Once in a while something comes along that makes running your own business that little bit harder than it already is. An unexpected – yet probable – IT issue sent me reaching for the aspirin recently. The cause of my headache? My business office 365 got hacked and sent out over 50k emails. Microsoft blocked my outgoing emails for days until they understood the root of the breach. I’m lucky. It could have been so much worse: my system might have locked me out altogether. But this unfortunate incident is a clear example of why micro and small businesses need cyber security as much as the big boys do.

The breach that I suffered formed part of a bigger malicious phishing campaign. Something I came to realise later when I saw this article: https://www.bleepingcomputer.com/news/security/microsoft-office-365-admins-targeted-by-ongoing-phishing-campaign/

How can you tell something not-quite-right is happening? Here are the indicators that I had:

  1. Messages from strangers telling me that they’d received corrupted emails from my domain
  2. Notifications from Office 365 of a change in the number of licences
  3. Sent emails going undelivered

When such a breach happens, you don’t know why. But you ask for help and have to tell people. The first reaction you get is always: you must have done something stupid. And indeed, at this point, you feel stupid. ‘Did I open an attachment, or use the same password for everything or have ‘password’ as my password? These questions and more flit through your brain.

Sophisticated Threats

The threats these days get ever more sophisticated. In my case, I had a good password and a unique one. What’s more, I’m careful and never open an attachment or click on a link that doesn’t come from an email or source I recognise.

And yet, I could have done more and got my business better protected. For instance:

  1. I could have had a multi-factor authentication enabled on my Office365
  2. I could have had an additional admin created in Office365 to which I have full access, but which is set up on a different email address to my working every-day email.
  3. I could have removed Office365 admin privileges from my standard account

When this all happened, I contacted JP IT Solutions, who look after VE’s IT. They discovered various email addresses created on VE’s account. They also discovered extra licences added to the account. The upshot there is that instead of my usual £12 bill it would be more like £112.

Had I not got my contract signed earlier this year I’d have had no means of preventing that from happening.

Unfortunately, as a business owner, you need to understand IT. I share your pain. I told myself for years that IT is for others, like you have to be a different species to do IT. But know that IT is for everyone and even when our businesses grow to the point when we outsource or have a permanent IT person or IT department looking after the systems, ‘the responsibility for security stays with the enterprise’.

The conclusion or moral of this story is that you can learn from my bad experience. As they say, what doesn’t kill you makes you stronger.

As a small business, we tend to think that we’re not important enough to hackers, so we leave cyber security at the very bottom of the ‘to do’ list.

But, take my advice and bring it to the top. Here is a basic cyber security check list. I don’t say that ticking off this list will give 100% protection, but you’ll make a hacker’s life more difficult and, at the same time, your own life easier:

Cyber Security check list:

  • Have you removed admin privileges from your day-to-day work account?
  • Do you have a malware detection system on all your devices: laptop, desktop? It’s free on Windows
  • Do you have up-to-date Antivirus on all your devices: laptop, desktop?
  • Do you have encryption on all your devices: laptop, desktop?

What I learnt from that recent IT disaster, is this:

  • Do NOT feel foolish – it can, and does, happen to anyone.
  • Definitely go and ask for help.
  • That, as a business, you need IT support and should also get a cyber security audit done as a preventative measure. Prevention, after all, is better than cure.

Where to go for preventative help

I went to Foresight Cyber. Based on recommendations made to me by them, I’ve been able to make my business cyber safe.

I urge you, in the strongest terms possible, to do the same.

  • Have you removed admin privileges from your day to day work account?
  • It’s free on Windows