SMEs’ lack of awareness of the consequences of their action or inaction has always been one of the biggest issues within cyber security. There are far more companies within the UK that simply don’t know about the threats facing their business, or their own customers, than there are companies that do know and have technology and services in place to protect them.
Recent research by KPMG highlighted that awareness isn’t just lacking within SMEs: almost 40 per cent of FTSE 350 board members said they didn’t believe they had an ‘acceptable understanding’ of their company’s key information and data assets, with 65 per cent either rarely or never reviewing risk management policies around that information.
In the past year, the UK Government has embarked upon an education programme specifically targeted at businesses within the UK, with the ‘Cyber Streetwise’ campaign being front and centre for SMEs. As part of a Managed Security Services Provider, I have seen first-hand the impact that the education push is having, and it’s overwhelmingly positive. Whilst the Cyber Streetwise campaign isn’t perfect and does need some work, what Networks First has seen is that our partners’ and customers’ level of cyber security awareness is much greater than 12 months ago.
The UN International Telecommunications Union Global Cyber Security Index measures the ‘preparedness’ of member states in relation to cyber attacks. Currently the UK sits in joint 5th place, which is certainly respectable, but it shows that there is still a lot of work to be done to raise awareness and preparedness within the UK.
There have been numerous headlines about the latest cyber security breach: Sony Pictures, Home Depot, and JP Morgan Chase are just a few. However, what they all have in common is that they’re large, well-known brands. I’d argue that these breaches are, of course, newsworthy, but they portray a picture to SMEs that they’re not necessarily in the firing line, so to speak.
It’s not always the case though. The Target data breach, one of the largest ever cyber security breaches, happened because a third-party SME supplier to the retailer was breached and used to gain access to Target’s network.
What Type Of Target Are You?
In order to understand what type of target you may be, you need to understand the value of your Intellectual Property. For a small bakery or tea shop there’s likely to be very little in the way of Intellectual Property that is of value to a hacker, but your point-of-sale devices may be a source of income for them. Law firms or engineering companies, by contrast, will have a lot of IP for the taking, but very little in the way of cash or credit card transactions that could be targeted.
Your company may not even be the target; it may merely serve as a pivot point into another organisation’s network and nothing more. That is to say, if you connect to your customer’s network in any way to provide a service, then an enterprising hacker could piggyback on that connection. Your customer is the real target, and your company’s network connection is the weak point being exploited.
The first step in protecting yourself, and your customers, is to understand what value you are to a hacker and that involves thinking about what information you keep; be it names and addresses of customers, payment card data, or even blueprints or engineering designs. Once you understand this, you’ll have a better idea of how you could be targeted.
However, the majority of SME breaches that we see at Networks First are opportunistic in nature. That is to say, your business was never a specific target, but due to your or an employee’s actions (visiting a malicious website, downloading malicious software and so on), you are now on the hacker’s radar.
How Can You Protect Your Business?
There are a number of strategies, tactics, technologies, and training you can undertake to make yourself less of a target and harder to breach. Hackers, for their sins, will often go for the ‘low hanging fruit’; that is to say, they’re going to follow the path of least resistance. As an example, a burglar is always more likely to choose a house without a burglar alarm than a house with one. The same goes for your online business.
Steps to securing your business and that of your customers and partners:
- Lock your doors and windows – that is to say, invest in technology such as firewalls and intrusion prevention systems (IPS) to help prevent hackers from breaching your network.
- Keep systems up to date – The key here is to make sure that when patches are released for firewalls, servers, and PCs they are installed.
- User awareness training – This is possibly the single best thing you can do to improve the security across your organisation. Regular, short training sessions on topics like strong passwords and phishing can help your employees become security advocates themselves.
- User awareness training – I can’t state enough how much this will help!
- Collaborate and communicate – Collaborating with your supplier network can be a key step in understanding the threats facing your business. Should you detect any abnormal activity, whether on your own network or from a supplier, then communicating and alerting partners can help stop an attack from spreading further.
- Seek expert help – If you think you’ve been breached or hacked, then do not be afraid to approach third-party security organisations for help. They’re experts at what they do and can help you secure any vulnerable systems once an attack has been mitigated.
Security is always going to be challenging. Even with the greatest levels of protection you are not guaranteed to be safe, but implementing basic controls, technologies and training will go a long way to keeping you secure. Consider outsourcing some or all of your security to a third party. Managed Security Service Providers have some of the world’s best security experts available 24/7 working to keep your company secure, leaving you to get on with doing what you do best – running a successful business.