SMEs – Take Cyber Attacks More Seriously
Despite what you may think, cyber-attacks are a real threat to SMEs across the UK. A survey by security firm Kaspersky Lab found that many SMEs don’t believe they are at risk, with 59% thinking the information that their business holds or deals with is of little value to cyber criminals.
According to the same report, last year over a third of SMEs fell victim to a cyber-attack, costing on average £75k – £311k. The government is urging companies to take cyber security more seriously. This is most apparent in the UK government’s push towards Cyber Essentials, a government-recognised baseline for cyber security.
The top threats reported are phishing, poor passwords and IT vulnerabilities
Phishing schemes are typically characterised by a fake email that tricks a person into revealing their personal details. They have been around for some time but are becoming increasingly sophisticated. Poor passwords are also a top risk: users often use the same or similar passwords across multiple platforms, rarely if ever change them, and sometimes share them with colleagues. So, in effect, if a user’s personal email or Facebook account has its password guessed, that is often the same password used on many other services, including their work account.
IT and network vulnerabilities that allow in malware or some form of virus have affected as many as 45% of small businesses in the UK (according to the 2014 Information Security Breaches Survey). Web applications are another easy way for cyber criminals to gain access. They do this with various attacks, including remote code execution, SQL injection, format string vulnerabilities and cross-site scripting (XSS). All of these are still (and have been for years) items on the OWASP Top Ten. (OWASP, the Open Web Application Security Project, is an online community dedicated to web application security.)
User and staff training is essential!
Organisations must have a strong understanding of the kinds of cyber breaches that may affect them. Employees at every level must understand the potential risks the business faces. In many security breaches there is some element of employee involvement, for example unauthorised access to data or systems. As mentioned above, phishing scams are still prevalent, and they rely on users to hand over access.
Cyber security presentations are a great way to educate your staff, even if they only take in a small percentage of the information (something we are all guilty of)! Another great way to keep staff on their toes and thinking about the risks is to hire a company (like SafeHack UK) to conduct a “phishing test”. In this, a campaign is created and sent to a number of business users to see how they react to a phishing email.
Plan, Do, Check, Act
Anybody familiar with quality systems will know the Deming cycle of “Plan, Do, Check, Act”. This methodology should be used in all aspects of business, including cyber security. Unfortunately this means more risk assessments; however, completing one to review your cyber security is vital. It allows you to plan and make the changes your systems require to become more secure, and in turn for your business to be safer online. To stay ahead on security you need to keep checking, and acting on the issues you find.
Prevention is better than a cure
The simple security steps mentioned in a previous post are as vital now as they were then, and will continue to be so. Keep on top of software updates, ensure strong passwords and up-to-date anti-virus. Get your endpoints and network (internet-facing services at the very least) scanned for vulnerabilities regularly.