It seems a day doesn’t go by without the media reporting the impacts of cyber attacks involving large corporations or government departments, yet little has been discussed around the risk of attacks on small businesses. Securing small businesses can be daunting. When you examine the security solutions available, almost all are designed for enterprise businesses with large IT departments and big budgets. However, Small businesses are as much at risk of cyber attack or data loss as large enterprises, perhaps more so.
In 2017 in the UK private sector over 99% of businesses were Small to Medium Businesses (SMBs), defined by those that employed less than 250 employees [1]. That’s a significant amount of business, that accounted for 60% of employment and 51% turnover. With the potentially less established control environments that operate in this space, it is an attractive proposition for cyber-crime.
Large enterprises can struggle to attract and retain [2] the required capabilities in an employment market where demand outstrips supply. How then can SMBs ensure they are prepared against the threats they face?
Threats to SMBs
Whilst this list is not exhaustive, these are some of the common threats organisations face.
Ransomware/Malware
Ransomware continues to be a popular choice for many attacks, simply as it is a “net far and wide” attack. Whilst ransomware promises the release of your data on payment, not all provide the capability to support this claim. WannaCry saw the evolution of ransomware to an internet worm, meaning that it did not require user intervention.
Malware is a broad term for all malicious code, of which ransomware is one variant. Others include software that provides remote access into business systems, or collects banking credentials and financial information.
Malware is often controlled by a central command service, known as Command and Control (C2). C2 services can send instructions and change the purpose of the malware depending on the infected business.
Phishing
Phishing has long been a successful approach to gain access to sensitive information, as it plays on human nature. An email offering a refund, or an urgent security alert, it entices user to click on the link or attachment. Phishing can also be combined with malware, having users inadvertently install malicious software, potentially allowing the attacker access sensitive information.
Email Impersonation
Email impersonation has been a growing trend over the last few years, mainly due to its simplicity. Individuals are either registering similar domains to their targets, or simply spoofing them. The emails, often appearing to come from an executive, are asking employees to transfer funds for a “urgent” or “secret” project. Other occurrences see customers either being targeted or impersonated through similar approaches. These will ask for payment details to be updated or funds to be withdrawn from an account.
Insider Threat
Insider threats relate to employees who have authorised access to information and systems. These individuals may look to extract and sell information or impact business processes. Employees may be disgruntled or coerced into taking this action by external factors.
Third-Party
Third parties can simplify business processes or remove menial tasks from SMBs day-to-day responsibilities. However the risks associated with their involvement in your business processes needs to be considered. For example, what information or assets are left unsecured after hours, when cleaners are attending to your office space.
Responding to Threats
So, without scale of capability or budget that large enterprises have, how can SMBs respond to these threats. Actually there are some simple steps that SMBs can take to help reduce the likelihood and the impact of these threats.
Education and Awareness
As discussed in our Security Awareness article [3] it is a widely acknowledged and accepted that staff, and their behaviour, is an integral part of any security posture. According to the Verizon Data Breach Investigation Report 2017 [4], 51% of data breaches involved malware and 66% of malware was installed via malicious email attachment. Helping your staff understand how to identify suspicious emails, links and attachments, whilst providing them with a process to report them is an excellent first line of defence. Develop and communicate clear desk policies and ensure staff know how to protect information they collect, manage and transmit.
Do not forget to include your clients in your awareness campaigns. Inform them of the risks they face, how you will engage with them to protect their interests. Ensure they are aware of how they can report suspicious activities to you.
Understand your Data Landscape
Understanding your data landscape is central to any efforts to defend against cyber and privacy risks. Having clear sight of where your most sensitive data resides ensures you can effectively protect it. Targeting investments will make the most of your security budget and delivering real demonstrable benefit.
Furthermore, during a potential security incident, being able to confidently state what information is at risk will ensure you can quickly and effectively respond to any potential data loss. Knowing who is impacted will ensure you know the course of action you need to take. This will also reduce the time taken to identify any potential requirements for notification under your regulatory or legislative landscape.
Using the data landscape, access requirements can be reviewed to understand who has access to sensitive information, either directly or indirectly, and what risks this presents. Considering which teams have access to what data, or where printed information may be left unsecured, will help focus improvements to business processes.
Focus on the Basics
Cyber Security Ventures Market Report [5] states that the global cybersecurity market was worth $3.5 billion in 2014, and was expected to exceed $120 billion by the end of 2017. This naturally attracts a lot interest from vendors and service providers, all wanting to be part of that opportunity. This can lead to technology confusion, as companies try to navigate the overwhelming choice, deciding where to invest.
Organisations need to focus on the basics first. Many of the data breaches reported include in some part simple vulnerabilities that could have been addressed.
Review your patch management processes, do you proactively update the software used within your estate. Are services tested for known vulnerabilities [6], or is assurance of this sought from those that provide the service.
Ensure anti-virus controls are maintained, both in terms of the software and any required signature updates. Ensure all incoming data is scanned for malware, including email, web traffic and file transfers. Configure this control to scan files on endpoints and removable media before they are read, known as On-Access scanning.
Improve account security using Two-Factor Authentication (2FA). 2FA requires an additional step when accessing systems or services. This additional step is something you have, such as using your phone to receive a code via SMS or an installed app. Especially where cloud services are used, 2FA is simple to implement and will ensure only authorised individuals can access your companies data.
Prioritising against your data landscape will help focus efforts, and reduce residual risks.
Incident Response
Regardless of the preventative controls any organisation puts in place, there is no guaranteed way to defend against all threats. Therefore it is vital organisations document, test and update response plans regularly.
Identifying what actions to take, who to engage and what capabilities you require will ensure you can effectively manage any impacts. Furthermore, being clear on who you will need to notify and how quickly will avoid regulatory sanctions. Practising your response plans will ensure stakeholders know their role, and will make any live incident run more smoothly, greatly increasing your chance of a positive outcome.
Recovery processes should be well documented, including backup requirements, testing these regularly to ensure their integrity.
Cyber Assessments
Whether you have an established security strategy, or are in the process of defining one, cyber assessments are a valuable tool. There are a number of standards against which assessments can be performed. Both the National Cyber Security Centre’s 10 Steps to Cyber Security and the Cyber Essentials scheme are a good starting point.
Using one of these approaches will enable an organisation to identify gaps in their maturity and prioritise their remediation programme.
Security for Everyone
Security is not just for the large enterprises, in fact through data breaches reported in the media, you will notice they often struggle. This often boils down to the scale of the estate, both logical and physical, and the existence of legacy services. This can result in efforts being prioritised incorrectly or vulnerabilities being overlooked.
SMBs have an advantage in some respects as their environments are more contained, locally or with third parties. Conversely, SMBs may struggle to attract and retain the capabilities to even understand the risks they face day-to-day, requiring them to take a different approach.
Enter the Virtual Chief Information Security Officer.
To talk about the steps you can take to secure your organisation, large or small, against the threats you face, get in touch with us: info@icaconsultancy.co.uk
As part of our Assess services the Cyber Security Posture Review (CSPR) helps organisations understand their current maturity, identifying risks and providing recommendations.
As part of our Assist services the Virtual Chief Information Security Officer (CISO) provides on-demand access to the capabilities required to respond to the threats of today and plan for those of tomorrow.