As October marks Cyber Security Month, there’s no better time for small businesses to take a look at their handling of company data.
Let’s take a look at the current cyber threats small businesses face and the importance of ensuring company data is protected. Technology over the past few decades has become an increasingly integral aspect of the workplace.
From email correspondence and financial transactions, to professional networking and collaborative work documents, businesses rely on technology to be connected at all times and conduct work effectively. However, when these lines of communication are threatened or even compromised, it can have a disastrous effect on the business.
One of the most high-profile cyber attacks came when telecoms giant TalkTalk had personal details hacked in 2015, which resulted in a record fine of £400,000 for the security failings. Similarly, Three Mobile was also the victim of a cyber attack which saw more than 200,000 people’s information exposed.
However, it’s not just big businesses that need to worry about cyber security. No business is too small to be at risk of a cyber security attack; it happens to small and medium-sized businesses too. Last year, SME Boomerang Video was fined £60,000 for leaving itself vulnerable to hack attacks, and other SMEs, such as software company PCA Predict, have experienced cyber attacks in recent years. These examples are the tip of the iceberg and emphasise the need for businesses to protect virtual interests from malicious attacks with strong security.
Familiarise yourself with today’s cyber security threats
According to the Cyber Security Breaches Survey, nearly half (43%) of all UK businesses had reported cyber security breaches or attacks in the last 12 months. These data breaches have resulted in lost files, software, system or website corruption, and even loss of assets or intellectual property.
The most common cyber security threats include scammers impersonating a business, the sending of fraudulent emails, and viruses and malware. Research from the Cyber Security Breaches Survey also found that the average financial impact for businesses in the last 12 months came at a cost of over £3,000, which can have a substantial effect on a small business’ revenue.
With the recent implementation of GDPR in May this year, businesses also have to report any breaches to the ICO (Information Commissioner’s Office). As a result, the fines have dramatically increased, which could also mean the average cost of data breaches rises even further in the coming years. The impact of a data breach can also be greater since the introduction of GDPR, with the ICO being able to stop a business from processing data in the future.
Data leak protection
One of the most rampant and personal threats to cyber security is data leaks, which can be extremely damaging to both an individual and a business. All businesses hold a range of data, from customer insight to employee data, which often contains sensitive information that can easily be put at risk if businesses don’t take a number of steps to protect it.
The number one way that businesses can ensure their data is protected from any leaks is by limiting the amount of personal information available in the public domain.
There are, however, many other ways businesses can minimise their personal risk of exposure. One way is by setting up a ‘burner email’, which is essentially a dummy email account that businesses can use when signing up for a site or service that they don’t want to give their real email address to. The bonus of a burner email is it can be set up so that any replies are forwarded automatically onto the real email address, but it gives businesses the security that their email address isn’t being shared around.
If a business is concerned its email account may have been compromised, there is an online tool called ‘Have I Been Pwned’ which allows users to search across multiple data breaches to see if an email address has been compromised.
Another cyber security threat for businesses is ransomware, which is a type of malware that encrypts a business’ data and is only unlockable in exchange for a large fee. While data saved on computers can be at risk from ransomware, these types of cyber attacks have also risen in prominence with the prevalence of cloud services for storing data.
More and more businesses are opting to use the cloud to store their data. However, there seems to be a misconception that storing data in the cloud is much safer and more secure than your computer’s hard drive. To protect against attacks from ransomware, businesses should ensure that valuable data is backed up in multiple places. Backups shouldn’t be limited to cloud services; data should also be kept locally and on a portable hard drive.
While malicious software may be constantly developing, security software is adapting to cope with these threats too. That’s why it’s so important that a business keeps its antivirus software updated at all times.
However, a common misconception is that all antivirus software is able to cope sufficiently with ransomware. Businesses need to ensure they invest in specific ransomware protection software that can adequately protect against a cyber attack. One option is Intercept X by Sophos, which uses deep learning malware detection to safeguard against the widest range of attacks, and also supports existing security or antivirus software.
Advanced social engineering tactics
The crime of phishing has been around since as early as the 1970s, when John Draper created the infamous Blue Box used to hack telephone systems, known as phone phreaking. As time has passed, technology has advanced, but so too have the methods by which phishing is conducted.
Phishing is the process of fraudulently attempting to gain an individual’s information to exploit the account that data is associated with, ranging from accessing emails through to banking accounts.
With the rise of artificial intelligence, criminals no longer need to be personally involved in this process but can actually automate these attacks now.
To ensure a business doesn’t become victim to a phishing scam, businesses should avoid opening or responding to unexpected emails which ask for personal information. This can also be supported by a business not posting too much personal information online, as an opportunist scammer can (and may) use this information to appear legitimate when contacting the business.
The impact of cyber crime on your business
A lack of focus on cyber security can be greatly damaging to a business. There is the direct economic cost of such attacks to the business, such as theft of corporate information, disruption to trading or even having to repair affected systems, all resulting in financial loss. As well as the physical impact, cyber security breaches can also cause reputational damage.
With a lack of faith in the security of the affected business, customers will be more inclined to venture elsewhere, resulting in a loss of sales and profits.
Aside from the direct impacts of a cyber security breach, there are also legal consequences to deal with in the aftermath. Failure to manage a customer’s personal information in light of the recent GDPR can result in regulatory sanctions. This is regardless of whether the negligence originates from the management or employees of a business.
Every business, no matter its size, needs to ensure everyone involved in the company is up to date on the latest cyber security threats and the best methods for protecting data. The best way to do this is with regular training of staff, as well as using a framework to work towards, with key goals for achieving a standard which ensures the risk of a data breach is minimal. One such standard, backed by the National Cyber Security Centre, is Cyber Essentials, which businesses can get an accreditation for.
With October marking Cyber Security Month, there’s no better time for businesses to be prioritising taking action against potential cyber security breaches.
About the Author
Scott Bordoni is Operations Manager and Data Protection Lead at Sync and GBM. He is responsible for ensuring and maintaining GBM’s compliance with Data Protection standards and the GDPR. He is also responsible for managing and maintaining our policies, processes, performing internal audits, and certifications / accreditations (such as Cyber Essentials).