As statistics show, the cyber security threat landscape has continued to grow and become ever more complex. Businesses of all types should make 2017 the year when they leave behind the “it won’t happen to us” school of thought and resolve to take action to protect themselves against the cybercriminal.
High profile breaches and hacking attacks such as those suffered by TalkTalk, Mumsnet and Tesco Bank make the headlines. However, too many small businesses in the south west have also fallen victim to various cyber threats – losing data, losing money and suffering disruption.
Why will my business be a target?
Forget the Hollywood image of the 15-year-old hacker sitting in his bedroom writing malicious code for kicks. Cyber crime pays, and cyber criminals are a clever, market-aware and fast-growing community.
It takes great effort and skill to carry out attacks on the ‘big names’ and yes, a successful attack can bring great reward. But the majority of cyber criminals target the ‘low hanging fruit’ – small businesses who don’t believe they are at risk and as a consequence do not pay sufficient attention to protecting themselves.
The 2015 UK Government Information Security Breaches Survey showed that 74% of small businesses suffered a security breach. Not all of these breaches were the result of external actors: 38% were attacked by an outsider, but 31% suffered a staff-related breach and 50% of the worst breaches were caused by human error. Sobering statistics.
How can my business be attacked?
In almost every case an attack will aim to deliver malware. Ultimately, cyber criminals are attempting to gain financially, either directly or by harvesting confidential information.
The range of attacks available to the cybercriminal has become vast. However, there are certain threats that are more common where small businesses are the victim.
Social engineering is the process of manipulating people into taking an action that will be of benefit to the cybercriminal. Social engineering is at the heart of many of the attacks aimed at small businesses such as phishing, CEO fraud and the delivery of ransomware as described below.
Most people will be aware of the term phishing. Victims receive emails, apparently from bona fide organisations, which will urge them to click on a link or open an attachment. The link will take the unwary to a website where they will either be encouraged to provide confidential information or they will have unwittingly opened their device to malware. Similarly, opening the attachment will expose them to malware.
Browsing the Internet
The Internet has become a prime attack vector. Victims may download malware simply by browsing websites, as attackers inject malicious code into legitimate websites or create accurate but fake versions of popular sites; this is known as ‘malvertising’.
Social networking sites are a prime target for cyber criminals. By including malicious links in posts, creating fake profiles or hacking legitimate ones, attempting to dupe users into installing fake apps or posting bogus offers for free goods, scammers are able to target a large audience and gain financial reward or harvest confidential information.
A further risk is the amount of personal information users post about themselves online. Scammers use information about our work and personal lives to aid their social engineering techniques and increase their chances of success.
What are the risks and consequences?
- Malware infection – malware can harm your business in a variety of ways, installing viruses, Trojans and spyware, all of which could ultimately lead to disruption and financial loss.
- Ransomware – malware that will encrypt data or render devices unusable. Once downloaded, a demand will be made for payment to decrypt the data or restore device capability.
- CEO Fraud – a result of phishing and social engineering resulting in bogus emails from a senior executive persuading a colleague to perform a task that benefits the scammer – often leading to financial loss.
- Loss of company or client data – the new GDPR data protection regulations will impose serious penalties for a data breach. A data breach will also cause disruption and may lead to damage to your business reputation.
- Lost working days and cost as the consequences of the attack are remediated.
What measures should we take?
The scope of attacks available to the scammer requires a multi-layered defence strategy:
- Review your security measures and potential vulnerabilities.
- Strong protection for Internet use – a well configured, enterprise class firewall.
- Enterprise class anti-malware that is always patched and updated.
- Anti-exploit software to provide defences against the latest threats.
- Always use the latest versions of your software and applications; these updates contain important security fixes.
- Well written, clear policies for your staff encompassing IT usage, data protection and social media use.
And, a critical area that is too often overlooked: staff awareness training that provides your team with the knowledge to help protect your business against cybercriminals. Training should start with induction and be regularly reviewed.
Finally, seek expert advice.
TL 01209 340030
This article first appeared in the Dec/Jan issue of Business Cornwall magazine.