An Avon and Somerset Police campaign is providing small businesses with simple tips to help keep themselves safe online.
A Bristol charity which was attacked by cyber criminals is telling its story and urging others to protect themselves.
“I lost everything I’d been working on for the last six years. They wanted money from us to get our data back but we refused to give in to their demands.”
These are the words of Emily Eden (pictured), finance officer for the Bristol and South Gloucestershire Circuit of the Methodist Church. In June 2015, the charity was advertising a job vacancy on its website. An unassuming email landed in one employee’s inbox labelled “job application – please see attached CV.” The attachment was a compressed zip file. After clicking it, every document she opened on her computer was transformed to “gobbledygook.” It had been encrypted. The charity had a backup of all its data on a server but unfortunately the employee had been working from the backup. This meant the malicious software infecting her computer spread to the main store and onto other computers in the system. All their financial data was transformed to illegible code.
She then found a suspicious document on her computer. It was a message from the criminals. “It was laughing at us. It said they had targeted us and we had a certain amount of time to pay them money, and they would give us a ‘key code’ to get all our data back,” said Miss Eden, who is based in Bristol.
They had been attacked by ransomware – a malicious piece of software which blocks access to a computer system or data until a sum is paid. “We didn’t entertain the idea of paying them. There was no guarantee they would’ve given us the code. Then we would’ve lost our money as well as our data. But it was a moral thing for me.” The financial team of the circuit had to start from scratch and are still recovering. “I lost it all: emails, invoices, letters, spreadsheets, and a new project we’d been working on. The ransomware just ate it. What’s worse, we were being audited two months after the attack and we had nothing to give them.”
Now, she’s offering advice to other charities and businesses, to avoid them falling victim to a similar attack. “It’s not like we weren’t prepared. We had a good system set up with a server, regular back-ups, firewalls and a malware system. It was just a very busy time and it was a simple mistake that anyone could make. It was lots of little things that led to us being vulnerable to an attack. When it happened, I had so many sleepless nights worrying about what we were going to do. Sometimes I feel like I’m drowning, even now. Something like this could completely destroy a small business or charitable organisation. We just want to make sure it doesn’t happen to anyone else.”
They reported the crime to the police and implemented some new systems to prevent future attacks. Now, the charity takes a daily backup of its data on a small removable hard drive, as well as a copy of the backup, and keeps it in a fireproof safe.
“My biggest tip of all though would be for people to just think a little more about the things they’re doing on a daily basis, and to be less trusting online. If anyone is targeted by a similar attack, I’d urge them to report it. We were taken very seriously by the police and received a lot of support. If more people report online crimes, the information creates a picture which could lead to the police catching the people behind it.”
Detective Superintendent Sarah Davenport, force lead for online crime, said: “Ransomware is one of many pervasive and damaging online crimes which have affected a wide range of organisations. We are urging local business owners and employees to take simple steps to keep themselves safe because we know online criminals love small businesses. In fact, they’re one of the most vulnerable groups when it comes to cybercrime. Owners have often invested their livelihoods and hearts into the company but may think they need an IT department or huge budget to protect themselves. We want people to know, you don’t need megabucks to protect your business from threats – education; awareness among staff members; and layers of protection are arguably the best ways to mitigate risk. As part of our online crime awareness campaign, we have provided advice for small business owners and employees which we hope will prevent people from falling victim to these threats.”
Avon and Somerset Police offer their top five tips to small businesses for keeping safe online:
For general help and advice about e-safety, visit www.getsafeonline.org, which has lots of information for individuals and families, or read the ‘10 Steps to Cyber Security’, which contains advice for businesses.
The Government also offers the Cyber Essentials Scheme, to help small businesses achieve a reasonable level of protection and provide the correct foundation to develop from: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.
Businesses with a solid knowledge of online threats can join the CiSP (Cyber Information Sharing Partnership) - a secure platform for UK-registered companies or other legal entities which operate networks and would like to share threats they have identified and benefit from the sharing of information and advice. The South West regional part of the platform is being formally launched on Thursday 19th May, by the South West Regional Cyber Crime Unit. For further details on CiSP, visit https://www.cert.gov.uk/cisp/
Victims of cybercrime can report online to Action Fraud at: http://www.actionfraud.police.uk/