Why do cyber criminals target small businesses, when there are potentially fewer rewards for them?
One reason is that when small businesses are in a ransomware predicament, they have to weigh up the costs of paying the criminals against not paying and experiencing downtime. Due to a lack of preparedness for a ransomware attack, sometimes the cost of paying the ransom works out cheaper.
Of course that has two very large consequences. Firstly, small businesses have set the precedent with the cyber attacker, in that they are willing to pay. Which means it's highly likely they’ll be targeted again.
Secondly, that small businesses are thus directly funding cyber-criminal activities, which means they’ll have more resources to try more attacks.
Plus, there’s never any guarantee that the bad guys will unlock the company’s data after they get paid. After all, they’re criminals – there is never any element of trust.
Cyber attacks on small businesses
With smaller budgets and fewer employees to help prepare for a cyber attack small businesses often don’t have the same level of resources required to bounce back as quickly as, say, the bigger players.
According a 2018 Cisco survey, 53% of all small businesses have been breached at some point, with 40% of them experiencing ‘IT downtime’ – such as the website going down or being unable to take orders – for eight hours or more as a result.
We recently teamed up with serial investor and small business champion Piers Linney to drill into the security challenges faced by this segment. Piers, famous for his time as an investor on Dragon's Den and Shark Tank, caught up with me to dissect the key issues during our Facebook Live event.
Piers Linney interview part 1
Piers Linney interview part 2
1. Technology will only go so far
With the constantly-evolving nature of cyber attacks, there's no silver bullet which will completely ensure your organisation's protection.
In fact, technology alone won’t solve the problem. You should consider the triangle approach of people, processes, and technology. Research by Cisco's Incident Response team uncovered how many cyber attacks happened with just one of these practices in place. They found that:
- Technology will stop around 26% of cyber attacks
- The right kind of internal policies will prevent 10% of attacks
- Training each member of staff on appropriate digital behaviours will only stop 4% of attacks
If these three areas of defence are tackled together, there would be a significant increase to those percentages.
2. Some cyber-security policies to consider
Speaking of basic policies, here's what we would recommend:
- Create privileged password management – so there is extra or (even better) 2FA protection for the most sensitive and valuable data
- Conduct job-specific training in security principles. For example, the finance and HR teams are more likely to have their email addresses spoofed or be sent phishing emails purporting to be from the CEO. Developers will need specific training on how to protect their code from being compromised
- Always install the latest software updates
- Have a mobile device and remote working plan which includes using a VPN
- Back-up copies of important data
- Secure your wifi network by changing the default password and never giving out the network name. Create guest wifi for non-employees
- Segment access so that users can't access data they don’t need
- Encourage longer passwords, and change them every three months
Also, if employees use their personal devices to do any of their work or use them at work, include this in your security plan. As you trust them to bring in their own devices, it’s a quid pro quo – they also need to be ok with you installing security measures on their devices (such as the ability to remotely erase them if they are stolen).
3. Creating a cyber-culture with your people
One of the most common kinds of data breach is from targeted phishing. So, make sure your email security solution has reputation-filtering to monitor links in emails – even if your system is on the cloud – and you can thwart these attacks.
Many attackers are finding ways around traditional email security solutions, but if your employee never clicks on a malicious link, the problem is solved there and then.
Cisco conducts an internal phishing test once a month to help train staff on what to look out for. We don’t admonish those who fall for it, as that would discourage employees from reporting possible breaches. It helps individuals understand their susceptibility to threats.
If you do test your workforce, ensure it's unique to the departments (or individuals) you are testing. This will help them understand how security actually affects their day-to-day.
Another tip is to show how taking cyber security more seriously at work can help their personal lives. If they know how to spot a fake phishing scam, this could help prevent them falling for online scams, and potentially their friends and family too – if they spread this message around.
Embedding a security mindset into company culture should always be encouraged, and it’s something which should come from the top down, starting with leadership.
Duo Security, now part of Cisco, has a free solution for you to create phishing emails and websites for internal testing.
4. Resilience planning and risk management
Schools practice fire drills so they know what to do in a crisis. The same concept should be applied to a cyber-response plan. Here are some tips on what should be considered as part of your plan:
- Assign responsibilities – who is doing what? Analysis, communication, setting up remote working, and so on…
- Identify a leader, a person who has a solid understanding of your business and your security strategy. Someone who is a problem solver!
- Your plan should allow fluidity, to incorporate the latest threats
- Determine the critical components of your network to replicate in a remote location
- Identify single points of failure – i.e. have a back-up plan in case a key team member isn’t available
- Create a list of the tools, technologies, and physical resources that must be in place
- Consider communications – both internal and external. Customers need to be notified appropriately, and your employees need to understand what their role is in getting the organization back up and running
Ask yourself what the damage will be to your business if corporate data made it onto the internet. Will it only cost you downtime and damage your reputation, or will it there be greater costs?
This is why it’s key to understand the value of data, as it will help you understand the true impact when breached. With new regulatory safeguards such as GDPR, hefty fines can be levied if an organisation is at fault.
5. Look to the future, but don’t strive for immediate perfection – make incremental changes
Recognise that incremental change is better than no change. This is our final recommendation for how small and mid-market businesses can drive cyber-security improvements.
In short, you should not let a desire to be “perfect” in your security approach get in the way of becoming “better.” Perfect, as in all things, does not exist.
As I mentioned at the beginning, there is no “silver bullet” technology solution that will solve all of your cybersecurity challenges. The threat landscape is too complex and dynamic. The attack surface is always expanding and changing. And, in response, security technologies and strategies must continually evolve as well.
For example, malicious cryptomining has sky-rocketed in the past year, and has fast become the most profitable way for cyber criminals to earn money. So, if your computer is running slow, have it checked to make sure you don’t have cryptomining program running in the background. You can learn more about how to spot and prevent malicious cryptomining in this blog.
To help you, Cisco Talos regularly shares a blog with the latest threat intelligence.
Also, security solutions with machine learning applications embedded mean that your infrastructure constantly learns, and can be set up to automatically deal with threats.
Have a watch of the interviews for more cyber-tips for your small business, and head to our Small business security solutions page for more resources.
About the AuthorFollow on Twitter Follow on Linkedin More Content by Hazel Burton