Published on November 11th, 2020 | by Bibhuranjan
How SMEs can Guard against some of the biggest Cyber Threats
The modern threats of IT security breaches, stolen data or ransom attacks are very real not just for large corporations but also for small businesses. According to a report by CNBC, over half of SMEs suffered some form of cybersecurity breach last year and can expect to lose on average $200,000, yet only 14% of SMEs are ready to defend themselves from a cyber-attack and mitigate such risks. That is just an average loss across the spectrum; the losses and costs to fix the holes and to compensate customers or authorities can reach millions. Most small companies cannot afford to lose these sums of money, so they must implement some basic IT protocols to guard against IT security threats.
Smaller firms are an easier target for hackers today because they simply don’t place sufficient focus on cybersecurity protection. They are easier to penetrate due to weak passwords, unvetted online downloads, less robust firewalls and anti-virus software, and a general lack of vigilance by employees when it comes to protecting their IT networks and sensitive data and using VPNs.
The perception is often that attackers won’t target a small enterprise because it is not significant enough to be worth the effort. However, that’s not true: statistics show that 43% of cyber-attacks target small businesses (Fundera.com). As attackers get more sophisticated with coding and automation, they can just as easily hit hundreds of smaller companies as one larger enterprise, so for them it is becoming more lucrative.
How do small companies mitigate these very real risks then?
Read on to see some of the most common vulnerabilities in an organization and some smart ways to block third parties wanting to do harm.
- Insider Threats. The first type of threat does not come from external criminals or groups; it comes from within the organization. A 2017 Verizon report put this as the cause of 25% of IT breaches. At its most innocent, but no less dangerous, is careless or negligent handling of data and IT security. This can be controlled by something as easy as security awareness training, where employees and associates are taught about security and their responsibilities for secure account logins, viruses and the procedure to follow when colleagues leave the company. When employees intentionally commit attacks themselves, it is harder to control, but monitoring by the IT department or managers, together with controls around access and logging of data access and downloads, can reduce the ease with which culprits get away with any wrongdoing.
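As an added example (not code from the original article), the script below shows what "logging of data access and downloads" can look like in practice: it reads a file-access log, flags any activity by accounts that belong to people who have left the company, and flags users whose daily download count or volume exceeds a baseline. The log format, the sample lines, the leaver list and the thresholds are all constructed assumptions for this example; a real deployment would read its own file server or cloud audit logs and tune the baselines to normal business activity.

```python
"""Flag suspicious data downloads from an access log (added example, not from the article).

Assumed (constructed) log format, one event per line:
    <ISO timestamp> <user> <action> <object> <bytes>
The IT department is assumed to maintain LEAVERS, the set of accounts
that should have been disabled when the person left the company.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example.
SAMPLE_LOG = """\
2020-11-10T08:15:02 alice DOWNLOAD customers.csv 20480
2020-11-10T08:20:45 alice VIEW invoice-1042.pdf 0
2020-11-10T09:02:11 bob DOWNLOAD payroll.xlsx 51200
2020-11-10T09:03:30 bob DOWNLOAD customers.csv 20480
2020-11-10T09:04:01 bob DOWNLOAD contracts.zip 104857600
2020-11-10T09:05:17 bob DOWNLOAD pricing.xlsx 40960
2020-11-10T22:41:09 carol DOWNLOAD customers.csv 20480
2020-11-11T07:58:33 dave VIEW handbook.pdf 0
"""

LEAVERS = {"carol"}                 # constructed: account should have been disabled at offboarding
MAX_DOWNLOADS_PER_DAY = 3           # constructed baseline for the example
MAX_BYTES_PER_DAY = 50 * 1024 * 1024


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
            "bytes": int(size),
        })
    return events


def find_alerts(events, leavers=LEAVERS,
                max_downloads=MAX_DOWNLOADS_PER_DAY, max_bytes=MAX_BYTES_PER_DAY):
    """Return (alert_type, user, detail) tuples for leaver activity and bulk downloads."""
    alerts = []
    per_user_day = defaultdict(lambda: {"count": 0, "bytes": 0})
    for e in events:
        # Any activity on an account that should be disabled is worth an alert.
        if e["user"] in leavers:
            alerts.append(("LEAVER_ACTIVITY", e["user"], e["object"]))
        if e["action"] != "DOWNLOAD":
            continue
        key = (e["user"], e["ts"].date())
        per_user_day[key]["count"] += 1
        per_user_day[key]["bytes"] += e["bytes"]
    for (user, day), stats in per_user_day.items():
        if stats["count"] > max_downloads:
            alerts.append(("DOWNLOAD_COUNT", user, f"{day}: {stats['count']} downloads"))
        if stats["bytes"] > max_bytes:
            alerts.append(("DOWNLOAD_VOLUME", user, f"{day}: {stats['bytes']} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed sample this raises three alerts: one because the disabled account `carol` is still downloading data (and doing so late at night), and two because `bob` pulled four files totalling about 100 MB in a few minutes. Those alerts are the starting point for a manager or the IT department to ask questions, which is exactly the deterrent the article describes.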
- Malware Attacks. Malware is malicious software that can be transferred to a device or a company network through spam emails, website downloads or connections to infected devices. The malware code can do damage in many ways, by damaging a device or giving access to sensitive information. Small companies are particularly vulnerable because they may allow staff to use their own devices to save on costs. So central control over networked devices is needed to ensure a proper level of security software exists on all of them. This is termed Endpoint Protection: viruses and malware are detected on the devices and networks that end-users use and are cleaned or quarantined for analysis by the IT department. Controls are also important on web browsing, blocking pop-ups and downloads from unvetted sites to avoid having malware downloaded from bad websites.
- Phishing Attacks. Here criminals use deceptive tactics to get logins or confidential information like bank account details, or to entice users to click malware links or files like the malware described in the previous point. Because they prey on human vulnerability, they enjoy more success and are more prevalent. Using a colleague’s name or even email address to request information gives the victim more trust in the request, so defenses are down. That’s how the criminals can bypass many of the security levels we have recommended above. The simplest way to defend against these is the education of employees on how to identify such phishing scams and escalate them to IT, who can trace them or at least warn the whole organization of the threat. Also, as a minimum, email spam filters must be installed to help block such emails; the more sophisticated software can identify unnatural language or commonly used spam templates and stop them before they even reach users’ inboxes.
- Ransomware. This is holding a company to ransom by sabotaging a website or network or taking away company data. These attacks have been particularly prevalent against small companies because they have shown more willingness to pay to get things back. Data from 2018 showed that 71% of ransomware attacks targeted small businesses, with an average ransom of $116,000. The solutions to stop such attacks are again Endpoint Protection software, to protect all employee devices from being compromised and data being stolen from them, and a solid process for data backup and recovery. So, in case any data is stolen, things can carry on operating because a backup copy can be retrieved, although if sensitive information like credit card details or customer addresses is taken, the data in the hands of the criminal can still be very damaging.
- Finally, we have password strength for accessing business accounts. Many employees use weak passwords, or the same password on multiple accounts, because they are easier to remember. But the simpler they are, the easier it is for criminals to guess or crack them. So staff training on using strong and unique passwords is a must and a simple way to reduce unwanted access to company information. Having two- or three-factor authentication can reinforce password security, and having password generators and password manager tools that store the passwords for staff will encourage them to use more difficult passwords, unique to each application.
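As an added example (not code from the original article), the script below puts the three password recommendations into working form: a policy check for strength, a reuse check across an inventory of accounts, and a generator that produces a random password which passes the policy. The minimum length, the three-class rule and the short common-password list are constructed assumptions for this example; a real deployment would check against a full breach list and let a password manager, not a script, hold the inventory.

```python
"""Password policy, reuse detection and generation (added example, not from the article).

MIN_LENGTH, the character-class rule and COMMON_PASSWORDS are constructed
for this example; use a much larger breached-password list in practice.
"""
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "company2020"}


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def find_reused(inventory):
    """Group account names that share the same password (inventory: {account: password})."""
    by_pw = defaultdict(list)
    for account, pw in inventory.items():
        by_pw[pw].append(account)
    return [sorted(accounts) for accounts in by_pw.values() if len(accounts) > 1]


def generate_password(length=16):
    """Generate a random password with the secrets module until one passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample inventory: two accounts share one password.
    sample = {"email": "Summer2020!", "crm": "Summer2020!", "bank": "x9#Lq2!vR7pMw"}
    for account, pw in sample.items():
        print(account, check_password(pw) or "ok")
    print("reused across:", find_reused(sample))
    print("suggested:", generate_password())
```

The reuse check is the part staff training alone cannot deliver: a password can look strong and still be the one the employee uses for their personal email, which is what makes credential reuse dangerous after a breach elsewhere.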
IT security is important to the effective running of any company, big or small, and we have discussed some of the risks that small businesses face. The responsibility for safeguarding IT rests with everyone: the managers who assign budget and resources to security, the IT department, and the users who are using the network and databases.
Photo by Chris Liverani on Unsplash