What do Hackney Council, Amex, Scottish Environmental Protection Agency, Foxton’s Estate Agent, Mersey Rail, Furniture Village and the Salvation Army all have in common? They all went public when hit by a ransomware attack in the first half of 2021.
That is not a complete UK list, and there are many more companies which have commercial motives for not going public. Add to this the thousands which were scammed, bought stuff that never arrived, had their accounts hacked and their private information leaked to the dark web, then the scale of cybercrime is clearly out of control.
Many of the companies we talk to as business consultants want to bury their head in the sand. It is too hard, won’t happen to them, costs money they don’t want to spend and they are too busy. And everyone is doing something – but not necessarily enough or the right thing. When our own business was impacted, the virus got in despite our protection and Cyber Essentials Plus accreditation. So what went wrong?
This is such an old story. And it happened to us. Three people get an email purporting to be from a client with a link to a file share. It was credible that the client would do this. The file share asked for a Windows password, and someone entered it. Human error is usually the root cause.
The upshot was that all the people we have ever emailed – our clients, prospects and associates – got the same email purporting to be from us. So a little egg on face but no financial loss. Our computers were all virus-free as the naughty code used a password to access Office 365 servers to replicate itself. But it could easily have been much, much worse.
That email from us could have said anything. Telling our clients that our bank details were different, carrying a fake invoice or a different virus? What if it had a pornographic image or something promoting terrorism? Or maybe they accessed our shared drive and made some malevolent changes or made public some information that was sensitive? In any case we took the bait and some of our clients will too.
The internet is full of helpful information and there are lots of companies able to help with set-up and accreditation. But here are my top seven tips for micro businesses.
- If you use Microsoft 365 or something similar, insist on stupidly complicated passwords that no one can remember. We were compromised because someone was “in a hurry” and multi-tasking. If the password is too hard to remember then, on the odd occasions where you do need to enter it, you’ll need to take the time to find it and type it slowly. That time to reflect is important. (Don’t save this password in your browser as that defeats the purpose). And look up how to switch your audit log on – it lets you see who has opened or edited files but it is turned off by default.
- Buy a spare laptop. That means you can get quickly working no matter what. Whether it’s a hardware failure, problem with an update or a virus, having a spare cuts out the hassle of trying to fix something or go shopping when you really need to get on with the day. Remember that computer supplies have been impacted by Covid, and could be again, so you don’t want to be faced with delays and high prices.
- You must use Cloud storage like OneDrive or Google Drive. Local backups are better than nothing, but viruses can infect them too. Besides, do you really check that your backups are all fully working? And how would that work in a fire, flood or theft? The cost of Cloud is buttons.
- Don’t log on as Admin. Macs and Windows have two types of log on, with the difference that only Administrators can install programmes and change some settings. Downgrade yourself to an ordinary user and you remove the risk of installing something malevolent.
- Get paranoid about free programmes. You have something a bit quirky to do and want a free solution? There is free software for just about anything, and you can save a few pounds on something that is just a one-off task. But what else might that software do? It is making sure your mp3 collection has the right album covers, but it is also sending your passwords to North Korea? Even if the programme cost you money, it still doesn’t make it safe. Only install reputable software, and don’t mix personal with work.
- Turn the power off. Ten years ago your PC was sure to crash once a week, but now they are much more stable. There is a risk that a virus just lives in memory. Your full virus scan won’t find it because it is not on the hard drive. So when you knock off for the weekend, save the planet and kill off memory-resident viruses.
- Keep your software up to date. Every programme on your PC has a weak spot which a malware wizard might exploit. Do I really mean every programme? Google “MS outlook hack”, “Adobe hack”, “CCleaner hack” or “Chrome hack”. The other programmes are not “safe” – it is just that no one has found and exploited the weakness at scale yet. Fortunately most companies fix problems fast, and sometimes the weakness is found before it impacts users.
“You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”
The bad guys on the internet are not targeting you. They are just looking for anyone with a weakness. Mostly that is a human weakness, sometimes it is technical. If you keep your head in the sand then the bear will catch you.
Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in 2020 (UK Govt Statistics). That’s slightly down on 2019 but a lot higher than 2018, so it seems to be getting worse not better. The nature of the breaches seems to be getting worse too.
The news is naturally about corporate data leaks and ransomware attacks on charities and the public sector. There is a lot less about local business having their eBay sale proceeds being redirected or their credibility undermined with a data leak. But don’t think that because you cannot see the bear he hasn’t seen you.
Andrew Pollard is a Director of Falkirk-based Ahead Business Consulting.