You may think that you, and your business, are unlikely to be targeted by scammers, and it’s understandable to think that way. You don’t use a computer all day and are unlikely to have ‘IT infrastructure’.
You likely see yourself as a small business and feel that your data is not particularly valuable to scammers or attackers. But cyber crime now accounts for approximately 50% of all recorded crime and being able to target small businesses in volume is an ideal scenario for a scammer.
The reality is the opposite.
Your data (and that of your customers) and systems are still at risk. Scammers looking for a quick win will go after the size of a vulnerability, not the size of the company, and from their perspective it’s a case of ‘the smaller the company, the easier the target’ – and the trade is a current target.
Earlier this year, GCHQ published its first ever findings on cyber security for the UK construction industry, illustrating the growing need to raise awareness in the sector. While larger construction firms are likely to have firewalls and training in place to try to reduce the risk moving forward, smaller businesses and sole traders remain at high risk.
We talk to cyber expert Chris White, Head of Cyber & Innovation at the South East Cyber Resilience Centre (SECRC), a police-led, not-for-profit partnership that provides businesses in Hampshire, Isle of Wight, Sussex, Surrey, Buckinghamshire, Oxfordshire and Berkshire with guidance, tools, resources and professional cyber resilience.
“In the ever-evolving landscape of digital business, the threat of cyber crime looms large, regardless of the size of your organisation. Small and medium-sized businesses (SMEs) often find themselves particularly vulnerable targets for online criminals. As a serving Police Officer, I’ve witnessed first hand the devastating impact cyber attacks can have on businesses. It’s a stark reality: fail to prepare, and you’re preparing to fail. The importance of robust cyber defences cannot be overstated.
“Cyber security, or Cyber resilience as we now prefer to call it, is not solely the responsibility of an IT team; it’s a collective effort that involves every individual within an organisation. Understanding the basics of cyber resilience and one’s role in maintaining it is paramount to safeguarding not just the company’s assets but also its reputation and the trust of its customers.
“Statistics paint a sobering picture: cyber crime now accounts for approximately 50% of all recorded crime. Recognising the severity of this threat, 9 Cyber Resilience Centres have been set up across England and Wales. The primary objective? To equip organisations of all sizes with the skills and knowledge necessary to defend themselves against online attacks, thereby fostering an environment where the UK is the safest place to live, work, and conduct business.
“Membership in these Cyber Resilience Centres is entirely free. Upon joining, organisations receive a comprehensive information pack comprising various cyber resilience services and products. Additionally, they are offered a free consultation to assess their current cyber resilience posture and explore further assistance that the centre can provide.”
What is classed as ‘data’?
You may be surprised at the type of information you could be targeted for, how you could be targeted, and why.
These are some examples of data you are likely to hold that a scammer would be interested in:
- Customer bank or credit card details
- Personal addresses
- Entry door and alarm codes
- Any information that could be used to find and enter your customers’ virtual or physical addresses
In a nutshell, the data you hold is a conduit to your customers. A breach of this data could put a customer at risk, enable them to sue you, and cause you irreparable reputational damage.
What is cybercrime?
Think about the threat of cybercrime in terms of a house. You have ‘Norton’ or ‘McAfee’ installed, which protects your front door. But if someone wants your data, they will come through the floorboards, the ceiling, the chimney, the windows.
The trade is being targeted because scammers know that the industry doesn’t take it as seriously as it should. Small trades are an ideal target for a scammer to take £50 off 3,000 people in one day for a quick win! Barely noticeable, until you add it all up.
These are some examples of types of cybercrimes:
Supply chain scams
Business owners can be incredibly trusting about their supply chains. This could be a site cleaner being bribed to insert a USB pen into a computer in the office after hours. In fact, 99% of businesses don’t lock down their USB ports, and scammers are aware of this!
Or consider when you pop out to pick up supplies and log into a merchant’s open Wi-Fi to check your messages or an order confirmation. A hacker can tap into open Wi-Fi, and you then carry the infection home with you, so that the hacker can access your home system as well.
Spear-phishing
You may have heard of ‘phishing’, which is where an email or text is sent out randomly in the hope/knowledge that someone will pick it up and click or pay for something they shouldn’t.
Spear-phishing is very targeted. The scammer knows who they are targeting, likely the owner of a business. That could be you. You may be targeted with a fake email purporting to be from your usual supplier; it may look identical, but it isn’t from them. They could even call, maybe offering you a refund as they overcharged you and requesting your bank details. Or you could receive a text asking you to pay an outstanding invoice.
Ransomware
Many don’t realise that ransomware is quite literally holding you to ransom while the scammer has control over your systems or data.
The scammer will encrypt your data, leaving you with a message on your computer or mobile phone demanding something around £10,000 or more in Bitcoin to release your data. This can become even more sinister when personal threats are made to you or your loved ones.
If you couldn’t contact your customers or contractors for days, or weeks, on end, could you do your job? It’s important to protect yourself.
The importance of password security
Password security is an essential, easy-to-fix component of good cyber health. Whether you use a mobile phone or a laptop, and whether it is for personal documents, system logins or social media, switch all of your predictable, short passwords, like family or pet names and the ever-popular password ‘passw0rd’, to something harder to crack.
Test the strength of your password here. This is a popular site that will tell you how long it would take to crack your password. A password like ‘Charlie’ would be cracked instantly, whereas an abstract password like ‘deskhatsunshine2022’ would take two hundred million years! Add an exclamation mark to the end and you’re safe for two hundred billion years.
Choose your new password using the recommended length for security and check it again.
How secure are you?
Marvin Hatchwell, commercial manager at the Howden Oxford branch, offers some further advice…
“Ultimately, the responsibility is yours. Scammers know that most tradespeople do not have any protection on their mobile devices, in particular.
“One way to look at cyber security is to consider your car, or van. Who is responsible for driving it safely, making sure it’s locked up, roadworthy, insured – is it the manufacturer, or is it you?
“Now think of data as you would your tools, or money – how locked up is this information?”
Support for the trade
It’s important to consider the implications, and the financial cost, of a cyber-attack on your business, whether you are a small business or a sole trader. Help is at hand for small businesses with a SECRC information pack that includes guidance and free-of-charge cyber security resources. You can find your nearest Cyber Resilience Centre here.
If you would like to talk to Howden about business insurance, including cyber insurance and whether it’s right for your business, give Marvin Hatchwell from our Oxford branch a call on 01865 253 870.