The security mistakes SMEs cannot afford to keep making
on 20 Mar, 2019
In recent years, data breaches have become such a common headline that major companies seem to be notifying their customers on a weekly basis. In 2018 it felt as if nobody was safe as breaches hit companies including British Airways, Marriott Hotels and even Facebook, the social media giant suffering a number of breaches in the past year and seeing the data of over 100 million users put at risk.
But data breaches are not exclusive to large companies. Away from the headlines, the reality of cyber attacks is that they are often not targeted at just one company, instead aiming to create as much disruption as possible. This means that SMEs may have to deal with identical attacks, but without the resources and dedicated IT staff of larger businesses. The result of this is that 60% of SMEs that are hacked go out of business within six months.
So, what can SMEs do to maximise their protection against cyber threats? Thankfully, most successful attacks are not due to incredible technological advances, but to the exploitation of companies that fail to maintain the basics of security. A good example of this is how the NHS suffered at the hands of WannaCry because it was running outdated operating systems.
By identifying the areas where simple mistakes could take place, SMBs can minimise the risks to their business that come from cyber attacks, without having to spend a fortune on increased defences.
Not training all members of staff regularly
While the technology and strategy around cybersecurity is continually evolving, human error remains the most common way for attackers to gain access to sensitive data. As important as antivirus software is for monitoring and removing threats, preventing them remains a predominantly human responsibility.
To minimise the risk of users being tricked by phishing attacks into handing over sensitive information, it is vital that every member of staff is fully trained in cyber security best practices and in the company policy to follow should a breach occur.
With the rapid growth of mobile working, the responsibility for device security has shifted from the IT specialists maintaining a traditional office network to the users who could be accessing company data from anywhere in the world. By ensuring all staff are trained to sufficient levels, the chances of personal errors leading to a breach can be reduced significantly.
But a single training session will not be enough. New threats and changes to software can mean that best practices may need to be adjusted on a regular basis. By providing regular training updates, staff will be able to quickly adapt to new developments and become increasingly confident when identifying potential red flags.
Failure to patch quickly
Applying an update is a simple task but it is not something that should be ignored, even if it is an inconvenience. The 2018 Small Business Cyber Risk Report from Hiscox revealed that not only had 47% of SMEs across the UK, Europe and US been the victim of a cyber attack in the previous 12 months, 44% of those suffered multiple attacks.
In most cases a patch is released to protect against a newly identified vulnerability and is expected to be applied as quickly as possible. But with so many devices on an office network, this is no easy task. Factor in IoT and smart devices such as speakers and thermostats, and applying updates can quickly become very time-consuming. A small business might try to manage this by only updating quarterly. However, attackers are aware of this type of strategy, and as soon as a new patch is announced they are likely to seek out those who have not yet updated. This means that it is vital to ensure that every device that can connect to your office network is updated as soon as updates become available.
Again, responsibility for this can be shared among users by giving this task to the member of staff using each device, allowing IT staff to focus on shared devices such as office routers and printers.
Not restricting access permissions
One of the simplest ways to protect sensitive information is to restrict the number of people who have direct access to it. Despite this, many companies give admin privileges to insiders based on their position in the company rather than their direct need to access the data.
While a phishing attack may give hackers control of somebody’s account, if this user does not have access permissions, the attackers may have to try another strategy to access the data they are looking for.
As a simple and extremely cost-effective method of improving security, SMBs should ensure that every user's access is purely limited to the information they require for their tasks. When implementing this policy, it is important that it applies at all levels of the business and also to freelancers, contractors and former staff members, who should have their access removed as soon as their work is done. This will mean that the only people with total access will be IT staff, minimising the opportunities for data to fall into the wrong hands.
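The policy above only works if someone regularly checks that granted access still matches each person's role and that leavers and contractors have actually been switched off. The following is an added example, not code from the article: a small Python audit over a constructed account inventory. The role table, the account records and the dates are all hypothetical; in practice the inventory would be exported from the directory or SaaS admin console the business uses.

```python
"""Least-privilege audit for a small company's account inventory.

Added example, not part of the original article. ROLE_NEEDS and the
accounts in demo_accounts() are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical: the minimum set of systems each role needs for its tasks.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "sales": {"crm"},
    "finance": {"crm", "payroll"},
    "it_admin": {"crm", "payroll", "hr_files", "server_admin"},
}


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    granted: frozenset          # systems the account can currently reach
    end_date: Optional[date] = None  # contract end or leaving date, if any
    active: bool = True


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return findings keyed by username.

    Flags (a) access beyond what the role needs, (b) accounts still active
    after their end date, (c) roles with no defined need (cannot be judged).
    Accounts with no findings are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        problems: List[str] = []
        needs = ROLE_NEEDS.get(acc.role)
        if needs is None:
            problems.append(f"unknown role '{acc.role}'")
        else:
            excess = sorted(acc.granted - needs)
            if excess:
                problems.append("excess access: " + ", ".join(excess))
        if acc.active and acc.end_date is not None and acc.end_date < today:
            overdue = (today - acc.end_date).days
            problems.append(f"still active {overdue} days after end date")
        if problems:
            findings[acc.username] = problems
    return findings


def remediate(accounts: List[Account], today: date) -> List[Account]:
    """Return a corrected copy of the inventory.

    Trims each account to its role's needs, deactivates anything past its
    end date, and fails closed (revokes everything) for unknown roles.
    """
    fixed = []
    for acc in accounts:
        needs = ROLE_NEEDS.get(acc.role, set())
        still_active = acc.active and not (acc.end_date and acc.end_date < today)
        fixed.append(replace(acc, granted=frozenset(acc.granted & needs), active=still_active))
    return fixed


def demo_accounts() -> List[Account]:
    """Constructed sample inventory (not real people or systems)."""
    return [
        Account("alice", "sales", frozenset({"crm"})),
        Account("bob", "sales", frozenset({"crm", "payroll"})),       # over-privileged
        Account("carol", "sales", frozenset({"crm"}), end_date=date(2019, 2, 28)),  # contract ended
        Account("dave", "it_admin", frozenset(ROLE_NEEDS["it_admin"])),
        Account("erin", "ceo", frozenset({"hr_files"})),              # role has no defined need
    ]


if __name__ == "__main__":
    today = date(2019, 3, 20)
    for user, problems in audit(demo_accounts(), today).items():
        print(user, "->", "; ".join(problems))
    print("after remediation:", audit(remediate(demo_accounts(), today), today))
```

The audit deliberately treats a role it has no entry for as a finding rather than silently passing it: "the CEO needs everything" is exactly the position-based reasoning the article warns against, and the remediation step revokes access for such accounts until someone defines what the role actually needs.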
Failing to secure endpoints
The IoT industry is growing rapidly and its impact is being felt in business as much as domestically. In 2018 it was estimated that there were some 272 million connected devices in the UK alone. With that number set to reach 625 million in the next five years, ensuring that each of these devices is secure is crucial. A network is only ever as strong as its weakest link, which means that even the most inconsequential device has the potential to become a backdoor to your system if it is not correctly set up.
With so many devices in use, all endpoints should be kept as secure as they would be if they were being used in the office. This can be done with an endpoint security tool and mobile device management. MDM is an effective way to monitor every device and provide remote access, ensuring that the latest updates are installed and that devices can be tracked, locked or even wiped should they be lost or stolen.
Without clear explanation, staff might be reluctant to allow their employer to install tracking software on their personal devices. The justification for using this type of software needs to be clearly set out in training and explained precisely in a bring your own device (BYOD) policy that staff agree to before being allowed to access company data on their devices.
Not backing up
It is a mantra as old as the personal computer – always back up your work. Unless something goes wrong it is a rule that is easily ignored, but with an estimated 65,000 attempted attacks on UK SMEs each day, this could be the most costly mistake SMEs can make in their security setup.
One of the most common forms of attack is ransomware. Once it has entered the system, data will be collected and encrypted. Users can then only get that data back if they pay the ransom demand. This is terrifying enough, but almost half (45%) of those who agreed to pay still did not get their data back, or received it in an unusable state.
Luckily there is a very simple solution to avoid this nightmare scenario: keeping full data backups. As many as 72% of ransomware victims are able to keep hold of their data if they have kept regular backups.
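A backup only counts if it can be shown to restore intact, and ransomware that encrypts a mounted backup share will leave the backup just as unusable as the originals. The following is an added example, not code from the article: a Python routine that copies a directory, records a SHA-256 manifest alongside the copy, and verifies the copy against that manifest. The sample files, the directory layout and the simulated tampering in `demo()` are all constructed for illustration.

```python
"""Backup with an integrity manifest, plus a verification check.

Added example, not part of the original article. The directory tree and
the simulated corruption in demo() are constructed for this illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the source tree to dest and write a manifest of per-file hashes.

    The manifest maps each relative path to the hash taken from the
    *source* file, so the backup is checked against what was actually
    backed up, not against itself.
    """
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> List[str]:
    """Return a list of problems (empty means every file is present and unchanged)."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        candidate = dest / rel
        if not candidate.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(candidate) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: back up, verify, then overwrite one backup file.

    Returns (problems before tampering, problems after tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "a.txt").write_text("quarterly figures\n")
        (source / "b.txt").write_text("customer list\n")

        make_backup(source, backup)
        clean = verify_backup(backup)

        # Simulate a backup file being overwritten (e.g. encrypted in place)
        # after the backup was taken; the manifest still holds the original hash.
        (backup / "docs" / "a.txt").write_bytes(b"\x00garbage\x00")
        tampered = verify_backup(backup)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup problems:", before)
    print("after tampering:", after)
```

Because the manifest is written next to the copy, an attacker who can rewrite the backup could rewrite the manifest too; for a real deployment the manifest (or at least its own hash) should be kept somewhere the backed-up machine cannot write to, and the verification should be run on a schedule rather than only when a restore is already needed.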