Anatomy of a cyber attack – the risks facing small businesses

A small business owner tells the story of how a cyber attacker nearly brought down her firm, and the expert who helped her highlights the lessons learned

In 2013, Lee Moore experienced a seven-month cyber attack on her small business. With the help of Richard Henson, senior lecturer in computing at The University of Worcester, she and the business recovered, but her experiences show how small firms doing business in the internet-connected world are under threat via their website. 

Cyber attack: Lee Moore’s story

When I was setting up my business, I was pleased to engage a web developer who was responsive to my naïve confessions of ignorance and indifference to cyber matters. Recommended by a friend, who did not suffer fools gladly, and liking the website he had designed for her, I felt confident in his abilities.

I followed his first instructions to never turn off my computer or wireless router. I believed his explanation that computers were vulnerable to being accessed by viruses when they were switched off because antivirus software would not have installed the latest updates. He also said I would be saving electricity as more was used when computers/routers are switched on and off daily. He insisted I pay him by card via his website. 

I now know I should have questioned more, and I certainly did not know keeping my router switched on would allow him to harvest my IP address. As the router was connected permanently to the internet, the IP address would remain the same, making it easier for him to impersonate me, if he so wished. 

Impatient to get online and trade, I allowed myself to be groomed perfectly. I had no idea how vulnerable my nascent business, brand and myself were to a cyber attack.

There was little written about cyber crimes in the press. Organisations advising new startups do not educate budding entrepreneurs about the cyber threats to their businesses, nor recommend including IT security strategies or information risk assessments in their business plans.

Web developer is an apt description, for he spun his web around me very carefully. My trust allowed him to do so. 

Over the next two years, he purchased my domains. He hosted my personal and corporate websites and email accounts on his servers. He set up my social media accounts. He acquired and gave me the usernames and different passwords to use to access the accounts. He was so friendly and helpful that I allowed the professional relationship to become personal. He would share some personal information and I would respond with mine.

After I told him my husband was terminally ill, I received an email informing me that my website was out of date and vulnerable to hacking. He countered my displeasure at being told I needed a new website after less than two years with a warning that my site could infect other sites on his servers and bring them down. As an incentive, he offered me a discounted price of £1,250 for the new website. 

Distracted by grief over the death of my husband and not wanting the hassle of looking for another web designer and fearing harm to others, I consented. I paid the £1,250.

Email threats

Within 24 hours of the new website going live, I received a demand for five days' unspecified extra work, plus first notice of a 25% increase in fees. 

My protest at this unexpected imposition of charges was met with an email threat to “pay or test me if you will”. It felt menacing. I asked Trading Standards to mediate, but their intervention was met with a further threat, via their representative, to “tell Lee to pay or test the servers if she will”.

Before I could reply, I discovered I could no longer access my social media accounts, my personal and corporate websites or my emails. The web developer had changed all the passwords. My websites had been replaced with one-page notices informing visitors that my company and I were active and persistent debtors and I was a high-risk person to do business with. 

He had also used search engine optimisation techniques to make my name appear consistently at the top of all internet search engines, and inserted a banner containing his logo between photographs of me on Google. Visitors who clicked on his logo were taken to a page on his website where he repeated his defamatory comments about me and my company.

Unable to trade, I offered to pay the disputed monies into court and for him to sue me and the company. He ignored my proposal and posted abusive tweets about me. 

I set up new email addresses and a new company, but he found them within 48 hours and harassed me with offensive emails. As fast as I blocked his email address, he would set up another to hound me. 

Using my brand, he registered a domain and company at my home address. He used the domain to create another webpage repeating that my companies and I were debtors. He added my new company name to all the defamatory web pages about me, which he refreshed daily for six months. 

A Trojan was later found and removed from my PC. Although there was no evidence that the Trojan was responsible, files on my laptop had been encrypted without my intervention and many emails vanished.

The police said these were civil, not criminal, matters. 

I approached solicitors, who quoted £15,000 for one injunction – I needed three. Legal costs would have reached six figures. 

Many months after the attack began, and after numerous requests from my MP, the police visited my attacker. He gave them photocopies of pages from my Twitter account with tweets purportedly from me being offensive to him. The police withdrew. 

Richard Henson helped me to deal with and recover from the impact of the attack.

Cyber lessons learned: Richard Henson's response

You don’t know what it’s like until it happens to you. 

Lee’s experiences were horrific on a number of levels. I have been involved in providing a voice on cyber security matters for small businesses for some years, and thought I had encountered all angles in my interactions with small businesses. This could be categorised as an asymmetric example of an insider attack. I was surprised to find that a web developer could so easily do so much damage to a business and its owner.

Lee was being offered a service, without the safeguards associated with such a service. An internet service provider (ISP) and website developer – which may be the same person or organisation – is trusted to an alarming degree, for no particular reason other than they can provide the service. There are no safeguards in place to protect small businesses against their web/internet provider, other than their rights as citizens under the Consumer Protection Act (1987).

There are no UK regulations relating to the practice of being a web developer, and no UK-based professional body, other than the BCS, The Chartered Institute for IT. 

It is vital to small businesses that there is some means for checking quality of a web services provider. In the absence of evidence such as league tables, it often comes down to word of mouth.

Lee was blindsided by this supplier because he was more knowledgeable on many aspects of the internet and web applications than she was – as would be the case for many small business owners. People might have some knowledge of the Data Protection Act (1998) and the Computer Misuse Act (1990), but few businesses have such awareness. 

In the absence of regulations the perpetrator was able to misuse his knowledge at any time, and probably made a calculated risk that he would be able to cover his tracks, knowing that with no evidence there would be no case.

The Computer Misuse Act has had surprisingly few convictions over the years. It was drawn up before mobile phones were digital, and was only amended in 2006 so they could be unambiguously regarded as computers. Despite the hype about rogue states, recent research on origins of cyber attacks on UK businesses suggests that over 70% are initiated in the UK.   

SMEs need cyber security advice

The police approach to cyber crime based on the four Ps – prevent, protect, prepare, pursue – illustrates the importance of keeping businesses informed of potential cyber risks. 

But the police do not have the resources to gather evidence to secure a conviction under the Computer Misuse Act for every small to medium-sized enterprise (SME), so the business will either have to gather the evidence themselves or employ someone to do so on their behalf. 

Breaches of the Data Protection Act are a matter for the Information Commissioner's Office (ICO), which may surprise a small business owner, since theft of a digital asset is as much theft as the illegal procurement of a physical asset.

The priority of the business will be to get up and running as soon as possible, involving both technical and legal knowledge to know what computer-based evidence to preserve before moving on. However, it would be good advice for any small business to read the government’s Cyber Essentials overview, and follow the steps advised. Businesses already caught out will be easy targets and must take the steps to reduce their vulnerability.

It is the responsibility of the business to exercise due diligence when engaging a service. Current advice to startup companies about obtaining a web presence generally does not include securing information, checking qualifications, checking whether suppliers are registered with the ICO or taking utmost care when choosing a website designer and ISP. 

If startups are not forewarned, they are unlikely to look for problems, especially when there is so much else to do to get the business running smoothly.

The issue of data breaches and cyber crime should be of interest to computing and legal professionals, not just as a service to small businesses, but also as a business opportunity in its own right. 

An IT-savvy lawyer or legally trained network expert can ensure evidence to secure conviction can be obtained and stored in a suitable way for later presentation in court, if a breach does occur. A new breed of IT professionals that advise small businesses may already be emerging, but the process needs to accelerate, and there will be many more unhappy experiences and unpunished cyber crimes in the meantime.

Points to consider when setting up a business online

Lee’s case in particular highlights some important points to consider. The web developer had her username and password for uploading to a web server on the internet. People really do need to think before giving a username/password to anyone. Such a combination will be a key to their online identity and open the business owner up to identity theft.

Allowing the web developer to have the username/password combination places that person in a position of trust, perhaps without going through all the steps a company would be expected to go through to establish a good business relationship. The breaking of such trust would be difficult to detect and sanction against.

The web developer also often produces the website for the business and manages that website on the internet – yet none of this is subject to external regulation. The industry is self-regulating and there are no standards for judging whether the developer is a secure or even a good programmer. A technically poor website will be bad for the business’s reputation, and will potentially leave data open to cross-site scripting, SQL injection or other common vulnerabilities.
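The two vulnerability classes named above are easier to judge when seen side by side with their fixes. The following is an added example, not code from the article or from anyone it describes: a constructed in-memory customer table, a lookup that splices user input into SQL next to one that binds it as a parameter, and a page fragment rendered with and without HTML escaping. All names and sample records are assumptions made for the illustration.

```python
import html
import sqlite3


def make_db():
    """Build a tiny constructed customer table in memory (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_vulnerable(email, conn=None):
    """DEFECT: untrusted input is pasted into the SQL text, so quote
    characters in the input change the meaning of the query."""
    conn = conn or make_db()
    sql = "SELECT name FROM customers WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(email, conn=None):
    """Bound parameter: the driver treats the input as data, never as SQL."""
    conn = conn or make_db()
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def greeting_vulnerable(name):
    """DEFECT: user-controlled text is placed in HTML verbatim (cross-site scripting)."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """Escape before inserting into HTML so markup in the input stays inert text."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    # A normal lookup behaves the same either way ...
    print(lookup_vulnerable("alice@example.com"), lookup_safe("alice@example.com"))
    # ... but a quote in the input lets the unparameterised query return every row.
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(probe), lookup_safe(probe))
    print(greeting_vulnerable("<b>Lee</b>"), greeting_safe("<b>Lee</b>"))
```

The check a reviewer of a supplier's code would apply is mechanical: every database call takes its values through placeholders, and every user-supplied string passes through an escaping function (or a templating engine that escapes by default) before it reaches the page.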

The web developer often advises on choice of router and configures the router for the small business. This should include changing the password from a default value, but again gives the developer greater control over the business. 

There are also issues such as wireless routers, hacking, switching off, IP addresses and health. Businesses need to be aware of these matters and dealing with them should be a matter for a registered professional. A kite mark, or something similar, as a minimum standard for web developers – similar to Corgi for gas service providers – could be the way forward.

According to government research in 2011, an estimated £27bn per year is lost from UK businesses and individuals through cyber-related crime.

An equivalent figure for 2014 isn’t available yet, but with the increase in both e-commerce and hacker activity, it is unlikely to have gone down. 

This seems a far cry from the government’s objective of “making the UK one of the most secure places in the world to do business”.

There is much to be done. Small businesses and the police need support. The UK certainly does not lack expertise, and this needs to be harnessed urgently.
