The problems associated with running a small business are many and varied: are your customers going to pay your invoices in time? Do you have enough work to hire that extra person? Is your supply chain robust enough to deal with sudden changes in demand? Up until recently, there wasn’t much chance that cyber security was on the list of typical worries for a small business owner, but that’s changing…
Alongside our increased reliance on the Internet and connectivity has come an exposure to greater risk, as cyber criminals cotton on to the fact that SMEs typically have little or no budget available to protect themselves from attacks. The upshot of this is that SMEs are more of a target than ever for sophisticated and highly organised criminals, who use our reliance on computer systems – intended to make doing business easier – against us.
Modern SMEs often rely on cloud based systems, where all data and software is provided on a metered basis and hosted by a third party. A good example of this is Microsoft’s Office 365 programme, which seeks to replace traditional installations of Office productivity software, email systems and on-premises Active Directory with a monthly subscription to Microsoft’s cloud service. While this minimises the costs associated with setting up a fully functional IT infrastructure, often reducing capital expenditure down to the cost of the laptop and phone issued to each employee, it also means giving up control of that infrastructure. In most cases, this is a Good Thing, since large vendors are almost always better at securing their products, and have the money to hire dedicated cyber security specialists. It has, however, also led to a reduction in the capacity for small organisations to protect themselves against threats, as they will often have no formal IT or security teams in place to support them in the event of an attack. Moving to the cloud does not move the risk: the vendor secures the platform, but who can log in to your accounts, and what they can do once they have, is still your problem.
Cyber criminals know this, and they are now targeting their attacks on smaller organisations, and using some very nasty, efficient attacks to do so. The modern cyber-criminal is often part of a well organized and highly successful enterprise, with a highly developed corporate structure consisting of CEOs, financial controllers, developers, sales teams and marketing. They are often run much more efficiently than traditional enterprises, with the added “benefit” that they have no compliance costs or tax bill. These highly sophisticated organizations are experts at successfully executing efficient and effective attacks.
A successful cyber-attack is usually a case of identifying the weakest link in the defences of your target. Most of the time, that weakest link is actually a person. To take one example: what would you or your staff do if you received an email purporting to have a PDF of an invoice attached? A fair number of people would open it – and if that “PDF” is really an executable with a PDF-looking name, or a document that exploits a flaw in the reader, then just like that a machine within your organisation is compromised and potentially under the control of a malicious attacker. Now, many people will claim that they never open attachments from unknown senders. Good for them. However, consider what would happen if the email appeared to come from within the company, perhaps masquerading as an instruction from the CEO to the Financial Director to pay the invoice. Here, the criminals can potentially win twice! If they control the receiving bank account, they might just get paid the amount on the invoice, and gain control of the recipient’s machine!
This is an example of what we call a “spearphishing” attack. Phishing is the act of sending an email to a recipient with the intention of compromising either the recipient’s machine or just their login credentials. Spearphishing is simply the same, but with an emphasis on targeting a particular individual within the organisation. Many criminals will use publicly available information to develop and hone their attacks. A lot of corporate information can be gathered completely passively using public resources, such as company websites, LinkedIn profiles, social media and press releases. They may call your office, claiming to be a supplier or a senior member of staff to encourage the target to take the bait within the original email, or give up more sensitive information or credentials – a form of interaction we call “social engineering.” None of this is particularly sophisticated – it’s the age old scamming activity that has been with us for centuries, but modern technology has made it possible to perform these sorts of attacks very efficiently, with very little chance of being caught. The tells are usually there if you look: a familiar name on an outside mailbox, a Reply-To that differs from the sender, an attachment whose name ends in .pdf.exe, and a message that is in a hurry.
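The checks just described can be run mechanically against a suspect message before anyone opens the attachment. The script below is an added example, not code from the original article: it parses a raw email with Python’s standard library and reports the spearphishing indicators discussed above (an executive’s display name on an external address, a mismatched Reply-To, an “internal” sender with no passing SPF/DKIM result, a dangerous or mis-typed attachment, and payment-pressure wording). The company domain `example-sme.co.uk`, the executive name, the word lists and both sample messages are constructed for the example and are not real.

```python
"""Triage checks for a suspected spearphishing / CEO-fraud email.

Added example. OUR_DOMAIN, EXECUTIVE_NAMES, the word lists and the two
sample messages are assumptions constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example-sme.co.uk"          # assumed: the SME's own mail domain
EXECUTIVE_NAMES = {"jane smith"}          # assumed: names a CEO-fraud mail would borrow

# Executable or macro-bearing attachment types, whatever the rest of the name says.
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk",
                 ".docm", ".xlsm", ".pptm")
URGENCY_WORDS = ("urgent", "today", "wire", "transfer", "pay", "invoice")


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@', or '' when there is none."""
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes, our_domain: str = OUR_DOMAIN,
            executives: set = EXECUTIVE_NAMES) -> list:
    """Return the list of indicators that fired; an empty list means none did."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Executive display name on an outside mailbox (classic CEO fraud).
    if from_name.strip().lower() in executives and from_domain != our_domain:
        findings.append(f"display name '{from_name}' but external sender {from_addr}")

    # 2. Reply-To on a different domain from the visible sender: replies go to
    #    the attacker, not to the person being impersonated.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match From domain")

    # 3. A From address on our own domain should carry a passing SPF or DKIM
    #    verdict from our gateway; a bare claim of being internal is a forgery.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == our_domain and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("claims internal sender but no passing SPF/DKIM result")

    # 4. Attachments: executables, macro documents, double extensions, and
    #    files called .pdf whose declared MIME type is not PDF.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXT) or ".pdf." in name:
            findings.append(f"dangerous attachment name {name!r}")
        elif name.endswith(".pdf") and part.get_content_type() != "application/pdf":
            findings.append(f"{name!r} is not really a PDF ({part.get_content_type()})")

    # 5. Payment pressure in the body text (two or more trigger words).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


def sample_spearphish() -> bytes:
    """A constructed CEO-fraud message (not a real email)."""
    m = EmailMessage()
    m["From"] = "Jane Smith <jane.smith.ceo@gmail.com>"
    m["To"] = "finance@example-sme.co.uk"
    m["Reply-To"] = "accounts@invoice-portal.example"
    m["Subject"] = "Urgent: supplier invoice"
    m.set_content("Please pay the attached invoice today by wire transfer. "
                  "I am in meetings all day, do not call.")
    # A few bytes of a PE header standing in for a real executable payload.
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice_4471.pdf.exe")
    return bytes(m)


def sample_legitimate() -> bytes:
    """A constructed internal message that should raise no indicators."""
    m = EmailMessage()
    m["From"] = "Alice Jones <alice.jones@example-sme.co.uk>"
    m["To"] = "finance@example-sme.co.uk"
    m["Authentication-Results"] = "mx.example-sme.co.uk; spf=pass smtp.mailfrom=example-sme.co.uk"
    m["Subject"] = "Friday"
    m.set_content("Lunch on Friday?")
    return bytes(m)


if __name__ == "__main__":
    for finding in analyse(sample_spearphish()):
        print("-", finding)
    print("legitimate mail:", analyse(sample_legitimate()) or "no indicators")
```

None of these checks is a proof on its own, and a careful attacker can avoid several of them; their value is that together they turn “does this look right?” into a repeatable question the finance team can ask before acting on an invoice. The Authentication-Results check assumes your mail gateway adds that header, which Office 365 and most hosted mail services do.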
A number of SMEs, as well as some very large organisations, have also recently fallen victim to “ransomware.” Ransomware is malicious software that infects a machine and encrypts the data held on it, and typically on any network shares and connected drives it can reach. The user is then prompted to pay a ransom in exchange for the decryption key. The ransom is often payable in Bitcoin (a cryptocurrency whose payments are hard to link to a real person, though not, strictly, untraceable) and this particular method of attack has been extremely successful, since most people do not take adequate backups from which to restore their data. Sadly, this is an attack method we are starting to see more in business and enterprise clients. This appears to be a new trend, as criminals, fresh from weaponising their software on the consumer market, have now moved on to bigger, more lucrative targets.
Ransomware attacks are incredibly costly to resolve, even if you have comprehensive offline backups to restore without having to pay the ransom; the time taken to restore all that data could easily put an SME out of business. To make matters worse, ransomware, like most malicious software these days, is sold as a package by criminal vendors, complete with automatic updates and a support contract. This makes it easy for even very unsophisticated attackers to successfully attack your systems.
These are just two examples of threats that face modern SMEs. Neither is particularly difficult to execute; both involve low levels of risk for the attacker and have a potentially very large payoff for little effort. Traditional defences, such as anti-virus software, are not a particularly effective way of combating these threats on their own: anti-virus relies largely on recognising malware it has seen before, and the samples used in a targeted attack are routinely modified until they slip past it.
It can seem like a hopeless situation for an SME, which generally has a very limited budget available for cyber security. This can be especially true when we consider that cyber security is often considered as a cost only, with no return on investment, thereby further limiting the cash available for investment. There are, however, a few things you can do to make yourself a more difficult target.
One of the most effective ways to strengthen your defences is to invest in staff cyber security awareness training and develop an organizational security policy. The security policy should be the responsibility of a board member and should be regularly updated in line with your business objectives. You should also ensure that you have a procedure to follow when a breach is detected, and that your staff know how to follow the process.
Cyber security awareness training should ideally be mandatory for all staff, but if you need to concentrate on certain roles, ensure that employees with special privileges, such as those with access to bank accounts or administrative access to systems are prioritised. None of this requires any investment in technology, and if you’re lucky enough to employ someone with even a basic knowledge of security, they may well be able to help educate other staff members if they get the opportunity for formal training. Other soft controls that can be used include:
• Ensuring that all staff sign up to an acceptable use policy and understand their responsibilities within it and the organisational security policy.
• Asking suppliers and other third parties to detail their approach to cyber security before allowing them any access to your systems.
• Getting interested staff to attend local security meet ups and keep an eye on the media to remain up to date on the latest threats.
• Talking to other SMEs about how they are protecting themselves.
• Ensuring that you have comprehensive backups in place, ideally offline so that a ransomware attack can’t also encrypt your backups, and testing that you can actually restore from them – a backup you have never restored is a hope, not a control.
Once your soft controls are in place, you can consider deploying technology to make yourself a more difficult target. Most organisations, particularly those running on Windows, will already have anti-virus products installed. You should ensure that this is always kept up to date, and that software updates for operating systems and software packages are applied as soon as possible. There is also a wealth of security enhancements that are offered for free along with existing services. You should use features such as disk encryption where it’s supported: this is included in OS X (FileVault) and in the business editions of Windows (BitLocker), and means a lost or stolen laptop is an inconvenience rather than a data breach. If you use cloud services, you’ll often find that they offer multi-factor authentication via a mobile app. This allows you to stop relying on a simple username and password combination for access to systems, and ensures that a user must also have access to an authorised device to log in, so a phished password on its own is no longer enough. Turn it on first for email and for any account with administrative rights or access to money.
If you have the budget, you can get a great deal of value for money by talking to cyber security professionals, either informally through your contact network or by engaging them directly. Depending on the jurisdiction in which you operate, there may well be grants available for this kind of work. Security professionals should help you to prioritise your defences and identify key technologies and controls in which to invest, in order to make yourself a harder target.
So much of cyber security involves making yourself a harder target than the next guy, and this is nowhere near an exhaustive list of options. What is absolutely key is to ensure that whatever you do, it fits your business and your business objectives. Even a small enhancement can make the difference between going out of business and surviving an attack.