The Secrets of Small Business Cybersecurity
Andy Curtis
Information Security Executive ★ CISO ★ Strategic Technical Business Leader ★ Cyber Leadership ★ Head of Information Security. ★ Cyber AI Specialist ★ The Voice of Technology.
It might sound dramatic, but as a small business owner, you and your business are now set squarely in the sights of a new breed of organised crime. Cyber-attacks and data breaches like those at Kmart, David Jones and Ashley Madison are now rampant across eCommerce. Ransomware like CryptoLocker is destroying the photo and document stores of thousands of families across the world – and it’s something parents talk about in the playgrounds. Cybersecurity is no longer just the stuff of Hollywood, and certainly no longer something that affects only big businesses.
Small businesses need to get prepared for the new wave of cyber-criminals trying to work their way into their networks, and for the potentially devastating effects a successful breach may have on their business and on consumer trust.
In the same way that the large retail giants make headlines every time they inadvertently breach customer confidentiality, small businesses are now being targeted for access to their health records, marketing profiles, bank accounts and personal information – and held to ransom to unlock their critical files.
Ironically, with the advent of automated and increasingly ingenious malware toolkits like KINS and TOX, the barriers to entry for cyber-criminals have dropped significantly – almost to the level of a supermarket purchase. The skills and art of traditional “hacking” have given way to a new underclass of cyber-thug that is simply out to extort and steal. As a result, small businesses in particular are now falling victim to hackers who see them as ‘easy targets’. They figure that small businesses often have more digital assets than consumers, but almost invariably have far less security than their larger counterparts. They are also, traditionally, far less well equipped to deal quickly and effectively with the risks to their business and reputation when a breach occurs – acting too slowly and causing more brand damage than necessary.
A recent study by Towergate Insurance suggests that a staggering 97% of small businesses have totally neglected to prioritise security in their business growth plans. 82% still incorrectly believe that they are not likely targets for a cyber-attack, citing a lack of “information worth stealing” and yet 23% say that they still “worry a great deal” about the risk of a cyber or data breach.
Clearly the real risk paradigm has been missed by many business owners. While your small business may not be the sole target of a particular threat, modern attacks often start out as part of a large-scale bot-based attack. A ‘bot’ is a complex, crafted piece of software that scans everything in its path, looking for a whole range of vulnerabilities in your internet-facing infrastructure, web server or the design of your website. In today’s eCommerce websites and support systems, that’s a lot of moving parts being scanned for a chink in the armour. A single weakness can bring your website down, or the site can be taken over, visibly or invisibly, and used for something really nasty.
“It’ll never happen to me!”
The bad guys are working very hard to get in, exploit your systems and steal your sensitive data – so if you choose to ignore the issue, it’s not ‘if’ but ‘when’. The target might be credit cards, personal information or identity information for resale to other organised criminals. Whether the attacker is an organised criminal or a disgruntled ex-employee looking for revenge, the wide-ranging motives drive an even wider range of attack types.
Here are a few common attack types:
APTs
Advanced Persistent Threats (APTs) are long-term attacks that aim to get into your systems and stay there quietly. Their aim is to research your network, deliver further or updated malware, discover and map your security systems and defences, and then package up the information over an extended period before sending it out to the attacker.
DDoS
Distributed Denial of Service (DDoS) attacks cover a range of attacks that aim to shut down your servers or systems. They can range from external bot-nets that slow down your domain name services or public web server through to ongoing system attacks aimed squarely at putting you out of business.
Insider Attacks
Attacks from insiders or ex-employees are usually the most dangerous to small businesses. A network administrator, or anyone who has found some admin credentials, can easily gain access to key systems, steal sensitive personnel or commercially sensitive data, or install back-doors to exact some later revenge.
Malware and Viruses
Malicious software can reach your workstations through a specially crafted email, video, website or even a thumb drive. Viruses, spyware, ransomware (like CryptoLocker), Trojan horses, keyloggers and banking malware are just a few of the business-ending applications that can steal banking, corporate or system credentials and grind your business to a halt.
Password Attacks
These days, thankfully, very few people use “pa55word” as their system password. However, faster computing makes brute-force attacks on exposed systems practical, and a wider array of tools means that cracking even a complex password on a website or database is often a reality. Dictionary attacks, rainbow tables, keyloggers and manufacturer default passwords hidden away in devices can all spell bad news for security.
Phishing
Almost everyone has received an email pretending to be from the RTA with a speeding ticket, or from a bank telling you to verify your account details. The catch is that these simple and easy-to-spot phishing emails aren’t where this threat stops. New attacks are getting extremely hard to spot and far more targeted. Legitimate websites and their newsletter systems are being taken over to distribute malware to their clients and ultimately steal personal or financial institution credentials.
Don’t be the next victim of cyber-crime – get prepared and stay prepared.
Just because you’re a small business doesn’t mean you can ignore cybersecurity. Your customers won’t trust your brand again if a lazy approach to security lets a cyber-attack in. Cyber-attacks are yielding organised crime multiple billions of dollars every year – so it’s big business.
Today’s cyber-crime is a new frontier: hackers’ computers are being replaced with massively parallel-processing server farms on the Amazon cloud, and their tools are written by well-funded and organised criminal coding groups in Russia, China and Eastern Europe. The exploit kits are smarter than ever, more creative, more malicious and a lot faster; the malware toolkits are off-the-shelf; and your clients and confidential data simply become the commodity.
In small business there are lots of things that can put you out of business, but neglecting your cyber-security will get you there a lot faster. Here are some mistakes not to make:
Forgetting to plan for a breach.
According to Towergate, 31% of small businesses plan for a breach, and 22% say that they don’t know where to start. Every day a new hacking toolkit is released, making it easier and more profitable for cyber-criminals to enter the scene. The likelihood of your business being breached grows exponentially every day. As the saying goes, “A failure to plan is a plan for failure”. Put a response plan in place and include techniques for breach handling.
Just assuming you’re already protected
Many small businesses assume that their banks will cover them for financial fraud associated with a hack or that their insurance will cover them when they collapse after a serious data breach. In most cases, unless you carry specific cyber-insurance, both of these assumptions are wrong.
Forgetting to secure your systems and confidential data against insiders.
According to the Association of Certified Fraud Examiners, insider fraud accounted for a $3.7 trillion issue last year globally. That’s a lot of disgruntled employees. While monitoring employees can be an unpalatable task, a carefully executed data-loss prevention (DLP) solution, employee behaviour programme and network security profiling solution can keep staff and the business safe, reduce transaction fraud and reduce the likelihood of exfiltration of corporate secrets, personal or financial data.
Ignoring the need for solid security systems and software
Many small businesses seemingly don’t feel the need to invest in appropriate security solutions until after a costly breach. The emu approach of popping an anti-virus package onto workstations and hoping for the best is a short-lived strategy. Businesses that transact online and have regular client dealings via websites, email or chat sessions need to be prepared for the fact that many of these new interactions might contain a malware payload. Even point-of-sale (POS) systems, both traditional and online, can give hackers a huge range of opportunities to steal customer information. Credit card skimming using online terminal sniffers is a new problem for many physical retailers; however, sometimes the oldest of problems, the pirated application download, can be the most troublesome cybersecurity issue – with malware packaged alongside the application.
What can you do to help prevent cyber-attacks?
The first thing to do is to invest a little time and money in getting a cyber-security specialist to help put a plan together and manage it with you. That plan will include practices and security systems to keep you safe and ongoing education to ensure your staff and systems remain that way.
Here are ten simple steps that can help get your cyber-security maturity overhaul underway:
- Put in a good firewall
While common operating systems, including Windows, offer a built-in firewall, these rarely offer any useful protection against modern threats. Similarly, your average modem, router or cheap consumer firewall offers virtually no useful threat management capability or visibility to handle modern threats. A properly implemented unified threat management (UTM) device or ‘next-generation’ firewall will give you a solid first layer of network protection. Modern UTM appliances can also offer centralised threat management, feeds of dodgy domains, IP addresses and websites, filtering, protection against phishing and much more – including reports that humans can read.
- Back up your data
Probably the most overlooked, yet obvious, solution is to back up your data offline on a regular basis. Copy it and store the data in a cupboard (and also offsite). Cycle the drives using a backup application. Malware like CryptoLocker can encrypt and destroy your data on any drive that is connected, so keeping an offline copy of your important data, records, reports, databases and collateral is a quick way to safeguard your business from a critical attack.
- Encrypt your sensitive data
If you store personnel records, financial details, passwords etc. within your network, don’t forget to encrypt the data or databases. Financial statements and client records are a commodity that can easily be exfiltrated if you forget to protect the data where it’s stored. Two-step (or two-factor) authentication and password vaults are a great place to start when encrypting and managing your sensitive data.
- Use a two-factor authentication system
If you allow your staff to access website administration, remote access machines or servers, or simply to log in to their workstations offsite, don’t forget to require a second factor to get into corporate systems. There are lots of basic two-factor systems, such as Google’s own two-step verification – it requires your password and your phone to get in.
- Consider cyber-insurance
For businesses that are entirely based online, a cyber-security incident can be the difference between being in business and being out of business. Investing in some cyber-insurance may be a logical direction once you have reduced your risks through people, processes and technology. Run a risk assessment with your cyber-security consultant and work out what solution works best. Many small businesses incorrectly assume that coverage is only available to big business, but a range of small business policies is appearing from leading brokers. These include both first-party coverage, which protects against the general costs of a breach, and third-party coverage, which insures against the exposure of sensitive information from your business by a hacker; the latter can cover you for lawyers and defence costs.
- Keep your systems and software up-to-date
The easiest thing on this list to achieve, yet the most often overlooked, is to keep your systems patched and up-to-date. Investing in regular maintenance, patching and the most current operating systems can make the job of hackers just that much more difficult. Old, weak or unpatched systems make automated hacks relatively simple – meaning that the likelihood of being targeted just went up dramatically.
- Educate your employees
Even if you don’t want to send every staff member on a cybersecurity awareness course, some simple education and awareness material is cheap and very effective when it comes to helping staff understand what a breach, phish, etc. looks like. Many businesses are now focusing on eLearning courses that deliver targeted employee awareness and online safety training to all staff.
- Put a formal cyber-security practice into place – and get it reviewed
Cyber-security is not a new discipline, but it is a constantly evolving one. There is a range of international standards, such as ISO27001 for information security programmes and ISO31000 for risk management. ISO27001 provides a great basis for the development of a security programme in businesses of all sizes. Taking its recommendations, such as password complexity and longevity, and applying them to all staff can bring some quick wins to every business.
- Develop an incident response and disaster recovery plan.
Cyber-attacks and data breaches are not a matter of “if” but of “when”. Putting together a disaster recovery plan, and testing it, is the final step in being prepared for the inevitable. Putting preventative measures in place will only delay it – the better the measures, the lower the impact. Know where your data lives, how to restore backups and how quickly you can contact your technical support teams, and have a plan for second-site business continuity ready to go. There’s no one-size-fits-all, but a good plan can change the outcome of a breach.
- Get good help and put cyber-security first.
Lastly, put some regular focus back on your cyber-security. Take time out every month to work on updates, patching, standards compliance and understanding your risk. Then get your cyber-security services provider to regularly discuss and test your defences. Check your patching, firewalls and anti-malware system logs.
There are lots of buzzwords to learn, like payment card industry (PCI-DSS) compliance, scanning, threat management, cyber-intelligence and firewall terminology. So don’t ignore the issues – get help from a reputable cyber-services supplier and get on with business.
Corporate Event Producer / Emcee / Singer-Songwriter / Magician / Homeless Advocate / Sleeps Occasionally
2 years
Andy, thanks for sharing!