We all hear about it when big businesses are hit by cyber-attacks. Tesco Bank, Talk Talk, and Three Mobile are prime examples of how data breaches can cost companies millions. And it's easy to think that small businesses are less of a target. But no business, big or small, is 100% safe in this era of cyber warfare. In fact, a recent report by IDC found that 71% of data breaches are now targeted at small businesses – so it's time to sit up and take notice.
There are a number of reasons why small businesses can be particularly vulnerable:
A lack of specialist security and legal expertise
Fewer processes and controls
Employees working remotely with insecure Wi-Fi
Small businesses provide a 'back door' to larger clients
Less secure websites, emails and payment processes
It can be easy to lose track of data
Here's a bit more detail about how hackers can take advantage of these weaknesses:
Exploiting human error
Malicious or not, human error is the most common cause of cyber-attacks and data breaches, with studies showing it is responsible for as many as 95 per cent of incidents. A breach can be caused by anything from employees accidentally sending sensitive information to the wrong email address, losing a company smartphone or leaving default passwords in place, to the occasional act of deliberate criminal intent. Yet despite the risks, many small companies don't have the necessary controls, training and communication in place to mitigate breaches of this kind.
Spear phishing attacks
One of the most common types of cyber-attack, phishing is when an attacker sends out emails to multiple recipients, posing as a reputable company. The email will either contain malware in a link or attachment, or will prompt the recipient to enter sensitive account or password details. Spear-phishing is similar but involves a targeted attack on a particular company or individual.
Despite increased awareness of malicious or suspicious-looking email links, many phishing emails are surprisingly convincing, and employees are often tricked into believing an email comes from a reliable source. This gives hackers a safe gateway into susceptible company networks.
Vulnerable security frameworks
Small businesses often don't allocate enough resources to deploy strong firewalls and keep security patches up to date, which can result in the loss of important information if they face an attack. Cyber security is a complex and multi-faceted issue that requires the right technology together with the right policies and processes. As small businesses are unlikely to have the necessary technical expertise in-house, the best option is to turn to a third-party security provider to deploy strong firewalls and apply security patches. But even that's not enough on its own, as the people elements also need to be taken into account, with thorough risk assessments, a cyber security policy and access controls.
Distributed denial of service (DDoS) attacks
DDoS attacks are on the increase, with DDoS for hire services making it easier and cheaper for cyber criminals to strike, bringing down websites and affecting businesses across the world. They work by flooding a company's servers with requests, so they are unable to cope and shut down. That leaves the business unable to trade for minutes, hours or even days, with potentially catastrophic long-term impacts. And it's not just big businesses that are affected – small firms are often more vulnerable due to their website architecture.
How have these threats evolved in the last year or two?
The rise of the Internet of Things (IoT) means many start-ups and small businesses are trying to establish a foothold in this new area of innovation. But sadly, most of the time these devices, including video conferencing systems, IP-monitored security systems, connected climate control systems, VoIP phones and even smart bulbs, are overlooked when it comes to cyber security, making them particularly vulnerable to hacking.
And that's not all. The range and sophistication of cyber-attacks is growing all the time; just take a look at some of the biggest cyber culprits in 2016.
Here are some strategies to counter these threats:
Establishing a security-centric culture
It's easy to overlook the fact that sensitive information accompanies your employees inside and outside the office premises, and that it needs to be protected at all times. Here are some mandatory rules that will keep your data safe when your employees are on the move:
Make employees use complex passwords – see 5 password tips for better SME security
Introduce passwords that automatically expire and need to be renewed
Block access to certain websites that pose risks to the security of your data.
Implementing strong network and workstation controls
Here are some of the controls that will make a big difference to your cyber security:
Implementing a properly configured firewall through a dedicated resource
Applying current and up-to-date patches on everything, including the gadgets owned by employees
Carrying out a risk assessment with the help of a third party
Implementing SaaS-based security services, which are often less expensive than traditional software
Using secure cloud-based applications
Access controls so employees only have access to information they need
Implementing solutions like VPN (virtual private network) so remote access is secure
Implementing a disaster recovery site that can take over in case of a DDoS attack
Having a static page to keep customers informed if your order page goes offline
It's also crucial to have a thorough response plan in place in case you do get hit
Small businesses should also invest in educating their employees, including:
Why certain sites should be off limits
How to spot malicious phishing emails
Why clicking on these links can pose a serious threat
The role of human error in data breaches and how to avoid it
What to do if you suspect an attack or data breach
Most small businesses aren't aware of how much information their vendors have access to, and this can also pose a serious security risk. Checking a vendor's security controls should form part of the vetting and onboarding process. Things to look for include:
How your data will be stored
Access controls for the vendor's employees
Frequency of vendor risk assessment
Compliance with general data protection regulations
An insider threat can be a current or former employee, service provider, supplier, contractor, or anybody else that may be able to gain access to your confidential data. These individuals are likely to have access to sensitive information, often with the responsibility to protect it, leading to severe consequences if it turns out they can't be trusted. We've listed some simple steps your business can take to prevent employee misuse of data here.
Periodic Assessment of Vulnerabilities
Finally, periodic testing should be carried out to identify emerging security risks to your network. Third parties can be hired to carry out this stress testing and clearly identify any loopholes in the system, so they can be plugged before it's too late.
In today's world, it's not a case of 'if' your business will be hit, but more a case of 'when'. These steps will help to protect your business by keeping you in "prepared mode" and helping you to allocate the right resources in the right places.
And remember, if the worst does happen and you're facing the repercussions of a data breach, your final line of defence is a watertight and specialist cyber insurance policy.