“It’s not a question of if you’re going to get hacked, but when you are going to get hacked.” Those are the words of Verizon CEO Lowell C McAdam, and no one knows this better than he does. Just four months after his company acquired Yahoo!, it was discovered that the security of all three billion of its user accounts was breached during a single attack back in 2013.
Despite disconcerting incidents like these occurring more regularly, research shows that many businesses remain woefully unprepared for cyberattacks. A UK government survey found that 68 per cent of company boards had received no training in how to deal with a security breach.
One issue may be that executives are reluctant to invest in expensive technology without knowing with certainty that it will be an effective defence. After all, if tech giants like Yahoo! can’t keep hackers out, what chance does the average company have?
It’s true that some defences aren’t cheap. Annual subscriptions to sophisticated monitoring systems like ProtectWise – which records all your network traffic and allows you to rewind and play it back for security analysis, like a virtual CCTV system – can have starting prices in the tens of thousands of pounds.
But the good news is that many cyberattacks are easily preventable with simple measures. This year’s prolific WannaCry ransomware attack, for example, exploited a weakness in old Microsoft software, for which the company had already provided a security patch.
There are plenty of other cheap solutions out there too. Here are five every business should consider:
1. Anti-virus software
Yes, threat-detection and management software can be expensive, but there are numerous options out there for smaller businesses with scant resources. Big-name companies such as Kaspersky, McAfee and Symantec provide small business solutions that cover up to 20 to 25 devices for an annual subscription fee, starting from as low as £115. Services available include data-loss prevention and automated backups, as well as anti-virus and spyware, firewall and privacy protection.
You’ll get what you pay for, so it’s important to consider the cost of your defences versus the potential cost of an attack. For instance, Kaspersky’s cloud-based Endpoint Advanced product costs £760 a year for 10 users. But when you consider the results of a recent survey by the UK’s Department for Digital, Culture, Media and Sport – which showed the average cost of cyberattacks was £1,570 for all companies, rising to £19,600 for large ones – £760 may not look so bad.
2. Staff training and free information services
Before you even consider investing in threat-detection software, bear in mind that most security risks don’t come from criminal gangs or hostile foreign governments – they come from within. Employee negligence – like leaving a laptop on a train – or malicious acts by staff members accounted for two-thirds of cyber breaches in data analysed this year by Willis Towers Watson. Just 18 per cent were directly caused by an external threat, and extortion accounted for only two per cent.
StaySafeOnline.org is a free online resource with reams of advice on how companies can protect themselves, including suggesting staff-training techniques. Social-Engineer.com provides some free advice to managers, too, often via podcasts of security-expert panel discussions. It also sells sophisticated staff-training modules that simulate real-life attacks.
3. Web performance and security services
Any business with a website that hasn’t installed a performance-booster like Cloudflare or Incapsula should probably think about doing so now. These ‘freemium’ services – free with paid upgrade options – sit in front of your website and block malicious attackers who could tamper with content or shut the website down.
With Cloudflare, there are three levels up from the free version: pro, business and enterprise. But installing the free one isn’t a bad starting point, especially since the company celebrated its seventh birthday last month by offering free protection from distributed denial-of-service (DDoS) attacks, where hackers crash websites by flooding them with traffic.
Other features offered by these services include allowing users to block specific IP addresses or hostile bots by confronting visitors with a CAPTCHA – a prompt that makes you type in the letters of a distorted image, which are unreadable by machines, before gaining access to a website.
4. Identity theft protection services
A dodgy character impersonates a senior company official and tricks an underling into depositing money into their account. Incidences of this practice – technically known as business email compromise – are rising at an alarming rate. According to the FBI, losses from these scams rose 1,300 per cent between 2015 and 2017.
Attacks are becoming more sophisticated, too, as criminals go beyond simply creating spoof accounts and actually hack into company email networks. A cheap way to combat the problem is to introduce tight messaging protocols, such as forcing staff to reply to the CEO in a new email, rather than just hitting reply.
But for businesses that want more stringent defences, companies such as Experian and LifeLock offer credit-monitoring and alert services – for around £113 per year – as well as emergency response plans should customer data be stolen.
5. Cheap, clever smartphone apps
With so much crucial data now being carried on mobile devices, which are all too easily lost or stolen, it’s crucial to keep them secure. Fortunately, the apps universe is now brimming with novel solutions.
Password managers such as 1Password can vastly improve security by remembering unguessable passwords for you – so there’s no risk of creating a chain of security breaches by reusing the same ones for multiple logins. They can also generate passwords for you.
Then there are the likes of Signal, which can provide free end-to-end encryption for all communications, so you can protect the most sensitive conversations from prying eyes and ears.
Last but not least, there’s Keeply, which allows workers to store sensitive information like passwords and photos in a separate part of their phone. It even provides ‘face lock-down’, where the app closes when a phone is placed face-down, and a ‘fake PIN’ feature that makes the app look empty to unwelcome users.