We regularly hear news stories about large corporations being hit with fines and suffering significant costs due to data breaches. Many small businesses believe themselves to be immune to this threat as they believe themselves to be “too small to be a target” or that they “don’t hold valuable data.” Sadly, this is no longer the case.
Opportunistic cybercriminals run large-scale, automated scans or launch mass-distributed email-based attacks to find and exploit the ‘low hanging fruit’. Minimal time investment is needed to identify a business with weak defences, so attackers do not discriminate by business size.
The inconvenient truth is that businesses often hold reams of information that can be used for malicious purposes.
In the same way that you lock your doors at night and turn on the alarm to physically secure your business, you need to do the same for the data stored on your computers, laptops, tablets and mobile phones.
All data is valuable – in the wrong hands
What many people fail to realise is that nearly all data is valuable when in the wrong hands, as one way or another, most data can be monetised by criminals. Consider the following examples of information that you may have stored on your company’s devices:
- Customer information
- Financial information
- Staff information
- Trade secrets
All of these types of information can be monetised by cybercriminals.
Remember: Any breach of the personal data of EU citizens may result in a fine under the EU’s General Data Protection Regulation (GDPR) of 2% or 4% of turnover, depending on whether the breach was deemed to result from a failure to implement appropriate technical or operational measures, or from negligence in relation to the data subject’s rights.
The evolution of the “hacker” – why would they target a small business?
Many people, quite rightly, ask the question: “Why would a hacker target me?”
“I’m just a small distributor or retailer, with nothing of value to cybercriminals”
In the past, you might have been right, however in the last few years, the world of the cybercriminal has evolved in four distinct ways:
1. “Hackers” aren’t always organised gangs
The term “hacker” is a broad one and refers to a spectrum of cybercriminals with very different levels of skill and resources.
At one end, you have large state-sponsored, organised criminal groups working from office blocks, working to influence elections (allegedly!) and attack large conglomerates and influence share prices.
Somewhere in the middle, you have socially, or politically motivated groups known as “hacktivists”, looking to bring down the websites of organisations whose causes they don’t agree with or getting together to pool their efforts to further their cause.
At the other end of the spectrum, you have the lone wolf – the individual sitting in their bedroom with the intention of making some easy money. Although the lone wolf lacks the resources of the other two groups, s/he is just as dangerous if your business’ defences are not up to scratch.
Cybercriminals now come in a variety of shapes and sizes. So too, do their victims.
2. Risk vs reward is changing
Larger companies are now waking up to the threat posed by cybercriminals and malware and are investing heavily in their defences. This by no means makes them 100% safe from attack, but it does mean that cybercriminals need to devote more effort and time to get through these companies’ defences.
This is leading to criminals using their skills and tools to widen the net and find companies that are still easy targets, whose data could still be as valuable to them, or whose resources could still be used for their gain.
3. It’s not always a manual process
The extraction of valuable information does not have to be done manually by an individual. It can easily be performed by malicious software and viruses. For example, a common form of malware known as a rootkit can conceal its presence and gain administrative control of a computer system, slowly extracting data without the knowledge or consent of the owner. Once reported back to the operator of the malicious software, this data can then be exploited for malicious purposes.
What this effectively means is that you can be targeted and exploited with little to no time investment by cybercriminals if your defences are inadequate.
4. It’s not always a “hacker” doing the hacking
Effective malware can, these days, be purchased online for personal use. Known as malware-as-a-service, anyone with internet access and the financial resources (including bitcoin) can purchase what is known as an exploit kit.
As the name suggests, an exploit kit is a cocktail of malware or malicious software that the purchaser can use as they see fit. Exploit kits often come with access to control dashboards from which malware can be created and then distributed in a variety of ways.
Aside from the many applications of this technology, the cause for concern amongst small businesses is that the spreading and targeting of malware no longer needs to be performed by someone with the necessary skills. The only requirement is motivation.
Read more about rootkits, exploits and other forms of malware in our blog: Simple cyber security threats every small business owner should know about.
As you can see, the cybercrime landscape has changed significantly in recent times. Small businesses need to take notice and adapt accordingly.
Solutions to prevent, defend and respond to common cyber security threats
If you haven’t already done so, consider some of the following defensive elements and apply them in your business. It’s important, as a business, not to rely on a single security element. With so many different attack methods available to cybercriminals, no single cyber security protection method or defensive tool can be effective against them all.
It’s important to employ multiple forms of protection and continuously add protective layers to achieve defence-in-depth. Read more about this approach in our blog: How PCI DSS builds layers of protection.
Anti-virus (AV) software is essential for any business and is an imperative first step in your defences. It’s very important for small businesses to deploy strong AV protection and to scan their machines regularly. The use of free anti-virus packages is not recommended. For an AV package to be truly effective it must be constantly updated with information on the latest threats. Free packages are often not updated as regularly as the paid versions, making them less effective. This means you may be vulnerable to newer strains of malware for longer.
A host-based firewall is a form of protective barrier around your devices. At its simplest, the firewall examines incoming and outgoing network traffic, determining whether it should be allowed to pass or be blocked. A host-based firewall can allow safe applications and functions to communicate while alerting you to, or even blocking, any suspicious activity. Good host-based firewalls contain a Host Intrusion Prevention System (HIPS), meaning they can detect and prevent unauthorised changes by malicious software on your device. This is a much-needed preventive element of any defence-in-depth approach.
Many businesses protect the main desktop computers used in their business but then neglect their other devices – mobiles, tablets etc. (i.e. endpoints). As a business you need to consider Advanced Endpoint Protection to defend all types of business-critical devices from threats they may be exposed to when they surf the Internet, receive emails or interact with social media. Any device that does all of those things and connects to your business’ network and internal systems is a potential weak point that could let attackers in, introduce viruses or other malicious software, or be a route out for data (data leakage/loss).
Web Application Firewall (WAF)
A WAF acts as a firewall for your website, defending it against common forms of online attack. As seen in our real-life example above, a WAF can be effective in defending against DDoS attacks. A WAF can also protect against other common attacks and known web application vulnerabilities (weaknesses) such as SQL injection, buffer overflows and Cross-Site Scripting (XSS), which can be used to gain access to sensitive data or to gain privileged access to the website. Read more about these threats here.
Awareness and education
Ensuring you and your staff are aware of the common risks and threats is a major step towards protecting your business. You need to ensure you have an Information Security Policy defined for your business, that is supported by processes and procedures for the handling and protection of sensitive data.
Establish other policies around the use of personal mobile phones, on the use of email so that users know how to recognise phishing emails and scams, and on the use of work computers for personal Internet browsing to limit risks. Your staff are often your first line of defence against scams, phishing, ransomware and malicious websites. Raising their cyber security awareness is one of the most effective ways to prevent data loss and cyber-attacks against your business.
An incident response plan (IRP) should be in place to help your business react quickly in the event of an attack and minimise the potentially damaging impact. An IRP provides detailed instructions on how to react to a range of incident scenarios such as data breaches, ransomware, denial of service attacks, virus outbreaks, etc. Your IRP should cover those incidents that could impact your valuable data and hinder your ability to operate your business.
Planning ahead will help your company respond and recover as quickly and as safely as possible. The impact of the real-life website downtime example above could have been reduced if the business had a plan for reporting and dealing with security incidents.
There are many ways in which you can protect your business from cyber-attack; these are just some of the measures available.
Our paper It’s time for small businesses to take cybersecurity seriously covers the subject of data loss and the cybersecurity threats posed to small businesses in more detail.
In this short paper, we outline why small businesses need to consider themselves a potential victim, why you need to take data loss seriously – whatever the data – and why common malware symptoms such as system downtime and intermittent device crashes are a real threat.