Learning the lessons of 2016: How SMEs can improve their cyber security practices this year
This time last year, we were contemplating 2015 as the year of the data breach. We were taking stock and trying to learn the lessons so that we could better protect ourselves and our businesses from the growing threat of hackers. And then 2016 happened.
Little could have prepared us for what has been an intense year, with cyber security becoming a critical issue with a high media and political profile.
In this article, we will explore the top cybersecurity stories of 2016, consider what can be learned from them and make recommendations for how SMEs can and MUST improve their cybersecurity practices in 2017.
First, let’s take a look back at the big cybersecurity stories and themes of 2016 and the lessons they taught us…
The rise of ransomware was the big cybersecurity story of the year.
Ransomware is, as we all should know by now, a particularly pernicious form of malware that is used by cybercriminals to extort money from businesses by locking them out of their critical files, services or even entire networks.
Once the files have been locked down, a ransom payment is demanded for the decryption key. Of course, there is never any guarantee that the files will be decrypted once payment has been made.
Businesses, universities and hospitals have all been targeted by ransomware attacks in the past year, some of which have paid thousands to regain control of their data. Shockingly, given the extent of media coverage in recent times, a recent survey by AVG indicated that a third of small businesses still had never heard of the term ransomware.
A ransomware attack can literally bring a business to a halt.
The rise in ransomware has taught us not only that we need to increase the strength of our cybersecurity defences, but also of the importance of having effective backup and recovery solutions in place to prevent total loss of critical data and ensure business continuity.
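An "effective backup" is one you have proved you can restore from. The script below is an added example, not code from the article or from Grant McGregor: it records a SHA-256 manifest of a set of files at backup time and later checks a restored copy against that manifest, reporting files that are missing or whose contents no longer match (which is exactly what a ransomware-encrypted file looks like). The directory layout and the three sample files are constructed for the demonstration.

```python
"""Added example (not from the article): prove a backup is restorable by
comparing a restored copy against a SHA-256 manifest taken at backup time.
All paths and sample files below are constructed for the demo."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its digest.
    Store this manifest with the backup, on media the backed-up host cannot write to."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.
    Returns {'missing': [...], 'corrupt': [...], 'ok': <count>}."""
    missing, corrupt, ok = [], [], 0
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
        else:
            ok += 1
    return {"missing": missing, "corrupt": corrupt, "ok": ok}


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    one file being overwritten (as ransomware would do) and one being deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "contracts").mkdir(parents=True)
        (live / "accounts.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "contracts" / "acme.txt").write_text("Signed 2016-11-01\n")
        (live / "notes.txt").write_text("Q1 plan\n")

        manifest = build_manifest(live)          # taken at backup time
        shutil.copytree(live, restored)          # the "restore"

        # Simulated damage to the restored copy
        (restored / "notes.txt").write_bytes(b"\x00encrypted\x00")
        (restored / "contracts" / "acme.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print(f"ok: {result['ok']}, corrupt: {result['corrupt']}, missing: {result['missing']}")
```

Run this as part of a scheduled restore test rather than only at backup time: a manifest that never gets checked against a real restore proves nothing, and the manifest itself should live somewhere the production machines cannot overwrite, or the same attacker that encrypts the files can encrypt the checklist too.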
Over the past year, we have had a general shift away from traditional passwords, towards more secure login procedures.
Big names, such as Apple and Google, rolled out improved multi-factor authentication and verification procedures, which require several security steps before certain actions and transactions are approved. Additionally, we have seen the financial sector begin testing biometric verification with the aim of reducing fraud. It’s clear that the old-fashioned username and password may soon be a thing of the past.
What we should take from this is an awareness that the fight against cybercrime needs to be a collective effort, led by companies and organisations but involving good practice by employees and customers also.
In 2017, businesses should be considering how they can create more secure pathways to access account information and encouraging employees, customers and associates to apply best practice in the use of these.
Previously, cybersecurity news was typically centred around hackers, whether they be criminal groups, individuals or even entire nations. However, with many data breaches involving somebody from inside the business, 2016 taught us how prevalent the insider threat now is.
Not all insider threats result from malicious intent, but some certainly do, so this is something to be vigilant about.
More worrying, perhaps, is the threat that arises from ignorance or carelessness. Many data breaches can be traced back to the loss or theft of company devices, careless data sharing practices or employees falling prey to phishing scams.
It’s vital that employees have a good understanding of security risks and are kept up to date on best practice with regular training.
Businesses must also ensure that strict procedures are in place to reduce the chances of confidential data being leaked. One such practice is restricting access to the minimum necessary number of employees: unless an employee genuinely needs access to particular systems and files in order to carry out their job, that access should be withheld.
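Restricting access to the minimum necessary only works if someone periodically compares what staff can reach against what their jobs require. The script below is an added example, not code from the article or from Grant McGregor: it takes a list of job roles and the systems each role needs, the role each employee holds, and the access actually granted today, and reports excess grants and accounts that hold access but no longer hold a role (a typical leaver). The roles, employee names and system names are constructed sample data.

```python
"""Added example (not from the article): a small access review that flags
grants beyond what an employee's role requires, plus orphaned accounts.
Roles, users, systems and grants below are constructed sample data."""
from typing import Dict, List, Set

# What each role needs in order to do its job (constructed)
ROLE_NEEDS: Dict[str, Set[str]] = {
    "finance": {"accounts", "payroll"},
    "sales": {"crm"},
    "it-admin": {"accounts", "crm", "payroll", "fileserver", "domain-admin"},
}

# Who currently holds which role (constructed; a leaver has no entry)
USER_ROLE: Dict[str, str] = {
    "alice": "finance",
    "bob": "sales",
    "carol": "it-admin",
}

# What access is actually granted today (constructed)
GRANTS: Dict[str, Set[str]] = {
    "alice": {"accounts", "payroll", "crm"},        # crm is not needed for finance
    "bob": {"crm", "fileserver", "domain-admin"},   # two grants beyond the sales role
    "carol": {"accounts", "crm", "payroll", "fileserver", "domain-admin"},
    "dave": {"fileserver"},                         # left the company, still has access
}


def review_access(role_needs: Dict[str, Set[str]],
                  user_role: Dict[str, str],
                  grants: Dict[str, Set[str]]) -> dict:
    """Return {'excess': {user: [systems]}, 'orphaned': [users]}.
    excess   = granted but not required by the user's current role
    orphaned = account holding grants but no current role (e.g. a leaver)"""
    excess: Dict[str, List[str]] = {}
    orphaned: List[str] = []
    for user, systems in sorted(grants.items()):
        role = user_role.get(user)
        if role is None:
            orphaned.append(user)
            continue
        extra = systems - role_needs.get(role, set())
        if extra:
            excess[user] = sorted(extra)
    return {"excess": excess, "orphaned": orphaned}


def format_report(result: dict) -> List[str]:
    """Human-readable lines for the person doing the review."""
    lines = []
    for user, systems in result["excess"].items():
        lines.append(f"REMOVE  {user}: {', '.join(systems)}")
    for user in result["orphaned"]:
        lines.append(f"DISABLE {user}: no current role, still holds access")
    return lines or ["No findings"]


if __name__ == "__main__":
    for line in format_report(review_access(ROLE_NEEDS, USER_ROLE, GRANTS)):
        print(line)
```

In practice the three inputs come from HR (who holds which role), the system owners (what each role needs) and the directory or application itself (who is actually granted what); the value of the review is in the gap between the last two, which grows silently every time someone changes job or leaves without their access being revoked.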
We’ll have more about ‘The Insider Threat’ later this month…
2016 saw a very public debate about the issue of security and privacy, with encryption front and centre.
The clash between the FBI and Apple over access to one of the San Bernardino bombers’ iPhone data was one of the biggest tech stories of the year. We also saw WhatsApp implement end-to-end encryption in its instant messenger service, which has put pressure on providers of similar services to follow suit. With cybercriminals becoming ever more sophisticated in their methods, encryption is increasingly being viewed as a necessary security step.
As well as seriously considering the need to encrypt their most sensitive files, businesses should be looking to stories such as these as a means of gaining an understanding about the ways in which data is being shared both inside and outside of their organisations. Knowledge is crucial in the fight against cybercrime.
Perhaps the most important lesson to take away from 2016 is that no one is immune from cybercrime.
2016 followed on from the previous year’s theme of big names being brought into the spotlight, having suffered data breaches that collectively affected millions of user accounts.
Cybersecurity was also a major theme in the US presidential elections, with issues around email security and claims that foreign hackers were trying to influence the outcome of the election.
But it’s not just the big companies and high-profile targets that need to be concerned about cybersecurity. Research carried out by the Federation of Small Businesses found that two thirds of small businesses had fallen victim to cybercrime in the past two years.
We have learned that cybercriminals are increasingly turning their attention to smaller companies, both because they tend to have weaker security defences and because they can be used as a stepping stone to the networks of the larger companies they are associated with.
For these reasons, and because, according to the FSB, the financial cost of a cyber-attack is disproportionately greater for small businesses than for larger companies, SMEs must be vigilant and take all necessary steps to protect their networks.
Knowledge is one of the most important aspects in the prevention of cybercrime.
SMEs must understand that they are not immune from attacks and ensure that they keep up to date with cybersecurity news, developments and expert recommendations for best practice.
This is an ongoing process as new threats appear all the time. Employees must also be given the knowledge to help them take steps to protect the companies they work for and ensure that they aren’t inadvertently putting their employer’s networks and data at risk. Regular staff training is a must.
A good place for SMEs to start is with the government-backed Cyber Essentials scheme, an industry-supported scheme that helps SMEs gain knowledge and protect themselves against the most common cyber security threats. More information about the scheme can be found here, but the main controls recommended are:
• Boundary firewalls & internet gateways
• Secure configuration of computers & network devices
• Control & restriction of user access to applications, computers & networks
• Keeping software up-to-date with the latest security patches
• Using malware protection software
Cyber Essentials documents provide organisations with advice and information on how to implement basic cyber security controls. Businesses can also apply for a Cyber Essentials certificate, which provides them with independent assurance that they have the necessary protections correctly in place.
As well as the obvious benefit of peace of mind in knowing you are protected against many cyber threats, additional benefits of certification include being able to bid for government contracts (for which the certificate is compulsory) as well as being able to demonstrate to other organisations and customers that you take cyber security seriously.
Grant McGregor Ltd is currently undertaking Cyber Essentials training to become an Accredited Assessor for this certification scheme. We’ll update you about this very soon!
It is now generally agreed that cyber security is not simply a technical problem, but has become a business-critical issue.
Without proper defences in place, businesses risk compromised data, damaged reputations, lost contracts, substantial costs and loss of business. The smaller the business, the greater the risk that cyber threats pose to the survival of the company.
No one is immune. It’s vital that all SMEs look to improve their cybersecurity practices in 2017.
If you’d like some professional help with your cyber security planning, defences, education or assurance then contact our team at Grant McGregor today!
Image source: Freerange Stock