Raj Samani, EMEA CTO at security company McAfee, explains that small businesses are now the prime targets for cyber attacks, and outlines ways to build an effective defence.
Some small business owners – you might be one of them – will take comfort in the belief their operations are too inconsequential to attract attention from international cybercriminals. However, smaller companies have in fact become a preferred target for cybercrime largely because many lack the time, budget and expertise to put comprehensive security defences in place. They are also seen as much easier targets for cyber criminals than large multinational corporations, in part because many smaller companies only have a basic notion of their network security risk.
According to the Department for Business, Innovation & Skills, SMEs account for 99.2 percent of all businesses in the UK, making up 59.1 percent of private sector employment and 48.8 percent of private sector turnover at the start of 2012. As such, it is not surprising they increasingly fall victim to cyber criminals. In fact, the Department for Business, Innovation & Skills’ 2013 Information Security Breaches Survey has shown that 87 percent of small businesses across the UK experienced a breach in the last year, an increase from the previous year’s 76 percent, with cost implications of between £35,000 and £65,000 for extreme cases.
Best practice makes perfect internet security
Today, IT networks at organisations of all shapes and sizes are much more complex than they were just five years ago and have grown organically over time. Frequently, they are made up of a combination of on-premise networks, mobile networks and cloud services. Unfortunately, in many cases, internal security protection has not kept up with these changes.
Cyber crime is a real threat that should not be ignored, and the advice below will help you get on track to implement an effective security policy suited to the needs of your organisation:
1. Update software
Make sure both software updates and antivirus programs are current. Malware is constantly evolving to take advantage of vulnerabilities in software, and so are patches and fixes that repair these weaknesses. However, these fixes are useless if updates aren’t applied.
2. Educate employees
Educate your staff to never open unknown attachments in emails or click on unknown links. It may sound basic, but web- and email-based threats are growing very quickly. In the first half of 2012, web-based malware infections grew 400 percent over 2011, and email-based attacks grew 56 percent from the first to the second quarter of 2012. It is often said that technology is only as good as the people that use it, and preventing behaviour that puts your systems at risk is key.
3. Effectively deal with remote workers
Small business owners increasingly depend on remote workers and external contractors to help with the workload, but it is important to manage them securely. Knowing how many people are accessing which corporate information, and from where, is critical to your organisation’s security defence.
4. Be careful of social media
Social media can be an important marketing channel, but malicious code is increasingly injected into social networking sites, including harmless-looking links, advertisements and game apps. On Twitter, shortened URLs make it impossible to recognise if links are legitimate, and retweeting these helps spread infections.
5. Employ stringent password policies
Workers with access to financial or personal data should have separate accounts for sensitive and more general business content. Ask your staff to change passwords regularly, using a mix of alpha and numeric characters that do not resemble words, so that exposure from password theft is time-limited.
6. Limit access to financial data
Minimise the number of people who have access to sensitive financial or personal content – the fewer people who have log-in credentials to this data, the harder it is for criminals to compromise the data.
7. Be wary of downloaded apps
Be alert when buying and installing applications from online app stores and make sure they come from a reputable source to avoid malware infections.
8. Develop a layered approach to security
This means the integration of multiple forms of technology for maximum protection, including web, email, data and mobile protection.
9. Speak to an expert you can trust
All-in-one layered security systems are widely available, but if you prefer to deploy separate technology for different areas, consult a security specialist as vulnerabilities can occur if technology is not well integrated. If you don’t feel you have the necessary technical expertise to implement an effective security policy, consider asking a member of staff with interest in IT to help you with the decision-making process.
10. Apply for a Cyber Security Innovation Voucher
The Technology Strategy Board has recently introduced Innovation Vouchers for Cyber Security, a scheme for SMEs, entrepreneurs and start-ups to bid for up to £5,000 to improve their cyber security with the help of third party experts.
According to feedback we’ve had from customers and partners across the UK, small businesses are concerned about the amount of time that administering security will take, and the demands it will place on already stretched IT resources. Also, they worry about how their security needs might change over time and whether that will result in additional spending.
There is no doubt your security needs will change as you grow, but taking comprehensive steps before your infrastructure becomes too large to be effectively managed will help you in the long run. Many security solutions available today are highly scalable and can adapt to the changes that new technology and evolving security risks can force on your business. A majority of UK businesses are relying on nothing but luck to protect them from cybercrime threats. Put measures in place now, so that your luck doesn’t run out.