The way in which data breaches are reported in the media does create real fear among small business owners about the consequences of falling victim to a data breach. In recent years, big names including the NHS, Talk Talk, Equifax and Yahoo show just how even huge organisations with vast IT budgets can suffer from a cyber-attack.
And these are just the brands whose breaches are publicly reported in the media…
Let’s be clear: businesses aren’t to blame for falling victim to cybercrime, whether it is a targeted spear phishing attack or routed in generic malware. As we’ve seen, some of the biggest and most tech-savvy brands can fall victim to such attacks.
Dig more closely, however, and one truth is revealed: it isn’t falling victim to an attack which is the problem – experts agree it is almost an inevitability – it’s the way you deal with a breach when it happens which makes all the difference to the extent of its impact.
That said, the old adage about the savannah holds true when it comes to tackling cybercrime. As an antelope, you don’t have to run faster than the lion – you just have to run faster than the antelope next to you.
Cybercriminals will choose the obvious targets. Simply closing the most obvious back doors into your network can make a breach much less likely.
And if you build the right deterrents and reduce the problems posed by the human factor you can shut more obvious avenues for attack. This, in itself, makes your business a less obvious target.
While businesses aren’t to blame for the actions of cyber criminals, they are responsible for making themselves less vulnerable. And, crucially, having the right processes in place to deal with a breach when it happens.
The different cyberthreats of which any business needs to be aware fall into four main categories: people, process, technology and physical.
The threats which fall under the categories of people and process can largely be dealt with by the application of common sense and by awareness training, although technology can play a role in helping to mitigate them too. Technology threats have to be met with technological solutions – even if that is just basic housekeeping such as ensuring upgrades and patches are kept up to date.
Meanwhile, physical threats are amongst the most often overlooked; one penetration tester speaks of working for a high-profile tech company where he compromised essential systems not from his keyboard but by having some of his team dress as window cleaners and gain access to the main data centre.
Let’s take a look at some of the most common types of threat and how to deal with them.
Phishing – sending fraudulent emails that appear to come from a reputable source in order to gain sensitive information or access to other systems. Coaching staff to look for and recognise fraudulent emails is the best way to deal with this threat. This way, even if some do slip through your email security staff know not to open them or click on links. Make sure they know how to report a problem.
Social engineering – using deception to manipulate individuals into divulging confidential or personal information; effectively grooming in a professional environment. Again, staff training and strong processes should be your main line of defence.
Spear phishing – while traditional phishing attacks are more scattergun in nature (sending lots of emails out in the hope some engender action) spear phishing is a more targeted approach to sending fraudulent emails to gain sensitive information, often targeted at senior executive and business or financial leaders – so make sure your senior leadership team also take part in your security awareness training.
After all, they're the more attractive targets for cybercriminals as they have access to more sensitive information and can authorise actions such as payments.
Zero day exploits – when attackers exploit a known vulnerability, this is known as a zero day exploit. Clear processes for keeping track of vulnerabilities and maintaining regular and prompt updates and security patching are the best ways to eliminate the risk associated with this type of attack.
Man in the middle attacks – processes for ensuring staff use properly-secured connections when connecting over public Wi-Fi can help to reduce the risk of man in the middle attacks.
Disgruntled former employees – clear processes for on-boarding and off-boarding (for technology, devices and people) can help to ensure that there aren’t any “back doors” to your network that haven’t been adequately closed.
Malware – maintaining good update procedures and implementing effective technology solutions including anti-virus, anti-malware and firewalls are the best way to protect your network against malware. Make sure your mobile devices are also covered.
Denial of service attack – building a resilient network and protecting the outer perimeter of your network with secure firewalls will ensure that denial of service attacks, where an army of botnets seek to overwhelm your systems, don’t disrupt your operations.
Access control and security – controlling who has access to your buildings and, in particular, computer resources is another vital element of any security strategy. If we think of the example of the window cleaners again, it becomes clear that even physical threats can be limited by putting security awareness training and robust processes in place. And locks too!
It’s true that the threats are multi-faceted, but they don’t have to be complex.
Perhaps some of the most effective ways to tackle these four types of threat are through training. Plus, it’s really important to have the right processes in place. People need to know what to do when things go wrong – because most analysts agree that when it comes to cyber security it isn’t a question of “if” but “when”.
We recommend establishing clear reporting systems for all staff. Part of this is education for all staff – not only helping them how to report issues, but also to spot them in the first place.
There are two steps you could take right now for your business to ensure you're less vulnerable - or at least faster than the next gazelle...
The first is to check that your organisation has the basic cyber security measure in place by certifying yourself in the Government's Cyber Essentials Scheme. The second is to put a programme of ongoing cyber security awareness training and testing in place to educate your people. It's a no-brainer!
If you’d like to know more about Cyber Essentials or Cyber Security Awareness Training, please contact our team.
For more general help and advice about cyber security issues, our consultancy team is on hand to offer support and advice. You can reach them at 0808 164 4142.