If half of your neighbourhood was burgled, would you reconsider your security by fitting a decent door lock, window locks, an alarm system or perhaps even upgrading the family Chihuahua. Of course you would, but why are so many business owners ignoring and downplaying the risks of cybercrime when three quarters of the UK’s small businesses have been victims of a security breach.
Having attended a very informative talk by Surrey & Sussex Cyber Crime Police Unit recently, an event arranged by the Surrey Chamber of Commerce, there were a number of interesting facts. An alarming 74% of SMEs have had a security breach in the last 12 months and 50% of small businesses who are victims of cybercrime close as a direct result of the breach. More concerning is that only 33% of businesses have a formal cybersecurity policy.
Sadly, very few people outside the IT industry attended the event even after Surrey Chamber of Commerce had widely publicised it to their members. This is a real concern because cybercrime is a massive threat to all businesses and especially smaller ones. IT security needs to be addressed immediately, sticking your head in the sand is definitely not the solution.
Small businesses are unlikely to be the victims of state sponsored cybercrime, it is far more likely to be teenagers hacking businesses for fun or common criminals who have latched onto cybercrime as easy pickings. The biggest concern is that conviction rates for cybercrime are practically nil but there are some basic precautions that every business owner should take.
Secure Passwords
With the right equipment and knowledge, it could take less than a second to force a password. But classic social engineering could be even easier, you would be amazed how easily people divulge their passwords and other confidential information. Don’t use the same password for multiple accounts, rather use a password manager to create and store passwords.
Two Factor Authentication
It might seem a pain to have to generate a code on your mobile to access a site, but it’s a whole lot easier than dealing with the aftermath of a hack. Besides, this can be combined with a password manager to be easy-to-use, but highly secure.
Device Security
Not a week goes by without some new major vulnerability being discovered in software or even hardware. The manufacturers and vendors work frantically to create patches, but it is up to the user to make sure that all devices (including smartphones) are constantly kept up-to-date and monitored. After all, the Wannacry ransomware virus propagated through the NHS in two and a half hours, cost UK taxpayers £92m and was traced back to one PC which hadn’t been properly patched.
Backups
Backing up to a local USB drive is better than nothing, but it won’t protect against fire or theft and it will probably also be affected by malware. Also, have you actually checked that you can restore your data? Best solution is to use cloud backup which you can easily access from anywhere and leading solutions will also protect against ransomware attacks.
Monitor and Maintain Your Network
This isn’t just about ensuring that your devices and anti-virus are up-to-date, it means proactively protecting your network from external threats. This doesn’t only mean the internet, but look out for disgruntled staff and others like cleaners stealing data. Monitor all devices for unusual usage and problems.
Education
Whilst some security measures are common sense, others require all staff to be trained and reminded of secure practices and actions in the event of a cyberattack. These include simple things like not using ‘Password123’ or ‘Letmein’ as a password. About 72% of cybercrimes are committed using phishing techniques, they are becoming more sophisticated but ultimately, they all rely on people doing things they shouldn’t. Ongoing education and proactive IT security is crucial.
Mention GDPR to most business owners and virtually all will say “what a nightmare”. Probe and most will have made a real effort to comply with the regulations for fear of fines. They need to realise that they are responsible for ensuring the security of their customer’s data. So, besides protecting their own data, they have a duty to protect others. Also remember that a fine of 4% of turnover would be very costly and a serious security breach could mean the end for most small businesses.
Here is a guideline of key questions that any business owner should be answering:
- Does someone in your organisation get alerted if the software and antivirus on any of your IT devices is not updated and this includes staff mobile devices (smartphones and tablets) that are used for work?
- Is all data backed up securely in the cloud and have you ensured that you can easily access it? This includes important documents stored on desktops and laptop hard drives.
- If a staff member loses their laptop, iPad or mobile device, can you access it remotely and wipe it?
- Are you protected against a disgruntled staff member stealing key business information, corrupting it or deleting it? This is one of the most common and costly breaches and affects all sized companies.
- Is your sensitive business data only accessible to those who need it? Can you pull reports on who has accessed what?
- Are all passwords following best practice with 2 Factor Authentication used for sensitive systems? Are you sure that staff are not using the same password in multiple places?
- Do you have a managed firewall to prevent unauthorised access to your network via the Internet? Is it being monitored and updated by your IT experts?
- Do you have a cybersecurity policy and are all your staff trained on it, including how to avoid phishing attacks and what to do in the event of a suspected breach?
If your answer to any of these questions is no or you are not sure, then you need to take action immediately. For more information on many of these threats and advice on how to mitigate them please visit the National Cyber Security Centre (part of GCHQ) website.
By Cloudbox UK CEO Nick Goodenough
