Data breaches can be devastating for SMEs. In May 2018, cybersecurity firm Kaspersky found that SMEs lose an average of $120,000 (£95,000) when they suffer a breach – measured by costs associated with improving security infrastructure, reputational damage, and increases in insurance premiums.
Unsurprisingly, considering these high costs, the US-based National Cyber Security Alliance found that 60% of SMEs go out of business in the six months after suffering an attack. Additionally, despite it being large companies that make the news when they fall victim to an attack, cybercriminals often target small businesses.
Data leaks are only likely to become more costly. The introduction of GDPR allows authorities to levy a fine of up to €20m or 4% of a business’s annual global turnover on companies found to have not done enough to protect customer data.
This rule change is why BA has just been given a proposed fine of £183.39m after suffering a massive data breach. To put this in perspective, the previous largest fine for a data leak – the one given to Facebook after the Cambridge Analytica data scandal – was only £500,000.
If you run a business in the UK, then you need to take data protection and cybersecurity seriously.
In this article, Ben Swindlehurst MD of CyberX UK – a firm that provides SMEs with bespoke cybersecurity solutions – will provide some much-needed guidance on the steps companies should take to secure their company.
Understand the Vulnerabilities
The first step, according to Ben, is to understand the risks:
“Business data is at risk from two main types of attack. These are data breaches – when an outsider gains access to sensitive data – and ransomware, which is when the attacker stops you from accessing your data. Both issues can be devastating. It’s crucial that those who run businesses have a good understanding of what each type of attack is and how it can occur.”
1. Data Breaches
In a data breach, an outsider gains access to a company’s confidential information. The data itself is generally unharmed, meaning SMEs often don’t notice someone has accessed it until it is too late.
Data breaches are usually caused by hackers who take advantage of vulnerabilities within a system to gain access to sensitive data in a database. These weak points are often employees – who are targeted with phishing emails to encourage them to give up their login credentials – or out-of-date software or firmware with known vulnerabilities.
What is Phishing?
Phishing is the practice of sending fraudulent emails to gain personal information from individuals.
The emails often appear to come from trusted sources, but will direct the user towards a link where they will be encouraged to enter their user credentials. Alternatively, the target may be prompted to download malware onto their computer that allows hackers to track keystrokes.
Targeted forms of phishing, such as spear phishing (when an attacker targets a specific person) or whaling (when an attacker goes after a company director) use social engineering techniques to convince the victim to hand over their credentials. These techniques include using personal information gained from public social media profiles or an organisation’s website in the email, or adding a sense of urgency to their request.
Phishing is used in a variety of cybercrimes, including fraud, distributing ransomware, and data breaches. According to the 2018 Verizon Data Breach Investigations Report, phishing and the similar technique of pretexting are used in 93% of data breaches.
The problem appears to be getting worse. According to Microsoft’s Security Intelligence Report, the number of phishing attacks increased by around 250% in 2018.
One of the biggest issues for organisations is that it only takes one employee or related party to fall for a single phishing email for the hackers to gain an access point into the business. Because of this, it is crucial that all employees are fully aware of what phishing is and how to avoid it.
2. Data Loss
Data loss is when a business loses access to its important data. It can be caused by attacks such as ransomware or by non-malicious actions such as files being deleted by accident or hard drives suffering damage.
Unlike a data breach, when a business suffers from data loss the attacker doesn’t gain access to any of the data. This means the effect on customers may not be that damaging. Nevertheless, it can be devastating for businesses which rely on data to operate.
What is Ransomware?
Ransomware is a type of malware which attempts to stop a user from accessing their files. The attacker then demands some form of payment to unlock the files. Of course, there is no guarantee that the attacker will stay true to their word.
There are many types of ransomware, from those which show an easily removed pop-up, to those which completely encrypt a user’s hard drive. The latter type is almost impossible to recover from.
Ransomware usually appears when a user clicks a malicious link sent in an email or when they visit an infected website. Pop-up adverts can be used to direct victims to infected sites.
Ransomware hit the news in 2017 when the WannaCry attack affected over 300,000 computers across the world in the space of a few days. The attack encrypted the data of those affected and demanded payment in Bitcoin. Organisations affected included the NHS, Nissan, and Renault.
The malware took advantage of people using out-of-date operating systems which were no longer receiving security updates, particularly users of Windows 7. Estimates of the total cost of the attack range from hundreds of millions to billions of pounds.
Six Steps to Protect Your Business’s Data
Unfortunately, once an attack has occurred it is often too late for an organisation to do anything to protect itself. It is, therefore, important companies take steps to secure their data in the first place.
In this section, Ben has provided us with six steps that businesses can take to begin to build secure processes to look after their data.
1. Educate Employees About How Attacks Occur
Criminals often target an organisation’s employees when looking to run an attack. Because of this, it is essential that employees are fully educated about the signs they should look out for.
Employees are often targeted via email. To combat this, directors can train employees to look out for signs that an email may be malicious. Here are some of the red flags.
- Emails from people you don’t know or aren’t expecting an email from.
- Emails that claim to be from people you do know, but that come from an email address you don’t recognise.
- Fake URLs that are designed to look like real ones. For example, a hacker pretending to be a bank employee could use www.hsbc.co.uk.fakesite.net instead of the real www.hsbc.co.uk.
- Scammers can also use URL shortening software or Unicode domains to hide the real address.
- Phishing emails may contain unusual wording or spelling mistakes.
- Scammers will often use email addresses from an email provider like Gmail or Microsoft. For example, email@example.com instead of firstname.lastname@example.org.
After teaching employees about the signs, you can test them using Google’s Phishing Quiz. In this quiz Google shows examples of emails and asks the user to spot whether they are a phishing email or a regular email.
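The red flags above can also be checked mechanically before a message reaches a person. The script below is an added example written for this article, not a tool from CyberX UK or Google: it pulls the registrable domain out of a link (so that www.hsbc.co.uk.fakesite.net is recognised as fakesite.net), flags Unicode and punycode hostnames, raw IP addresses and link shorteners, and compares a sender's display name against the address the organisation normally sees for that person. The trusted domains, known contacts and suffix lists are constructed placeholders; a real filter would use the Public Suffix List and the organisation's own address book.

```python
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: domains this hypothetical organisation treats as genuine,
# and the contacts staff normally correspond with (display name -> usual address).
TRUSTED_DOMAINS = {"hsbc.co.uk", "example.org"}
KNOWN_CONTACTS = {"jane smith": "jane.smith@example.org"}

# Tiny stand-ins for data a real filter would take from the Public Suffix List,
# a maintained shortener list and a webmail-provider list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that was actually registered:
    'www.hsbc.co.uk' -> 'hsbc.co.uk', but 'www.hsbc.co.uk.fakesite.net' -> 'fakesite.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_red_flags(url: str) -> list:
    """Return human-readable warnings for one link; an empty list means nothing suspicious was seen."""
    flags = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")

    # Unicode (IDN) domains: either raw non-ASCII characters or their punycode encoding.
    if any(ord(c) > 127 for c in host):
        flags.append("non-ascii hostname (possible homoglyph domain)")
    elif any(label.startswith("xn--") for label in labels):
        flags.append("punycode hostname (possible homoglyph domain)")

    # Links straight to an IP address are unusual for a legitimate business site.
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    if host in SHORTENERS:
        flags.append("shortened link hides the real destination")

    # The trick from the article: a trusted name placed as a subdomain of someone else's domain.
    reg = registrable_domain(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if reg != trusted and any(brand in label for label in labels):
            flags.append(f"'{brand}' appears in the hostname but the link really goes to '{reg}'")
    return flags


def sender_red_flags(from_header: str, known_contacts=KNOWN_CONTACTS) -> list:
    """Warnings about a From: header such as 'Jane Smith <jane.smith.example@gmail.com>'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    expected = known_contacts.get(name.strip().lower())
    if expected and addr != expected.lower():
        flags.append(f"display name '{name}' is a known contact, but the address is '{addr}', not '{expected}'")
    if domain in WEBMAIL_DOMAINS:
        flags.append(f"sent from consumer webmail ({domain}); confirm the sender another way before acting")
    return flags


if __name__ == "__main__":
    # Constructed sample message for a quick run.
    for link in ("https://www.hsbc.co.uk/", "http://www.hsbc.co.uk.fakesite.net/login", "http://192.0.2.10/"):
        print(link, "->", url_red_flags(link) or "no flags")
    print(sender_red_flags("Jane Smith <jane.smith.example@gmail.com>"))
```

The functions only produce warnings, not verdicts: a genuine contact who writes from a personal Gmail account will trip the webmail flag, which is exactly the case where the article's advice to confirm the sender by another channel applies.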
2. Back up Your Data
The easiest way for an organisation to protect itself from data loss is to simply back up its data. This way, even if it loses the original, there will still be a copy of the data.
Data can easily be backed up to a second hard drive. If your company chooses to back up in this way, you should identify important data and then set up a schedule to ensure you are frequently backing it up.
There are many programs available that will automatically back up your data on a nightly basis. You should also think about where you store your copies. Keeping them in the same place as the original will put you at risk of losing data in a theft or a fire.
Alternatively, companies could use a secure cloud-based system to back up their data. These services reduce the risk of data being lost due to a physical incident, although they can put you more at risk of data breaches via hacking.
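A backup is only useful if it can actually be restored, so a nightly job should also record checksums and prove the copies still match them. The script below is an added example for this article, not a product the article describes: it copies a folder into a timestamped backup set, writes a SHA-256 manifest, keeps only the newest sets, and re-verifies a set on demand. The `backup_root` argument is assumed to point at a second drive, a network share or a mounted cloud location rather than the original disk, in line with the advice above about keeping copies elsewhere.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, keep: int = 7) -> Path:
    """Copy every file under `source` into a new timestamped set, write a manifest,
    and prune old sets so that only the newest `keep` remain (keep >= 1)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    dest = backup_root / stamp
    n = 1
    while dest.exists():  # two runs in the same microsecond still get distinct names
        dest = backup_root / f"{stamp}-{n}"
        n += 1
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = dest / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 preserves timestamps
        manifest[rel.as_posix()] = sha256_of(target)  # hash the copy, not the original
    dest.mkdir(parents=True, exist_ok=True)  # also covers an empty source tree
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # Retention: directory names sort chronologically, so drop everything but the newest `keep`.
    sets = sorted(p for p in backup_root.iterdir() if p.is_dir())
    for old in sets[:-keep]:
        shutil.rmtree(old)
    return dest


def verify_backup(backup_dir: Path) -> list:
    """Re-hash every file in a set; return the paths that are missing or altered (empty list = good)."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        f = backup_dir / "files" / rel
        if not f.is_file() or sha256_of(f) != digest:
            problems.append(rel)
    return problems


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory: back up, verify, corrupt a copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "important"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2019-07-08,120000\n")
        (src / "clients.txt").write_text("Example Ltd\n")
        backups = root / "backups"  # stands in for a second drive or off-site share
        first = create_backup(src, backups, keep=2)
        clean = verify_backup(first)
        # Simulate silent corruption of the copy (bit rot, or ransomware reaching the backup share).
        (first / "files" / "clients.txt").write_text("ENCRYPTED")
        damaged = verify_backup(first)
        create_backup(src, backups, keep=2)
        third = create_backup(src, backups, keep=2)
        remaining = sorted(p.name for p in backups.iterdir())
        return {"clean": clean, "damaged": damaged, "sets_kept": len(remaining),
                "newest_kept": third.name == remaining[-1]}


if __name__ == "__main__":
    print(demo())
```

Running `create_backup` from a scheduler (cron or Task Scheduler) gives the nightly copy the article recommends, and running `verify_backup` against the latest set turns "we have backups" into "we have checked the backups", which is the question that matters after a ransomware incident.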
3. Keep All Software Up to Date
It’s very important that businesses always update to the most recent version of any software or firmware they use.
Cybersecurity is often a game of cat and mouse between hackers and developers. When hackers discover a vulnerability in a program they can exploit, developers roll out updates that close these vulnerabilities. This means if you don’t keep your software up to date, you may be open to attacks. We mentioned previously how the WannaCry ransomware was able to take advantage of out-of-date operating systems. However, this isn’t the only example of cybercriminals taking advantage of out-of-date software.
In the 2017 Equifax data breach, criminals gained access to sensitive data on around 142 million people in the US. They did so after taking advantage of a vulnerability in a web application the company used.
To make matters worse, the developers of the application had released a fix for the security hole two months before the breach occurred. However, Equifax had not updated its software which meant it left itself open to hackers.
4. Enrol in the Government Cyber Essentials Scheme
Cyber Essentials is a government-backed scheme that provides education to help those in charge of organisations take the steps required to protect their business. It covers hacking, phishing, and password guessing. It can help organisations protect all their IT equipment, including PCs, handheld devices, and server and networking equipment.
Companies which have demonstrated that their IT set-up meets the standards set by the scheme receive Cyber Essentials certification. There are two types of certification available. The first is the self-assessed Cyber Essentials. The second is Cyber Essentials Plus, in which verification is carried out by an independent body.
5. Scan Your Network to Keep it Secure
Keeping attackers out of your network is an important way to cut the risk of data loss or data breaches.
You should have a firewall that will block malicious incoming connections from entering your company network. Additionally, you should ensure that all computers have antivirus software installed on them with real-time scanning. This will reduce the chance that an employee will accidentally download a malicious program onto a work computer.
As mentioned above, many cyberattacks are initiated via email. A good way to combat these attacks is to use a strong email spam filter. This can stop malicious emails from reaching employees.
A final step is to ensure that your Wi-Fi network is secure by using a strong password. Also, if you regularly need to allow outsiders or customers access to your network, think about setting up a separate guest network that is isolated from your company network.
6. Develop an Information Security Policy
An information security policy is a set of rules that members of an organisation have to follow to keep the organisation's data secure.
It should anticipate where the data risks are and identify steps that employees should take to mitigate these risks. It will also contain a set of steps that the organisation will take in the worst-case scenario that it falls victim to an attack, thereby limiting the effect of said attack.