We’ve all heard of many high-profile Cyber breaches. Companies like TalkTalk, Sony and Ashley Madison have all hit the headlines as the victims of embarrassing attacks. There are many cautionary tales like these, but it seems that many small to medium-sized businesses still don’t believe that Cyber criminality will affect them. According to research conducted for the Government, just 27% of medium-sized enterprises deemed Cyber security to be worthy of Board-level scrutiny. Perhaps this is because SME businesses don’t believe they will be targeted. The same study, however, also revealed that 74% of SMEs suffered a Cyber breach during that same period – up from 60% on the previous year. It has been suggested that this increase is because SMEs present the perfect target for a certain breed of Cyber criminal: the type that doesn’t fancy taking on the sophisticated security measures deployed by large enterprises when there is easy money to be made elsewhere.

This is costing small businesses huge sums. The government survey revealed that the average cost of the worst security breaches is between £75,000 and £311,000. Simply looking at the monetary value, however, doesn’t paint a true picture of the real impact: the intangible after-effects of business disruption, the loss of potential sales and intellectual assets, and the potential damage to company reputation all have far-reaching implications.
The growth of Ransomware
One of the fastest growing attack vectors causing the above damage is Ransomware. This type of attack involves criminals breaching a company network and encrypting corporate data, to which employees are then denied access until a ransom is paid.
A lot of companies think they need technical solutions, whereas regular staff training on Cyber threats and how to spot phishing emails is often just as important. The response to Cyber threats shouldn’t be owned solely by the IT department; it’s the responsibility of the business. It has to be everyone’s responsibility, as anyone can click on the wrong email and leave the whole business vulnerable.
The weakest link
With individuals often seen as the weakest link in the corporate armoury, criminals are using any number of methods to trick employees into letting their guard down. Tactics include the use of cloned email addresses, which can look almost identical to an internal company communication. One such incident saw a PA almost conned into believing her managing director had requested a bank transfer. Other techniques have included ‘brute force’ attacks – where hackers try a large number of password combinations in an attempt to gain access to your systems.
Hackers are out there, with extensive resources at their disposal, looking for computers to compromise. As much as anti-virus and anti-malware software is there to prevent these things from getting through, the criminals are adapting. There’s often an attitude among SMEs that it’s not going to happen to them because they’re not a big target, but everybody is a target by virtue of having IT and being online.
In the eyes of the Cyber criminal, a business is just an internet address, and if they can get in they will probe to see what they can do, regardless of the size of the business or its IT estate. If a company’s systems have vulnerabilities, they will find them.
When it comes to ransomware, there are cases where companies have managed to combat it by finding the relevant unlock codes on the internet, but it appears most businesses end up paying the ransom. More astute businesses have a formal Cyber Incident Response plan, which normally entails enlisting external specialists after a Cyber incident and should be further supported by Disaster Recovery (DR) and Business Continuity plans.
Some tips to avoid becoming a victim:
- Adopt the right attitude. Define the company’s Cyber posture and right-size the Cyber security investment.
- Implement GRC controls over IT that monitor the right IT/Cyber KPIs.
- Train end users. Invest in training and awareness. Make Cyber thinking part of business as usual (BAU).
- Put policies in place. Review all processes, procedures and policies, and establish a solid GRC position that has authority and independence.
Co-founder & CEO, Edge IT Group