeavour to provide company-owned and monitored devices for employees who need to work on the move. For more information on implementing BYOD policies, take a look at this comprehensive blog post.
Investing in business-owned machines for employees might be a tough value proposition for some startups, but the cost of a data breach or ransomware attack is far greater.
Encryption sounds technical, but it can be implemented by anyone and the advantages are huge. Put simply, encryption is the process of scrambling text or data to make it unreadable to unauthorised users. Encryption can be used on files and folders, as well as on USB drives and data in the cloud.
If a colleague working on a sensitive project loses their BYOD device, unencrypted data stored on it can be accessed. Hackers will not need to know your login details to access this sensitive data. However, if this data is encrypted, they’ll be stopped in their tracks.
For an in-depth look at encryption, take a look at this great introduction to encryption for small businesses.