Over the past 12 months it has become clear that the cybersecurity landscape is changing rapidly for small businesses. 2017 saw a string of high-profile attacks, including WannaCry and NotPetya, which have made improved security essential not only to protect sensitive data, but also to protect against the negative impact that downtime can have on the finances and reputation of the company involved.
The rise in attacks has demonstrated that while essential, having strong cybersecurity is not enough. With almost 90% of cyberattacks linked to human error or behavior and one in five small businesses becoming the victim of cybercrime each year, ensuring the security of data now requires a robust policy of training and personal responsibility that addresses the trends of the mobile workforce alongside traditional security measures.
How do data breaches happen?
A data breach occurs when an unauthorized person (such as a hacker or cyber criminal) accesses files and databases containing sensitive and/or personal information. This breach can occur remotely, by bypassing the network’s security, or physically, by gaining access to a computer and infiltrating the network that way. Once accessed, this vital data can be extracted, stolen and even leaked.
While this list is not exhaustive, it does reflect some of the most common ways that SMBs may suffer a data breach and investigates how to protect against them.
1. Cybersecurity threats
The most high-profile threats to data security for small business are malware attacks. The breadth and speed with which attacks such as WannaCry and NotPetya swept across the world highlight that this is not just an issue for governments and corporations, but businesses of all sizes. Small businesses may feel they are ‘too small’ to be a target, but this complacency could result in an attack that the SMB struggles to recover from.
It is estimated that the worldwide damage cost of ransomware attacks could reach $11.5 billion annually by 2019 as attacks continue to evolve into new forms of threat.
To defend against attacks, it is vital that strong endpoint protection is not only in place, but regularly updated to ensure that newer threats are identified as early as possible.
This is the broad term for online confidence scams: bad actors leverage human emotions and behaviors against the victim to secure access to contacts, passwords and other sensitive information and personal data. Phishing emails – those that appear to be from trusted sources such as a bank and are sent by the perpetrator en masse – are the most well-known of these types of attack.
While phishing emails are often easy to spot, more targeted attacks known as spear phishing can be much harder to identify. This is because the cybercriminal will research the target and tailor the attack accordingly. It can be as simple as an HR email that appears to be from the victim’s real HR manager or a tech support call, but it may be enough to gain access to a company’s network and place malicious files.
As this method is so targeted, it often bypasses traditional spam filters, making the email recipient the only barrier between the attacker and the company’s network. Spear phishing attacks are increasingly common, with a 50% rise in Q4 2017.
With 74% of cyberthreats accessing systems through links and malicious attachments, the key to preventing this kind of risk is in training. If employees can identify suspicious communications and alert their manager to anything they might be unsure of, the chances of becoming the victim of an attack could be significantly reduced.
2. Device loss/theft
Flexible workers, that is, people who work from home, are expected to account for 42.5% of the global workforce by 2022. While this trend can offer increased productivity and reduced costs for cash-strapped small businesses, it also introduces or increases the risk of data breach. When staff access business data on mobile devices, the risk of a lost or stolen device increases dramatically.
While a break-in at an employee’s home could happen, the most common cause of a missing device is not likely to be malicious. An employee who commutes to work, or who works flexibly between locations, may have left their laptop on a train or misplaced their mobile device. However, with only 5% of missing laptops being recovered, it is critical that access to sensitive business documents and data is protected by multi-layered security (password, PIN, secure encryption, etc.). This means that if a device is stolen, it is unlikely that the perpetrator would gain access to sensitive data.
There is still a risk of devices being lost, stolen or misplaced even if they are provided by the company. However, these devices are more likely to have company security software installed and therefore be more secure than personal devices. Implementing a robust bring your own device (BYOD) policy will help to bridge this gap and reduce the risk associated with personal devices.
An effective BYOD policy should be detailed and clear so that everybody knows what is expected of them with regard to accessing and storing sensitive data and setting up security measures such as two-factor authentication and strong passwords. The policy could also include permission to remotely track, lock or wipe devices using a Mobile Device Management (MDM) system in the event that they are lost or stolen.
3. Weak network security
A network is only as strong as its weakest point of entry. It is therefore essential to build a culture where login details are not shared and access to shared documents and sensitive data is monitored to ensure it is only available to those who require it.
With just 30% of UK organizations requiring staff to use multi-factor authentication, the combination of an increasingly mobile workforce and weak passwords should be a major concern to SMBs. 80% of breaches are thought to use stolen or simple passwords and so it is vital to ensure that staff not only use secure passwords, but change them on a regular basis. This policy needs to be universally implemented so that personal devices are as secure as those in the office.
Out-of-date software
One of the reasons that WannaCry was able to have such a dramatic impact was that so many machines were running outdated versions of Windows, such as Windows XP, that were no longer supported by Microsoft. By not keeping software updated and installing the latest patches, these devices became vulnerable to the attack.
It is a basic task but, as with passwords, installing updates, patches and fixes is vital to security. If it is not a part of your best practices and universally implemented across every device in your small business, it is a potential way for a bad actor to infiltrate your network.
4. The Insider Threat
The risk of a data breach is not always external. While most time and money are focused on protecting data from outside attacks, the insider threat cannot be ignored by companies of any size. Crowd Research Partners' Insider Threat Report (2018) revealed that 90% of companies are at risk of insider threats and more than half were attacked in 2017.
An insider could be any current or former staff member: the term refers to anyone with authorized access to systems or data who then exploits that access. For example, an employee about to leave the business might access and record contacts from a database to take to their new employer. These actions could be careless (or ignorant) or malicious, but either way, by misusing that access, they cause the theft or destruction of data.
A third of organizations feel they have no capability to defend against an insider attack, although there is plenty you can do to reduce the risk. Make sure all staff are aware of their responsibilities by improving oversight and implementing data and cyber protection policies. This is especially important for SMBs where individuals may be involved with a number of different responsibilities across departments and require wide access.
In most non-malicious cases, training and the construction of a culture of responsibility will help to reduce the risks of carelessness and ensure that the basics of security are universally maintained company-wide. For malicious attacks, it is important to regularly monitor access privileges so that permissions are only given to those who need them and are changed when no longer necessary. It’s also worth including a non-disclosure agreement in staff and freelance contracts.
Is your business at risk?
Of the risks detailed above, there are likely to be some that you haven’t considered or fully prepared for. While it is vital to implement a modern and fully updated antivirus solution, the evolution of the threat means that software should only be one part of a holistic security program. By producing best practices and providing training, SMBs can build a culture of awareness and proactivity around preventing the risks of a data breach throughout their employee base.