Published on August 12th, 2019
how SMEs can guard against them
The cybersecurity threat is constantly evolving. Once it was the man in the street or large corporates that were the target of hackers. However, with bigger companies having invested heavily in cyberdefence for themselves and their customers in recent years, cybercriminals are turning their attention to smaller and midsized companies, which potentially provide easier pickings.
Indeed, according to the recently released Verizon Data Breach Investigation Report (DBIR), which looked at nearly 42,000 data breaches across 86 countries, 43pc of incidents involved smaller businesses. Around seven in ten were financially motivated and around 25pc related to cyber-espionage.
Further research from insurance company Hiscox shows that smaller businesses are the target of 65,000 attempted cyberattacks every day, with nearly one in three having suffered a breach in the previous year. Hiscox says these incidents cost the average business more than £25,000 in direct costs (eg, paid ransoms and replacement hardware) but much more in terms of damage to reputation and lost customers.
According to Glenn Attridge, head of cyberdefence and security response, RBS, it is now easier and cheaper for cybercriminals to target small and medium-sized companies. “Smaller companies which view cybersecurity as an overhead are increasingly being left exposed to attacks from opportunistic hackers,” he says.
The basics of cybersecurity
So how do medium-sized businesses (MSBs) guard against these hackers? For Mr Attridge, there are essentials that need to be put in place both to help prevent an attack and respond quickly if and when one happens.
These include installing firewalls, updating computer operating systems and antivirus software, and backing up essential data to a safe location regularly. “Businesses need to think about how dependent they are on their critical data, what they can stomach regarding loss of this data and consider how they would continue to run their business without access to it.”
According to a recent report from Google, implementing two-factor authentication (2FA) for access to important systems is a particularly effective way of deterring opportunistic cybercriminals. Its research shows that 2FA, where users have to input additional data such as an SMS code sent to a recovery phone number before they can access data, is effective in deterring automated bots completely, as well as two-thirds (66pc) of targeted attacks.
However, 2FA is just one of a number of options that medium-sized businesses should include as part of a suite of tools to deter cybercriminals. Another is to use a password manager where users only have to remember a master password, and can then use different and complex passwords to access their systems.
Inevitably, many cyberattacks are simply down to human error, says Mr Attridge, with people too trusting with the information that they give away or the people and companies that they meet online. “Rather than treating the internet like a familiar, brightly lit high street, they need to look at it as more of an unknown alleyway where risk might lurk around the corner.”
For Eddie Whittingham, a former police officer who now runs The Defence Works, an online cybersecurity training firm for company staff, cybercrime is simply the evolution of traditional crime and is now carried out by organised criminals rather than “teenagers in hoodies”. He says: “It’s much lower-risk and higher-reward than physical crime.”
According to Tim Rawlins, director and senior adviser at cybersecurity company NCC Group, medium-sized businesses need to be “encouraging staff to do the right thing” by putting systems in place that make it easy to transfer data, so that staff do not resort to workarounds such as potentially infected USB sticks.
They also need to offer training to keep staff up to speed with phishing and other common types of cyberattacks so they do not inadvertently compromise an organisation’s security systems.
However, ultimately all businesses need to prepare for not if, but when, a cyberattack happens, says Chester Wisniewski, principal research scientist for security company Sophos. “Most firms have a well-documented plan for a fire. Why not the same for cyber attacks?”
Mr Rawlins adds that medium-sized companies also need to ensure security logging systems are in place so if there is an attack it can be dealt with quickly. “Using the logs, forensic investigators can determine exactly when and where the attack happened.”
Finally, one effective way of preparing for a cyberbreach is for companies to simulate a real-life attack. This year NatWest organised a cybersecurity summit where its customers had to manage a security breach at a fictitious bank. Organised by NCC Group, it delivered six rounds of high-speed updates that teams had to deal with.
Mr Rawlins says: “An exercise like this is by far the most effective way to teach cyber-resilience. By getting the responsible people in a room and allowing them to make mistakes, you are more likely to get it right when the real thing happens.”
Six steps if a cyberattack occurs
1 Determine what was stolen
Identify what information has been compromised, who has gained access to it, and what damage has been caused. Is the breach still in progress or not?
2 Change all affected passwords
If an online account has been compromised, change the password right away. If you used the same password for other accounts, change those as well.
3 Use a security specialist
If you are unable to contain the breach you should contact a cybersecurity specialist. By analysing your IT network security logs, they should be able to determine how the attack happened and may be able to help contain it.
4 Report incidents to the authorities
If you have been subject to a personal data breach, then under the EU General Data Protection Regulation you will need to contact the Information Commissioner’s Office. If there is malicious cyberactivity related to this, you should report it to the National Cyber Security Centre and ActionFraud.
5 Inform stakeholders
Ideally you should have an established communications strategy before any attack takes place. This should include a press statement accepting responsibility and explaining what you plan to do. You should also prepare an FAQ site to guide staff and agree on communications to stakeholders, including those in the supply chain.
6 Evaluation and improvement
After the breach you should evaluate your response to the event, identify lessons learnt and improve your security response plan so you are prepared if it happens again.