The UK’s National Cyber Security Centre (NCSC) is today launching two new services pitched at the country’s 5.5 million small businesses, a third of which were targeted by cyber criminals in 2022, but which frequently lack the know-how and resources to effectively respond to the threat and protect their livelihoods.
The Cyber Action Plan and Check Your Cyber Security tools form part of the latest phase of the NCSC’s long-running Cyber Aware campaign and aim to raise awareness of cyber security issues among small businesses, micro businesses and organisations, and sole traders.
“Small businesses are the backbone of the UK, but we know that cyber criminals continue to view them as targets,” said NCSC CEO Lindy Cameron.
“That’s why the NCSC has created the Cyber Action Plan and Check Your Cyber Security to help them boost their online defences in a matter of minutes. I strongly encourage all small businesses to use these tools today to keep the cyber criminals out and their operations on track.”
Cyber Action Plan is a questionnaire that guides users through a set of questions relating to cyber security basics such as credential hygiene, backups and patching. It can be completed within five minutes and, when finished, users will receive tailored advice based on their answers as to how they could improve their security posture.
Check Your Cyber Security – which can also be accessed via the Action Plan – offers free, instantaneous online testing to check the security of the user’s IP address and website and web browser, with testing for email services to be added in the near future. It does not require any software to be downloaded to the user’s system and is designed to be used by any small organisations to identify and fix security issues quickly and effectively.
Given the publicity and impact of high-profile cyber attacks such as those on Royal Mail or WH Smith, many small business owners could be forgiven for thinking themselves unlikely to be targeted by cyber criminals.
However, this could not be further from the truth, and for those who are unlucky enough to be victimised – without the support of a CISO, a security team or a forensic investigator – the experience can be traumatic.
Keri Ackling, who co-owns a small business with her husband Tom, worked hard over six years to grow Snow Windows, a small business that creates festive designs, stickers and custom stencils for people to decorate their windows at Christmas. In 2021, she fell victim to a phishing email that seemed to have originated from Instagram, where she runs a popular account showcasing her work.
“It said that now I was near 10,000 followers my account was eligible for all these other features, such as going live and blue tick verification. Since the information was accurate – our account was just a few hundred followers short of 10k – I clicked on the link and entered my email and password to verify the account. Not long after I did that I realise all the posts had been wiped from the Instagram account,” said Ackling.
“It was completely heart sinking. You work so long and so hard to build up social media pages and grow your following and everything had just gone. A fair bit of my business was coming from Instagram at this point, so the prospect of all of that disappearing was devastating.”
Later, Ackling noticed that the attacker had posted an Instagram story to her account demanding a Bitcoin ransom to reinstate her access. “There was never any question of paying it. Aside from not wanting to give into them, we didn’t have any idea how to get hold of Bitcoin,” she said. “We refused to pay the ransom and ignored the message, instead we spoke to Instagram and explained the issue. But suddenly and without warning the account was completely shut down.”
Snow Windows gets huge amounts of business from its social media accounts, and Ackling and her husband feared they might never regain access. They even started a campaign to get it back, and were featured on the BBC and DJ Chris Moyles’ Radio X show – Moyles had previously been a customer.
Meta did eventually reinstate the account and reset Ackling’s login, however, she then started to notice things going wrong with her linked Facebook account, where the business has more than 200,000 followers.
In the past 18 months, Ackling has not been able to post any adverts onto her Facebook business page, and Meta seems to have been unable to fix it.
“Back in 2019, the Snow Windows Facebook page got 273 million organic interactions during October to December. So, more than three years on we can’t imagine how much growth and business we’ve missed out on as a result of this issue,” she said.
Aiden Ryan, meanwhile, started his business Loaf Manchester as a lockdown baking project in May 2020. He now supplies bakes to cafes across Manchester, as well as Selfridges’ Trafford Centre branch. Ryan was victimised by a cyber attack against his personal Twitter account after his credentials were leaked to a dark web site.
Having been burned in this way, when setting up Loaf, Ryan prioritised implementing two-factor authentication on all his social media accounts and set up an entirely new email address.
“It’s one thing when it happens to your personal accounts where you speak to friends and family, and quite another when it’s a business account with following of 14,000 and two to three years of work behind it,” he said.
“I think ever since I started using two-step verification, I felt more confident. I don’t feel scared it’s going to happen to me, but I do know that you can always do more.
“Loaf was built through community. It was an underdog story – people want to see good things happen. Which is why I feel so passionate about this too – I want to help others in the business community recognise that this matters. Businesses are built through community and they thrive through community.”