With reported cybercrime in the UK thought to cost business £29 billion per year, it is vital that SMBs are prepared. It may be easy to assume that cybercriminals are targeting large companies and will leave the smaller operations alone, but this is not always the case.
Companies in the UK were hit with over 230,000 cyberattacks in 2017 alone. Many such attacks are not specifically targeted. Instead, they are simply sent out to as many organisations as possible in the hopes of causing the maximum level of disruption. In these cases, everyone from government organisations to startups is a potential target.
Finding the funding to increase cybersecurity defences could be understandably challenging for small businesses that are running on tight budgets, but the impact of a data breach could be far worse. With this in mind, there are still a number of measures SMB owners can take to protect themselves from an attack without having to dramatically increase their security spend.
The most important form of defence is to make sure that the simple steps are taken care of, so be sure that your business network is protected by a firewall and antivirus software. This is the core of an effective setup, as it will help to protect you from existing dangers and spot new threats before they are able to attack. On top of these, a VPN service will give you the added benefit of end-to-end encryption for your data, protecting users on devices that are used for mobile working.
Most security software will either update automatically or prompt the user to install the latest patches and updates as they become available. Once an update is out, hackers will begin to target devices still running out-of-date software and exploit known vulnerabilities using targeted malware.
While the process of installing updates is often quick and simple, it needs to be completed across every device on your network. As such, keeping devices updated should be a requirement of any bring your own device (BYOD) agreement. Office-based devices can be updated by their individual users, but your IT team should also double-check and chase any users who are running outdated software.
While the fear for many is of high-profile, targeted attacks, the reality is very different. In fact, less than half of all data breaches are caused by a malicious attack. 88 per cent of data breaches reported in the UK over the past two years were the result of human error: in other words, a lack of employee awareness around the risks of online activity, and insufficient training. While we live in an age of technology, that doesn’t mean everyone is an expert on security measures.
Though many staff are likely comfortable browsing online or dealing with emails, few will have the same level of confidence when it comes to the finer points of digital security best practices. Training for all levels of ability is a key step to staying protected. After all, even if you have the finest security software in the world, it will still not be enough if your network is breached thanks to simplistic passwords being used on your accounts.
Staff should also be able to identify potential threats and understand the company procedure for reporting them. Spearphishing attacks, where hackers send emails impersonating reputable companies requesting information, are on the rise and getting increasingly hard to detect. An email may look like a legitimate request from a bank to reset your password, but an employee who does not identify the hallmarks of a suspicious email may inadvertently give away access to your data.
By training staff on the importance of strong passwords and on identifying suspicious activity on their devices, you can not only help to put security at the forefront of everyone’s thinking, but also minimise the chances of a simple mistake having awful results.
Monitor access permissions
The rules set in place by GDPR have focused attention on how data is held and used by companies. Rather than looking at this as red tape, it is an excellent opportunity to re-evaluate your security precautions.
Keeping backups and knowing where all of your most sensitive data is stored should now be standard practice. Cloud storage solutions are a great way to keep data both accessible and secure, and can add another layer of encryption to protect this information from unauthorised third parties.
Equally important is to consider the insider threat. Sensitive information and documents should only be accessible by the people who require them. Just because someone ranks highly in the company does not necessarily mean they should have direct access to documentation on that strength alone. The fewer people who have access privileges, the fewer opportunities there are for a breach.
This policy should also be stringent on ex-employees and contract workers. Access should be granted to only the essential documents, and then revoked as soon as it is no longer required.
Create a response strategy
Preparation is the essential element for creating a response to cyber threats. By planning ahead, your team will be on the lookout for threats. Should an attack happen, a clear security policy outlining the protocol in the event of a breach ensures that damage is contained quickly and kept to a minimum.
A crisis response document should consider the range of attacks that could occur and how to manage them internally, but also what information needs to be detailed for clients, partners and the general public in each instance. Responsible planning and a transparent response strategy will be valuable in terms of preserving reputation and business, should a breach occur.
As with security software, your response planning documents should be updated on a regular basis to ensure that they remain up to speed with the latest developments and advice on best practice.
Cybersecurity does not have to be expensive and complicated. The best way to make sure that your business is not an easy target is to identify small areas of weakness that can be overlooked, such as outdated and vulnerable software. These are the source of most cyberattacks and, by plugging these holes, you will be ensuring that you are well protected. Consider running a tool like the AVG IT Security Health Check to identify your current strengths and weaknesses, and keep improving from there.
Ultimately, a company with a strong security culture and understanding will be significantly less likely to fall victim to human error, and will be better placed in the face of a malicious attack.
Guy Oakley, Global Web Director, Avast Business