Procurement · 25 February 2016

HR, ransomware and invoices: You need to expect to be hacked

Many vulnerable small firms are still getting the basics wrong

Trustwave EMEA Systems Engineering Manager Oli Pinson-Roxburgh spoke to Business Advice about the increasing sophistication of hackers and how small firm owners are making themselves vulnerable.

With one in four small business owners falling victim to fraud in 2015, and Action Fraud estimating that such attacks cost SMEs almost £20bn each year, the bosses of small firms are increasingly turning to experts for advice on how to mitigate the threats posed by hackers.

Trustwave was acquired by telecommunications giant Singtel in 2015, and includes teams of “ethical hackers” looking for loopholes to close as well as forensic experts who work backwards from a security breach to find out what went wrong.

“Lots of small organisations aren’t able to detect fraud until a bank or a client points it out to them, especially if it isn’t having an impact on the bottom line. Sometimes it takes companies more than six months to realise. In the most extreme cases, breaches go on for years. And the longer it takes for them to be noticed, the higher the clean-up costs,” Pinson-Roxburgh explained.

“The motivation of hackers who target small companies tends to be opportunistic rather than targeted. They will send out junk links to as many people as they can, especially HR managers, because they are used to getting CVs so are more likely to open attachments,” he added.

Pinson-Roxburgh has recently seen a rise in hackers' use of ransomware – software which encrypts the hard disc of the target computer and denies the user access to their data unless they agree to pay a hefty ransom. He also believes that fraudsters are becoming increasingly businesslike in the way they work, and explained: “There’s a whole industry providing managed services for hackers and subscription-based tools which deliver returns of thousands of per cent.”

Yet in spite of the increasing professionalisation of attackers, he believes that many vulnerable small firms are still getting the basics wrong. Pinson-Roxburgh highlighted the importance of simple steps like putting strong password policies in place, removing the guest accounts which are automatically configured on Windows terminals, and installing patches and updates as soon as they become available. “The more measures you put in place, the more expensive it is for hackers to target you. These business-minded individuals are looking for low-hanging fruit, so deterrents are important.”
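The three basics listed above can be checked on a Windows machine in a few lines. The following PowerShell audit script is an added example, not code from the article or from Trustwave; it only reads settings and changes nothing. It assumes Windows 10 / Server 2016 or later (for `Get-LocalUser`) and an elevated session, and the thresholds it flags (minimum password length, lockout threshold, patch age) are the author's assumptions rather than figures from the interview.

```powershell
# Added example: read-only audit of guest account, password policy and patch status.
# Thresholds below are assumptions for illustration, not recommendations from the article.
$MinPasswordLength   = 12   # assumed minimum acceptable length
$MaxHotfixAgeDays    = 30   # assumed: flag if nothing has been installed in this many days

$report = [ordered]@{}

# 1. Guest account. Its RID is always 501, so match on the SID rather than the name,
#    which may have been renamed or localised.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$report['GuestAccountEnabled'] = if ($guest) { $guest.Enabled } else { 'not present' }

# 2. Password policy, parsed from the text output of 'net accounts'.
function Get-PolicyNumber {
    param([string[]]$Lines, [string]$Label)
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if (-not $line) { return $null }
    $digits = ($line -replace '[^\d]', '')
    if ($digits -eq '') { return $null }   # e.g. "Lockout threshold ... Never"
    return [int]$digits
}
$policy = net accounts
$report['MinPasswordLength'] = Get-PolicyNumber $policy 'Minimum password length'
$report['MaxPasswordAgeDays'] = Get-PolicyNumber $policy 'Maximum password age'
$report['LockoutThreshold']  = Get-PolicyNumber $policy 'Lockout threshold'

# 3. Patching: date of the most recent installed hotfix, plus pending updates from
#    the Windows Update agent (COM interface; may fail offline or under WSUS policy).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LatestHotfixInstalled'] = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $report['PendingUpdates'] = $pending.Count
    $report['PendingTitles']  = @($pending | ForEach-Object { $_.Title })
} catch {
    $report['PendingUpdates'] = "search failed: $($_.Exception.Message)"
}

# Findings: plain-language flags for the items the article calls out.
$findings = @()
if ($report['GuestAccountEnabled'] -eq $true) { $findings += 'Guest account is enabled' }
if ($report['MinPasswordLength'] -lt $MinPasswordLength) { $findings += "Minimum password length below $MinPasswordLength" }
if ($null -eq $report['LockoutThreshold']) { $findings += 'No account lockout threshold set' }
if ($latest -and ((Get-Date) - $latest.InstalledOn).Days -gt $MaxHotfixAgeDays) { $findings += "No hotfix installed in the last $MaxHotfixAgeDays days" }
if ($report['PendingUpdates'] -is [int] -and $report['PendingUpdates'] -gt 0) { $findings += "$($report['PendingUpdates']) update(s) pending" }
$report['Findings'] = if ($findings) { $findings } else { 'none' }

[pscustomobject]$report | Format-List
```

Run it from an elevated prompt; the `Findings` entry is the part worth acting on. Domain-joined machines inherit password policy from Group Policy, so `net accounts` shows the effective policy rather than one set locally.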

And crucially, preventing fraud is about behaviour as well as technology. He explained: “You need to make it easy for people to make good decisions. We’ve had finance directors emailed directly by fraudsters posing as suppliers, asking them to send over money, and some of these emails sound very legitimate. There should be a process in place to make sure individuals can’t transfer company money in response to such an email, and staff need to be encouraged to take a more defensive stance.

“In my experience, people don’t ask enough questions. There’s a real mindshift change needed. Business owners need to assume they’re going to be hacked, and be looking out for malicious attachments or unusual friendship requests on social media platforms. If you have customer data which you’re the sole custodian of, that is a big responsibility, so be on guard.”

In order to get staff to engage with education around fraud, he recommended providing training which will also be useful outside the workplace in helping workers protect their personal data.

If the worst does happen, Pinson-Roxburgh urged small firm owners to treat the source of the electronic data breach as if it were a physical crime scene. “If you think a machine has been compromised, don’t switch it off but do separate it from your network. Try not to remediate the damage yourself – leave it to the professionals. If you do change anything, document it and pass the information on.”
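The two points in that advice that are easy to get wrong under pressure are "separate it from the network, don't switch it off" and "document anything you change". The script below is an added example, not from the article or from Trustwave: it records the machine's live network connections and process list to a log (state that is lost if the machine is powered off), then disables the active network adapters, writing each change to the same log with a timestamp. It assumes Windows 8 / Server 2012 or later, an elevated session at the machine's own console (disabling adapters will cut any remote session), and it defaults to a dry run unless `-Apply` is given.

```powershell
# Added example: isolate a suspected-compromised Windows host without powering it off,
# and keep a timestamped record of what was captured and changed for the responders.
param(
    [switch]$Apply,                                      # without this, only report what would happen
    [string]$LogPath = "$env:SystemDrive\ir-isolation-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
)

function Write-IRLog {
    param([string]$Message)
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Write-IRLog "Isolation script started by $env:USERNAME (Apply=$Apply)"

# 1. Capture volatile state first. Powering the machine off would destroy this.
Write-IRLog 'Snapshot: established TCP connections'
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize | Out-String -Width 200 | Add-Content -Path $LogPath

Write-IRLog 'Snapshot: running processes'
Get-Process |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize | Out-String -Width 200 | Add-Content -Path $LogPath

Write-IRLog 'Snapshot: logged-on sessions (quser)'
try { quser 2>&1 | Out-String | Add-Content -Path $LogPath } catch { Add-Content -Path $LogPath -Value 'quser unavailable' }

# 2. Separate from the network by disabling every adapter that is currently up.
#    Each change is logged so it can be handed to whoever does the investigation.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
if (-not $adapters) { Write-IRLog 'No active adapters found; nothing to disable' }
foreach ($a in $adapters) {
    if ($Apply) {
        Disable-NetAdapter -Name $a.Name -Confirm:$false
        Write-IRLog "CHANGED: disabled adapter '$($a.Name)' ($($a.InterfaceDescription))"
    } else {
        Write-IRLog "DRY RUN: would disable adapter '$($a.Name)' ($($a.InterfaceDescription))"
    }
}

Write-IRLog "Done. Log written to $LogPath. Do not power off; hand the log and the machine to the responders."
```

Nothing else on the machine is touched, in keeping with the advice not to attempt remediation yourself: the log and the still-running machine are what a forensic team will want. Copy the log file off the host (to a USB stick, for example) once the adapters are down, since the host will no longer be reachable over the network.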

He also emphasised the importance of honesty in situations where the potential losses from fraud extend to other people. “You don’t need a massive PR machine to recover from a situation where you’ve lost customer data, but you do need to be open and tell people about it. Business owners who deal well with security breaches find they are forgotten about; those that hide things get found out and lose the trust of their customers.”

For more advice on how to protect your micro business from swindlers, check out our fraud series.

Hannah Wilkinson is a reporter for Business Advice. She studied economics and management at Oxford University and prior to joining Business Advice wrote for Kensington and Chelsea Today about business and economics – as well as running a tutoring company.
