For business owners, it’s becoming more and more important to avoid the ever-increasing threat of cyber attacks. Worldwide this costs over 6 trillion dollars! And I know you’re now thinking, “but it won’t happen to me”. The reality is that the perpetrators frequently attack ‘low lying fruit’, that is, small businesses which think they are too small to be attacked and have likely invested little in their cyber protection. If you’re a small business – this means you!
The other important thing to note is that about 30% of the time, the cyber attack is caused by staff who simply choose not to follow the process or choose to circumvent protection measures. Of the most serious incidents, 11% were caused by staff who simply made a mistake. Didn’t mean to, terribly sorry, but it did happen. I will cover staff, procedures, training and education further on.
Update February 2023: Please also be aware that after the breach incidents that occurred with Medicare and Optus, new and harsher laws around data breaches have come into place as part of the Privacy Act. If you’re a small business, don’t presume you are exempt. The fines are HUGE; up to $444K for individuals and up to $50 million for corporations. Sure, if you’re a small company, it might be adjusted down to a smaller amount, but still in the area of millions. Assume your insurance will handle that? Never assume anything! I cannot reiterate enough the importance of taking this matter seriously. An attack won’t just affect your purse strings or mean an insurance claim; it will affect your reputation. How many people do you think switched away from Optus after their incident? Optus were offering to pay people to get their drivers licences re-done. I’ve no idea what that cost the company, but I’ll bet it was a LOT.
Avoid Business Cyber Attacks
Ensure that your software and systems are kept up to date.
Many of the larger programs have protection built into the software, and the updates fix (to a degree) known weaknesses. Unpatched weaknesses are then exploited by hackers – who come from all over the world and often have nothing better to do than simply hack your system and steal your hard-earned funds. If this (or any of the other technical aspects) is beyond your IT ability, then talk to your IT specialist and invest a little beforehand. Remember that:
Prevention is better than a cure – and a damn sight cheaper!
Ensure your IT person has in place suitable anti-malware and anti-virus software, firewalls and other protection.
Consider ‘Endpoint Protection’, which is specifically designed for situations where you have other devices connected to your system. This includes iPads, tablets, mobile devices and laptops. Again, talk to your IT specialist.
Don’t forget to protect your email systems.
One common method is that they hack into your emails, intercept them, change the invoice payment details and then forward the email on to your customers, now with different bank account details. Your bank cannot take money out of another person’s account without their permission, so don’t assume you will have access to claw-back facilities; the reality is that if the perpetrators are overseas, they are beyond our laws and Government intervention.
Backups are super important, especially backups which are kept separate from your systems.
This means that if ransomware gets in and locks all your files, demanding a ‘fee’ (ransom) to release them, you can instead revert to a recent backup. The thing is that I’ve heard of ransoms from $10K to $100K+. It happens relatively frequently. If you don’t feel like being held to ransom for a large sum, you’ll be glad you have reliable backup processes, ideally automatic and run each night.
Control physical access to your systems.
You don’t want someone to simply walk into your office, plug in a USB stick containing a virus and infect your system. Larger companies frequently have rules around this; why not you?
Wi-Fi security is another area to be careful about.
We all use Wi-Fi, and yet we can be compromised when we connect to a network we don’t control. For that reason, it’s smart not to connect to public Wi-Fi without a Virtual Private Network (VPN), which encrypts the traffic between your device and the internet.
Encrypt your data when sharing or storing it in the cloud.
Some cloud services offer encryption.
Have different passwords.
I know people who simply use the one password for everything, which is very dangerous, as once a hacker works out one, they will try it on everything. Be aware too that if your files are hacked, you don’t want all your passwords in a Word doc called “My Passwords”. It’s relatively easy to crack password-protected Word docs, giving them the keys to the kingdom.
All staff should have their own logins and not share their passwords.
This is sensible practice for a number of reasons and should be clearly and firmly communicated to staff.
Ensure people do not download (or open) anything they don’t know and trust.
Almost daily I get scam emails with files attached from people I don’t know. Absolutely don’t open these. The same can occur when you download cute screen savers or any software from anywhere other than a reputable site. If you get an email with an invoice, always be careful.
Limit what staff can load or change on computers and systems.
Larger firms do this automatically, but sadly smaller businesses often don’t even realise the risk they are allowing their team to expose them to.
When it comes to bank details on your invoices, this one can be tricky.
If someone hacks your emails and alters your invoices, how do you protect yourself? For years, lawyers handling settlements would never accept bank details via email; they would always ring to confirm the details. Implement a system with your customers to warn them to NEVER accept a change of bank info on an invoice without FIRST ringing to confirm. You should practise the same with your suppliers and check before changing bank details. A quick phone call (especially with a larger payment) just makes good sense.
Check your reports and follow up with customers regularly regarding outstanding amounts – and ideally do so via phone.
If you check your figures and what’s owing, see that a customer’s payment is outstanding, and when you ring they say “it’s paid”, then start backtracking and checking straight away. Losing one amount is not great; losing multiple payments starts to look like poor financial management: you shouldn’t have left things so long that it came to that.
Limit what personal information you put online.
Maybe you don’t care that people know your full birthdate, but a DOB is a key piece of information that hackers (or identity thieves) use. We all place too much information online and put too much trust in online social platforms etc. Just because someone rings up and says they are from your bank doesn’t make it so. Also be sure to particularly protect your payroll information and client credit card details!
Use Two-Factor or even Multi-Factor Authentication (or some other similar credential) where possible, so that you have additional security layers.
Without this, it’s often just a user name and password, and often the user name is your email address – which means a hacker could already be halfway there.
Get a specialist.
I know that for small businesses, many think “I just can’t afford that”, but as cyber attacks become more prevalent, more consultancies/specialists are coming up with affordable options for smaller businesses. Before you assume you cannot afford it, do some research and investigate.
Get Cyber insurance, but be sure to read the fine print and ensure that you comply with any requirements in order to be insured.
Your business insurance broker should be able to guide you in this regard and find an option to suit your needs and budget.
Set and document your processes and procedures around cyber security and then be absolutely sure to train (and re-train) your team.
Staff can make mistakes, not on purpose, but simply because they don’t know, or don’t really appreciate, how important cyber security is. It’s your job to first have some great policies and procedures in place. You then need to train your team. Finally, never assume – check (even audit) that they are following the process. Time flies, so I recommend you diarise regular checks, as this is not a set-and-forget policy. As with WH&S (Workplace Health & Safety), you need to constantly ensure your team are doing the right thing.
As a business coach very involved in a number of businesses, I am seeing instances of cyber attacks more and more often; this is a real and serious issue. I’m not an IT expert, but I do know we need to engage experts, have a plan, take care and teach our team about protecting our businesses from attack. If you need any assistance with business coaching, please reach out to me at my Contact page.
Disclaimer: This is general basic advice only; be sure to seek specific professional advice around this matter; no liability whatsoever is accepted by Donna Stone, Stone Business Coaching or its agents.