Corporations Aren’t the Main Target
The Equifax ransomware hack is currently headlining the news. 143 million Social Security numbers of US citizens have been stolen by cyber criminals, plus a spectrum of other personal information including phone numbers, email addresses and credit card details. But Equifax is a multinational corporation, so you would expect them to make the front page. How often do you hear of small to medium-sized businesses (SMBs) falling victim to cybercriminal activity? Not often. The reality is that SMBs are a soft target, more susceptible to hacks and data breaches. These vulnerabilities are fully exploited by artful and resourceful hackers.
Verizon’s Data Breach Investigations Report has revealed that SMBs constituted in excess of 70% of all data and security breaches. The SMBs with the greatest proportion of attacks had fewer than 10 permanent employees.
Nobody is Safe
Cybercrime isn’t selective. When a company, SMB or corporation, is subject to a hack, the victims are both the businesses whose data has been compromised and the clients and customers who expect their sensitive information to be handled with care.
A common tactic used by hackers is to access personal information, bank account and credit card numbers and addresses in order to commit identity fraud. When an individual attempts to reclaim their identity, they embark on a long, tiring road of anxiety and uncertainty. Personal finances seldom recover fully from identity theft and fraud.
In the UK, the Information Commissioner’s Office (ICO) is an umbrella organisation that handles regulations and legislation pertaining to data compliance and protection. Any SMB experiencing a data breach, whether a result of cybercrime infiltration or not, is required to file a report with the ICO within 24 hours. The ICO then instructs the company to produce a detailed inventory of the breach, and keep a log of the effects and remedial action taken. Furthermore, the SMB will be required to provide each client with a summary of the incident, the nature and content of personal data affected, the likely effect on the individual, measures taken to address the breach, and how the client can mitigate any possible adverse impact. All in all, a time-consuming and costly process.
SMBs Pay a High Price
Research conducted by the Ponemon Institute has shown that the average cost to a SMB for each record breached is £150. Multiply that figure by your number of clients, service providers, employees and anybody else associated with your company and the costs become substantial. Although the figure includes estimates for the cost of investigation, fixing issues leading to the breach, possible litigation costs and lost business, it does not cover time and effort expended in damage control. Damage to your company reputation is one consequence that is not factored in. Depending on how your clients react to the breach and your company’s negligence, the damage may be irreparable.
Cybercrime can spell the end of the road for many SMBs: a conservative estimate is that approximately 60% of SMBs are out of business within six months of a notable cyber-attack. Simply put, the ramifications of an attack extend beyond the main event, with the impact on productivity, reputation and profitability impossible to gauge. Further to this, SMBs don’t have the same resources to bounce back from a breach that conglomerates such as Amazon and Apple do.
Research also shows that clients affected by security breaches are unforgiving of SMBs. Their reaction to breaches at large companies is somewhat more magnanimous. If a client falls victim to data loss through Citibank for instance, they are likely to take consolation in the fact that their information is in the hands of a multi-billion pound conglomerate. When a breach occurs through a small online retailer, however, customers will show little mercy or understanding and leave to find a more trustworthy vendor or service supplier. Symantec’s State of Information Survey highlighted that half of SMBs suffering a data breach acquire a damaged reputation and lose clients.
Cybercriminals continue to relentlessly pursue SMBs. Symantec has stated that SMBs are the victim in 31% of all attacks. The figure was 18% a year ago. Where this number will end up in the future is anybody’s guess.
Why Cybercriminals Like SMBs
Global companies such as Equifax and Walmart have seemingly infinite resources to put in place the latest antivirus and malware security and successfully curtail the activities of cybercriminals. A company with 1,000 employees, for example, may employ 20 in-house IT support engineers who vigilantly work to ensure that every device and the network are secure.
SMBs do not have this luxury and lack the financial clout and manpower. Hence a typical SMB network is less secure and more vulnerable than that of their larger counterparts. Only a few SMBs have in-house IT personnel, and for those that do, these employees are usually tied up with tasks such as troubleshooting or routine network maintenance. Being thinly spread, they don’t have the time to rigorously address network and data security.
The abundance of SMBs also makes them an enticing target for cybercriminals. In 2016 there were 5.4 million SMBs in the UK, equating to 99% of all businesses. Even in this slow-paced economy, an estimated 500,000 UK start-ups consisting of only a few employees will go into business in 2017.
Not Too Small to be Hacked
Many SMBs adopt the ‘it will never happen to us’ approach thinking that large companies are the only victims of cybercrime. The reasons are two-fold. First, cybercrime attacks on SMBs aren’t publicised by the media. Secondly, SMBs consider their data and operations to be of insufficient value to the likes of hackers.
Cybercriminals are good at what they do, and they’re getting better. They use increasingly sophisticated techniques to spam, create backdoors into PCs and networks and steal data. The days of a cyber-attack taking the form of a big heist are long gone. Nowadays, the criminals are scheming and designing to the extreme. They gradually infiltrate SMBs, pilfering data and personal information in small, unnoticeable increments. SMBs who are lax with their IT infrastructure security may take days or weeks to spot the theft. By then, it is too late.
SMBs need to rethink their strategy regarding hacking and acknowledge that ‘it will happen to us’ as a probability. Recently, political ‘hacktivists’ have caused several high profile Distributed Denial-of-Service (DDoS) attacks. The hacktivist aims to ravage the IT infrastructure of large corporations or government departments. Hacktivist groups such as LulzSec and Anonymous have led the way in this form of cyber anarchy.
The CEO or MD of a SMB may hear about DDoS attacks in the news or through social media and not bat an eye. Why would a hacktivist bother to hack their data? After all, a SMB is hardly Sony or MI5. However, given the fact that there is at least one DDoS attack in the world every two minutes, SMBs must rethink their network security options.
SMBs are the Inroad
SMBs often act as vendors, suppliers or service providers, being subcontracted to much larger organisations. Cybercriminals take full advantage of this situation and SMBs become a lucrative inroad to access the data of corporations. Large enterprises have robust IT security systems which are difficult to permeate. So, manipulating the security vulnerabilities of SMBs is a smart way for hackers to gather data that would otherwise be unattainable. The SMB becomes a Trojan horse and hackers gain backdoor access to the larger company’s IT infrastructure and data.
Due to the threat of backdoor intrusion, many companies, potential clients and partners need reassurance from a SMB about how their data will be safeguarded before any agreement is formalised. Some require the SMB to sign a legally binding report on their IT security practices. Others demand an external IT security audit before making a deal and signing a contract.
What does this all mean? In a nutshell, if a SMB is unable to provide convincing evidence of having a sound and secure IT infrastructure, they will lose potential clients, deals and partners. SMBs should expect to be vetted when doing business with large companies.
The Whole Nine Yards
There are no shortcuts when it comes to data security. SMBs need to understand the serious nature of cybercrime and go the whole nine yards to get their IT infrastructure secure. Due to their ‘it will never happen to us’ mind-set, many SMBs are deluded when considering the safety of their data. McAfee and Office Depot recently conducted a survey on data security involving 1000 SMBs. Two-thirds confidently stated that their data was secure and not at risk from cybercrime.
Cybercrime isn’t the only culprit causing data to become compromised. Recently Symantec conducted a ‘Global Cost of a Data Breach’ study. The three main causes of data breaches were identified as:
- Malicious Attacks – 37%
- Negligence and Human Error – 35%
- System Error – 28%
So data breaches caused by the bad guys are only part of the picture. Data can be compromised by a competent employee making an error or by hardware or software failure. But you don’t need a fortune or to employ a team of IT specialists to adequately protect sensitive data. You can create a secure IT environment on a small budget by applying some of the recommendations in the four steps that follow.
Step 1: Your Network Device
First off, know the hardware you have and use. You should keep a log of all devices that connect to your network. In today’s world of BYOD (Bring-Your-Own-Device) this record is essential. In a BYOD office, employees can access your network using a variety of personal devices such as smart phones and tablets. To optimise your IT infrastructure security you must know what the BYOD devices are, who they belong to, how they access the network and how they are configured.
You need to regularly review all devices and ensure that each endpoint is secure and not vulnerable to hacking. Relatively inexpensive Mobile Device Monitoring (MDD) tools will approve or quarantine any device accessing your network. A trusted MDD tool will also enforce encryption settings if the BYOD device is storing sensitive company data and files. In addition, the tools will be able to remotely locate and lock lost or stolen devices and instantly wipe vital company data from them.
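The regular device review in Step 1 can be scripted even without a dedicated tool. The following is an added example, not part of the original article: it compares a device log against the addresses currently seen on the network and sorts each device into approve, quarantine or absent. The CSV columns, the sample devices and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory: the fields Step 1 asks you to record.
INVENTORY_CSV = """mac,owner,device_type,access,encrypted
aa:bb:cc:00:00:01,alice,laptop,wired,yes
aa:bb:cc:00:00:02,bob,smartphone,wifi,no
aa:bb:cc:00:00:03,carol,tablet,wifi,yes
"""

# Constructed sample of MAC addresses currently seen on the network,
# e.g. exported from the router's DHCP lease table.
SEEN_ON_NETWORK = ["AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"]


def normalise_mac(mac):
    """Lower-case a MAC address and use ':' separators so formats compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text):
    """Parse the inventory CSV into {mac: record}."""
    return {normalise_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def review_devices(inventory, seen):
    """Sort devices into approve / quarantine / absent, with a reason for each."""
    report = {"approve": [], "quarantine": [], "absent": []}
    seen_macs = {normalise_mac(m) for m in seen}
    for mac in sorted(seen_macs):
        record = inventory.get(mac)
        if record is None:
            report["quarantine"].append((mac, "not in inventory"))
        elif record["encrypted"].strip().lower() != "yes":
            reason = f"{record['owner']}'s {record['device_type']} is not encrypted"
            report["quarantine"].append((mac, reason))
        else:
            report["approve"].append((mac, record["owner"]))
    # Inventory entries that were not seen may be lost, stolen or retired.
    for mac in sorted(set(inventory) - seen_macs):
        report["absent"].append((mac, inventory[mac]["owner"]))
    return report


if __name__ == "__main__":
    report = review_devices(load_inventory(INVENTORY_CSV), SEEN_ON_NETWORK)
    for decision, devices in report.items():
        for mac, detail in devices:
            print(f"{decision:10} {mac}  {detail}")
```

Phones that randomise their Wi-Fi MAC address can show up here as unknown devices, so an identifier issued by your device-management tool is a steadier key than the MAC where one is available.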
Step 2: Educate and Train
Educating and training your staff about IT infrastructure security and best practice is a must. By increasing employee awareness of security, you will reduce the number of breaches caused by human error or negligence. Moreover, your staff will be on guard against cybercrime and potential hacking. Hackers love the ignorant and frequently gain access to networks by taking advantage of employees who are not in the know. You can help employees identify spam and phishing email. They won’t click on malicious links or download dangerous attachments that would threaten the integrity of your network.
When the story of a large company being hit by a cyber-attack makes the news, inform your staff. A Tweet or Facebook post only takes seconds. When your staff acknowledge the extent of cyber-criminal activity, they will develop an innate appreciation of the importance of IT security. Also, constantly reinforcing the dangers of phishing and spam will further increase awareness and reduce risk.
As the owner of a SMB, you should also have a policy document in place that explains IT best practice for in-house and remote workers. For example, password security underpins the stability of any system. Ensure that employees change passwords regularly and use passwords that are difficult to crack. Sites like ‘How Secure Is My Password’ can be used to give an indication of how long it would take a cyber crook to decipher a password.
IT security policy should be integral to any new employee induction. You also need to update the policy as and when changes to your IT infrastructure are made. First and foremost, ensure that the policy is religiously enforced to achieve maximum effectiveness.
Step 3: Conduct an Audit
Perform a quarterly audit of your sensitive data. This way, you’ll know where it is stored and consequently how to keep it safe and secure.
Step 4: Cloud Computing and Managed Service Providers
Using cloud computing and virtualisation often provides a relatively inexpensive data security solution for SMBs. Anybody who is sceptical about the safety of the cloud needs to have a rethink. Most IT security breaches result from lost or stolen devices, cybercrime, printed documents going astray and human negligence leading to erroneous data disclosure. Would these breaches have occurred if data had been stored in the cloud rather than on laptops, smart phones or insecure servers?
It is impossible for a SMB to match the level of internal IT security applied by large companies. Nevertheless, on a limited budget, a SMB can greatly improve security by relocating systems to the cloud. Moving services such as emails, backups and shared files to the cloud will reduce your total cost of ownership (TCO). Also, you can rest easy knowing that you have a better defence against internal and external threats watching over your IT infrastructure.
Outsourcing to a Managed Service Provider (MSP) will give you additional peace of mind regarding cybercrime. A capable and experienced MSP will take control of your IT security concerns. Services countering cybercrime offered by the MSP include, but are not limited to, the following:
- antivirus and malware updates
- firewall installation and management
- patching
- intrusion detection
- log and audit trail record analysis
Your MSP can provide you with a branded risk analysis report, tailor-made for any potential client or business partner requiring an insight into your IT security measures. Having your system security endorsed by the MSP will instil confidence in those seeking to do business with you. A third party security assessment, especially one from an MSP, will show that you have proactively addressed any possible IT security risks. Your clients will be pleased to know that a MSP is by your side to manage any IT infrastructure vulnerabilities.