The digital age, which brought the world ever closer to trade, innovation and accountability, has also brought new and dangerous cyber threats that do not recognise borders and cost businesses as much as US$525 billion every single year, according to UK officials. SMEs are not immune to cyber security attacks; any data loss or incident could have a devastating impact on business operations and the company’s reputation.
There is a common misconception that SMEs are not a target for hackers because of their smaller size and lack of relevant data. However, any information stored on your computer might be interesting to criminals. All businesses should be prepared for the five most common attacks; an awareness and basic understanding of these threats in the cyber world will help companies protect their digital assets.
Phishing is an attempt to gain sensitive information while posing as a trustworthy contact, such as a bank or online service. Phishing emails may look very convincing, with faultless wording and logos.
It is important to remember that genuine companies simply do not ask for sensitive information, so staying alert to unexpected emails and training staff are key. Anti-virus software and having spam filters turned on are also vital.
Ransomware is a form of malware that attempts to encrypt data and then extort a ransom to release an unlock code. Notable examples include Locky, CryptoLocker and KeRanger, which are particularly prevalent at the current time. Most ransomware is delivered via malicious emails.
Businesses should train their staff to ensure they are wary of unsolicited emails, particularly those that ask for an immediate response, as these prompt employees to reply without giving it much thought. Malware protection, software updates, data backups and spreading data across different locations are also helpful, though management of a large number of IT systems can be costly and time-consuming.
The potential damage from a deliberate or careless leaking of documents by staff should not be overlooked. Limiting how much data employees have access to is a key step to mitigating the size of any data leak. It is also important to consider controlling the use of portable storage devices (e.g. USB memory keys), portable hard drives and media players. In certain circumstances, businesses can also consider the monitoring of staff behaviour online.
The most important thing is to get the basics right. Up to 80% of security breaches can be prevented by having basic cyber security hygiene in place. Everybody with access to any business critical data must be vigilant, as attacks often happen through the extended supply chain, through digital channels, or through staff. Therefore, cyber risks must be considered, and skills improved, across the entire business and the economy more broadly.
Apart from trying to gain access to bank account information, credit card databases or intellectual property, hackers have been targeting “downstream” businesses in an attempt to gain valuable information. This secondary data could provide an insight into the operations of the primary target.
It may not be possible to gain direct access to a company’s systems; it might however be easier to get useful information from their suppliers. Gaining access to a legal company, for example, can provide details of participants in mergers or acquisitions. The truth is that almost all information is valuable to someone.
The primary methods to protect the business are network firewalls, data access security, and user awareness.
The nature of portable storage devices, such as smartphones, means they become targets for data thieves. Ensuring that mobile devices have passcode locks, turning on GPS tracking and enabling the option to remotely wipe the device if lost could protect the data from being stolen. The use of encryption software is also highly recommended when using portable storage devices.
Keep an eye on your mobile devices and paperwork at all times. A large proportion of crime is opportunistic; taking your eye off your briefcase or smart device could result in a serious data loss.
In all these areas it is key to remember that alongside technology, well-developed processes, procedures and staff training go a long way to protecting your valuable data. For example, if someone leaves your employment, make sure you remove their access. The reality today is that you should protect your digital assets with the same vigilance as you do when locking your office door at the end of the day.
-Richard Anning is Head of IT Faculty at Institute of Chartered Accountants in England and Wales (ICAEW)