The last couple of years have accelerated the digital transformation of many businesses. Pandemic restrictions forced us to think creatively and be more innovative, and in many cases digital adoption has played a big role in that.
As a specialist small business lender, we’ve seen our customers use their funds to invest heavily in technology – setting up e-commerce sites, implementing CRM systems, adopting cloud technologies and trialling digital marketing strategies. While these are all fantastic improvements and of benefit to a business, they can also open you up to additional risks if the right systems and methods aren’t in place to protect these channels.
As technology becomes increasingly sophisticated, so too do the methods used by cybercriminals. Between 2018 and 2021 alone, incidents of cybercrime more than doubled, according to findings from the 2021 HP New Zealand IT Security survey.
Smaller businesses that don’t have the funds to invest in professional cybersecurity can be particularly vulnerable. With targeted attacks on the rise, they need to be especially vigilant to protect themselves. The good news is there are some really simple steps any business can take to make sure its cyber defences are robust enough to weather things like phishing attacks.
Look out for emotional messaging
Phishing attacks are a form of ‘social engineering’: they play on people’s emotional responses to manipulate them into disclosing personal or sensitive information. Often this involves a sense of urgency that puts pressure on the reader to open links. This is a common way bank fraud is carried out.
For example, an email might say: ‘Payment on a bill is late and service will be cut off in 24 hours if a certain amount isn’t paid.’
Attackers like to take advantage of the fact that small businesses tend to have lots of different suppliers. By sending an email in a supplier’s name that asks the business owner to update the supplier’s bank account details, they can divert the next payment to the attacker’s bank account. This activity is becoming more and more common.
To protect yourself in this situation, give the supplier a call and ask them directly if the request is legitimate. This simple check can save large sums being paid to the wrong accounts – and your supplier will thank you as well.
Another emotional ploy used by cybercriminals is to lure businesses with something that sounds too good to be true. Trust your gut – if something feels off, it probably is. Make a call to double-check or tell someone else in your team.
However, attackers are pragmatic. They are unlikely to try to lure you with the promise of millions of dollars. More likely, they will send emails that might go unnoticed in the context of your day-to-day business operations. Foster a cautious mindset among your team to avoid becoming a victim of cybercrime. It’s also a good idea to get into the habit of reporting malicious emails using the mail application’s ‘report spam’ or ‘report phishing’ options. The more scams are reported, the better service providers can protect your business using filters and security settings.
Two-factor authentication (2FA)
Reusing one password across multiple accounts is ill-advised, but still common. When that happens, a single password is all that stands between your sensitive personal or business data and a cybercriminal.
2FA adds an extra layer of protection by asking users for an additional credential when logging into an online business account – most often a code sent by email or SMS, or generated by an authenticator app. Many apps now have this as an option which you can enable, and it’s definitely worth doing.
One thing to consider is the rise of SIM swapping, where an attacker gets your mobile number moved to a SIM card they control, which makes SMS codes riskier than other forms of 2FA. Using an authenticator app, which generates new codes every minute, makes it much more difficult for an attacker to gain access to your accounts. There are a number of free apps available, including Google Authenticator and Authy.
Password managers add an extra layer of protection
By using a password manager, you can generate strong, random and longer passwords that you don’t have to remember, and store them securely. This is a great way to protect your small business from basic password vulnerabilities, and password managers are easy to set up.
Keep your systems up to date
Companies like Google and Microsoft stay on top of new bugs that could leave your device vulnerable to attack. They generally release fixes very quickly and push them out in updates. If you don’t install the updates when they are released, you remain unprotected – but by enabling automatic updates on your device, you won’t have to worry about it, or deal with pesky notifications reminding you it’s time to install a new update.
Backup, backup, backup
There are numerous scenarios in which having a good backup system in place can save you from the nightmare of falling victim to a cyberattack. Be proactive in ensuring your devices are backed up so that if disaster strikes, you’re not locked out of vital business records.
The cloud is there for you, and even if you get locked out of your computer by a hacker, data stored in the cloud ensures you can still access it from other devices. Cloud computing is more secure than on-site servers and handy for sharing files remotely too. Common cloud storage services include Dropbox and Google Drive.
While your business is small and your budget is too, you don’t have to be left vulnerable to cyberattacks. By taking these easy and inexpensive precautions you can avoid a few common traps. If you’re after more detailed guidance, this NZ CERT guide to common threats is a good starting place for small businesses to protect themselves from further cybersecurity incidents.