Encryption explained: how does it work and why do SMEs need it?

Most of us have heard of encryption. It’s that recipe for secrecy that techy types talk about all the time. But for many of us, that’s where the knowledge ends.

However, for small businesses looking to improve cybersecurity, encryption can be a vital weapon in your arsenal, and one that isn’t so hard to understand. Here’s a simple explanation of what encryption is, why you need it, and when to use it.

What is encryption?

Although encryption, much like ‘the blockchain’, can seem like another one of those unfathomable technical terms, it’s actually pretty simple.

Encryption is most commonly used to protect data in transit and at rest. Ever sent a Facebook Messenger or WhatsApp message? That uses encryption. Or, a payment using online banking? Also encryption. How about buying something from a web store? You guessed it, encryption again.

You get the picture. Encryption is used everywhere in our daily lives, but how does it work?

In non-technical terms, encryption is a way of scrambling data so that only an authorised recipient can understand the information. Encryption takes plaintext – for example, the text in an email between you and a colleague – and converts it into ciphertext, a string of characters that looks random. To unlock the real message or data, you need an encryption key, which is a set of mathematical values that only the sender and the recipient of the message know, like so:

[Image: diagram of plaintext being encrypted with a key into ciphertext and decrypted again. Photo: PixelPrivacy]

The principle is much the same as a password, but better (as we’ll see).
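To make the plaintext, ciphertext and key relationship concrete, here is an added Python example (not code from the original article or from CyberSmart). It encrypts a short message with a key derived from a passphrase, then shows that the ciphertext cannot be read, and any tampering is detected, without the right key. It uses only the standard library: the cipher is a simple HMAC-based counter-mode construction with an authentication tag, chosen so the example runs anywhere; a real deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library rather than this construction. The passphrase, salt and message are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

# Added illustration of plaintext -> ciphertext -> key using only the standard
# library. The construction (HMAC-SHA256 keystream in counter mode plus an
# encrypt-then-MAC tag) is for teaching; production code should use AES-GCM or
# ChaCha20-Poly1305 from a vetted library instead.

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a human-memorable passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def _subkeys(key: bytes):
    """Separate keys for confidentiality and integrity, both derived from the main key."""
    return (hmac.new(key, b"encrypt", "sha256").digest(),
            hmac.new(key, b"authenticate", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream is HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce makes every output different."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Recover the plaintext; fails closed if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True only if this key authenticates and decrypts the blob."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    salt = secrets.token_bytes(16)
    key = derive_key("correct horse battery staple", salt)
    message = b"Invoice 4471 approved; pay the supplier on Friday."
    blob = encrypt(key, message)
    print("ciphertext (hex):", blob.hex())  # looks like random bytes to anyone without the key
    print("recovered:", decrypt(key, blob))
    print("wrong key can read it?", can_decrypt(derive_key("guess", salt), blob))
    corrupted = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    print("tampered copy accepted?", can_decrypt(key, corrupted))
```

The two points the article makes are both visible in the output: the stored or intercepted ciphertext is gobbledegook without the key, and because the tag is checked before anything is decrypted, a wrong key or a modified ciphertext is rejected outright rather than yielding garbage.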

Why does your business need it?

So we’ve covered, in very simple terms, what encryption is. The next question is why SMEs should be using it. It’s easy to assume that if you’re not a huge multinational processing reams of sensitive information, your standard security tools such as firewalls and secure passwords are enough to protect your data. However, there are three key reasons why this isn’t the case.

Cyber attacks are on the rise

It’s likely not news to you that cybersecurity threats to SMEs are on the rise. Barely a week goes by without another news story or set of figures released to that effect. Indeed, the Federation of Small Businesses estimates that SMEs are collectively subject to almost 10,000 cyber-attacks a day.


A big part of the problem is the ever-increasing volume and variety of malware out there. A recent report from cybersecurity experts, Malwarebytes, reveals that detections of new malware continue to increase by 1% year-on-year. This might not sound like much, but when we’re talking about detections in the tens of millions, it soon adds up.

In this environment, it’s getting harder and harder to stay ahead of the threat. However, adopting encryption can act as a strong second line of defence. Suppose someone in your organisation accidentally clicks on a malware link in an email (something we’ve all done at least once), potentially exposing your data to an attacker. If that data is encrypted, the attacker won’t be able to read whatever they find without the key, so your data stays safe.

You’re using a cloud service

Cloud computing is now a vital part of the daily operations of most SMEs. And if you’re doing business entirely in the cloud, and don’t store any sensitive data on employees’ devices, you’re safe, right? After all, the likes of Amazon, Google, and Microsoft spend billions of dollars a year on the security of their cloud services.

Unfortunately, this is only partly true. Obviously storing your data in a cloud is far better than having everything on vulnerable systems, but that doesn’t mean it’s entirely safe.

To give an example, let’s say you use a cloud-based platform like Office 365 for your everyday operations. A would-be hacker can still intercept your data as it moves between your device and the cloud. As we’ve already mentioned, this is unlikely if you’re working with a reputable cloud provider, but it’s not impossible or even that uncommon. Using strong encryption can help protect you against this by adding another layer of defence.

Passwords aren’t the be-all and end-all

Now, you may be thinking ‘but my business has a clear password protection policy and we regularly change our passwords for laptops and devices, surely that’s enough?’

Not quite. While it’s true that a strong security policy can help protect your business against regular theft and even less sophisticated cyberattacks, it’s not enough to protect you from the really harmful stuff.

Attackers are always finding ways around even the strictest security policies, and new methods for cracking passwords appear all the time. To be totally sure, you need a solution that allows you to completely encrypt everything on your device. This means that even if someone does manage to break in, all they’ll be able to extract is random gobbledegook that’s of little use to anyone without the right encryption key.

How do you use encryption?

Finally, let’s take a look at how you can use encryption to protect your business. Encryption can take many forms. How you use it will depend on what you need it for, but some common uses include:

End-to-end encryption – This guarantees data sent between two parties cannot be viewed by anyone else. Most internal communication tools such as Slack or Google Hangouts will come with this as standard, but it’s worth checking whichever messaging tool you use.

Cloud storage encryption – A service offered by cloud storage providers that transforms your data or text using an algorithm and stores it safely in the cloud.

Encryption as a Service (EaaS) – EaaS represents the next step up from cloud storage encryption. It’s the perfect tool for small businesses that want to use encryption but lack the resources to manage it themselves. EaaS subscription models typically include full-disk, database, and file encryption.

Of course, these are far from the only uses of encryption. You can also use it to protect certain fields on your website, encrypt everything leaving or entering your web server and a hundred other things besides. The above are just the most common applications for SMEs.

Data is more important than ever to SMEs. In fact, in our data-driven economy, it’s often the most valuable asset a business possesses. Basic cyber-hygiene such as encryption can go a long way towards helping you protect it.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Don’t take the bait: tips for avoiding a phishing attack

Phishing scams

We’ve all gotten those emails before. Congratulations! You’ve won a £100,000 voucher from Argos. Click here in the next three hours to claim your reward!  We want to believe them. They just might be real. And that is exactly the mentality cybercriminals are taking advantage of. 

These kinds of scam emails are known as phishing attacks, and they are everywhere. According to Verizon’s 2020 Data Breach Investigations Report released this week, they made up nearly a quarter (22%) of all cyber breaches this year.

We’ve seen an even greater rise in these over the past three months as hackers preyed on widespread anxiety by impersonating official sources like the US Centers for Disease Control, the World Health Organisation, and various government offices offering ‘updates’ and ‘alerts’ around the virus.

Phishing attacks fall into two broad categories. They are usually trying to persuade you to click on a link that will lead to a spoof site and require you to enter personal data (credit card details, personal or bank information, etc), or to download malware onto your device (either through a link or an attachment).

Many of these phishing emails can be extremely convincing. Even EasyJet fell victim this week. So how can you protect your business, your employees, and ultimately your customers against them?

Training employees how to recognise the warning signs of phishing emails is the best way to prevent these kinds of attacks and might be the best solution for smaller businesses.

While there are a few great pieces of anti-phishing software out there that use email filtering to detect and flag suspicious email addresses and malicious links or attachments, the most convincing phishing attacks often slip through the net of even sophisticated software.

Something smells fishy here: spotting the signs of a scam

Read carefully

Copywriters at big companies spend a lot of time crafting emails, whereas phishing emails often show a noticeable lack of quality. A few tell-tale signs include:

  • Generic greetings – Dear user…
  • Urgent deadlines and calls to action – Click now or your home insurance will expire!!
  • Grammatical mistakes and spelling errors – Plese download the attached file to keep Your Account open. If it doesn’t seem professional, it probably isn’t.
  • News that is too good to be true – We’ve found a cure for the coronavirus. Click here to order your safety kit.

Check the email address

Be sure to check the email address as well as the name of the sender. Although phishing scams often use the name of someone you know or a company you work with, the email address won’t match up. If it’s from a @gmail.com address, for example, it’s probably not a legitimate organisation.

[Image: a recent phishing attempt. Note the sender’s email address – @pinkcontract.com]

Question their professionalism

Remember that real brands will never ask you for personal details over email or pressure you into visiting their website.

Think before you act

Above all, just take a moment to pause before you interact with any email. Before you click or download anything, reflect for a second by asking: do I know this person? Have I actually ever bought anything from this brand? How does the World Health Organisation have my work email address? Why can’t Karen from Accounting spell correctly?
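The checks above (compare the address with the display name, watch for generic greetings, pressure and too-good-to-be-true offers, and look at where links actually go) can be turned into a simple screening script. Here is an added Python example, not code from the original article or from CyberSmart, that runs those checks over two constructed emails: one modelled on the Argos voucher scam described above, sent from a @pinkcontract.com address, and one ordinary message from a colleague. The brand list, sender domains and message contents are all constructed sample values; a real mail filter would maintain its own lists.

```python
import email
import re
from email.utils import parseaddr

# Constructed for this example: brands the business deals with and the domains
# their genuine mail comes from. A real deployment would maintain this list.
KNOWN_BRANDS = {"argos": "argos.co.uk", "hmrc": "hmrc.gov.uk", "microsoft": "microsoft.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued", "dear account holder")
URGENCY = ("click now", "immediately", "within 24 hours", "will expire", "act now",
           "in the next three hours", "your account will be")
TOO_GOOD = ("you've won", "you have won", "prize", "voucher", "cure for")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def _same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_signals(raw_message: str) -> list:
    """Return human-readable reasons an email looks like phishing (empty list = nothing found)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()
    text = body.lower()
    signals = []

    # 1. Check the email address, not just the name shown next to it.
    if domain in FREEMAIL:
        signals.append(f"sender uses a personal mailbox (@{domain}), not an organisation address")
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in display.lower() and not _same_org(domain, real_domain):
            signals.append(f"display name mentions {brand} but the address is @{domain}, not @{real_domain}")

    # 2. Read carefully: generic greetings, pressure, and offers that are too good to be true.
    if text.lstrip().startswith(GENERIC_GREETINGS):
        signals.append("generic greeting")
    if any(phrase in text for phrase in URGENCY):
        signals.append("urgent deadline or call to action")
    if any(phrase in text for phrase in TOO_GOOD):
        signals.append("offer that is too good to be true")

    # 3. Links that lead somewhere other than the sender's own domain.
    for host in URL_RE.findall(body):
        if domain and not _same_org(host.lower(), domain):
            signals.append(f"link goes to {host.lower()}, not the sender's domain")
    return signals


# Constructed sample messages (raw RFC 822 text).
PHISH_EMAIL = """\
From: Argos Rewards <promo@pinkcontract.com>
To: karen@example-sme.co.uk
Subject: Congratulations! You've won

Dear user,

Congratulations! You've won a 100,000 voucher from Argos.
Click here in the next three hours to claim your reward: http://claim-rewards.example.net/argos
"""

CLEAN_EMAIL = """\
From: Dave Jones <dave@example-sme.co.uk>
To: karen@example-sme.co.uk
Subject: Q2 figures

Hi Karen,

The Q2 figures we discussed are on the shared drive:
https://files.example-sme.co.uk/finance/q2
Dave
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", phishing_signals(raw) or "no signals")
```

The script is a teaching aid rather than a filter: it shows that each of the article's warning signs is mechanically checkable, which is exactly why it is worth pausing to check them by hand when a message lands in your inbox.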

An ounce of prevention is worth a pound of cure

As attacks become more sophisticated, it’s almost inevitable that you or someone you know will fall victim at some point. But following basic cyber hygiene can help reduce the harm of these attacks. 

A simple way to mitigate phishing attacks that steal credentials is to enable two-factor authentication on your accounts right now. Two-factor authentication means that when you log in you need both a password and a second form of confirmation (like a text to your mobile, for example).

Having this extra layer of security means that even with your username and password, the hacker will not be able to access employee accounts.
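As an added illustration (not the article's own code, nor CyberSmart's), here is what that second factor looks like in practice. The six-digit code from an authenticator app is a time-based one-time password (TOTP, RFC 6238) computed from a secret shared with the service and the current time; the login below succeeds only when both the password hash and the current code match, so a phished password on its own gets the attacker nowhere. The user record, password and secret are constructed sample values; the secret in the demonstration is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # seconds per TOTP window, as used by authenticator apps


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 over the time-step counter)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, now: int = None) -> bool:
    """Both factors must pass. A stolen password without the current code is rejected."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Accept the current window and one either side to absorb small clock drift.
    code_ok = any(hmac.compare_digest(code, totp(user["totp_secret"], now + d))
                  for d in (-STEP, 0, STEP))
    return password_ok and code_ok  # both evaluated, so timing does not reveal which failed


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, constructed enrolment
    user = make_user("hunter2", secret)
    now = int(time.time())
    current = totp(secret, now)
    print("code shown in the app right now:", current)
    print("password + current code:", login(user, "hunter2", current, now))
    print("phished password, guessed code:", login(user, "hunter2", "000000", now))
    print("correct code, wrong password:", login(user, "wrong", current, now))
```

SMS codes, as the article mentions, work the same way from the user's point of view; an authenticator app simply keeps the secret on the device rather than relying on the phone network to deliver each code.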

If an employee or business realises they have been breached, they should immediately take action by changing their personal password or disconnecting their device from the network and alerting employees in the rest of the company.

People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to the Suspicious Email Reporting Service (SERS): report@phishing.gov.uk, which supports the government’s Active Cyber Defence programme.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


The business risk that’s more worrying than Brexit

News articles have continued to highlight the impact Brexit could have on UK businesses in 2020. With everything from visas to regulations and import taxes, businesses face a lot of uncertainty in the coming years.  

However, despite Brexit continuing as a hot topic in business media, surveys have found that it is not the most pressing issue on business leaders’ agendas. Instead, data protection topped the list.

The first half of 2019 saw data breaches leave 4.1 billion records across the world exposed, and they are continuing to occur on an almost weekly basis in the UK. The rapidly increasing sophistication of cyber attacks is leaving more and more UK businesses vulnerable to these potentially devastating breaches.

80% of CEOs concerned about cyber threat

PricewaterhouseCoopers conducted a recent survey to gauge the key areas of CEO uncertainty and how they are taking action to address them. The survey found that eight out of ten CEOs are concerned about the threats posed by a cyber attack.

This concern emerges among a growing abundance of news stories reporting enormous data and security breaches at top companies and organisations, which end up costing them hundreds of thousands in compensation. 

One of the most publicised cases of 2019 was the British Airways breach in which the details of about 500,000 customers were stolen by hackers. As a result, BA was charged a fine of £183 million.

This is a corporate example, but even small businesses are at risk of fines for violating GDPR data protection laws. If you’re wondering if you’re GDPR compliant, CyberSmart offers a simple, non-technical path to GDPR certification.

The public wants to know businesses are protecting their data

Media coverage and market research make it clear that cyber attacks are only going to increase in frequency in 2020, both in the UK and the rest of the world. But this is not just an issue for CEOs. 

The media attention garnered by cyber attack stories has made data regulation and privacy a key issue amongst the general public, who place an increasing premium on companies that take protection of their data seriously.

It’s more important than ever for businesses to showcase their cyber security certifications and GDPR compliance.

Pressure from consumers has been further motivation for CEOs to consider data privacy and compliance with data regulations as two of their top issues. 57% of respondents to PwC’s report cited public fears over security as a key factor.

Cyber security starts at the foundation

2020 is expected to see more CEOs focusing on the configuration of their business in order to meet the requirements of cyber resilience. In the increasingly digital landscape of the future, cyber security will no longer be an added feature for organisations to incorporate as an afterthought, but rather a critical feature built into a business’s infrastructure.

As cyber attacks continue to pose a significant threat to UK businesses in 2020, it has never been more important for companies to ensure they are compliant with data protection laws and agreements. 

CyberSmart offers several ways for even small businesses to take precautions against cyber threats. Our Cyber Essentials and Cyber Essentials Plus certifications simplify the process of keeping businesses up to date with UK laws, while CyberSmart Active Protect secures your company devices around the clock.

In addition, we offer products for IASME GDPR compliance enabling you and your company to meet protection standards and have peace of mind in your service.

Cyber attacks already adding up for 2020

The number of cyber attacks has been increasing year on year. So far, 2020 doesn’t look much better.

January proved ominous, with a series of successful cyber attacks on organisations across the globe. Here are just some of the attacks over the first month of 2020:

Royal Yachting Association (RYA)

The UK’s national organisation for the yachting community became aware of a digital attack on 17th January. Online user account data was compromised and as a result, all members of the organisation had to change their passwords immediately.

A statement issued by the RYA said: “On 17 January 2020 we became aware that an unauthorised party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts.

“Our investigation into this matter is ongoing and we have engaged leading data security firms, including forensic specialists, to assist in our investigation.”

Mitsubishi Electric targeted by Chinese hackers

One of Japan’s largest defence and infrastructure groups, Mitsubishi Electric, was also hit by a colossal cyber attack in the first month of this year. The attack was blamed on a Chinese group, who may have gained access to information on government agencies and business partners, as well as the personal data of 8,000 employees and job applicants.

Chief Cabinet Secretary of the group, Yoshihide Suga said in a statement that the Japanese Government was informed, while also confirming that “there is no leak of sensitive information regarding defense equipment and electricity.”

Detroit data breach exposes workers and residents

The email system of Detroit City Government was breached on 16th January. Although less than 10 email accounts were affected, some of the accounts contained sensitive information that could be exploited by cyber criminals. Luckily, most of the email data was encrypted.

The city’s Chief Information Officer, Beth Niblock said: “At this time, there is no evidence – and it is highly unlikely – that any of this personal data was accessed. However, out of an abundance of caution for privacy and security of our employees, the city will be offering credit monitoring services for a period of one year.”

Make a cyber security New Year’s resolution

If your company’s New Year’s resolutions didn’t include improving cyber security, then these attacks should provide a wake-up call. Being cyber resilient is critical to company health.

A surefire way to prove your house is in order is by achieving cyber security accreditation. The UK National Cyber Security Centre’s Cyber Essentials and Cyber Essentials Plus accreditation schemes are the best way to do this.

Securing the links in your supply chain to prevent cyber attacks

Cyber attacks happen virtually every day, and the impact data breaches can have on SMEs can be catastrophic. Falling foul of GDPR legislation can result in fines, loss of trust in your company and ultimately loss of revenue – so it pays to be compliant.

However, what about the other organisations in your supply chain? Do they require access to your data or systems? Could your security become compromised as a result? While you might have the right cyber essentials in place, can you say the same about your suppliers? These are just a handful of questions all company decision-makers should be asking. 

Supply chain attacks: a history 

Supply chain attacks are nothing new. In fact, one of the largest data breaches in history (when the US-based retailer Target had the credit/debit card information of up to 40 million customers stolen) happened when the firm’s POS system was infiltrated via malware introduced through a supplier. In 2013, attackers used the “trusted” connection between the supplier and Target’s system to gain easy access.

Putting appropriate controls in place 

All SMEs should understand the risks suppliers may pose and should ensure the supply chain is subject to the appropriate security controls. A good starting point would be to request that all suppliers show evidence of having attained “Cyber Essentials” certification – the UK’s recommended security standard. However, this may be insufficient for high-risk suppliers, who need to go one step further and get “Cyber Essentials Plus” accredited.

Mitigating against risk 

As a company, you need to decide which controls you insist upon your suppliers having before you decide to continue doing business with them. If suppliers are unwilling or otherwise unable to comply with these requests, you need to consider whether you can put procedures in place to protect your data that allow you to continue forging a working relationship with them. 

Cyber attacks are one of the biggest threats faced by SMEs in the UK today, and their impact on every entity within a supply chain, from top to bottom, is far-reaching. It’s therefore imperative for all elements of the supply chain to work together to maintain the strictest possible security measures.

Find out more 

If you’d like to know more about Cyber Essentials certification or are concerned that your business might not be adequately protected against supply chain cyber-attacks, why not contact CyberSmart today? A member of our team will be happy to discuss your requirements or arrange a security audit of your current systems.