Black Friday, Cyber Monday, the January and Boxing Day sales. The busiest retail period of the year is almost upon us. But while the holiday season often brings with it bumper sales figures for retailers and bargains for consumers, it also comes with a heightened risk of cyber threats. 

For example, November 2020 saw an 80% increase in the number of common email phishing scams reported. Meanwhile, the UK’s National Cybersecurity Centre (NCSC) has been gearing up for the period by releasing updated guidance for consumers on how to shop online safely. 

However, what’s often less widely discussed is the impact this can have on small businesses. Even if your business has nothing to do with retail, you’re still at risk. Here’s why and what to do about it. 

What risks does the holiday season bring? 

Before we look at the risks themselves, it’s important to note that the festive season doesn’t necessarily mean more targeted attacks on SMEs themselves. 

However, who among us hasn’t done the odd bit of lunchtime shopping on company devices or personal devices used for work? And it’s this clandestine bargain hunting that poses the problem. It gives cybercriminals a route into your business. 

Phishing scams

Phishing scams are a year-round problem. But during major retail events like Black Friday, the chances of a successful attack grow exponentially. With so many of us frantically shopping around for the best deals, our ability to spot the telltale signs of a scam often diminishes as quickly as our bank balances. 

It’s a simple but potentially disastrous equation. If you’re in a bit of a rush, you’re not in the best frame of mind for considered judgements. And, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Fake online retailers 

Black Friday often comes with a deluge of fake websites claiming to sell this year’s must-have products at bargain prices. Unfortunately, most of these are simply fronts for cybercriminals to acquire consumers’ data or launch attacks. Like phishing scams, these can be hard to spot in the hurly-burly of major retail events, making a successful attack much more likely. 

Outdated software 

Again, this is a problem 365 days of the year. But the festive season provides the perfect cover for hackers to test out the vulnerabilities of popular software. 

Firstly, because technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. Secondly, because many consumers will suddenly be using apps they haven’t used or updated in months, often on devices with access to your business data. 

Public and home networks

You probably have decent network protection in your physical workplace, but do your staff working from home? And does the cafe around the corner with the free WiFi that everyone uses?

Unsecure public and home networks don’t stop being a problem for the rest of the year, but during busy retail periods, when people are much more likely to shop online, the risk is heightened. It gives cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device. 

Weak passwords 

You’ll hear us talking about the importance of strong passwords a lot. It’s the simplest thing you can change to improve your cybersecurity. However, passwords become doubly important in busy retail periods due to the amount of traffic on popular sites. It’s the perfect setting for cybercriminals to try out large-scale brute-force attacks and find out whose passwords aren’t strong enough. 

What can you do to protect your business? 

1. Educate your team about the risks

A huge proportion of successful cyber attacks stem from human error (95% according to some) so helping your team understand the risks is crucial to avoiding them.

You should approach this in two ways: immediate education and long-term training. In the short term, educate your people on the risks outlined in this piece. It doesn’t have to be more than a short email sent out before the festive season really kicks off.

However, a quick nudge to your staff to be mindful of the risks is no substitute for long-term behavioural change. For this, you need security training. How you approach this will largely depend on your business and the cybersecurity knowledge within it but, to get you started, we’ve put together a short blog on the subject. 

2. Patch your software

The importance of updating your software can’t be overstated. Without regular updates, you leave plenty of little holes in your software for cybercriminals to exploit. So, ensure everyone in your business is constantly installing updates and patches for the software on their devices – even if it’s an app or tool they rarely use. 

It’s a simple thing and won’t take you more than a few minutes each month. But, it can also work wonders for improving your cybersecurity. 

3. Provide staff with clear cybersecurity policies 

We say this a lot but it never gets any less true. If your people don’t know what security behaviours are expected of them at work, they’ll keep getting it wrong.

Clear, well-crafted company policies on cybersecurity and data protection can go a long way to removing confusion around the subject. And, most importantly, help diminish the risk of a successful attack. 

A good cybersecurity policy should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. For more on how to build one, read this.

4. Practice good password hygiene 

Like patching, this is a simple fix that can immediately improve your cybersecurity. So what does good password hygiene look like? Well, we recommend four steps:

• Use complex passwords that make it difficult for cybercriminals to guess or brute force their way in. The NCSC’s ‘three random words’ is a great approach to this
• Change passwords regularly
• Set up different passwords for different accounts, tools and software. If you struggle with remembering them, consider using a secure password manager tool like LastPass or 1password
• Use two-factor authentication (2FA) wherever possible

And, once you’ve undertaken these four steps, roll it out to your business. Create a password policy and make sure everyone follows it.

5. Use a VPN 

Last, use a Virtual Private Network (VPN) for all remote work, even those trips to the local coffee shop. If your employees are using public networks or their home router it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

A VPN can help you counter this by creating a secure connection to business systems and data, from wherever your staff choose to work. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.

Of all the cybersecurity threats we cover, ransomware is by far the most high-profile. It often seems as though barely a week passes without another story in the news about the latest blue-chip victim.  

It’s not hard to see why the media devotes so much coverage to ransomware. It’s a rapidly growing threat. It usually includes a note of suspense as we all wonder whether the victim will pay the ransom. And, it’s claimed some of the biggest companies on the planet as its victims.

But beyond the media headlines, ransomware is poorly understood. How does it work? Why is it so hard to stop? And, more importantly, what can you do to protect your business? 

How does ransomware work? 

Most ransomware uses a special kind of encryption, called ‘asymmetric encryption'. That might sound complex, but it’s actually very simple. Like standard encryption, it uses a pair of keys to encrypt and decrypt a file. However, unlike standard encryption, the attacker is the only person with access to the key to decrypt the file. It’s this key that cybercriminal uses to hold the victim’s files for ransom. 

Or, to put it in simple terms, it’s a bit like leaving the office to find your car has been clamped and a ticket attached to the windscreen with a demand to pay £250 to have it freed. Unfortunately, that’s where the similarities end. While you might be able to remove a clamp with the help of a mechanic, it’s virtually impossible to decrypt an encrypted file without a key. 

And it’s for this reason that in most successful ransomware attacks the victim is forced to quietly pay up to get their files back. 

How does ransomware get in? 

Much like its cousin malware, ransomware comes in many forms and can enter your system in a variety of ways. However, the most common route is through email spam campaigns or through a carefully targeted attack – think March’s attack on Acer or the infamous attack on the NHS in 2017. 

Once it’s in, the ransomware drops off its malicious cargo and then searches for valuable files to encrypt. ‘Valuable’ files are usually things like Word documents, spreadsheets, images and databases. Ransomware can also exploit any system or network vulnerabilities you have and spread across your organisation and into your supply chain. 

Why is ransomware so hard to stop? 

If it poses such a huge threat, then why does ransomware continue to grow more common and payouts keep climbing? Surely someone has come up with a way to fight it? 

Unfortunately, ransomware is very tricky to counter for a few reasons.

Easy to set up

Cybercriminals no longer need to be coding wizards to launch a ransomware attack. Malware marketplaces have sprung up in the shadier corners of the internet, meaning would-be crooks can essentially order ransomware on-demand. Often all its creator will ask for in return is a share in the profits. 

Most people pay up

The success of ransomware rests on the same principle as any other type of ransom. Generally, if something is valuable to someone and they risk losing it forever, they’ll pay whatever is necessary to get it back.

Cybercriminals know this, it’s what makes ransomware such a lucrative scheme. 

It’s hard to track the perpetrators down 

Remember the old adage ‘follow the money?’ Sadly, it’s nonsense when it comes to ransomware. Most cybercrime is paid for using cryptocurrency and planned in the darkest reaches of the internet, making it very hard to track.

There are endless targets 

Wherever you are in the world, cybersecurity knowledge is low. It’s low among business leaders. It’s low among staff. And it’s low among the general public. This means potentially endless targets for cybercriminals.

As we mentioned earlier, ransomware typically enters organisations through pretty unsophisticated methods. However, ransomware doesn’t need to be sophisticated when so few of us understand what an attack looks like. 

How do you protect your business? 

We’ve painted a pretty bleak picture so far, but don’t despair. There’s plenty you can do to protect your business against ransomware. 

Training, training, training 

According to research, 95% of cybersecurity breaches begin with human error. This is especially true when it comes to ransomware, with most attacks starting through a dodgy email being opened or malicious file downloaded. 

But before we rush to condemn human failings, it’s worth asking whether your people have been trained to spot threats. After all, if your employees have no idea what a ransomware attack looks like, they’re far less likely to take the right action to protect themselves or your business. 

The best way to beat this is through training. Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them. 

The kind of training you need will be highly dependent on your business and the existing knowledge of your staff. But a great place to start is by reading our blog on all things cybersecurity training. 

Backup your data

As we mentioned earlier, most victims end up paying out to ransomers but there's a very simple way to avoid this. Always backup critical files and data, preferably in the cloud or on an external hard drive. That way, if you do get attacked, you can wipe your device(s) and reinstall everything from backup. 

This won’t completely remove the threat of ransomware, but it will remove the need to pay your attacker to get your files back.

Patch your software

Updating software is a hassle, we get it. There never seems to be a convenient time to reboot your device and the endless passive-aggressive reminders from your operating system can get very grating. 

However, it is important, particularly when it comes to protecting yourself against ransomware. Even the best software develops vulnerabilities over time. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged. Whatever the reason, software developers get around the problem by releasing security patches.

These updates fix the ‘holes’ in your software that can be exploited by ransomware. Without them, you risk giving cybercriminals a back door into your systems and data.

But the good news is all you have to do is regularly update any software or tools you use. It shouldn’t take more than a few minutes each week and it’s by far the most effective (and simple) way to protect yourself. 

Read more about the importance of patching here.  

Stick to secure networks 

Whether it’s at your favourite local coffee spot or on the train to that important client meeting, using public Wi-Fi networks is a bad idea. Most public networks have poor or non-existent security and are the perfect place for cybercriminals to snoop on your internet usage and launch attacks. 

If you need to connect to a public network for any reason, use a Virtual Private Network (VPN). A VPN allows you to connect to business systems securely and browse the internet safely, wherever you are. For everything you need to know about VPNs, check out our blog on the subject. 

Put security policies in place

It’s one thing to improve staff awareness of the threats posed by ransomware, quite another to ensure everyone is following security best practices. This is where a clear, easy-to-understand cybersecurity policy can work wonders. 

A well-crafted policy will help your people understand what they should and shouldn’t do and help them make the right decisions when faced with threats like ransomware. 

Stay informed

Last, try and keep an eye on the latest ransomware threats. To be clear, we’re not suggesting you become a cybersecurity expert overnight (unless you want to). However, having even a basic knowledge of what ransomware looks like can help prevent the worst. 

Is your business working remotely or considering making the switch? Don’t do anything without reading our guide to cybersecurity in a new era of work.

Despite the common perception, VPNs aren’t just a tool for surfing the shadowy underbelly of the internet. A VPN is a vital defence against cyber threats for anyone working remotely. Here’s why your staff need one. 

What is a VPN?

In simple terms, a VPN (or virtual private network) allows you to connect to business systems securely while using a public network. A ‘public’ network could be the free connection you get on public transport, the WiFI at your favourite cafe, or even your home internet router.

How does a VPN work? 

The best way to think of a VPN is as a ‘tunnel’, used only by you, between your workplace and wherever you’re working from. 

Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. When you connect to the internet via a VPN, all your data is sent through this encrypted tunnel. This has a couple of key advantages over using a public network:

Greater privacy

VPNs obscure your internet activity from your provider and everyone else. This effectively makes you ‘anonymous’ on the internet. Not only is this great for privacy, but it also means your IP address and location are invisible, making it much harder for cybercriminals to intercept confidential company data. 

Improved safety

An encrypted tunnel is very, very difficult to hack. VPN Mentor has produced some interesting research on the subject and concludes that the only way hackers can break VPN encryption is either through a known weakness or by stealing the encryption key (more on encryption keys here).

Essentially, a VPN is a pretty sure-fire way to ensure your business devices aren’t vulnerable to attacks coming from public networks. 

Why should your business use a VPN for remote working? 

We highly recommend using a VPN if you have employees working remotely, but why? You may be wondering whether it’s really necessary. After all, won’t the existing security on employees’ devices protect them? 

Unfortunately, this simply isn’t the case. If your employees are using public networks or their home router it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware. 

There’s also the human element to all this. Research shows that many employees, whether consciously or not, engage in riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. Without the added layer of security a VPN offers, this confidential data could easily fall into the wrong hands.

Why you need a VPN for hybrid working too

If you’re planning on adopting ‘hybrid working’ as the norm post-pandemic, VPNs will be essential to keeping your business safe. 

Picture the scenario, one of your sales team has dropped into a coffee shop on the way back from an important meeting. They like the ambience of the place, so they decide to sit and fire off some emails and run through their sales deck while they sip a latte and munch on a croissant. To do this they need to connect to the cafe’s WiFi, an unsecured public network. 

Seems innocent enough, but on this particular day, a hacker is targeting the customers of this coffee shop. They see that your salesperson is working using the cafe WiFI, and that’s all it takes. In a few seconds, the sales deck and confidential data have been stolen. Your business is facing a choice between a PR nightmare or a hefty bill to get it back. 

How do you set up a VPN? 

The first step is to pick a provider. There are hundreds of VPN providers out there each offers slight variations on the same service. Many businesses stick with the major providers such as NordVPN and ExpressVPN and with good reason, both regularly win tech magazine ‘Editors choice’ awards. 

However, if you’re looking for the highest level of anonymity, smaller providers such as Mullvad VPN that require no payment or contact details could be the way to go. If in doubt, check out Tech Radar’s Best VPN Service 2021 list, it compares most of the major providers. 

Once you’ve picked, setting up a VPN is relatively easy. The set-up process is almost universal among VPN providers so it shouldn’t matter which you choose. We won’t go into exactly how you do it here, but this guide from The Verge covers everything you need to know. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.