By Sungard AS
News reports of cyber-attacks tend to focus on corporate giants and high-profile brands. But a worrying trend is emerging among small businesses, which are now experiencing the kind of cyber security incidents once reserved for larger organisations.
If you're under the impression that your business is too small to be worth targeting by hackers, think again. With fewer technical resources and less time and budget than your larger rivals, your organisation may be seen as an easy mark.
Cyber criminals know that your weakest link is likely to be your people, who can be targeted with phishing emails and social engineering tactics. Hackers may look for a way to get into your company by obtaining legitimate credentials, so their activity is less likely to be spotted than more-conventional hacking techniques. Or they may exploit your company to gain back-door access to the larger companies you do business with, where bigger rewards are up for grabs.
Losing valuable data can have a devastating impact on a company's finances, customer base and ability to grow. A Cyber Streetwise and KPMG survey of 1,000 small businesses (PDF: Small Business Reputation & The Cyber Risk, 2015) revealed 60% of respondents had experienced a cyber breach. Of those, 31% reported brand damage in the aftermath, 30% said they had lost clients as a result, and 29% admitted it had impacted their ability to win new business. Cyber security is not a nice-to-have, nor a stable door to be bolted after hackers make off with your horse.
Four steps to prepare your business for cyber attacks
Admittedly, expensive cyber security solutions may be beyond your financial reach. Larger businesses tend to snap up the best security talent amid a skills shortage, and limited resources can constrain staff education programs. But the biggest problem facing small businesses is complacency about the likelihood of an attack in the first place, and the scale of the impact on their finances and reputation. So how do you prioritise cyber security when your day-to-day focus is on operations and business growth?
Step 1: Assess your assets
Not all information is equal, so you need to close attack paths that are low effort and high return. Identify what it is you're trying to protect, and the extent to which it's under your control. Let's say you have a product inventory and a customer database. Both are important, but if a breach occurred, the latter would probably be more critical since it contains personal and competitively sensitive data, so that's where security resources should be prioritised. Revisit your data retention policy (or draw one up if you don't have one) so you're not throwing stretched resources at protecting low-value information. And ask yourself whether an application's management interface really needs to be accessible to the public internet, or whether a particular plug-in is needed any longer.
Step 2: Think like a hacker
Know thine enemy. Not everyone can afford to hire an "ethical hacker," but you can at least familiarise yourself with all the types of malicious threats your business might face – spoofing, the multitude of DoS attacks, ransomware, etc. – and how they're evolving. Make one person responsible for reviewing cyber-security risks within your business and mounting a reasonable level of defenses against external attacks and malware, and hold them accountable. If you lack the internal resources to carry out regular penetration testing – the practice of attempting to exploit vulnerabilities in your computer systems, network or web application– online tools are available. The beauty of automated scanning is that your security efforts can be scaled economically and effectively as you grow.
Step 3: Prioritise people as well as systems
One mantra security professionals cite is "never trust the user." Regularly educating your workforce about cyber security is a key preventative measure: Figures obtained by Egress Software Technologies in 2016 via a Freedom of Information request showed human error accounted for 62% of data breaches, outstripping insecure webpages and hacking. Cyber security training is not a one-and-done exercise for new hires: Anyone can easily infect their computer or network with a single innocent click on a suspect link, and cyber threats evolve continuously. And while it may seem sinister, you also need to be careful about to whom you grant administrative access to customer or personal data, since it's not uncommon for attacks to be launched or originated by inside sources.
Step 4: Look beyond your own four walls
Growing organisations increasingly rely on cloud applications and infrastructure to run their business. The larger, more reputable software vendors offer the kind of enterprise-level security that would be beyond affordable reach. Take an honest look at your in-house capabilities and determine whether any of your systems could be better secured by proven third-party service providers.
Hosted environments have dedicated security specialists with the tools and expertise to provide round-the-clock threat protection, or you can opt for pay-as-you-go managed security services such as firewalls, data hosting and vulnerability assessments. Remember however, that while outsourcing relieves you of the tactical tasks of managing systems in-house, responsibility still lies within your own business in the event of a security breach, so do your due diligence before engaging a provider.
You don't have to be a giant corporation to be vulnerable to cyber attacks. But to quote Mark Twain, "it's not the size of the dog in the fight – it's the size of the fight in the dog". We learned some tough lessons in 2016 about the alarming growth and creativity of cyber attacks, so businesses must start applying the hard-won learnings of the past to protect their future growth.