Nobody wants to spend their time dealing with the fallout of a security incident instead of building up their business.
Approximately one in seven people in Europe and the United States are self-employed, often realizing a dream of being in charge of their own destiny and having more freedom and control over their careers. But with that nominal freedom to shape the trajectory of their future comes extra jeopardy. It often means little or no sick pay, holiday or parental leave and, in the IT realm, no IT department to fall back on, something most salaried workers take for granted.
This is particularly acute when it comes to the cyber-risk that sole traders and proprietors face. If you run your own business, you will be on the radar of threat actors taking aim at your funds, your sensitive client information and potentially even your intellectual property. Understanding where the risks lie and how to build resilience is key. No sole trader wants to spend their time dealing with the fallout of a breach rather than building up their business.
What’s at stake?
The bottom line is that cybercriminals want to make money. And in general, more money can be extorted and stolen from businesses – however small – than individuals. But threat actors are also largely opportunistic. That means they go after the low-hanging fruit – those online accounts that aren’t properly protected, devices that have no security software installed, or PCs that aren’t running the latest operating system, browser and other software versions.
There is little publicly available data on the volume of breaches impacting sole traders. However, it stands to reason that with fewer resources and little or no in-house IT support, they’ll be more exposed to cyber-threats. Consider how the following could affect your business:
- A ransomware attack that locks you out of your business files, including any synced cloud storage.
- An attack where threat actors steal and threaten to leak your most sensitive files, and/or sell them on the dark web. This could include highly regulated personally identifiable information (PII).
- Account takeover attacks via password theft or “brute force” techniques. The hijacked business account could be used in follow-on phishing attacks on clients or even business email compromise (BEC).
- Malware designed to harvest logins to your online corporate bank account in an attempt to drain it of funds.
The impact on the sole trader
The challenge for sole traders is not only limited IT resources. There is arguably a bigger impact on reputation and on the financial bottom line, which is harder to recover from. Clients may have little to lose in walking away following a serious breach, especially as working relationships are often informal.
That’s not to mention possibly the biggest direct impact of a serious cyber-incident on a sole trader: productivity loss. The time a self-employed business owner has to spend cleaning up their IT environment and recovering from a major cyber-attack is time they cannot spend serving their clients.
How to keep your business cyber secure
According to UK government figures, just a fifth of the country’s micro-businesses have a formal security strategy. Yet the average cost of breaches over the previous 12 months was calculated at over £3,000 (US$3,740), which could be a significant outlay for companies of this size. That’s why sole traders should take some time out to get the security basics right, by focusing on the following preventative measures:
- Back up your business-critical data: This means first working out what is important enough to back up, and then choosing a backup solution. Cloud storage (e.g., OneDrive, Google Drive) is a useful option, as backups are automatic and there is no need for an upfront investment in hardware. Most major providers have capabilities enabling you to restore from previous versions, even if ransomware spreads to cloud data. However, for extra peace of mind, it may be worth also backing up to a removable hard drive, and ensuring it is left disconnected until needed so that malware on your PC cannot reach it.
- Install anti-malware software: Choose a product from a reputable vendor and ensure all PCs and other devices are covered. Be sure to keep automatic updates switched on so it’s always running the latest version.
- Keep all PCs and devices patched: Make sure all operating systems and other software are on the latest version by switching on automatic updates. This means they’ll be patched against the latest exploits.
- Keep accounts secure: Use only strong, unique passwords, stored in a password manager, and switch on two-factor authentication wherever it is offered (social media, email, cloud storage, router, etc.). This will mitigate the risk of phishing, brute-force password guessing and other attacks.
- Protect your mobile devices: Keep all software up to date, install security software, and don’t download any apps from non-official app stores. Make sure the devices are locked with a strong passcode or a solid biometric authentication method and can be remotely tracked and wiped in case of loss or theft.
- Build a plan for when things may go wrong: This “incident response plan” doesn’t need to be exhaustive. Just know which IT services your business relies on and have a handy list of contacts to get in touch with if the worst-case scenario happens. This will speed up recovery times. Keep a paper copy of the plan handy in the event that systems are forced offline.
- Test your resilience today: Use the National Cyber Security Centre’s Exercise in a Box and Cyber Aware resources.
Above all, awareness is key. Simply by reading this article, your business will be in a better place. Put the above best practices in place to keep your business out of reach of opportunistic adversaries.
by Phil Muncaster, ESET