The business of hacking is also a fast-moving one, meaning cyber security has to be one step ahead of the criminals at all times. Although the infrastructure is there to protect businesses from cyber-crime, whether organisations actually implement the systems can make the difference between being cyber secure and being vulnerable to attack.
Why do small businesses need cyber security?
Small business cyber security is an important topic at a time when all businesses, regardless of size, are trading online. All businesses, regardless of size, should have cyber security at the top of their to-do lists, as they all hold data that could be valuable should it get into the wrong hands. Additionally, all businesses have files and data that, if they were inaccessible, could have a massive impact on the business.
The data many small businesses hold includes:
- Customers’ personal details (name, DOB, address, email).
- Customers’ payment details.
- Intellectual property which could be priceless.
- Customers’ medical details.
Since the world was forced to take the majority of its business practices online in March 2020, pickings are more attractive to cybercriminals, and this is made easier by small businesses that may skimp on cyber security because they undervalue their data’s worth to a cybercriminal.
According to the Verizon Data Breach Investigations Report, up to 43% of all data breaches involved small businesses, and another study carried out by Keeper Security and the Ponemon Institute shows the number of small businesses that fell victim to a data breach rose from 58% to 63% between 2018 and 2019.
One of the reasons that small businesses are hit so often by cybercriminals is because they are small. They don’t have the large budgets and experienced security teams that the global enterprises do and therefore they are easier to crack.
Sure, a cybercriminal would like to earn $5m from one hack, but a few thousand pounds is still a great return for what is a few minutes’ work. A few minutes’ work for them, but a major headache for you.
- With a ransomware attack not only will your files be encrypted but you will also be asked to pay a substantial amount in ‘ransom’. Even after you’ve paid you may not gain access to all of your encrypted data.
- Depending on the nature of the attack this could result in business downtime for hours or days. How many days could your business afford to not function?
- If client data is lost or breached not only could you be liable for fines or legal claims, but your company reputation could be destroyed which could end up threatening the viability of your business.
With the majority of business carried out in the cloud or over the internet, without appropriate cyber security procedures in place your business could potentially be attacked from all angles, including mobile devices, Internet of Things devices, emails, individual workstations, networks and SMS messaging.
The only way to protect your business is to ensure all these vulnerable entry points are locked down against hackers. And if you are not sure what the focus should be, consider what data from your business you would be comfortable knowing was for sale on the dark web.
How can companies protect themselves from cyber-attacks?
Preparation is the key to cyber-attack protection, and therefore knowing what the top security risks are makes it easier for your company to protect against them. The most common cyber-crimes that could threaten your business include:
- Phishing – Where an apparently legitimate-looking website or email encourages the user to divulge sensitive information.
- Hacking – Infiltration into both emails and entire networked systems. Read our guide on How to Prevent Hacking.
- Malware and ransomware – Where software is loaded onto your system and can encrypt or corrupt your data.
- Social engineering – Building a relationship with the ‘victim’ to gain trust and then ultimately useful information.
Once you are aware of the threats you can then develop a security policy to protect your company from them. By following these simple ways to prevent cyber-crime you can reduce the threats to your business.
- Staff training – Training staff on what they can do to be more security-aware can make a big difference. Training on how to protect against cyber-attacks can include:
  - Having complex passwords and not writing them down.
  - The dangers of phishing emails and smishing texts.
  - The escalation procedure if they are concerned about anything.
- Staff culture – ensure staff have password protected hardware, and don’t leave screens accessible to third parties onsite in the office or in their home working environment.
- Keep software updated – Software needs to be updated regularly to ensure weaknesses and bugs are fixed. Often this can be automated centrally so users don’t have to do anything.
- Install security software – All hardware should have up to date anti-malware, anti-ransomware and anti-virus software as well as a firewall. These should be updated regularly.
- An effective asset-management system – This ensures that the whereabouts of all hardware (PCs, laptops, mobiles etc.) is known and can limit the potential risk of mislaid hardware, although with mobile devices all staff should have passwords enabled and be aware of the procedure should they lose one.
- Threat monitoring – Most cyber security support companies like CiS can offer round-the-clock threat monitoring which can identify potential threats before they materialise and can therefore block them.
- Monitor access – When setting up staff on the network ensure they only have access to the things they need and things they are authorised to access.
- Clear onboarding and offboarding procedures – Setting up new starters with the right permissions and access is just as important to security as ensuring ex-staff members no longer have access to the company’s network.
- Incident Response Plan – If you should get attacked, you should have an incident response plan in place which identifies what to do, who should be doing what, and who should be contacted. If the procedure is clear the threat can be neutralised quickly.
For further advice go to our guide: How to Maximise Network Security.
How can you protect business data against security threats?
Cyber attacks can be disruptive and can cost money and time while the company network is down – but there can be the added threat that client and company data is in the hands of an unauthorised third party to do with as they will.
So, in addition to doing everything possible to prevent a cyber-attack in the first place, data protection should be the next key thing on your list. Some tips to protect your data are:
- End to end encryption – When data sent over the internet is encrypted, only the recipient can access it, as they will have the encryption key. This means it can’t be accessed on the way by unauthorised third parties.
- Restrict admin rights – Ensuring that admin rights to data are only provided to authorised personnel can protect data from becoming lost, deleted or accessible to unauthorised people.
- Multi-factor authentication – If all data systems are protected by multi-factor authentication, even if hackers have acquired the password, they would still need biometric data, a one-off code or a physical authentication key to gain access.
- Don’t rely on cloud security – When storing data in the cloud don’t rely on the inbuilt systems of the third-party supplier. Add extra layers of your own security.
- Always back up data – Even if data is stored in the cloud, you should always back up data regularly and store it somewhere different from your normal network.
Why should businesses invest in cyber security?
Once it is accepted that all businesses, regardless of size and industry, are attractive to hackers, it is time to consider the importance of cyber security and its role in prevention.
Investing in cyber security doesn’t have to be expensive or time-consuming, and the infrastructure may already be in place, meaning all you need to do is implement a robust security culture within your business. For example:
- Ensuring all staff are trained on how to spot and avoid phishing campaigns.
- Training staff on good password etiquette (strong passwords, not recorded in an accessible place, and all devices should be password protected).
- Educating staff on safe internet use on mobile devices and within the home environment.
- Ensuring all software currently loaded onto workstations and portable devices is updated and running on the latest operating systems.
- Ensuring Admin rights on PCs are only given to the IT team.
Simply reinforcing systems and processes in place as well as prioritising the education of staff can greatly improve your cyber security. And in fact, having a strong cyber security culture in your business is a great on-going asset as often data breaches and malware attacks are actually caused by human error – such as someone clicking on a phishing/smishing email link without thinking of the consequences.
However, the majority of small businesses could and should do more to protect their business and their data from cyber-criminals. The key is to have a long-term strategy in place, as cyber security must keep pace with an ongoing, ever-evolving threat. For example, in 2021:
- There will be increased cloud breaches due to the rising number of businesses working remotely, with attacks on homeworkers increasing five-fold in the months following the first UK lockdown.
- Fintech targeted cyber-attacks are on the rise with a 238% rise in 2020.
- With more Internet of Things devices being a part of daily life, they are becoming another target for cybercriminals.
- With the widespread rollout of 5G the issue of mobile devices having to switch between 5G, 4G and 3G as signals drop in and out will leave the devices vulnerable to weaknesses in these networks.
These increased threats are in addition to the high-risk malware and ransomware attacks, general disruptive viruses, disgruntled inside personnel and natural disasters. All businesses need to be aware that data security is pretty fragile and therefore investment in cyber security is a no-brainer. It is a financial outlay that could potentially prevent an attack on your business that could lead to bankruptcy.
So, with the increase in data breaches for companies of all sizes, there should really be a matching upsurge in cyber security processes. However, a report carried out by Ermetic states that nearly 80% of companies surveyed had suffered at least one data breach over the past 18 months with more than 43% experiencing ten or more breaches.
But by putting together a clear strategy based on robust data regarding weaknesses within your infrastructure, the potential risks and the most appropriate solutions, these cyber risks can be reduced, meaning your data and your business are protected.
Even the largest companies, with the biggest budgets, get targeted, so as a small business you should simply go for the best security measures you can afford and can maintain. If you have the budget you could enlist the help of a cyber security consultant or outsource your cyber security services to a company like CiS to ensure it is up-to-date and your data is protected.
Can cyber-attacks be prevented?
While not every threat can be prevented, it is better to protect your business as much as possible and increase your chances of preventing cyber-attacks. One of the biggest threats to cyber security is complacency. Many small businesses feel they are not ‘interesting’ enough for the cyber criminals as they are too small. This is simply not true – cyber criminals are interested in any system they can gain access to. According to the Small Business Committee, more than 70% of cyber attacks were actually on small businesses with fewer than 100 employees.
A report from the Department for Digital, Culture, Media and Sport also stated that in 2019 there were attacks on 32% of all UK companies.
So, although it is not statistically possible to 100% protect you from an attack, if your company is proactive when it comes to cyber security, implementing as many measures as you can and training your staff to be vigilant then you will reduce the risk of being the victim of a cyber-attack. You are only as strong as your weakest link – identify what that is and strengthen it!
If you need help identifying your weakest security link and improving your company’s protection against cyber crime, then contact the team at CiS today.